
Upgrade rouge #383

Merged (1 commit, Feb 15, 2024)

Conversation

@owjsub (Contributor) commented Feb 8, 2022

closes #339

I upgraded rouge to the latest version.

All checks passed locally:

$ bundle exec rake spec
$ bundle exec rake cucumber
$ bundle exec rake lint

@dvelopmberg commented:

Can someone merge this? In rouge 2.0.7 there are vulnerabilities.
https://cwe.mitre.org/data/definitions/1333

@AndriiZakhliupanyi commented:

@supermarin Hello! Can you merge this?
This is a very important update.
Now rouge has 4.1.3.

@supermarin (Contributor) commented:

Hey @AndriiZakhliupanyi, I've been long gone from this project and it's been in the hands of @KrauseFx and others.

I don't think anyone should be using xcpretty anymore since xcodebuild added a -q (quiet) flag a few years ago.

@KrauseFx is there any interest in finding maintainers or should this project be archived & steered off?

@AndriiZakhliupanyi commented:

@supermarin @KrauseFx fastlane uses xcpretty: https://github.com/fastlane/fastlane/blob/master/Gemfile.lock#L42
fastlane is used by many projects.
My security team does not allow it to be used because of rouge 2.0.7 :)

@supermarin (Contributor) commented:

Good point - @joshdholtz any interest in either removing xcpretty from Fastlane or maintaining it?

@AndriiZakhliupanyi commented:

@joshdholtz @supermarin hi, do you have any news?

@supermarin (Contributor) commented:

@AndriiZakhliupanyi I don't even have write access to merge this, sorry about that. @joshdholtz @KrauseFx another ping

@joshdholtz (Member) commented:

Oooops sorry! Was hard out with Covid during those initial pings.

I'm pretty sure that I removed xcpretty as a default dependency in fastlane a while ago.

We support xcbeautify with everything now. But... maybe xcpretty is the default if xcbeautify is not installed.

I can take a look later tomorrow when I have some more free time!

@supermarin (Contributor) commented:

@joshdholtz thanks! Feel free to merge this one since you have commit access.

@AndriiZakhliupanyi commented:

@joshdholtz hi! Do you have any news?

@tejassharma96 commented:

Hi @joshdholtz, fastlane definitely still depends on xcpretty (see here), any updates on removing it?

@DevMobileAS (Collaborator) commented:

@joshdholtz @KrauseFx

> Oooops sorry! Was hard out with Covid during those initial pings.
>
> I'm pretty sure that I removed xcpretty as a default dependency in fastlane a while ago.
>
> We support xcbeautify with everything now. But... maybe xcpretty is the default if xcbeautify is not installed.
>
> I can take a look later tomorrow when I have some more free time!

Sorry to bother again, but this issue is now over one year old and still active. Although fastlane also uses xcbeautify like you said, it's still also depending on xcpretty here.

So please either fully remove xcpretty from fastlane or merge the rouge update here and then update to the latest xcpretty on fastlane.

Otherwise any good security review in a build pipeline will fail and prevent iOS app releases using the (compromised) fastlane at all:

Example Nexus IQ report on fastlane→xcpretty→rouge:
[Screenshot 2024-02-15 at 08:32:50]
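The fastlane→xcpretty→rouge chain flagged above is exactly what a lockfile check can surface before a pipeline scanner does. The following is an added example, not code from this PR, xcpretty or fastlane: it parses the GEM/specs section of a Gemfile.lock, finds the dependency path from a root gem to a target gem, and reports the resolved version when it is below a minimum. The lockfile text is constructed for the demo (the fastlane version is a placeholder), and treating rouge 4.1.3 (the version named in this thread) as the minimum is an assumption.

```ruby
require "rubygems" # for Gem::Version comparisons

# CONSTRUCTED lockfile excerpt: only rouge 2.0.7 and xcpretty 0.3.0 come from
# the thread; the fastlane version is a placeholder.
LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    fastlane (0.0.0)
      xcpretty (~> 0.3.0)
    rouge (2.0.7)
    xcpretty (0.3.0)
      rouge (~> 2.0.7)

PLATFORMS
  ruby
LOCK

# Parse the specs block into { name => [resolved_version, [dependency names]] }.
# In Gemfile.lock, spec lines are indented 4 spaces and their deps 6 spaces;
# a blank line terminates the GEM block.
def parse_specs(lock)
  specs = {}
  current = nil
  in_specs = false
  lock.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    next unless in_specs
    break if line.strip.empty?
    if (m = line.match(/^ {4}(\S+) \(([^)]+)\)$/))
      current = m[1]
      specs[current] = [m[2], []]
    elsif (m = line.match(/^ {6}(\S+)/)) && current
      specs[current][1] << m[1]
    end
  end
  specs
end

# Depth-first search for a dependency path from root to target (gem names).
def dependency_path(specs, root, target, seen = [])
  return nil unless specs.key?(root)
  return [root] if root == target
  return nil if seen.include?(root) # guard against cyclic lockfiles
  specs[root][1].each do |dep|
    sub = dependency_path(specs, dep, target, seen + [root])
    return [root] + sub if sub
  end
  nil
end

# Returns [path, version] when target is reachable from root and resolves
# below minimum; nil otherwise (not reachable, or already new enough).
def flag_transitive(lock, root, target, minimum)
  specs = parse_specs(lock)
  path = dependency_path(specs, root, target)
  return nil unless path
  version = specs[target][0]
  Gem::Version.new(version) < Gem::Version.new(minimum) ? [path, version] : nil
end
```

Run against a real Gemfile.lock by replacing LOCKFILE with File.read of the lockfile; a hit prints the chain that a reviewer would otherwise only see in the scanner report.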

@KrauseFx merged commit 20e9d92 into xcpretty:master Feb 15, 2024

@KrauseFx (Member) commented:

I went ahead and merged this PR. This allows you to point to the latest master of xcpretty, and therefore fix your builds & security warnings.

However, this still requires some work on @fastlane's end to remove xcpretty as a dependency.

@DevMobileAS (Collaborator) commented:

Thx Felix! Thanks to the rouge update it's now up to @joshdholtz to either just still use the (now no longer vulnerable) xcpretty or remove it later.

@KrauseFx
Mind me asking if you guys plan to maintain/update xcpretty itself in the future? Or just caring for and fixing blockers?

Thanks for your work in any case ;-)

@KrauseFx (Member) commented:

Due to Google having stopped supporting projects like fastlane financially or through contributions, and not doing a proper handover, there is no structured approach right now. AFAIK we're happy to add you as a contributor to xcpretty, and you can help merge and ship PRs. It seems like you're using xcpretty commercially, so this will be a great opportunity to help out this non-commercial open source project used by more than a hundred thousand apps.

I'm working full-time on ContextSDK, and just happen to still have push access as a backup.

@DevMobileAS (Collaborator) commented:

Thanks for the clarification. For sure we can (and should) help by contributing as much as we can. So feel free to add this account to the xcpretty project, so we could at least create a new version and help update it within fastlane itself.

Successfully merging this pull request may close these issues.

Weird, xcpretty 0.2.6 ~ 0.3.0 only support rouge 2.0.7