Shorter plugin ID, rejections for custom source sets #81
Conversation
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
buildSrc/src/main/kotlin/io/spine/internal/gradle/github/pages/Update.kt
Show resolved
Hide resolved
buildSrc/src/main/kotlin/io/spine/internal/gradle/github/pages/UpdateGitHubPages.kt
Show resolved
Hide resolved
buildSrc/src/main/kotlin/io/spine/internal/gradle/javascript/JsContext.kt
Show resolved
Hide resolved
... to make IDEA happy about the “ambiguous” `equals()` call.
Also: * Remove redundant workflow.
This file is going to be discontinued. We keep it until its logic is transferred to GitHub Actions.
# Conflicts: # README.md # license-report.md # pom.xml # version.gradle.kts
| <artifactId>checkstyle</artifactId> | ||
| <version>9.1</version> | ||
| </dependency> | ||
| <dependency> |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:maven/net.sourceforge.pmd/[email protected]
1 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies
Components
pkg:maven/com.google.code.gson/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1694] CWE-502: Deserialization of Untrusted Data
gson - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-502
pkg:maven/commons-io/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2018-0705] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
commons-io - Path Traversal [CVE-2021-29425]
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-22
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -28,109 +26,127 @@ all modules and does not describe the project structure per-subproject. | |||
| <dependency> | |||
| <groupId>com.google.guava</groupId> | |||
| <artifactId>guava</artifactId> | |||
| <version>30.0-jre</version> | |||
| <version>30.1.1-jre</version> | |||
| <scope>compile</scope> | |||
| </dependency> | |||
| <dependency> | |||
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:maven/com.google.protobuf/[email protected]
0 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
Components
pkg:maven/com.google.guava/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2020-0926] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
guava - Creation of Temporary File in Directory with Insecure Permissions [CVE-2020-8908]
The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
CVSS Score: 6.2
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-379
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
This PR:
bootstrapplugin toio.spine.bootstrap. Previously, it was annoyingly longer (io.spine.tools.gradle.bootstrap).Rejections to source sets other thanmainortest.IdeaModelin Gradle in relation to Spine. Such configuration actions are either already performed by corresponding plugins (e.g. inclusion of directories into source sets), or should not be done at the level of thebootstrapplugin because it's too intrusive (e.g. setting downloading of Javadoc or source code).base,tool-base,mc-plugins, andconfig.