diff --git a/0001-Do-not-load-external-DTDs-by-default.patch b/0001-Do-not-load-external-DTDs-by-default.patch
new file mode 100644
index 0000000..4516c25
--- /dev/null
+++ b/0001-Do-not-load-external-DTDs-by-default.patch
@@ -0,0 +1,71 @@
+From a9160d06bf5b8c9c11666ab408ea8a09afa108a9 Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski
+Date: Tue, 2 Apr 2019 15:10:53 +0200
+Subject: [PATCH] Do not load external DTDs by default
+
+---
+ .../tools/checkstyle/api/AbstractLoader.java | 43 ++++++++++++++++++-
+ 1 file changed, 41 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+index a414492f3..76c72b767 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
++++ b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+@@ -83,8 +83,7 @@ public abstract class AbstractLoader
+ throws SAXException, ParserConfigurationException {
+ this.publicIdToResourceNameMap = new HashMap<>(publicIdToResourceNameMap);
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
+- factory.setFeature(LOAD_EXTERNAL_DTD, true);
+- factory.setFeature(EXTERNAL_GENERAL_ENTITIES, true);
++ LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+ factory.setValidating(true);
+ factory.setNamespaceAware(true);
+ parser = factory.newSAXParser().getXMLReader();
+@@ -133,4 +132,44 @@ public abstract class AbstractLoader
+ public void fatalError(SAXParseException exception) throws SAXException {
+ throw exception;
+ }
++
++ /**
++ * Used for setting specific for secure java installations features to SAXParserFactory.
++ * Pulled out as a separate class in order to suppress Pitest mutations.
++ */
++ public static final class LoadExternalDtdFeatureProvider {
++
++ /** System property name to enable external DTD load. */
++ public static final String ENABLE_EXTERNAL_DTD_LOAD = "checkstyle.enableExternalDtdLoad";
++
++ /** Feature that enables loading external DTD when loading XML files. */
++ private static final String LOAD_EXTERNAL_DTD =
++ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++ /** Feature that enables including external general entities in XML files. */
++ private static final String EXTERNAL_GENERAL_ENTITIES =
++ "http://xml.org/sax/features/external-general-entities";
++
++ /** Stop instances being created. **/
++ private LoadExternalDtdFeatureProvider() {
++ }
++
++ /**
++ * Configures SAXParserFactory with features required
++ * to use external DTD file loading, this is not activated by default to no allow
++ * usage of schema files that checkstyle do not know
++ * it is even security problem to allow files from outside.
++ * @param factory factory to be configured with special features
++ * @throws SAXException if an error occurs
++ * @throws ParserConfigurationException if an error occurs
++ */
++ public static void setFeaturesBySystemProperty(SAXParserFactory factory)
++ throws SAXException, ParserConfigurationException {
++
++ final boolean enableExternalDtdLoad = Boolean.valueOf(
++ System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
++
++ factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
++ factory.setFeature(EXTERNAL_GENERAL_ENTITIES, enableExternalDtdLoad);
++ }
++ }
+ }
+--
+2.20.1
+
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index cc8a1ec..0000000
--- a/README.en.md
+++ /dev/null
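Review bot: The backported setFeaturesBySystemProperty turns off `load-external-dtd` and `external-general-entities` but never touches `http://xml.org/sax/features/external-parameter-entities`, so external parameter entities declared in a DOCTYPE internal subset are still resolved when `checkstyle.enableExternalDtdLoad` is left at its default; add `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", enableExternalDtdLoad);` beside the two existing setFeature calls. The constructor being patched also keeps the context line `factory.setValidating(true);`, and for the Xerces-based parser the JDK ships the `nonvalidating/load-external-dtd` feature is documented as always on while validation is enabled, so the first setFeature call most likely has no effect and whether a referenced DTD is fetched is decided by AbstractLoader's entity-resolver code, which lies outside this hunk. A regression test that parses a document referencing an unknown external DTD with the property unset would confirm the intended default. The constructor edited by the nested first hunk starts before that hunk.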
@@ -1,36 +0,0 @@
-# checkstyle
-
-#### Description
-A tool for checking Java source for adherence to a set of rules.
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
deleted file mode 100644
index 50df024..0000000
--- a/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# checkstyle
-
-#### 介绍
-A tool for checking Java source for adherence to a set of rules.
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 使用说明
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 参与贡献
-
-1. Fork 本仓库
-2. 新建 Feat_xxx 分支
-3. 提交代码
-4. 新建 Pull Request
-
-
-#### 码云特技
-
-1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
-2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
-5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/checkstyle-8.0-src.tar.gz b/checkstyle-8.0-src.tar.gz
new file mode 100644
index 0000000..21f99e6
Binary files /dev/null and b/checkstyle-8.0-src.tar.gz differ
diff --git a/checkstyle.catalog b/checkstyle.catalog
new file mode 100644
index 0000000..190f1ed
--- /dev/null
+++ b/checkstyle.catalog
@@ -0,0 +1,17 @@
+-- Checkstyle DTD catalog --
+-- JPackage Project --
+
+PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.2//EN"
+ configuration_1_2.dtd
+
+PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.1//EN"
+ configuration_1_1.dtd
+
+PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.0//EN
+ configuration_1_0.dtd
+
+PUBLIC "-//Puppy Crawl//DTD Package Names 1.0//EN"
+ packages_1_0.dtd
+
+PUBLIC "-//Puppy Crawl//DTD Suppressions 1.0//EN"
+ suppressions_1_0.dtd
diff --git a/checkstyle.spec b/checkstyle.spec
new file mode 100644
index 0000000..c5e8134
--- /dev/null
+++ b/checkstyle.spec
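Review bot: The third catalog entry is missing its closing quote — `PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.0//EN` — so the public identifier runs on into ` configuration_1_0.dtd` and the entries that follow it, and an SGML catalog parser will either reject the file or silently drop the 1.0, Package Names and Suppressions mappings. The line should read `PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.0//EN"`. Because checkstyle.spec's %post scriptlet registers this file with install-catalog, a malformed entry would presumably not stay confined to checkstyle's own lookups, so it is worth a quick parse check before the package ships.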
@@ -0,0 +1,96 @@
+Name: checkstyle
+Version: 8.0
+Release: 4.2
+Summary: Java source code inspection tool
+URL: http://checkstyle.sourceforge.net/
+License: LGPLv2+ and GPLv2+ and BSD
+BuildArch: noarch
+
+Source0: http://download.sf.net/checkstyle/checkstyle-%{version}-src.tar.gz
+Source1: %{name}.catalog
+
+#This patch fixed CVE-2019-9658: Checkstyle loads external DTDs by default
+Patch0000: 0001-Do-not-load-external-DTDs-by-default.patch
+
+BuildRequires: maven-local mvn(antlr:antlr) mvn(com.google.guava:guava) mvn(commons-beanutils:commons-beanutils)
+BuildRequires: mvn(commons-cli:commons-cli) mvn(com.sun:tools) mvn(org.antlr:antlr4-maven-plugin)
+BuildRequires: mvn(org.antlr:antlr4-runtime) mvn(org.apache.ant:ant) mvn(org.apache.ant:ant-nodeps)
+BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) mvn(org.apache.maven.plugins:maven-failsafe-plugin)
+BuildRequires: mvn(org.codehaus.mojo:antlr-maven-plugin) mvn(org.codehaus.mojo:build-helper-maven-plugin)
+
+Obsoletes: %{name}-optional < %{version}-%{release} %{name}-demo < %{version}-%{release}
+Obsoletes: %{name}-manual < %{version}-%{release}
+
+%description
+A tool to help Java developers comply with certain coding standards
+
+%package help
+Summary: Help documents for checkstyle
+Provides: %{name}-javadoc = %{version}-%{release}
+Obsoletes: %{name}-javadoc < %{version}-%{release}
+
+%description help
+Help documents for checkstyle
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+%pom_remove_parent
+
+sed -i s/guava-jdk5/guava/ pom.xml
+
+for file in maven-eclipse-plugin maven-site-plugin nexus-staging-maven-plugin maven-enforcer-plugin cobertura-maven-plugin maven-linkcheck-plugin maven-pmd-plugin findbugs-maven-plugin xml-maven-plugin forbiddenapis spotbugs-maven-plugin;do
+%pom_remove_plugin :$file
+done
+
+%pom_remove_dep com.sun:tools
+%pom_add_dep com.sun:tools
+
+sed -i '/testLoadFromURL/s/ *.*/ @org.junit.Ignore&/' src/test/java/com/puppycrawl/tools/checkstyle/filters/SuppressionsLoaderTest.java
+
+sed -i '/testUnexpectedChar/s/./@org.junit.Ignore/' src/test/java/com/puppycrawl/tools/checkstyle/grammars/GeneratedJava14LexerTest.java
+
+%build
+%mvn_file : %{name}
+%mvn_build -f
+
+%install
+%mvn_install
+
+%jpackage_script com.puppycrawl.tools.checkstyle.Main "" "" checkstyle:antlr:apache-commons-beanutils:apache-commons-cli:apache-commons-logging:apache-commons-collections:guava checkstyle true
+
+install -Dm 644 %{SOURCE1} %{buildroot}%{_datadir}/xml/%{name}/catalog
+cp -pa src/main/resources/com/puppycrawl/tools/checkstyle/*.dtd \
+ %{buildroot}%{_datadir}/xml/%{name}
+
+install -dm 755 %{buildroot}%{_sysconfdir}/ant.d
+cat > %{buildroot}%{_sysconfdir}/ant.d/%{name} << EOF
+checkstyle antlr apache-commons-beanutils apache-commons-cli apache-commons-logging guava
+EOF
+
+%post
+if [ -x %{_bindir}/install-catalog -a -d %{_sysconfdir}/sgml ]; then
+ %{_bindir}/install-catalog --add \
+ %{_sysconfdir}/sgml/%{name}-%{version}-%{release}.cat \
+ %{_datadir}/xml/%{name}/catalog > /dev/null || :
+fi
+
+%postun
+if [ -x %{_bindir}/install-catalog -a -d %{_sysconfdir}/sgml ]; then
+ %{_bindir}/install-catalog --remove \
+ %{_sysconfdir}/sgml/%{name}-%{version}-%{release}.cat \
+ %{_datadir}/xml/%{name}/catalog > /dev/null || :
+fi
+
+%files -f .mfiles
+%license LICENSE
+%doc README.md
+%{_datadir}/xml/%{name}
+%{_bindir}/%{name}
+%config(noreplace) %{_sysconfdir}/ant.d/%{name}
+
+%files help -f .mfiles-javadoc
+
+%changelog
+* Wed Mar 4 2020 tangjing - 8.0-4.2
+- Package init
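Review bot: The %changelog entry only says `- Package init` although the spec applies Patch0000 for CVE-2019-9658, so the security fix is invisible to tooling and reviewers that read changelogs; make it `- Package init; apply 0001-Do-not-load-external-DTDs-by-default.patch to fix CVE-2019-9658`. The two `sed ... @org.junit.Ignore` edits in %prep look redundant if `%mvn_build -f` skips the test run, as the javapackages `-f`/`--skip-tests` flag does; either drop the seds or drop `-f` so the rest of the suite still runs and exercises the patched AbstractLoader. The patch comment would also read more naturally as `# Fix CVE-2019-9658: Checkstyle loads external DTDs by default`.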