From 473f70ab4653aa96d79deb3f10e30400d1777a20 Mon Sep 17 00:00:00 2001 From: Ned Twigg Date: Fri, 15 Feb 2019 15:07:54 -0800 Subject: [PATCH 1/8] Bump goomph to 3.17.4 for the https bugfix. --- _ext/gradle/p2-fat-jar-setup.gradle | 4 ++-- gradle.properties | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/_ext/gradle/p2-fat-jar-setup.gradle b/_ext/gradle/p2-fat-jar-setup.gradle index fd61956882..dd404e1a31 100644 --- a/_ext/gradle/p2-fat-jar-setup.gradle +++ b/_ext/gradle/p2-fat-jar-setup.gradle @@ -7,7 +7,7 @@ buildscript { } } dependencies { - classpath "com.diffplug.gradle:goomph:3.15.0" + classpath "com.diffplug.gradle:goomph:3.17.4" } } apply plugin: com.diffplug.gradle.p2.AsMavenPlugin @@ -73,7 +73,7 @@ p2AsMaven { p2ant { /* Define p2ant proxy settings as a closure. Refer to the API documents for instructions: - https://diffplug.github.io/goomph/javadoc/3.3.0/com/diffplug/gradle/p2/AsMavenPlugin.html + https://diffplug.github.io/goomph/javadoc/3.17.4/com/diffplug/gradle/p2/AsMavenPlugin.html */ if (project.hasProperty('setP2AntProxy')) { setP2AntProxy(it) diff --git a/gradle.properties b/gradle.properties index 41f440f62f..cb9d730db7 100644 --- a/gradle.properties +++ b/gradle.properties @@ -25,7 +25,7 @@ VER_SPOTBUGS=3.1.6 VER_SPOTBUGS_PLUGIN=1.6.2 VER_BINTRAY=1.7.3 VER_PLUGIN_PUBLISH=0.9.7 -VER_GOOMPH=3.8.1 +VER_GOOMPH=3.17.4 VER_GRADLE_GIT=1.6.0 VER_PEGDOWN_DOCLET=1.3 From afda9c2f434ed6233810097f4325e4569719a60a Mon Sep 17 00:00:00 2001 From: Ned Twigg Date: Fri, 15 Feb 2019 15:21:34 -0800 Subject: [PATCH 2/8] Bump readme and docs http to https. --- CODE_OF_CONDUCT.md | 6 +++--- README.md | 6 +++--- gradle/java-publish.gradle | 4 ++-- plugin-gradle/README.md | 4 ++-- plugin-maven/README.md | 6 +++--- plugin-maven/build.gradle | 2 +- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 4be4ecfbbf..d35de1a7ca 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md 
@@ -40,7 +40,7 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai ## Attribution -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [https://contributor-covenant.org/version/1/4][version] -[homepage]: http://contributor-covenant.org -[version]: http://contributor-covenant.org/version/1/4/ +[homepage]: https://contributor-covenant.org +[version]: https://contributor-covenant.org/version/1/4/ diff --git a/README.md b/README.md index 2a51b156d5..a5a389c9d1 100644 --- a/README.md +++ b/README.md @@ -108,6 +108,6 @@ extra('wtp.EclipseWtpFormatterStep') +'{{yes}} | {{yes}} - Thanks to Gábor Bernát for improvements to logging and multi-project support. - Thanks to Andrew Oberstar for improvements to formatting java source in non-java source sets. [PR #60](https://github.com/diffplug/spotless/pull/60). - Import ordering from [EclipseCodeFormatter](https://github.com/krasa/EclipseCodeFormatter). -- Built by [gradle](http://gradle.org/). -- Tested by [junit](http://junit.org/). -- Maintained by [DiffPlug](http://www.diffplug.com/). +- Built by [gradle](https://gradle.org/). +- Tested by [junit](https://junit.org/). +- Maintained by [DiffPlug](https://www.diffplug.com/). diff --git a/gradle/java-publish.gradle b/gradle/java-publish.gradle index 29beac4452..4441e894db 100644 --- a/gradle/java-publish.gradle +++ b/gradle/java-publish.gradle @@ -20,7 +20,7 @@ javadoc { // use markdown in javadoc def makeLink = { url, text -> "${text}" } def javadocInfo = '

' + makeLink("https://github.com/${org}/${name}", "${group}:${project.ext.artifactId}:${ext.version}") + - ' by ' + makeLink('http://www.diffplug.com', 'DiffPlug') + '

' + ' by ' + makeLink('https://www.diffplug.com', 'DiffPlug') + '' String version_str = ext.version.endsWith('-SNAPSHOT') ? 'snapshot' : ext.version apply plugin: 'ch.raffael.pegdown-doclet' @@ -95,7 +95,7 @@ model { licenses { license { name 'The Apache Software License, Version 2.0' - url 'http://www.apache.org/license/LICENSE-2.0.txt' + url 'https://www.apache.org/license/LICENSE-2.0.txt' distribution 'repo' } } diff --git a/plugin-gradle/README.md b/plugin-gradle/README.md index 4dc3c0870f..946610deda 100644 --- a/plugin-gradle/README.md +++ b/plugin-gradle/README.md @@ -3,7 +3,7 @@ [![Gradle plugin](https://img.shields.io/badge/plugins.gradle.org-com.diffplug.gradle.spotless-blue.svg)](https://plugins.gradle.org/plugin/com.diffplug.gradle.spotless) -[![Maven central](https://img.shields.io/badge/mavencentral-com.diffplug.gradle.spotless%3Aspotless-blue.svg)](http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.diffplug.spotless%22%20AND%20a%3A%22spotless-plugin-gradle%22) +[![Maven central](https://img.shields.io/badge/mavencentral-com.diffplug.gradle.spotless%3Aspotless-blue.svg)](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.diffplug.spotless%22%20AND%20a%3A%22spotless-plugin-gradle%22) [![Javadoc](https://img.shields.io/badge/javadoc-3.18.0-blue.svg)](https://diffplug.github.io/spotless/javadoc/spotless-plugin-gradle/3.18.0/) [![Changelog](https://img.shields.io/badge/changelog-3.19.0--SNAPSHOT-brightgreen.svg)](CHANGES.md) diff --git a/plugin-maven/README.md b/plugin-maven/README.md index 220c943686..24354e2ede 100644 --- a/plugin-maven/README.md +++ b/plugin-maven/README.md 
@@ -2,7 +2,7 @@ -[![Maven central](https://img.shields.io/badge/mavencentral-com.diffplug.spotless%3Aspotless--maven--plugin-blue.svg)](http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.diffplug.spotless%22%20AND%20a%3A%22spotless-maven-plugin%22) +[![Maven central](https://img.shields.io/badge/mavencentral-com.diffplug.spotless%3Aspotless--maven--plugin-blue.svg)](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.diffplug.spotless%22%20AND%20a%3A%22spotless-maven-plugin%22) [![Javadoc](https://img.shields.io/badge/javadoc-1.18.0-blue.svg)](https://diffplug.github.io/spotless/javadoc/spotless-maven-plugin/1.18.0/) [![Changelog](https://img.shields.io/badge/changelog-1.18.0-brightgreen.svg)](CHANGES.md) @@ -52,7 +52,7 @@ cmd> mvn spotless:check ... ``` -To use it in your pom, just [add the Spotless dependency](http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.diffplug.spotless%22%20AND%20a%3A%22spotless-maven-plugin%22), and configure it like so: +To use it in your pom, just [add the Spotless dependency](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.diffplug.spotless%22%20AND%20a%3A%22spotless-maven-plugin%22), and configure it like so: ```xml diff --git a/plugin-maven/build.gradle b/plugin-maven/build.gradle index 0be27cfdf4..d95d429d43 100644 --- a/plugin-maven/build.gradle +++ b/plugin-maven/build.gradle @@ -15,7 +15,7 @@ visteg { nodeShape = 'box' startNodeShape = 'box' endNodeShape = 'box' - colorscheme = 'pastel24' // http://www.graphviz.org/doc/info/colors.html + colorscheme = 'pastel24' // https://www.graphviz.org/doc/info/colors.html } import com.github.mustachejava.DefaultMustacheFactory From b2e61c3197a90becd1375b45549e910ac869aa29 Mon Sep 17 00:00:00 2001 
From: Ned Twigg Date: Fri, 15 Feb 2019 15:22:28 -0800 Subject: [PATCH 3/8] Bump eclipse bundled deps to https. Doesn't work yet beacuse http://dist.springsource.org/ doesn't support SSL. --- _ext/eclipse-cdt/build.gradle | 2 +- _ext/eclipse-groovy/build.gradle | 2 +- _ext/eclipse-wtp/build.gradle | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/_ext/eclipse-cdt/build.gradle b/_ext/eclipse-cdt/build.gradle index ce0ba79d5c..aad99affaa 100644 --- a/_ext/eclipse-cdt/build.gradle +++ b/_ext/eclipse-cdt/build.gradle @@ -3,7 +3,7 @@ ext { fvgh: [ name: 'Frank Vennemeyer', email: 'frankgh@zoho.com' ], ] - p2Repository = "http://download.eclipse.org/tools/cdt/releases/${VER_ECLIPSE_CDT}" + p2Repository = "https://download.eclipse.org/tools/cdt/releases/${VER_ECLIPSE_CDT}" p2Dependencies = [ 'org.eclipse.cdt.core':'+', // CodeFormatter and related diff --git a/_ext/eclipse-groovy/build.gradle b/_ext/eclipse-groovy/build.gradle index 82457aa79d..da07af6067 100644 --- a/_ext/eclipse-groovy/build.gradle +++ b/_ext/eclipse-groovy/build.gradle @@ -3,7 +3,7 @@ ext { fvgh: [ name: 'Frank Vennemeyer', email: 'frankgh@zoho.com' ], ] - p2Repository = "http://dist.springsource.org/release/GRECLIPSE/e${VER_ECLIPSE}" + p2Repository = "https://dist.springsource.org/release/GRECLIPSE/e${VER_ECLIPSE}" p2Dependencies = [ 'org.codehaus.groovy.eclipse.refactoring':'+', // GroovyFormatter and related diff --git a/_ext/eclipse-wtp/build.gradle b/_ext/eclipse-wtp/build.gradle index 7dba01caf4..dbaffd5144 100644 --- a/_ext/eclipse-wtp/build.gradle +++ b/_ext/eclipse-wtp/build.gradle @@ -3,7 +3,7 @@ ext { fvgh: [ name: 'Frank Vennemeyer', email: 'frankgh@zoho.com' ], ] - p2Repository = "http://download.eclipse.org/webtools/repository/${VER_ECLIPSE_WTP}" + p2Repository = "https://download.eclipse.org/webtools/repository/${VER_ECLIPSE_WTP}" p2Dependencies = [ // XML/HTML Formatter - Dependencies From 316536b2c7bafc59102191035f5dc38f1ff699d5 Mon Sep 17 00:00:00 2001 
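Review bot: Moving `p2Repository` in _ext/eclipse-cdt/build.gradle to `https://download.eclipse.org/...` authenticates the server but not the artifacts it serves, so the fat-jar is still only as trustworthy as the host and anyone with write access to it. p2 artifact repositories carry per-artifact checksums in their metadata and Eclipse release jars are normally signed, but I cannot tell from this hunk whether the goomph `p2AsMaven` resolution verifies either; if it does not, the downloaded jars should be checked (or their hashes recorded next to the lockfile) before they are bundled and republished. The `p2Dependencies` entries use the `'+'` version wildcard, so what gets bundled is whatever the release site currently serves for `${VER_ECLIPSE_CDT}`; a comment such as `// '+' resolves against the pinned ${VER_ECLIPSE_CDT} site; re-verify bundled versions when VER_ECLIPSE_CDT changes` would make that dependency explicit. The `ext { ... }` block starts before and continues past this hunk.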
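Review bot: The new `p2Repository = "https://dist.springsource.org/release/GRECLIPSE/e${VER_ECLIPSE}"` in _ext/eclipse-groovy/build.gradle points at a host that the commit message itself says does not support SSL, so as committed the eclipse-groovy fat-jar build cannot resolve its update site. Confirm that the p2 resolver fails closed on the TLS error rather than retrying over plain `http` — I cannot tell from this hunk which behaviour goomph has, and a silent downgrade would make the change look fixed while leaving the original issue (#360) in place. Until a TLS-capable source for GRECLIPSE exists, leave a note on the line so nobody "fixes" the build by reverting it, e.g. `// dist.springsource.org has no TLS as of Feb 2019 (#360): build is expected to fail here, do not fall back to http`. The `ext { ... }` block starts before and continues past this hunk.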
From: Ned Twigg Date: Mon, 25 Feb 2019 13:05:45 -0800 Subject: [PATCH 4/8] Fix URL to Apache-2.0 license. --- gradle/java-publish.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle/java-publish.gradle b/gradle/java-publish.gradle index 4441e894db..411a25dd2e 100644 --- a/gradle/java-publish.gradle +++ b/gradle/java-publish.gradle @@ -95,7 +95,7 @@ model { licenses { license { name 'The Apache Software License, Version 2.0' - url 'https://www.apache.org/license/LICENSE-2.0.txt' + url 'https://www.apache.org/licenses/LICENSE-2.0.txt' distribution 'repo' } } From f82e6dbdfc9ee081938860afeb3054a7edb10ce5 Mon Sep 17 00:00:00 2001 From: Ned Twigg Date: Mon, 25 Feb 2019 13:21:15 -0800 Subject: [PATCH 5/8] Publish bugfix releases of every ext-* with https fix. --- _ext/eclipse-cdt/gradle.properties | 2 +- _ext/eclipse-groovy/gradle.properties | 2 +- _ext/eclipse-wtp/gradle.properties | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/_ext/eclipse-cdt/gradle.properties b/_ext/eclipse-cdt/gradle.properties index f27e7e1229..3356e79b7c 100644 --- a/_ext/eclipse-cdt/gradle.properties +++ b/_ext/eclipse-cdt/gradle.properties @@ -1,7 +1,7 @@ # Versions correspond to the Eclipse-CDT version used for the fat-JAR. # See https://www.eclipse.org/cdt/ for further information about Eclipse-CDT versions. # Patch version can be incremented independently for backward compatible patches of this library. -ext_version=9.4.4 +ext_version=9.4.5 ext_artifactId=spotless-eclipse-cdt ext_description=Eclipse's CDT C/C++ formatter bundled for Spotless ext_org=diffplug diff --git a/_ext/eclipse-groovy/gradle.properties b/_ext/eclipse-groovy/gradle.properties index ebe1b81a1d..a9b91fbca4 100644 --- a/_ext/eclipse-groovy/gradle.properties +++ b/_ext/eclipse-groovy/gradle.properties 
@@ -1,7 +1,7 @@ # Versions correspond to the Groovy-Eclipse version used for the fat-JAR. # See https://github.com/groovy/groovy-eclipse/releases for further information about Groovy-Eclipse versions. # Patch version can be incremented independently for backward compatible patches of this library. -ext_version=3.0.0 +ext_version=3.0.1 ext_artifactId=spotless-eclipse-groovy ext_description=Groovy Eclipse's formatter bundled for Spotless diff --git a/_ext/eclipse-wtp/gradle.properties b/_ext/eclipse-wtp/gradle.properties index 51032d6fab..63ca34379d 100644 --- a/_ext/eclipse-wtp/gradle.properties +++ b/_ext/eclipse-wtp/gradle.properties @@ -1,7 +1,7 @@ # Versions correspond to the Eclipse-WTP version used for the fat-JAR. # See https://www.eclipse.org/webtools/ for further information about Eclipse-WTP versions. # Patch version can be incremented independently for backward compatible patches of this library. -ext_version=3.10.0 +ext_version=3.9.7 ext_artifactId=spotless-eclipse-wtp ext_description=Eclipse's WTP formatters bundled for Spotless From b68b6761a93cdf5aa6e249ba444ae9981deab80c Mon Sep 17 00:00:00 2001 From: Ned Twigg Date: Mon, 25 Feb 2019 13:26:46 -0800 Subject: [PATCH 6/8] Update eclipse-wtp changelog. --- _ext/eclipse-wtp/CHANGES.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/_ext/eclipse-wtp/CHANGES.md b/_ext/eclipse-wtp/CHANGES.md index fd728d3864..9c2ae26909 100644 --- a/_ext/eclipse-wtp/CHANGES.md +++ b/_ext/eclipse-wtp/CHANGES.md @@ -2,6 +2,10 @@ ### Versioni 3.10.0 - TBD +### Version 3.9.7 - February 25th 2018 ([artifact]([jcenter](https://bintray.com/diffplug/opensource/spotless-eclipse-wtp))) + +* Replaced `http` update-site with `https` ([#360](https://github.com/diffplug/spotless/issues/360)). + ### Version 3.9.6 - February 10th 2018 ([artifact]([jcenter](https://bintray.com/diffplug/opensource/spotless-eclipse-wtp))) * Fixed formatting of JSON arrays ([#344](https://github.com/diffplug/spotless/issues/344)). 
From 034a305044b55f3b064c2f1bce341507f41312d9 Mon Sep 17 00:00:00 2001 From: Ned Twigg Date: Mon, 25 Feb 2019 13:27:34 -0800 Subject: [PATCH 7/8] Update all lockfiles which referenced http-vulnerable artifacts to the https artifacts. --- .../spotless/extra/eclipse_cdt_formatter/v4.7.3a.lockfile | 2 +- .../spotless/extra/eclipse_wtp_formatters/v4.7.3a.lockfile | 2 +- .../spotless/extra/groovy_eclipse_formatter/v4.8.1.lockfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_cdt_formatter/v4.7.3a.lockfile b/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_cdt_formatter/v4.7.3a.lockfile index 52123a00c9..aa6e1d4bcf 100644 --- a/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_cdt_formatter/v4.7.3a.lockfile +++ b/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_cdt_formatter/v4.7.3a.lockfile @@ -1,5 +1,5 @@ # Spotless formatter based on CDT version 9.4.3 (see https://www.eclipse.org/cdt/) -com.diffplug.spotless:spotless-eclipse-cdt:9.4.4 +com.diffplug.spotless:spotless-eclipse-cdt:9.4.5 com.diffplug.spotless:spotless-eclipse-base:3.0.0 com.google.code.findbugs:annotations:3.0.0 com.google.code.findbugs:jsr305:3.0.0 diff --git a/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_wtp_formatters/v4.7.3a.lockfile b/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_wtp_formatters/v4.7.3a.lockfile index 4af0a2e8ad..324c9a8581 100644 --- a/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_wtp_formatters/v4.7.3a.lockfile +++ b/lib-extra/src/main/resources/com/diffplug/spotless/extra/eclipse_wtp_formatters/v4.7.3a.lockfile 
@@ -1,5 +1,5 @@ # Spotless formatter based on Eclipse-WTP version 3.9.5 (see https://www.eclipse.org/webtools/) -com.diffplug.spotless:spotless-eclipse-wtp:3.9.6 +com.diffplug.spotless:spotless-eclipse-wtp:3.9.7 com.diffplug.spotless:spotless-eclipse-base:3.0.0 com.google.code.findbugs:annotations:3.0.0 com.google.code.findbugs:jsr305:3.0.0 diff --git a/lib-extra/src/main/resources/com/diffplug/spotless/extra/groovy_eclipse_formatter/v4.8.1.lockfile b/lib-extra/src/main/resources/com/diffplug/spotless/extra/groovy_eclipse_formatter/v4.8.1.lockfile index 952bcd326b..51339f60c4 100644 --- a/lib-extra/src/main/resources/com/diffplug/spotless/extra/groovy_eclipse_formatter/v4.8.1.lockfile +++ b/lib-extra/src/main/resources/com/diffplug/spotless/extra/groovy_eclipse_formatter/v4.8.1.lockfile @@ -1,5 +1,5 @@ # Spotless formatter based on Groovy-Eclipse version 3.0.0 (see https://github.com/groovy/groovy-eclipse/releases) -com.diffplug.spotless:spotless-eclipse-groovy:3.0.0 +com.diffplug.spotless:spotless-eclipse-groovy:3.0.1 com.diffplug.spotless:spotless-eclipse-base:3.0.0 com.google.code.findbugs:annotations:3.0.0 com.google.code.findbugs:jsr305:3.0.0 From ecc7816b04fbbf8bc3ab0ba3f9d4d4bc26a272ad Mon Sep 17 00:00:00 2001 From: Ned Twigg Date: Mon, 25 Feb 2019 14:11:33 -0800 Subject: [PATCH 8/8] Update changelog with description of the security fixes. --- CHANGES.md | 2 ++ plugin-gradle/CHANGES.md | 2 ++ plugin-maven/CHANGES.md | 2 ++ 3 files changed, 6 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 79b0afb4c5..485edc3139 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -9,6 +9,8 @@ You might be looking for: **WARNING: xml formatter in this version may be vulnerable to XXE attacks (see [#358](https://github.com/diffplug/spotless/issues/358)).** +* Security fix: Updated groovy, c/c++, and eclipse WTP formatters so that they download their source jars securely using `https` rather than `http` ([#360](https://github.com/diffplug/spotless/issues/360)). + ### Version 1.18.0 - February 11th 2018 (javadoc [lib](https://diffplug.github.io/spotless/javadoc/spotless-lib/1.18.0/) [lib-extra](https://diffplug.github.io/spotless/javadoc/spotless-lib-extra/1.18.0/), artifact [lib]([jcenter](https://bintray.com/diffplug/opensource/spotless-lib), [lib-extra]([jcenter](https://bintray.com/diffplug/opensource/spotless-lib-extra))) **WARNING: xml formatter in this version may be vulnerable to XXE attacks (see [#358](https://github.com/diffplug/spotless/issues/358)).** diff --git a/plugin-gradle/CHANGES.md b/plugin-gradle/CHANGES.md index c944b45296..61755c4670 100644 --- a/plugin-gradle/CHANGES.md +++ b/plugin-gradle/CHANGES.md @@ -4,6 +4,8 @@ **WARNING: xml formatter in this version may be vulnerable to XXE attacks (see [#358](https://github.com/diffplug/spotless/issues/358)).** +* Security fix: Updated groovy, c/c++, and eclipse WTP formatters so that they download their source jars securely using `https` rather than `http` ([#360](https://github.com/diffplug/spotless/issues/360)). + ### Version 3.18.0 - February 11th 2018 ([javadoc](https://diffplug.github.io/spotless/javadoc/spotless-plugin-gradle/3.18.0/), [jcenter](https://bintray.com/diffplug/opensource/spotless-plugin-gradle/3.18.0)) **WARNING: xml formatter in this version may be vulnerable to XXE attacks (see [#358](https://github.com/diffplug/spotless/issues/358)).** diff --git a/plugin-maven/CHANGES.md b/plugin-maven/CHANGES.md index a1d5923286..0c6ea03c52 100644 --- a/plugin-maven/CHANGES.md +++ b/plugin-maven/CHANGES.md 
@@ -4,6 +4,8 @@ **WARNING: xml formatter in this version may be vulnerable to XXE attacks (see [#358](https://github.com/diffplug/spotless/issues/358)).** +* Security fix: Updated groovy, c/c++, and eclipse WTP formatters so that they download their source jars securely using `https` rather than `http` ([#360](https://github.com/diffplug/spotless/issues/360)). + ### Version 1.18.0 - February 11th 2018 ([javadoc](https://diffplug.github.io/spotless/javadoc/spotless-maven-plugin/1.18.0/), [jcenter](https://bintray.com/diffplug/opensource/spotless-maven-plugin/1.18.0)) **WARNING: xml formatter in this version may be vulnerable to XXE attacks (see [#358](https://github.com/diffplug/spotless/issues/358)).**