Any additional statements after the statement that is expected to
throw will never be executed in a passing test. This can lead to
inappropriately passing tests where later incorrect assertions are
skipped by the thrown exception. See [1] for examples.
There are no cases of this in the code base, but by enabling the
checker with severity ERROR we can ensure that we don't overlook
any future misuse of ExpectedException.
[1] http://errorprone.info/bugpattern/ExpectedExceptionChecker
Change-Id: I266d4f73f6075bfc1e39fa3d8aee7dee96db61b9
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>

The same errors are suppressed when generating javadoc.
Suppress the errors during site generation.
Change-Id: I83bd1c10e5de82f47c351e7edf2c9230be4b1f21
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>

Zip Slip [1] is an arbitrary file write generic vulnerability that can
be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war)
archive that holds path traversal filenames.
According to Maven's announcement [2] several plugins use plexus-archiver to
unpack dependencies to disk and have been identified as potential triggers
for exposing the vulnerability.
Of those, JGit uses the maven-dependency-plugin and the maven-javadoc-plugin.
Update them to the fixed versions reported in [2].
See the corresponding issues for the maven-dependency-plugin [3] and the
maven-javadoc-plugin [4] for details.
[1] https://snyk.io/research/zip-slip-vulnerability
[2] https://maven.apache.org/security-plexus-archiver.html
[3] https://issues.apache.org/jira/browse/MDEP-611
[4] https://issues.apache.org/jira/browse/MJAVADOC-520
Change-Id: Id3ab2d6161db240f2ab8f82298fa3ecd7a930a43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>

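Added example (not code from the commit above, from JGit, or from plexus-archiver) of the check that defeats a Zip Slip entry: each archive entry's name is resolved against the destination directory and normalized, and any entry whose path escapes that directory is rejected rather than written. The class name and the two-entry sample archive are constructed for the illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;

public class ZipSlipSafeExtract {
    // Extracts the archive into dest and returns the names of entries that
    // were rejected because their path escaped the destination directory.
    static List<String> extract(InputStream in, Path dest) throws IOException {
        Path root = dest.toAbsolutePath().normalize();
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zip.getNextEntry()) != null) {
                // Resolve the entry name against root and collapse any "..";
                // a result that no longer starts with root is a traversal.
                Path target = root.resolve(e.getName()).normalize();
                if (!target.startsWith(root)) {
                    rejected.add(e.getName());
                    continue;
                }
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zip, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry, one Zip Slip entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("ok.txt"));
            out.write("fine".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
            out.putNextEntry(new ZipEntry("../../escaped.txt"));
            out.write("should never be written".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        Path dest = Files.createTempDirectory("zipslip-demo");
        List<String> rejected = extract(new ByteArrayInputStream(buf.toByteArray()), dest);
        System.out.println("extracted into " + dest + ", rejected entries: " + rejected);
    }
}
```

Path.startsWith compares whole path components, so a destination of /tmp/out does not accept an entry resolving to /tmp/outside; a plain string prefix check would.
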
Found instructions for configuring maven-compiler-plugin with ecj in
[1]. Verified that ecj run in this way raises build errors when executed
on commit d3ef5213.
Define profiles "ecj" for using the Eclipse compiler and "javac" for using
javac including errorprone. By default ecj will be used.
use ecj:
$ mvn -Pecj clean install
use javac:
$ mvn -Pjavac clean install
TODO: find out how to run ecj with errorprone from Maven.
[1] https://stackoverflow.com/questions/33164976/using-eclipse-java-compiler-ecj-in-maven-builds
Change-Id: I716b603b57612b953e603387c82fd01eb1b5ca97
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>

and plexus-compiler-javac-errorprone to 2.8.4.
Change-Id: I36487ce53e70b54d7a04292e666540224c107b43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>

The upgrade was already done 3 weeks ago; this version number was
missing, however.
Change-Id: Ibc794ba8035c46ea2160925b344ded5714b7c987
Signed-off-by: Michael Keppler <Michael.Keppler@gmx.de>

Also update xz to 1.6 as this is the version commons-compress 1.15
wants. Since xz 1.6 is an optional dependency for commons-compress we
need to add a non-optional dependency to xz for
org.eclipse.jgit.pgm.test since one of the tests explicitly requires xz.
Related change adding commons-compress to Orbit:
https://git.eclipse.org/r/#/c/115366/
CQ: 15356
CQ: 15360
Change-Id: I0d61c71bc541cc30464a0fff93775b079dd3ba88
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>