Comments (4)
The last two points of this issue were done in e92d319 (shipped in version 0.3).
from echosvg.
KeenWrite uses SpotBugs and OWASP, which may also prove useful for EchoSVG.
```groovy
buildscript {
  repositories {
    mavenCentral()
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath 'org.owasp:dependency-check-gradle:8.2.1'
    classpath "com.github.spotbugs.snom:spotbugs-gradle-plugin:5.0.14"
  }
}

plugins {
  // ...
  id "com.github.spotbugs" version "5.0.14"
}

spotbugs {
  excludeFilter.set(
    file("${projectDir}/bug-filter.xml")
  )
}

apply plugin: 'org.owasp.dependencycheck'
```
This allows the build to fail for any issues raised by SpotBugs. Tweaking the bug-filter.xml file provides fine-grained control over what issues to ignore.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
  <Match>
    <Or>
      <Bug code="EI, EI2" />
    </Or>
  </Match>
  <Match class="com.keenwrite.preview.HighQualityRenderingHints">
    <Method name="initializeRenderingHints" />
    <Bug code="WMI" />
  </Match>
  <Match class="com.keenwrite.processors.HtmlPreviewProcessor">
    <Method name="<init>" />
    <Bug code="ST" />
  </Match>
</FindBugsFilter>
```
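To see what a `bug-filter.xml` like the one above actually suppresses, here is an added example (not code from the issue, KeenWrite or EchoSVG) that applies a FindBugsFilter to a SpotBugs XML report and returns the findings that survive, which is the set a `spotbugsMain` task would fail on. It supports only the constructs used in the comment (`Match` with a `class` attribute, `Bug code`, `Class`, `Method`, `Or`), not regex `~` patterns or `Not`/`And`; both the filter and the report below are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed exclude filter in the FindBugsFilter format shown above.
FILTER_XML = """<FindBugsFilter>
  <Match><Or><Bug code="EI, EI2"/></Or></Match>
  <Match class="com.example.Hints">
    <Method name="init"/>
    <Bug code="WMI"/>
  </Match>
</FindBugsFilter>"""

# Constructed report in the shape SpotBugs emits: one BugInstance per finding,
# carrying the pattern type and its abbreviation (what <Bug code> matches on).
REPORT_XML = """<BugCollection>
  <BugInstance type="EI_EXPOSE_REP" abbrev="EI"><Class classname="com.example.A"/><Method name="getX"/></BugInstance>
  <BugInstance type="WMI_WRONG_MAP_ITERATOR" abbrev="WMI"><Class classname="com.example.Hints"/><Method name="init"/></BugInstance>
  <BugInstance type="WMI_WRONG_MAP_ITERATOR" abbrev="WMI"><Class classname="com.example.Hints"/><Method name="other"/></BugInstance>
  <BugInstance type="DMI_CONSTANT_DB_PASSWORD" abbrev="DMI"><Class classname="com.example.Dao"/><Method name="find"/></BugInstance>
</BugCollection>"""

def _criterion(elem, bug):
    """Evaluate one filter element against a (abbrev, classname, method) triple."""
    if elem.tag == "Bug":   # comma-separated list of pattern abbreviations
        return bug[0] in {c.strip() for c in elem.get("code", "").split(",")}
    if elem.tag == "Class":
        return elem.get("name") == bug[1]
    if elem.tag == "Method":
        return elem.get("name") == bug[2]
    if elem.tag == "Or":
        return any(_criterion(c, bug) for c in elem)
    return False  # unsupported criterion: never suppress on it

def _match(match, bug):
    # A <Match> suppresses only if its class attribute (when present) and
    # every child criterion hold, i.e. the children are ANDed together.
    cls = match.get("class")
    if cls is not None and cls != bug[1]:
        return False
    return all(_criterion(c, bug) for c in match)

def unsuppressed(report_xml, filter_xml):
    """Return (type, classname, method) for every finding the filter does not exclude."""
    matches = ET.fromstring(filter_xml).findall("Match")
    remaining = []
    for bi in ET.fromstring(report_xml).findall("BugInstance"):
        bug = (bi.get("abbrev"), bi.find("Class").get("classname"), bi.find("Method").get("name"))
        if not any(_match(m, bug) for m in matches):
            remaining.append((bi.get("type"),) + bug[1:])
    return remaining

if __name__ == "__main__":
    for kind, cls, method in unsuppressed(REPORT_XML, FILTER_XML):
        print(f"{kind} in {cls}.{method}")
```

Note that the second `WMI` finding survives because the `Match` names only the `init` method; widening that `Match` to the whole class is what silences it, which is exactly the granularity decision the comment refers to.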
Thanks for the suggestion, Dave: I just committed the support for the org.owasp.dependencycheck plugin (although @dependabot already provides much of that functionality). However, I don't think that I'll do the same with the SpotBugs plugin because it adds a maintenance burden (even for people that may contribute PRs in the future).
I run SpotBugs from the Eclipse IDE and already fixed a number of the issues found by it, but there are still several non-security issues that SpotBugs is reporting. Given that this project already runs a CodeQL scan for every commit (apart from periodic runs), I don't think that adding a SpotBugs task would be worth the effort.
I can't close tickets; feel free to close.
This is basically a meta-issue about security, I'm keeping it open.