Bz 62324

2018-06-08 Thread Gintautas Grigelionis
I was advised to solicit opinions regarding the change introduced as a fix
for the abovementioned issue. It concerns how an event that has both a
message and an exception is logged.

Namely, a stack trace of the exception is logged (in debug mode only)
without any separator from the preceding message. While it seems that the
idea is that the stack trace should be presented as a continuation of the
message, IMO it would require a specially formatted message or, well, some
separator to be visually consistent.

So the question is whether there is a better solution than the one currently
proposed?

Thanks,
Gintas


Re: Tooling update

2018-06-08 Thread Stefan Bodewig
On 2018-06-08, Gintautas Grigelionis wrote:

> Then I was surprised that Dependency Check indicates that the latest
> XZ 1.8 has a vulnerability: should we ask them to investigate?

That's a false positive.

https://www.cvedetails.com/cve/CVE-2015-4035/ applies to the command
line tooling and is not related to XZ for Java at all.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org
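Once a hit has been confirmed as a CPE mismatch, as above, the usual way to keep it from reappearing in every build is a Dependency Check suppression file. The fragment below is an added example, not something from this thread or from the Ant build; it assumes the 1.1 suppression schema and a file named dependency-check-suppressions.xml that is passed to the task via its suppressionFile attribute. It suppresses the CPE that was wrongly assigned to the Java artifact rather than the single CVE, since the root cause is that org.tukaani:xz was matched to cpe:/a:tukaani:xz, which is the command-line tooling; suppressing only CVE-2015-4035 would leave every future xz-utils CVE to resurface the same way.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the Ant build: assumed file name
     dependency-check-suppressions.xml, referenced from the Ant task as
     <dependency-check ... suppressionFile="dependency-check-suppressions.xml"/> -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: org.tukaani:xz (XZ for Java) is matched to cpe:/a:tukaani:xz,
        which covers the xz-utils command line tooling. CVE-2015-4035 is in xzgrep,
        not in the Java library. Suppress the CPE, not just the CVE, so later
        xz-utils advisories do not re-trigger on this artifact.
        ]]></notes>
        <!-- Regex so the suppression survives a version bump of the jar. -->
        <gav regex="true">^org\.tukaani:xz:.*$</gav>
        <cpe>cpe:/a:tukaani:xz</cpe>
    </suppress>
</suppressions>
```

Two caveats a reviewer will want stated in the notes block: a CPE suppression is permanent for that artifact, so if a vulnerability is ever published against the Java port under the same CPE it will be hidden too, and the suppression should only be added after someone has actually read the advisory (as was done here), not merely because the build went red.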



Tooling update

2018-06-08 Thread Gintautas Grigelionis
I took the liberty to sync QA tools among Ant, Ivy and IvyDE.
A couple of notes: Ant 1.10 having a Java 8 baseline permits migration
from FindBugs to SpotBugs; I decided to do it now rather than wait for
dependency issues [1] to be resolved. Then I was surprised that
Dependency Check indicates that the latest XZ 1.8 has a vulnerability:
should we ask them to investigate?

Gintas

[1] https://github.com/spotbugs/spotbugs/issues/655

P.S. Here's the complete Dependency Check report:

[owasp:dependency-check] bsh-core-2.0b4.jar (org.beanshell:bsh-core:2.0b4, cpe:/a:beanshell_project:beanshell:2.0.b4) : CVE-2016-2510
[owasp:dependency-check] jruby-1.6.8.jar (cpe:/a:jruby:jruby:1.6.8, org.jruby:jruby:1.6.8) : CVE-2012-5370
[owasp:dependency-check] jython-2.7.0.jar (org.python:jython:2.7.0, cpe:/a:jython_project:jython:2.7.0) : CVE-2016-4000
[owasp:dependency-check] xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035
[owasp:dependency-check] jruby-1.6.8.jar/META-INF/maven/org.jruby.ext.posix/jnr-posix/pom.xml (org.jruby.ext.posix:jnr-posix:1.1.9, cpe:/a:jruby:jruby:1.1.9) : CVE-2010-1330, CVE-2011-4838, CVE-2012-5370