
RAT-440: Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924, CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959

Open guptas6est opened this issue 4 months ago • 7 comments

Summary

This PR upgrades Apache Doxia dependencies to version 2.0.0 to remediate several security vulnerabilities and improve the robustness of site report generation.

Fixed CVEs

Changes Made

  • Bumped Doxia-related dependencies to 2.0.0
  • Updated RatReportMojo.java to support the new xhtml5 parser and context structure in Doxia 2

Validation

  • Build and tests pass

guptas6est avatar Oct 09 '25 13:10 guptas6est

@guptas6est we are currently trying to create/prepare a release 0.17 of RAT. I'd like to postpone this change until afterwards as it changes the generation of the report.

Did you play with the report locally? Are there big layout changes? If so please file a ticket in RAT's Jira https://issues.apache.org/jira/projects/RAT/ and start a little discussion on the mailing list. Thanks for your help & contribution!

ottlinger avatar Oct 09 '25 19:10 ottlinger

@guptas6est due to the currently planned 0.17 release I would like to postpone merging this. Feel free to subscribe to our mailing list and start a discussion concerning the changes.

RAT-440 seems to go in the same direction as your PR.

Thanks

ottlinger avatar Oct 11 '25 09:10 ottlinger

@ottlinger Thanks for the update.

I’ve reviewed the site reports locally before and after the upgrade, and I can confirm there are no significant layout or styling differences. The structure and appearance remain consistent.

I'll hold off on this PR until after the 0.17 release as suggested. Also, I’ll take a look at RAT-440 and keep an eye on any discussions on the mailing list.

Thanks again!

guptas6est avatar Oct 14 '25 11:10 guptas6est

@guptas6est sry for the misunderstanding - I meant for you to start a discussion over at the ML as the report changes and its target name means a breaking change for users (if I read your changes correctly: report.html -> report.xhtml) - thx

ottlinger avatar Oct 14 '25 11:10 ottlinger

Thanks for the clarification, @ottlinger! You're absolutely right. The output file extension does change from report.html to report.xhtml. I'll start a discussion on the mailing list to highlight this change. Appreciate you pointing it out!

guptas6est avatar Oct 14 '25 11:10 guptas6est

@guptas6est my naive question would be: why can't we just keep the report.html? That's what I meant with how does the reporting change. This is not verified during the build but has massive impact on customers/users of RAT.

ottlinger avatar Oct 14 '25 12:10 ottlinger

@ottlinger Thanks for the review! I’ve pushed an update addressing your points:

I have reverted back to generating report.html and restored the legacy repo param and marked it @Deprecated to avoid breaking existing POMs; the new param is still used internally.

Skin handling: since the old default-skin path isn’t available in Doxia 2.x, I added a minimal fallback so builds don’t break when no skin is configured. I tried the “fail if no skin” route, but several ITs failed. I’m happy to follow up with a stricter change and adjust the ITs if that’s preferred.

Could you please take another look and let me know if this addresses your concerns?

guptas6est avatar Oct 14 '25 16:10 guptas6est

Hi @Claudenw , Thanks for the feedback. No, this change does not move the plugin entirely to Maven 4, it remains compatible with Maven 3. The main update here is to use Doxia 2.0.0 (with xhtml5 parser support) while keeping the rest of the build and APIs aligned with Maven 3. So yes, it should still work under both Maven 3 and Maven 4.

guptas6est avatar Nov 17 '25 14:11 guptas6est

@guptas6est how should I reference you in our Changelog? Thx

ottlinger avatar Dec 21 '25 22:12 ottlinger