nidi3 / graphviz-java

Use graphviz with pure java
Apache License 2.0

Make code-assert a test dependency #198

Open sirocchj opened 3 years ago

sirocchj commented 3 years ago

code-assert is using checkstyle:6.19 that pulls in commons-beanutils:1.9.2, which is subject to CVE-2019-10086 (see also here).

While this addresses the issue in code-assert, I believe this dependency should not be scoped to compile in graphviz-java to begin with, unless I am missing something.
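
An added example, not part of the original comment or of graphviz-java's code: it parses `mvn dependency:tree` text output and reports through which path and scope the commons-beanutils 1.9.2 named above is reached, and whether that scope is passed on to consumers. The tree is constructed, and the versions marked EXAMPLE are placeholders.

```python
import re

# Constructed `mvn dependency:tree` output. Versions marked EXAMPLE are placeholders;
# checkstyle 6.19 and commons-beanutils 1.9.2 are the versions named in the PR.
SAMPLE_TREE = """\
[INFO] guru.nidi:graphviz-java:jar:0.0.0-EXAMPLE
[INFO] +- guru.nidi:code-assert:jar:0.0.0-EXAMPLE:compile
[INFO] |  +- com.puppycrawl.tools:checkstyle:jar:6.19:compile
[INFO] |  |  +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  |  \\- com.google.guava:guava:jar:0.0.0-EXAMPLE:compile
[INFO] \\- org.junit.jupiter:junit-jupiter-api:jar:0.0.0-EXAMPLE:test
"""

# Optional "[INFO] " prefix, 3-character indent units, optional "+- " or "\- " marker.
LINE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:[| ] {2})*)(?P<marker>[+\\]- )?(?P<coord>\S+)$")

# Scopes that Maven passes on to projects depending on the published artifact.
TRANSITIVE_SCOPES = {"compile", "runtime"}


def find_paths(tree_text, group, artifact, versions):
    """Return (scope, path) for each group:artifact node whose version is in versions."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        depth = len(m["indent"]) // 3 + (1 if m["marker"] else 0)
        # group:artifact:type[:classifier]:version:scope (the root has no scope)
        parts = m["coord"].split(":")
        del stack[depth:]                      # drop siblings and deeper nodes
        stack.append(":".join(parts[:2]))
        if depth and parts[:2] == [group, artifact] and parts[-2] in versions:
            hits.append((parts[-1], " -> ".join(stack)))
    return hits


def exposed_to_consumers(hits):
    """Keep only hits whose scope reaches projects that depend on this one."""
    return [hit for hit in hits if hit[0] in TRANSITIVE_SCOPES]


if __name__ == "__main__":
    found = find_paths(SAMPLE_TREE, "commons-beanutils", "commons-beanutils", {"1.9.2"})
    for scope, path in found:
        print(f"{scope}: {path}")
    print("reaches consumers:", bool(exposed_to_consumers(found)))
```
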

codecov-io commented 3 years ago

Codecov Report

Merging #198 (a0eeb74) into master (f0c1fdf) will decrease coverage by 0.15%. The diff coverage is n/a.


@@             Coverage Diff              @@
##             master     #198      +/-   ##
============================================
- Coverage     83.81%   83.66%   -0.16%     
+ Complexity     1279     1277       -2     
============================================
  Files           109      109              
  Lines          3813     3813              
  Branches        385      385              
============================================
- Hits           3196     3190       -6     
- Misses          402      408       +6     
  Partials        215      215              

| Impacted Files | Coverage Δ | Complexity Δ |
|---|---|---|
| ...n/java/guru/nidi/graphviz/service/SystemUtils.java | 50.00% <0.00%> (-13.16%) | 13.00% <0.00%> (-2.00%) |
| ...ru/nidi/graphviz/engine/GraphvizCmdLineEngine.java | 86.40% <0.00%> (-0.98%) | 30.00% <0.00%> (ø%) |


sirocchj commented 3 years ago

Hey @nidi3 what do you think about this? Does it make sense to you?