Gradle RAT: Add plainOutput, xmlOutput and htmlOutput options#2
That's an extremely expensive requirement for large code bases. We've seen with the RAT/gradle integration that the Samza team uses that it's definitely possible to generate multiple outputs from one run.
The plugin uses the report ant task that runs rat and produces a single output.
plainOutput = true triggers a rat run and outputs a plain text report.
xmlOutput = true triggers a rat run and outputs an XML report.
htmlOutput = true triggers xmlOutput and applies an XSL transform to the XML output to produce an HTML report.
Defaults are respectively false, true, true.
If you only need the plain text output, set all of these to their opposite.
However, it could be possible to get all reports with a single rat run by rewriting the plugin to use the RAT api directly. Or should we propose an enhancement for rat ant tasks?
This is now 3 years old, closing as outdated
…e labels Answers Claudenw's review note (does apache#679 impact the XXE data-flow line?): the §5a/§8 text already records that RAT disables external entities + the apache#679 DOCTYPE hardening, but the data-flow diagram and the input/residual tables still labelled XXE a bare "surface". Annotate those three labels with the mitigation so the diagram is consistent with §5a/§8 apache#2. Generated-by: Claude Opus 4.8 (1M context)
Consistency with THREAT_MODEL.md (§5a / §8 apache#2): since RAT-560 (apache#679) RAT builds XML parsers via the hardened StandardXmlFactory (DOCTYPE + external entities disabled), so XXE is actively prevented. Lead with that; keep the operator-trusted-config argument as defense-in-depth. Generated-by: Claude Opus 4.8 (1M context)
As requested in RAT-163, this pull request contains changes to add RAT plain text output support.
BTW, xml & html output are now optional.