FINOS - CVE and OpenSSF changes

Author: dschwartz-ftadvisory

README.md

@@ -6,7 +6,9 @@
 
 This repository creates a generator that will produce Python from a model developed using [Rune](https://github.com/finos/rune-dsl).  The generated Python relies upon the [RunePythonRuntime]() library.
 
-The generator supports creation of Python for the full Rune type syntax, and, as described in [EXPRESSION_SUPPORT.md](./EXPRESSION_SUPPORT.md), expression coverage is comprehensive.  The generator does not yet fully implement function generation.
+**Continuous Integration:** 
+
+*Rune Python Generator* - the generator supports creation of Python for the full Rune type syntax, and, as described in [EXPRESSION_SUPPORT.md](./EXPRESSION_SUPPORT.md), expression coverage is comprehensive.  The generator does not yet fully implement function generation.
 
 The Python package requires Python version 3.11+.
 
@@ -21,19 +23,50 @@ The Python package requires Python version 3.11+.
 - `build/build_cdm.sh` - used to create a Python package from code generated using CDM Rune definitions
 - `test` - Python unit tests and scripts to run the tests
 
-## Installation Steps
+## Development setup
+
+### Setup for developers
+This guide is meant for everyone who wants to contribute to the Rune Pyhton Generator and needs to get things up and running.
+
 Detailed build and testing instructions can be found in [BUILDANDTEST.md](./BUILDANDTEST.md)
 
-A quick overview follows:
+If this guide does not work for you, be sure to raise an issue. This way we can help you figure out what the problem is and update this guide to prevent the same problem for future users.
+
+### 1. Building with Maven
+Start by cloning the project: `git clone https://github.com/regnosys/rune-python-generator`
+
+Our project runs with Java 21. Make sure that your Maven also uses this version of Java by running `mvn -v`.
+
+To build the project, run `mvn clean install`.
 
-1. Make a local copy of this repo
-2. Build and test using Maven
-```
-cd rune-python-generator
-mvn -s clean install
-```
 All the tests should pass.
 
+### 2. Setting things up in Eclipse
+#### Install Eclipse IDE for Java and DSL Developers
+Install version `2025-06` of the "Eclipse IDE for Java and DSL Developers" using the [Eclipse Installer](https://www.eclipse.org/downloads/packages/installer). You might have to enable "Advanced Mode" in the settings of the Eclipse Installer to install a specific version.
+
+#### Configure Eclipse with the right version of Java
+Xtend files cannot be build with any Java version later than 21. In Eclipse, go to Settings... > Java > Installed JREs and make sure the checked JRE points to a Java version of 21.
+
+#### Install the Checkstyle plugin
+We use [Checkstyle](https://checkstyle.sourceforge.io/) for enforcing good coding practices. The Eclipse plugin for Checkstyle can be found here: [https://checkstyle.org/eclipse-cs/#!/](https://checkstyle.org/eclipse-cs/#!/).
+
+#### Open the project in Eclipse
+Go to Import... > Existing Maven Project, select the right folder, click Finish.
+
+### To Generate CDM from Rune
+
+Use this script to generated the Python version of CDM
+```sh
+build/build_cdm.sh
+```
+The script will use the CDM from the branch specified in the file (E.G. master) of the [FINOS Repo](https://github.com/finos/common-domain-model) and generate a wheel in the project directory `target/python-cdm`
+
+To use a different version of CDM, update CDM_VERSION in the script.
+
+## Roadmap
+
+The roadmap follows the roadmap for the [Rune-DSL](https://github.com/finos/rune-dsl/)
 
 ## Contributing
 For any questions, bugs or feature requests please open an [issue](https://github.com/regnosys/rune-python-generator/issues)
@@ -47,20 +80,15 @@ To submit a contribution:
 5. Push to the branch (`git push origin feature/fooBar`)
 6. Create a new Pull Request
 
-# To Generate CDM from Rune
+_NOTE:_ Commits and pull requests to FINOS repositories will only be accepted from those contributors with an active, executed Individual Contributor License Agreement (ICLA) with FINOS OR who are covered under an existing and active Corporate Contribution License Agreement (CCLA) executed with FINOS. Commits from individuals not covered under an ICLA or CCLA will be flagged and blocked by the FINOS Clabot tool (or EasyCLA). Please note that some CCLAs require individuals/employees to be explicitly named on the CCLA.
 
-Use this script to generated the Python version of CDM
-```sh
-build/build_cdm.sh
-```
-The script will use the CDM from the branch specified in the file (E.G. master) of the [FINOS Repo](https://github.com/finos/common-domain-model) and generate a wheel in the project directory `target/python-cdm`
+Unsure if you are covered under an existing CCLA? Email [email protected]*
 
-To use a different version of CDM, update CDM_VERSION in the script.
+## Get in touch with the Rune Python Generator Team
 
-## Contributors
-- [CLOUDRISK Limited](https://www.cloudrisk.uk), email: [email protected]
-- [FT Advisory LLC](https://www.ftadvisory.co), email: [email protected]
-- [TradeHeader SL](https://www.tradeheader.com), email: [email protected]
+ Get in touch with the Rune team by creating a [GitHub issue](https://github.com/REGnosys/rune-python-dsl/issues/new) and labelling it with "help wanted".
+
+ We encourage the community to get in touch via the [FINOS Slack](https://www.finos.org/blog/finos-announces-new-community-slack).
 
 ## Governance
 
@@ -73,3 +101,11 @@ Copyright 2023-2025 CLOUDRISK Limited and FT Advisory LLC
 Distributed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0).
 
 SPDX-License-Identifier: [Apache-2.0](https://spdx.org/licenses/Apache-2.0)
+
+## Contributors
+
+- [CLOUDRISK Limited](https://www.cloudrisk.uk), email: [email protected]
+- [FT Advisory LLC](https://www.ftadvisory.co), email: [email protected]
+- [TradeHeader SL](https://www.tradeheader.com), email: [email protected]
+
+SPDX-License-Identifier: [Apache-2.0](https://spdx.org/licenses/Apache-2.0)

allow-list.xml

@@ -1,112 +1,82 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom\.xml</filePath>
-        <cve>CVE-2023-24998</cve>
-        <cve>CVE-2016-3092</cve>
-        <cve>CVE-2016-1000031</cve>
-        <cve>CVE-2014-0050</cve>
-        <cve>CVE-2013-2186</cve>
-    </suppress>
-
-     <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/commons-io/commons-io/pom\.xml</filePath>
-        <cve>CVE-2021-29425</cve>
-    </suppress>
-
-     <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/org\.apache\.struts\.xwork/xwork-core/pom\.xml</filePath>
-        <cve>CVE-2013-1966</cve>
-        <cve>CVE-2016-4461</cve>
-        <cve>CVE-2013-1965</cve>
-        <cve>CVE-2016-2162</cve>
-        <cve>CVE-2013-2115</cve>
-        <cve>CVE-2014-0112</cve>
-        <cve>CVE-2019-0233</cve>
-        <cve>CVE-2017-9787</cve> 
-    </suppress>
-
-      <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/ognl/ognl/pom\.xml</filePath>
-        <cve>CVE-2016-3093</cve>
-    </suppress>
+<!--
+  ~ Copyright 2025 CLOUDRISK and FT Advisory LLC
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
 
-    <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0.0.1.jar/META-INF/maven/org.apache.struts/struts2-core/pom.xml</filePath>
-        <cve>CVE-2016-4461</cve>
-        <cve>CVE-2015-5209</cve>
-        <cve>CVE-2016-2162</cve>
-        <cve>CVE-2018-1327</cve>
-        <cve>CVE-2012-0394</cve>
-        <cve>CVE-2015-2992</cve>
-        <cve>CVE-2016-3093</cve>
-        <cve>CVE-2023-34396</cve>
-        <cve>CVE-2016-0785</cve>
-        <cve>CVE-2016-4003</cve>
-        <cve>CVE-2013-2248</cve>
-        <cve>CVE-2017-5638</cve>
-        <cve>CVE-2015-5169</cve>
-        <cve>CVE-2017-9793</cve>
-        <cve>CVE-2016-4430</cve>
-        <cve>CVE-2017-9791</cve>
-        <cve>CVE-2016-3081</cve>
-        <cve>CVE-2016-3082</cve>
-        <cve>CVE-2023-34149</cve>
-        <cve>CVE-2019-0230</cve>
-        <cve>CVE-2013-2134</cve>
-        <cve>CVE-2016-4436</cve>
-        <cve>CVE-2019-0233</cve>
-        <cve>CVE-2021-31805</cve>
-        <cve>CVE-2014-7809</cve>
-        <cve>CVE-2013-2135</cve>
-        <cve>CVE-2014-0116</cve>
-        <cve>CVE-2013-2251</cve>
-        <cve>CVE-2013-4310</cve>
-        <cve>CVE-2013-1966</cve>
-        <cve>CVE-2017-9804</cve>
-        <cve>CVE-2013-1965</cve>
-        <cve>CVE-2017-9805</cve>
-        <cve>CVE-2017-12611</cve>
-        <cve>CVE-2013-2115</cve>
-        <cve>CVE-2014-0113</cve>
-        <cve>CVE-2013-4316</cve>
-        <cve>CVE-2014-0112</cve>
-        <cve>CVE-2018-11776</cve>
-        <cve>CVE-2016-3090</cve>
-        <cve>CVE-2017-9787</cve>
-        <cve>CVE-2014-0094</cve>
-        <cve>CVE-2020-17530</cve>
-    </suppress>
-
- <suppress>
-   <notes><![CDATA[
-   file name: sample-project-0.0.1.jar (shaded: commons-fileupload:commons-fileupload:1.2.2)
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/commons\-fileupload/commons\-fileupload@.*$</packageUrl>
-   <cve>CVE-2013-0248</cve>
-</suppress>
-
-<suppress>
-   <notes><![CDATA[
-   file name: sample-project-0.0.1.jar (shaded: org.apache.struts:struts2-core:2.3.8)
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts2\-core@.*$</packageUrl>
-   <cve>CVE-2023-50164</cve>
-   <cve>CVE-2023-41835</cve> 
-</suppress>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress>
+      <notes><![CDATA[
+      This CVE only affects projects fetching p2 repo's over HTTP, but we use HTTPS.
+      ]]></notes>
+      <cve>CVE-2021-41033</cve>
+   </suppress>
+   <suppress>
+	  <notes><![CDATA[
+	  We are using Reload4j, which is a secure drop-in replacement for log4j.
+	  ]]></notes>
+	  <cve>CVE-2020-9493</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   We are using Reload4j, which is a secure drop-in replacement for log4j.
+	   ]]></notes>
+	   <cve>CVE-2022-23307</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   This CVE is not about org.junit.platform.commons. It seems the check is
+	   too loose.
+	   ]]></notes>
+	   <cve>CVE-2020-27225</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   This CVE only affects projects using Xtext prior to 2.18.0.
+	   ]]></notes>
+	   <cve>CVE-2019-10249</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   Calling the method `com.google.common.io.Files.createTempDir` is a vulnerability,
+	   but we do not call it.
+	   ]]></notes>
+	   <cve>CVE-2020-8908</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   We are not creating SVG's with Batik of Apache XML Graphics.
+	   ]]></notes>
+	   <cve>CVE-2022-41704</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   We are not creating SVG's with Batik of Apache XML Graphics.
+	   ]]></notes>
+	   <cve>CVE-2022-42890</cve>
+	</suppress>
+	<suppress>
+	   	<notes><![CDATA[
+	   This CVE is not about org.eclipse.e4.emf.xpath. It seems the check is
+	   too loose.
+	   ]]></notes>
+	   <cve>CVE-2022-41852</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   This only affects milestone and RC versions, but we use a stable release.
+	   ]]></notes>
+	   <cve>CVE-2020-15824</cve>
+	</suppress>
 </suppressions>

pom.xml

@@ -154,7 +154,7 @@
 
         <apache.commons.lang.version>3.13.0</apache.commons.lang.version>
         <apache.commons.text.version>1.11.0</apache.commons.text.version>
-        <commons-io.version>2.11.0</commons-io.version>
+        <commons-io.version>2.19.0</commons-io.version>
         <guava.version>32.0.1-jre</guava.version>
 
         <!-- Release -->
@@ -389,12 +389,12 @@
         <dependency>
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-model</artifactId>
-            <version>3.3.9</version>
+            <version>3.9.10</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-configuration2</artifactId>
-            <version>2.8.0</version>
+            <version>2.12.0</version>
         </dependency>
         <!-- migrated from Python POM: end -->
     </dependencies>