From f6004d571b35a5ef3d1cf82ef0e3af7ecdf0419d Mon Sep 17 00:00:00 2001
From: "Vincent A. Cicirello"
Date: Fri, 4 Aug 2023 11:52:38 -0400
Subject: [PATCH 1/6] configured spotbugs

---
 .lift.toml | 23 ----------------------
 CHANGELOG.md | 3 ++-
 README.md | 9 +++++++++
 pom.xml | 18 +++++++++++++++++-
 4 files changed, 28 insertions(+), 25 deletions(-)
 delete mode 100644 .lift.toml

diff --git a/.lift.toml b/.lift.toml
deleted file mode 100644
index 4ee02516..00000000
--- a/.lift.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-jdkVersion = "17"
-
-# Ignore warnings not relevant to this specific project:
-#
-# 1) FindSecBugs identifies our use of ThreadLocalRandom as predictable.
-# We make extensive use of this class since local search require randomness.
-# Our use of randomness in this library is NOT at all security related,
-# and rather, we simply need a fast pseudorandom number generator since
-# we need to generate large numbers of random numbers. So ignore
-# predictable random warnings.
-#
-# 2) FindSecBugs generates a few PATH_TRAVERSAL_IN messages ("reads a file whose
-# location might be specified by user input"). The Chips-n-Salsa library includes
-# a few parsers for benchmark instances of a few optimization problems. Those
-# parsers are passed the file to parse, and also include methods for outputting
-# randomly generated instances to a file (which also accepts filename as input).
-# It is the responsibility of the application that uses the library to appropriately
-# obtain the relevant filenames.
-#
-# 3) FindSecBugs generates PATH_TRAVERSAL_OUT for the same reason as above,
-# and we are ignoring them for the same reason.
-
-ignoreRules = ["PREDICTABLE_RANDOM", "PATH_TRAVERSAL_IN", "PATH_TRAVERSAL_OUT"]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e4a2b6e..d91e0585 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased] - 2023-07-28 +## [Unreleased] - 2023-08-04 ### Added @@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Dependencies ### CI/CD +* Integrated SpotBugs into build process. ### Other diff --git a/README.md b/README.md index bcfacede..26cd23ee 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,15 @@ To include generation of a code coverage report during the build, execute `mvn package -Pcoverage` at the root of the repository to enable a Maven profile that executes JaCoCo during the test phase. +To run all static analysis tools (i.e., SpotBugs, refactor-first), +execute `mvn package -Panalysis` to enable a Maven profile that executes +the various static analysis tools that we are using. The SpotBugs html +report will be found in the `target` directory, or you can use the SpotBugs +GUI with: `mvn spotbugs:gui -Panalysis`. The refactor-first report will +be found in the `target/site` directory. + +To run all of the above: `mvn package -P "analysis,coverage"`. + ## Example Programs There are several example programs available in a separate repository: diff --git a/pom.xml b/pom.xml index 05e721c9..5ccd839d 100644 --- a/pom.xml +++ b/pom.xml @@ -182,7 +182,7 @@ - refactor + analysis @@ -202,6 +202,22 @@ + + com.github.spotbugs + spotbugs-maven-plugin + 4.7.3.5 + + true + + + + test + + spotbugs + + + + From 9e5dbf398df1c367a7dbe3a76ee358c02ccbd8f2 Mon Sep 17 00:00:00 2001 From: "Vincent A. Cicirello" Date: Fri, 4 Aug 2023 12:03:46 -0400 Subject: [PATCH 2/6] configure find-sec-bugs --- pom.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pom.xml b/pom.xml index 5ccd839d..a2371adc 100644 --- a/pom.xml +++ b/pom.xml 
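Review bot: The new `analysis` profile execution in pom.xml binds only the `spotbugs` goal at the `test` phase, and that goal writes the report without ever failing the build when bugs are reported, so a new finding in CI is invisible unless someone opens the report in `target`. If the profile is meant to gate the build rather than just produce a report, add `<goal>check</goal>` to the same execution; `check` runs the analysis and fails the build on any reported bug. The element whose value is `true` just after `4.7.3.5` has lost its name in this rendering, so I cannot tell whether it is `failOnError` (which only matters for `check`) or something else such as `includeTests`. The profile's surrounding `<plugins>` and `<profile>` elements start before this hunk.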
@@ -208,6 +208,13 @@ 4.7.3.5 true + + + com.h3xstream.findsecbugs + findsecbugs-plugin + 1.12.0 + + From 670561a8f2e926bb90510731d991504eb628d062 Mon Sep 17 00:00:00 2001 From: "Vincent A. Cicirello" Date: Fri, 4 Aug 2023 12:04:55 -0400 Subject: [PATCH 3/6] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d91e0585..a816e87d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### CI/CD * Integrated SpotBugs into build process. +* Integrated Find Security Bugs into build process. ### Other From b987588e95671cfdfd0b85ffdd9af2dc08e09581 Mon Sep 17 00:00:00 2001 From: "Vincent A. Cicirello" Date: Fri, 4 Aug 2023 12:41:11 -0400 Subject: [PATCH 4/6] exclude false positives --- pom.xml | 1 + spotbugs-exclude.xml | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 spotbugs-exclude.xml diff --git a/pom.xml b/pom.xml index a2371adc..d1a03981 100644 --- a/pom.xml +++ b/pom.xml @@ -208,6 +208,7 @@ 4.7.3.5 true + ${session.executionRootDirectory}/spotbugs-exclude.xml com.h3xstream.findsecbugs diff --git a/spotbugs-exclude.xml b/spotbugs-exclude.xml new file mode 100644 index 00000000..9cc10dd3 --- /dev/null +++ b/spotbugs-exclude.xml @@ -0,0 +1,11 @@ + + + + + + + + + + + From 0bb50ffedb4f63987a808759000b0dccf5e6d242 Mon Sep 17 00:00:00 2001 From: "Vincent A. Cicirello" Date: Fri, 4 Aug 2023 12:43:53 -0400 Subject: [PATCH 5/6] Update README.md --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 26cd23ee..d128df75 100644 --- a/README.md +++ b/README.md 
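Review bot: Find Security Bugs 1.12.0 is registered as a SpotBugs plugin here, but no `effort` or `threshold` is visible in the surrounding configuration, so the run keeps SpotBugs' defaults (default effort, medium confidence threshold) and lower-confidence security patterns that Find Security Bugs emits are dropped from the report. The Find Security Bugs documentation recommends `<effort>Max</effort>` and `<threshold>Low</threshold>` in the spotbugs-maven-plugin configuration for a security scan; add both next to the existing `4.7.3.5`/`true` settings. If those elements are present but were lost in this rendering along with the other tags, disregard this.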
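Review bot: `${session.executionRootDirectory}/spotbugs-exclude.xml` resolves against the directory Maven was started in, so invoking the build with `-f` from another directory, or from an aggregator that includes this module, leaves the exclude filter unresolvable and silently restores the full finding set; `${project.basedir}/spotbugs-exclude.xml` pins it to the module that owns the file. The new `spotbugs-exclude.xml` added in the second hunk of this patch has its contents stripped in this rendering, so I can only say how it should be shaped: the removed `.lift.toml` ignored PREDICTABLE_RANDOM, PATH_TRAVERSAL_IN and PATH_TRAVERSAL_OUT globally, and if the filter mirrors that with bare `<Bug pattern="..."/>` matches, each `<Match>` should also carry a `<Class>` or `<Package>` element naming the benchmark-instance parser and writer classes that take caller-supplied paths, so the suppression cannot hide the same pattern if it later appears where untrusted input reaches. The `.lift.toml` reasoning for each pattern should travel with the corresponding `<Match>` as an XML comment rather than live only in git history.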
@@ -82,12 +82,12 @@ To include generation of a code coverage report during the build, execute `mvn package -Pcoverage` at the root of the repository to enable a Maven profile that executes JaCoCo during the test phase. -To run all static analysis tools (i.e., SpotBugs, refactor-first), -execute `mvn package -Panalysis` to enable a Maven profile that executes -the various static analysis tools that we are using. The SpotBugs html -report will be found in the `target` directory, or you can use the SpotBugs -GUI with: `mvn spotbugs:gui -Panalysis`. The refactor-first report will -be found in the `target/site` directory. +To run all static analysis tools (i.e., SpotBugs, Find Security Bugs, +refactor-first), execute `mvn package -Panalysis` to enable a Maven +profile that executes the various static analysis tools that we are +using. The SpotBugs html report will be found in the `target` directory, +or you can use the SpotBugs GUI with: `mvn spotbugs:gui -Panalysis`. The +refactor-first report will be found in the `target/site` directory. To run all of the above: `mvn package -P "analysis,coverage"`. From 5b8c67c86f6c26bc5f796f285b45f0df3f04211e Mon Sep 17 00:00:00 2001 From: "Vincent A. Cicirello" Date: Fri, 4 Aug 2023 13:13:08 -0400 Subject: [PATCH 6/6] explain exclusions --- spotbugs-exclude.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spotbugs-exclude.xml b/spotbugs-exclude.xml index 9cc10dd3..e5cdae0b 100644 --- a/spotbugs-exclude.xml +++ b/spotbugs-exclude.xml @@ -1,8 +1,11 @@ + + +