Bump hibernate.version from 6.6.13.Final to 7.4.3.Final #4803
| # Workflow: runs Codacy's Java analysis tools on pushes and pull requests to the listed branches. | |
| name: Codacy Security Scan | |
| on: | |
| push: | |
| branches: [ main, 2022-12, 2022-09, 2022-06 ] | |
| pull_request: | |
| branches: [ main, 2022-12, 2022-09, 2022-06 ] | |
| # Path filter (presumably nested under pull_request; indentation is lost in this rendering): | |
| # Java sources, POMs, and the scanner configuration files themselves. | |
| paths: | |
| - '**.java' | |
| - '**/pom.xml' | |
| - '.codacy.yml' | |
| - 'ruleset.xml' | |
| - '.github/workflows/codacy.yml' | |
| # One run per workflow and ref; a newer run cancels the one still in progress. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| codacy-java-tools: | |
| name: Codacy Java Tools | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 55 | |
| # A failure of this job does not fail the workflow run, so a broken scan is easy to miss. | |
| # NOTE(review): confirm that failed scan jobs are noticed some other way. | |
| continue-on-error: true | |
| # Token scope for this job: read the repository, write code-scanning results (used by the SARIF upload steps). | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| # Each tool runs as its own matrix job; one tool failing does not cancel the other. | |
| fail-fast: false | |
| matrix: | |
| # TODO: Re-enable pmd once the MalformedInputException in Codacy PMD/SARIF is fixed | |
| # Temporarily disable pmd due to MalformedInputException in Codacy SARIF generation | |
| tool: [ spotbugs, checkstyle ] | |
| # Force a UTF-8 locale and JVM default encoding for every step of the job. | |
| env: | |
| LC_ALL: C.UTF-8 | |
| LANG: C.UTF-8 | |
| JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF-8 | |
| steps: | |
| # Toolchain setup: Maven 3.9.9, repository checkout, Temurin JDK 21, dependency cache, then a build without tests. | |
| # This action is pinned to a full commit SHA, with the tag kept as a trailing comment. | |
| - name: Set up Maven | |
| uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 | |
| with: | |
| maven-version: 3.9.9 | |
| # NOTE(review): checkout, setup-java and cache below are referenced by mutable version tags, | |
| # unlike setup-maven above; pinning them to commit SHAs would make the job's action supply chain consistent. | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v5 | |
| with: | |
| java-version: '21' | |
| distribution: 'temurin' | |
| cache: maven | |
| # NOTE(review): setup-java is already asked to cache Maven (cache: maven above); | |
| # this explicit cache of ~/.m2/repository may be redundant — confirm. | |
| - name: Cache Maven dependencies | |
| uses: actions/cache@v5 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: ${{ runner.os }}-maven- | |
| # Runs the Maven build of the checked-out ref in batch mode with tests skipped; | |
| # presumably so that bytecode-based tools such as spotbugs have compiled classes to analyze. | |
| - name: Build (no tests) | |
| run: mvn -B -DskipTests package | |
| # Normalize all source files to UTF-8 to prevent encoding issues in SARIF generation | |
| # Explicitly exclude binary JAR files and testresources directory to prevent MalformedInputException | |
| # The files are rewritten in the working tree only (nothing is committed here), so the analysis | |
| # tools that run afterwards see the normalized bytes rather than the committed ones. | |
| - name: Normalize source files to UTF-8 (in-place) | |
| run: | | |
| set -euo pipefail | |
| sudo apt-get update -y | |
| sudo apt-get install -y uchardet libxml2-utils | |
| # Counters: files rewritten, and files that could not be converted or cleaned. | |
| changes=0 | |
| errors=0 | |
| # Helper function to clean invalid UTF-8 sequences | |
| # Arguments: $1 - file to rewrite in place. | |
| # Returns: 0 if iconv succeeded and the file was replaced, 1 otherwise (the .tmp file is removed). | |
| # iconv -c drops bytes it cannot convert, so content is removed without any record of what was dropped. | |
| # NOTE(review): glibc iconv is reported to exit non-zero when -c actually discards input; if that holds | |
| # on the runner, this helper fails exactly when there is something to clean — confirm. | |
| clean_utf8() { | |
| local file=$1 | |
| if iconv -f utf-8 -t utf-8 -c "$file" -o "$file.tmp" 2>/dev/null; then | |
| mv "$file.tmp" "$file" | |
| return 0 | |
| else | |
| rm -f "$file.tmp" | |
| return 1 | |
| fi | |
| } | |
| # Process Java, XML, properties, and other text files | |
| # IMPORTANT: Exclude testresources/ directory which contains binary JAR files | |
| while IFS= read -r -d '' f; do | |
| # Skip if file doesn't exist or is not readable | |
| [ -r "$f" ] || continue | |
| # Detected charset name, lower-cased for the comparisons below. | |
| # NOTE(review): with pipefail active, a non-zero exit from uchardet aborts the whole step here | |
| # instead of reaching the empty-charset branch — confirm this is intended. | |
| charset=$(uchardet "$f" 2>/dev/null | tr '[:upper:]' '[:lower:]') | |
| if [ -z "$charset" ]; then | |
| echo "Warning: uchardet could not detect encoding for $f, attempting UTF-8 validation" | |
| # Try to clean as UTF-8 anyway for files < 1MB | |
| # BSD stat syntax first, GNU syntax as fallback, 0 if both fail (a size of 0 passes the < 1MB test). | |
| filesize=$(stat -f%z "$f" 2>/dev/null || stat -c%s "$f" 2>/dev/null || echo 0) | |
| if [ "$filesize" -lt 1048576 ] && ! iconv -f utf-8 -t utf-8 "$f" > /dev/null 2>&1; then | |
| echo "Cleaning invalid UTF-8 sequences in $f (unknown encoding)" | |
| if clean_utf8 "$f"; then | |
| changes=$((changes+1)) | |
| else | |
| errors=$((errors+1)) | |
| fi | |
| fi | |
| continue | |
| fi | |
| # Only convert if not already UTF-8/ASCII | |
| # Files reported as "binary" match neither branch below and are left untouched. | |
| if [ "$charset" != "utf-8" ] && [ "$charset" != "ascii" ] && [ "$charset" != "binary" ]; then | |
| echo "Converting $f ($charset -> utf-8)" | |
| if iconv -f "$charset" -t utf-8 "$f" -o "$f.tmp" 2>/dev/null; then | |
| mv "$f.tmp" "$f" | |
| changes=$((changes+1)) | |
| else | |
| rm -f "$f.tmp" # Clean up partially written file on conversion failure | |
| echo "Warning: Failed to convert $f, trying to clean invalid UTF-8" | |
| if clean_utf8 "$f"; then | |
| changes=$((changes+1)) | |
| else | |
| errors=$((errors+1)) | |
| fi | |
| fi | |
| elif [ "$charset" = "utf-8" ] || [ "$charset" = "ascii" ]; then | |
| # Even if detected as UTF-8, validate and clean it (skip very large files > 1MB) | |
| # Only the GNU stat form is used here, unlike the size lookup in the empty-charset branch. | |
| filesize=$(stat -c%s "$f" 2>/dev/null || echo 0) | |
| # Check if file contains invalid UTF-8 sequences by comparing with cleaned version | |
| if [ "$filesize" -lt 1048576 ] && ! diff -q "$f" <(iconv -f utf-8 -t utf-8 -c "$f" 2>/dev/null) > /dev/null 2>&1; then | |
| echo "Cleaning invalid UTF-8 sequences in $f" | |
| if clean_utf8 "$f"; then | |
| changes=$((changes+1)) | |
| else | |
| errors=$((errors+1)) | |
| fi | |
| fi | |
| fi | |
| # Input: NUL-delimited list of tracked files with the given extensions, minus paths containing /testresources/. | |
| # The filter needs a leading slash, so a top-level testresources/ directory would not be excluded by it. | |
| done < <(git ls-files -z '*.java' '*.xml' '*.properties' '*.txt' '*.md' | grep -zv '/testresources/') | |
| echo "Converted/cleaned $changes files, $errors failures" | |
| # Any file that could not be converted or cleaned fails the step. | |
| if [ "$errors" -gt 0 ]; then | |
| echo "Error: Failed to process $errors files" | |
| exit 1 | |
| fi | |
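| # Ensure PMD only analyzes Java source files and excludes binary JARs | |
| # This prevents MalformedInputException during SARIF generation when PMD encounters binary files | |
| # This step only prints diagnostics about the exclusion configuration; a missing exclusion | |
| # produces a WARNING line in the log and does not fail the job. | |
| - name: Verify PMD configuration | |
| run: | | |
| echo "PMD will use ruleset.xml and .codacy.yml for filtering" | |
| echo "IMPORTANT: Binary JARs under sandbox_functional_converter_test/testresources/ must be excluded" | |
| echo "" | |
| if [ -f ruleset.xml ]; then | |
| echo "✓ ruleset.xml found" | |
| # Validate XML is well-formed | |
| # xmllint is tested inside the `if`: the runner's default shell runs with -e, so a bare | |
| # failing assignment would abort the step before the warning branch could print. | |
| if xml_check=$(xmllint --noout ruleset.xml 2>&1); then | |
| echo "✓ ruleset.xml is well-formed XML" | |
| else | |
| echo "⚠ ruleset.xml has XML syntax errors" | |
| echo "$xml_check" | |
| fi | |
| echo "" | |
| echo "Binary file exclusions from ruleset.xml:" | |
| grep "exclude-pattern.*\\.jar" ruleset.xml || echo " WARNING: No JAR exclusions found!" | |
| grep "exclude-pattern.*\\.class" ruleset.xml || true | |
| echo "" | |
| echo "Key directory exclusions from ruleset.xml:" | |
| grep "exclude-pattern.*testresources" ruleset.xml || echo " WARNING: No testresources exclusions found!" | |
| grep "exclude-pattern.*/.*/.*" ruleset.xml | head -8 || true | |
| else | |
| echo "⚠ ruleset.xml not found" | |
| fi | |
| echo "" | |
| if [ -f .codacy.yml ]; then | |
| echo "✓ .codacy.yml found" | |
| echo "Included paths:" | |
| grep -A 5 "include_paths:" .codacy.yml || true | |
| echo "" | |
| echo "Excluded paths (should include testresources and *.jar):" | |
| grep -A 20 "exclude_paths:" .codacy.yml || true | |
| echo "" | |
| echo "PMD-specific exclusions:" | |
| grep -A 10 "pmd:" .codacy.yml || true | |
| fi | |
| echo "" | |
| echo "Java source files to be analyzed:" | |
| java_count=$(find . -name "*.java" -path "*/src/*" -not -path "*/target/*" -not -path "*/bin/*" -not -path "*/testresources/*" | wc -l) | |
| echo "Found $java_count Java files in src/ directories (excluding target/, bin/, and testresources/)" | |
| echo "" | |
| echo "JAR files that MUST be excluded from analysis:" | |
| # find exits 0 even when nothing matches, so decide on its output rather than its exit status. | |
| jar_list=$(find . -name "*.jar" -path "*/testresources/*") || true | |
| if [ -n "$jar_list" ]; then | |
| echo "$jar_list" | |
| else | |
| echo " (none found - good!)" | |
| fi | |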
| # Runs the Codacy CLI once per matrix tool and writes a SARIF file into the runner temp directory. | |
| # NOTE(review): this third-party action receives the project token and is referenced by a mutable tag (@v4); | |
| # consider pinning it to a commit SHA. | |
| - name: Run Codacy Analysis CLI (${{ matrix.tool }}) | |
| uses: codacy/codacy-analysis-cli-action@v4 | |
| with: | |
| project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} | |
| tool: ${{ matrix.tool }} | |
| verbose: true | |
| format: sarif | |
| output: ${{ runner.temp }}/results-${{ matrix.tool }}.sarif | |
| gh-code-scanning-compat: true | |
| # The limit is the 32-bit integer maximum, so the issue count should never fail this step; | |
| # findings are then only visible through the uploaded SARIF. | |
| max-allowed-issues: 2147483647 | |
| # presumably needed because the UTF-8 normalization step rewrites tracked files in the working tree — confirm | |
| skip-uncommitted-files-check: true | |
| tool-timeout: 1hour | |
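| # Since 2025-07 GitHub requires exactly 1 run per upload/category | |
| # Splits the tool's SARIF file into one file per run (run-0.sarif, run-1.sarif, ...) under OUTDIR. | |
| - name: Split SARIF into single-run files (${{ matrix.tool }}) | |
| shell: bash | |
| env: | |
| SARIF: ${{ runner.temp }}/results-${{ matrix.tool }}.sarif | |
| OUTDIR: ${{ runner.temp }}/sarif_split_${{ matrix.tool }} | |
| run: | | |
| set -euo pipefail | |
| # A missing or empty SARIF file is treated as "nothing to upload", not as an error. | |
| if [ ! -s "$SARIF" ]; then | |
| echo "No SARIF produced for ${{ matrix.tool }} -> skip." | |
| exit 0 | |
| fi | |
| sudo apt-get update -y | |
| sudo apt-get install -y jq | |
| mkdir -p "$OUTDIR" | |
| # safe default: 0 runs if field missing | |
| runs=$(jq '.runs | length // 0' "$SARIF") | |
| echo "Found $runs runs in $SARIF" | |
| for ((i=0; i<runs; i++)); do | |
| # Keep the top-level $schema and version fields and extract a single run | |
| jq --argjson i "$i" '{ "$schema": .["$schema"], version: .version, runs: [ .runs[$i] ] }' "$SARIF" > "$OUTDIR/run-$i.sarif" | |
| done | |
| # The upload steps visible in this workflow cover run-0 to run-2 only; flag any further runs | |
| # in the log so that scan results are not dropped without notice. | |
| if (( runs > 3 )); then | |
| echo "::warning::$runs SARIF runs found in $SARIF; check that every run-N.sarif has an upload step" | |
| fi | |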
| # Upload steps: one per split file, each under its own category (tool plus run index). | |
| # Each step is conditional on hashFiles() returning a non-empty hash for its run-N.sarif. | |
| # NOTE(review): hashFiles is documented to match only files inside GITHUB_WORKSPACE, while these paths | |
| # are under runner.temp; if that applies here the conditions are always false and nothing is | |
| # uploaded — confirm in a run log that the uploads actually execute. | |
| # NOTE(review): only run-0 to run-2 are covered; further split files would not be uploaded. | |
| # NOTE(review): upload-sarif is referenced by a mutable tag (@v4) rather than a commit SHA. | |
| - name: Upload SARIF run 0 (${{ matrix.tool }}) | |
| if: ${{ hashFiles(format('{0}/sarif_split_{1}/run-0.sarif', runner.temp, matrix.tool)) != '' }} | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ runner.temp }}/sarif_split_${{ matrix.tool }}/run-0.sarif | |
| category: codacy-${{ matrix.tool }}-run-0 | |
| wait-for-processing: true | |
| - name: Upload SARIF run 1 (${{ matrix.tool }}) | |
| if: ${{ hashFiles(format('{0}/sarif_split_{1}/run-1.sarif', runner.temp, matrix.tool)) != '' }} | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ runner.temp }}/sarif_split_${{ matrix.tool }}/run-1.sarif | |
| category: codacy-${{ matrix.tool }}-run-1 | |
| wait-for-processing: true | |
| - name: Upload SARIF run 2 (${{ matrix.tool }}) | |
| if: ${{ hashFiles(format('{0}/sarif_split_{1}/run-2.sarif', runner.temp, matrix.tool)) != '' }} | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ runner.temp }}/sarif_split_${{ matrix.tool }}/run-2.sarif | |
| category: codacy-${{ matrix.tool }}-run-2 | |
| wait-for-processing: true |