Merge pull request #97 from joewiz/security-tooling

line-o · web-flow · commit aede6a9f5c92 · 2026-05-20T12:02:26.000+02:00
[ci] Add SpotBugs + FindSecBugs + CodeQL static analysis
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,49 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    # Weekly re-scan against latest CodeQL query database
+    - cron: '17 4 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze (Java)
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: '21'
+          cache: maven
+          server-id: github
+          server-username: GITHUB_ACTOR
+          server-password: GITHUB_TOKEN
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java-kotlin
+          queries: security-extended,security-and-quality
+
+      - name: Build
+        env:
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: mvn -B -U -DskipTests=true compile
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:java-kotlin"
diff --git a/.github/workflows/spotbugs.yml b/.github/workflows/spotbugs.yml
@@ -0,0 +1,52 @@
+name: SpotBugs
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  spotbugs:
+    name: SpotBugs + FindSecBugs
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: '21'
+          cache: maven
+          server-id: github
+          server-username: GITHUB_ACTOR
+          server-password: GITHUB_TOKEN
+
+      - name: Run SpotBugs (+ FindSecBugs plugin)
+        env:
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: mvn -B -U -DskipTests=true verify
+
+      - name: Upload SARIF to GitHub code scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: target/spotbugsSarif.json
+          category: spotbugs
+
+      - name: Upload SpotBugs XML as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: spotbugs-report
+          path: |
+            target/spotbugs.xml
+            target/spotbugsXml.xml
+            target/spotbugsSarif.json
+          if-no-files-found: warn
diff --git a/README.md b/README.md
@@ -1,4 +1,5 @@
 [![CI](https://github.com/eXist-db/expath-crypto-module/workflows/CI/badge.svg)](https://github.com/eXist-db/expath-crypto-module/actions?query=workflow%3ACI)
+[![Codacy Badge](https://app.codacy.com/project/badge/Grade/6700c245da044962938994fc59a2ebdc)](https://app.codacy.com/gh/eXist-db/expath-crypto-module/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade)
 
 # eXist-db implementation for EXPath Cryptographic Module
 
diff --git a/pom.xml b/pom.xml
@@ -245,6 +245,36 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<!-- SpotBugs + FindSecBugs static analysis. Crypto-focused via FindSecBugs
+				     plugin. Currently report-only; once findings are triaged, switch the
+				     <goal> in <executions> from "spotbugs" to "check" to fail the build. -->
+				<groupId>com.github.spotbugs</groupId>
+				<artifactId>spotbugs-maven-plugin</artifactId>
+				<version>4.8.6.6</version>
+				<configuration>
+					<effort>Max</effort>
+					<threshold>Low</threshold>
+					<failOnError>false</failOnError>
+					<xmlOutput>true</xmlOutput>
+					<sarifOutput>true</sarifOutput>
+					<plugins>
+						<plugin>
+							<groupId>com.h3xstream.findsecbugs</groupId>
+							<artifactId>findsecbugs-plugin</artifactId>
+							<version>1.13.0</version>
+						</plugin>
+					</plugins>
+				</configuration>
+				<executions>
+					<execution>
+						<phase>verify</phase>
+						<goals>
+							<goal>spotbugs</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
 			<plugin>
 				<groupId>com.ruleoftech</groupId>
 				<artifactId>markdown-page-generator-plugin</artifactId>

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`[![CI](https://github.com/eXist-db/expath-crypto-module/workflows/CI/badge.svg)](https://github.com/eXist-db/expath-crypto-module/actions?query=workflow%3ACI)`
	`2`	`+[![Codacy Badge](https://app.codacy.com/project/badge/Grade/6700c245da044962938994fc59a2ebdc)](https://app.codacy.com/gh/eXist-db/expath-crypto-module/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade)`
`2`	`3`
`3`	`4`	`# eXist-db implementation for EXPath Cryptographic Module`
`4`	`5`