chore: Add CI quality checks, address PR review comments

- Add SpotBugs, OWASP dependency-check, JaCoCo, Enforcer, Checkstyle plugins
- Add 'quality' CI job running static analysis and dependency scanning
- Add JaCoCo coverage reporting to build_multi_os CI job
- Make 'closed' field volatile for thread-safety
- Synchronize close() to prevent race with reset()/buildFlightClient()
- Add channel cleanup (shutdownNow) on buildFlightClient() failure
- Remove unused VectorSchemaRoot import in ResetTest
- Fix stale/misleading comments in ResetTest

Author: lukekim

.github/workflows/build.yaml

@@ -97,6 +97,14 @@ jobs:
           path: target/surefire-reports/
           retention-days: 7
 
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report-${{ matrix.os }}
+          path: target/site/jacoco/
+          retention-days: 7
+
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 20
@@ -178,3 +186,40 @@ jobs:
           name: test-results-jdk${{ matrix.java.version }}-${{ matrix.java.distribution }}
           path: target/surefire-reports/
           retention-days: 7
+
+  quality:
+    name: Code quality checks
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 17 (Oracle)
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: oracle
+          cache: maven
+
+      - name: Build
+        run: mvn install -DskipTests=true -Dgpg.skip -B -V
+
+      - name: Maven Enforcer
+        run: mvn validate -B
+
+      - name: SpotBugs
+        run: mvn spotbugs:check -B
+
+      - name: Checkstyle
+        run: mvn checkstyle:check -B
+
+      - name: OWASP Dependency-Check
+        run: mvn dependency-check:check -B
+
+      - name: Upload dependency-check report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report
+          path: target/dependency-check-report.html
+          retention-days: 30

pom.xml

@@ -89,7 +89,8 @@
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>3.5.4</version>
                 <configuration>
-                    <argLine>--add-opens=java.base/java.nio=ALL-UNNAMED</argLine>
+                    <!-- @{argLine} is set by JaCoCo's prepare-agent goal -->
+                    <argLine>@{argLine} --add-opens=java.base/java.nio=ALL-UNNAMED</argLine>
                 </configuration>
             </plugin>
             <plugin>
@@ -148,6 +149,79 @@
                     <waitUntil>published</waitUntil> -->
                 </configuration>
             </plugin>
+            <!-- P0: Static bug detection — null derefs, concurrency, resource leaks -->
+            <plugin>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-maven-plugin</artifactId>
+                <version>4.9.3.0</version>
+            </plugin>
+            <!-- P0: CVE scanning for transitive dependencies (Netty, gRPC, Arrow) -->
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>12.1.1</version>
+                <configuration>
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                </configuration>
+            </plugin>
+            <!-- P1: Test coverage reporting -->
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <version>0.8.13</version>
+                <executions>
+                    <execution>
+                        <id>prepare-agent</id>
+                        <goals>
+                            <goal>prepare-agent</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>report</id>
+                        <phase>test</phase>
+                        <goals>
+                            <goal>report</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <!-- P2: Build hygiene — enforce Maven/JDK versions, dependency convergence -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>3.5.0</version>
+                <executions>
+                    <execution>
+                        <id>enforce</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireMavenVersion>
+                                    <version>[3.6.0,)</version>
+                                </requireMavenVersion>
+                                <requireJavaVersion>
+                                    <version>[11,)</version>
+                                </requireJavaVersion>
+                                <banDuplicatePomDependencyVersions/>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <!-- P3: Code style consistency (Google Java Style) -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>3.6.0</version>
+                <configuration>
+                    <configLocation>google_checks.xml</configLocation>
+                    <consoleOutput>true</consoleOutput>
+                    <violationSeverity>warning</violationSeverity>
+                    <failOnViolation>false</failOnViolation>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 </project>

src/main/java/ai/spice/SpiceClient.java

@@ -153,7 +153,7 @@ public class SpiceClient implements AutoCloseable {
     private FlightSqlClient flightClient;
     private CredentialCallOption authCallOptions = null;
     private BufferAllocator allocator;
-    private boolean closed = false;
+    private volatile boolean closed = false;
 
     // Cached retryers (immutable, thread-safe)
     private Retryer<ArrowReader> adbcRetryer;
@@ -275,39 +275,50 @@ private synchronized void buildFlightClient() {
                 .maxInboundMetadataSize(Integer.MAX_VALUE);
         ManagedChannel channel = channelBuilder.build();
 
-        if (Strings.isNullOrEmpty(apiKey)) {
-            FlightClient client = FlightGrpcUtils.createFlightClient(allocator, channel);
-            this.flightClient = new FlightSqlClient(client);
-            logger.debug("Flight client built (unauthenticated) - target={}", target);
-            return;
-        }
+        try {
+            if (Strings.isNullOrEmpty(apiKey)) {
+                FlightClient client = FlightGrpcUtils.createFlightClient(allocator, channel);
+                this.flightClient = new FlightSqlClient(client);
+                logger.debug("Flight client built (unauthenticated) - target={}", target);
+                return;
+            }
 
-        // prepare additional headers to insert into Flight requests
-        Map<String, String> headers = new HashMap<>();
-        String uaString;
-        if (Strings.isNullOrEmpty(userAgent)) {
-            uaString = Config.getUserAgent();
-        } else {
-            // Prepend the user-supplied user agent string with the Spice.ai user agent
-            uaString = userAgent + " " + Config.getUserAgent();
-        }
-        headers.put("User-Agent", uaString);
+            // prepare additional headers to insert into Flight requests
+            Map<String, String> headers = new HashMap<>();
+            String uaString;
+            if (Strings.isNullOrEmpty(userAgent)) {
+                uaString = Config.getUserAgent();
+            } else {
+                // Prepend the user-supplied user agent string with the Spice.ai user agent
+                uaString = userAgent + " " + Config.getUserAgent();
+            }
+            headers.put("User-Agent", uaString);
 
-        final ClientIncomingAuthHeaderMiddleware.Factory authFactory = new ClientIncomingAuthHeaderMiddleware.Factory(
-                new ClientBearerHeaderHandler());
+            final ClientIncomingAuthHeaderMiddleware.Factory authFactory = new ClientIncomingAuthHeaderMiddleware.Factory(
+                    new ClientBearerHeaderHandler());
 
-        // Combine auth and custom header middleware into a single factory
-        final HeaderAuthMiddlewareFactory combinedFactory = new HeaderAuthMiddlewareFactory(authFactory, headers);
+            // Combine auth and custom header middleware into a single factory
+            final HeaderAuthMiddlewareFactory combinedFactory = new HeaderAuthMiddlewareFactory(authFactory, headers);
 
-        List<FlightClientMiddleware.Factory> middleware = new ArrayList<>();
-        middleware.add(combinedFactory);
+            List<FlightClientMiddleware.Factory> middleware = new ArrayList<>();
+            middleware.add(combinedFactory);
 
-        final FlightClient client = FlightGrpcUtils.createFlightClient(allocator, channel, middleware);
-        client.handshake(new CredentialCallOption(new BasicAuthCredentialWriter(this.appId, this.apiKey)));
-        this.authCallOptions = authFactory.getCredentialCallOption();
-        this.flightClient = new FlightSqlClient(client);
+            final FlightClient client = FlightGrpcUtils.createFlightClient(allocator, channel, middleware);
+            client.handshake(new CredentialCallOption(new BasicAuthCredentialWriter(this.appId, this.apiKey)));
+            this.authCallOptions = authFactory.getCredentialCallOption();
+            this.flightClient = new FlightSqlClient(client);
 
-        logger.debug("Flight client built (authenticated) - target={}, appId={}", target, this.appId);
+            logger.debug("Flight client built (authenticated) - target={}, appId={}", target, this.appId);
+        } catch (Exception e) {
+            // Ensure the channel is shut down if client creation or handshake fails
+            // to avoid leaking threads and file descriptors on repeated rebuild attempts.
+            try {
+                channel.shutdownNow();
+            } catch (Exception suppressed) {
+                e.addSuppressed(suppressed);
+            }
+            throw e;
+        }
     }
 
     /**
@@ -1013,7 +1024,7 @@ private boolean shouldRetry(CallStatus status) {
     }
 
     @Override
-    public void close() throws Exception {
+    public synchronized void close() throws Exception {
         if (closed) {
             return;
         }

src/test/java/ai/spice/ResetTest.java

@@ -29,7 +29,6 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.concurrent.atomic.AtomicInteger;
 
 import org.apache.arrow.flight.FlightStream;
-import org.apache.arrow.vector.VectorSchemaRoot;
 import org.apache.arrow.vector.ipc.ArrowReader;
 
 import junit.framework.TestCase;
@@ -74,8 +73,8 @@ public void testResetOnHttpsClient() throws Exception {
     }
 
     /**
-     * After reset(), close() should complete without errors
-     * (the Flight client is already nulled out; close handles null gracefully).
+     * After reset(), close() should complete without errors.
+     * reset() eagerly rebuilds the Flight client, so close() tears down the new connection.
      */
     public void testCloseAfterReset() throws Exception {
         SpiceClient client = SpiceClient.builder().build();
@@ -199,7 +198,7 @@ public void testTryWithResourcesAndReset() throws Exception {
 
     /**
      * Concurrent calls to reset() from multiple threads should not throw
-     * or corrupt state (all methods are synchronized).
+     * or corrupt the client's internal state (reset() is expected to be thread-safe).
      */
     public void testConcurrentResetDoesNotThrow() throws Exception {
         final SpiceClient client = SpiceClient.builder().build();