Merge pull request #132 from cicirello/spotbugs

Configured SpotBugs and FindSecBugs

CHANGELOG.md

@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased] - 2023-01-12
+## [Unreleased] - 2023-08-05
 
 ### Added
 
@@ -17,6 +17,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 ### CI/CD
+* Integrated SpotBugs into build process.
+* Integrated Find Security Bugs into build process.
 
 ### Other
 

README.md

@@ -155,6 +155,15 @@ To include generation of a code coverage report during the build,
 execute `mvn package -Pcoverage` at the root of the repository to 
 enable a Maven profile that executes JaCoCo during the test phase.
 
+To run all static analysis tools (i.e., SpotBugs, Find Security Bugs, 
+refactor-first), execute `mvn package -Panalysis` to enable a Maven 
+profile that executes the various static analysis tools that we are 
+using. The SpotBugs html report will be found in the `target` directory, 
+or you can use the SpotBugs GUI with: `mvn spotbugs:gui -Panalysis`. The 
+refactor-first report will be found in the `target/site` directory.
+
+To run all of the above: `mvn package -P "analysis,coverage"`.
+
 The jar file of the application is executable, so you then simply
 double click it to run.
 

pom.xml

@@ -153,7 +153,7 @@
             </build>
         </profile>
 		<profile>
-			<id>refactor</id>
+			<id>analysis</id>
 			<build>
 				<plugins>
 					<plugin>
@@ -173,6 +173,30 @@
 							</execution>
 						</executions>
 					</plugin>
+					<plugin>
+						<groupId>com.github.spotbugs</groupId>
+						<artifactId>spotbugs-maven-plugin</artifactId>
+						<version>4.7.3.5</version>
+						<configuration>
+							<htmlOutput>true</htmlOutput>
+							<excludeFilterFile>${session.executionRootDirectory}/spotbugs-exclude.xml</excludeFilterFile>
+							<plugins>
+								<plugin>
+									<groupId>com.h3xstream.findsecbugs</groupId>
+									<artifactId>findsecbugs-plugin</artifactId>
+									<version>1.12.0</version>
+								</plugin>
+							</plugins>
+						</configuration>
+						<executions>
+							<execution>
+								<phase>test</phase>
+								<goals>
+									<goal>spotbugs</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
 				</plugins>
 			</build>
 		</profile>

spotbugs-exclude.xml

@@ -0,0 +1,13 @@
+<FindBugsFilter>
+  <!-- Random number generation is not a security application -->
+  <Match>
+    <Bug pattern="PREDICTABLE_RANDOM" />
+  </Match>
+
+  <!-- False positive -->
+  <Match>
+    <Bug pattern="PATH_TRAVERSAL_IN" />
+	<Class name="org.cicirello.ibp.MenuBar" />
+	<Method name="saveSessionLog" />
+  </Match>
+</FindBugsFilter>

src/main/java/org/cicirello/ibp/MenuBar.java

@@ -1,6 +1,6 @@
 /*
  * Interactive Bin Packing.
- * Copyright (C) 2008, 2010, 2020-2022 Vincent A. Cicirello
+ * Copyright (C) 2008, 2010, 2020-2023 Vincent A. Cicirello
  *
  * This file is part of Interactive Bin Packing.
  *
@@ -344,9 +344,6 @@ public void actionPerformed(ActionEvent e) {
   }
 
   void saveSessionLog(File logFile) {
-    // False positive on a PATH_TRAVERSAL_IN, but @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
-    // seems to be ignored by FindSecBugs. Forced to disable detection of this type of bug entirely
-    // in lift configuration.
     if (!logFile.getPath().endsWith(".ibp")) {
       logFile = new File(logFile.getPath() + ".ibp");
       chooser.setSelectedFile(logFile);