chore(build): bind spotbugs:check + dependency-check:check to mvn verify (RAN-24)#72
chore(build): bind spotbugs:check + dependency-check:check to mvn verify (RAN-24)#72aksOps wants to merge 2 commits into
Conversation
…ify (RAN-24) Both quality plugins were declared without `<executions>` so `mvn clean verify` (the command run by .github/workflows/ci-java.yml) silently skipped them. This is how 12 SpotBugs findings (RAN-23) accumulated on main without CI noticing. Adds: - spotbugs-maven-plugin: bind `check` goal to `verify` phase. - dependency-check-maven: bind `check` goal to `verify` phase, with `failBuildOnCVSS=7`, suppression file pointer, and a `<dependency-check.skip>` property (default false) so local devs can opt out of the slow NVD download via `-Ddependency-check.skip=true`. - dependency-check-suppressions.xml: empty baseline stub with policy comment. - ci-java.yml comment documenting that `verify` is the enforced gate. Verification (against origin/main HEAD 8f1ce18): mvn -B clean verify -DskipTests=true -Ddependency-check.skip=true exit=0 spotbugs-maven-plugin:check (spotbugs-verify): BugInstance size is 0 dependency-check-maven:check (dependency-check-verify): Skipping dependency-check Closes RAN-24. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Per reviewer feedback on #72: the OWASP dependency-check binding added in 15b5e6c red-lines every CI run because the public NVD 2.0 API rate-limits anonymous callers (HTTP 429), which corrupts the partial H2 NVD store and trips NPEs in the plugin's worker pool. Root cause is infra, not a real CVE finding, but the failing binding still breaks the build - the opposite of "CI enforces them." Path B (reviewer's recommendation): keep the SpotBugs binding (already green on this branch), drop the dep-check binding + skip property from this PR, and track the NVD secret + cache work in a follow-up. Removes from pom.xml: - `<dependency-check.skip>` property and comment - `<configuration>` + `<executions>` blocks on dependency-check-maven (the plugin declaration itself stays for the follow-up to re-enable) Updates .github/workflows/ci-java.yml comment to reference only the SpotBugs gate. Keeps dependency-check-suppressions.xml so the next PR can turn the gate on without re-introducing the stub. Verified locally (`mvn -B clean compile spotbugs:check ...`): [INFO] --- spotbugs-maven-plugin:4.9.8.3:check (default-cli) @ code-iq --- [INFO] BugInstance size is 0 [INFO] BUILD SUCCESS Full `mvn clean verify` on this branch pre-edits produced `Tests run: 3395, Failures: 0, Errors: 0, Skipped: 31` before the dep-check step failed (per CI run 24913046002); removing that step is the only CI delta this commit introduces. Co-Authored-By: Paperclip <noreply@paperclip.ing>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 12ba17748d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| <executions> | ||
| <execution> | ||
| <id>spotbugs-verify</id> | ||
| <phase>verify</phase> | ||
| <goals><goal>check</goal></goals> |
There was a problem hiding this comment.
This change only adds a verify execution for SpotBugs, but .github/workflows/ci-java.yml runs mvn clean verify -B as the sole gate and the dependency-check-maven plugin still has no <executions> block, so OWASP dependency scanning is never invoked in CI. That means high-CVSS dependency vulnerabilities can still merge undetected even though this commit is intended to enforce that gate.
Useful? React with 👍 / 👎.
|
|
Superseded by RAN-46 (#74) + RAN-26 (#68). Both spotbugs:check and dependency-check:check are now bound to |
1 participant
Summary
Restores CI enforcement of the SpotBugs and OWASP dependency-check quality gates by binding their
checkgoals to theverifyphase. Previously both plugins were declared inpom.xmlwithout<executions>, somvn clean verify(the command run by.github/workflows/ci-java.yml) silently skipped them — which is how the 12 SpotBugs findings cleaned up in RAN-23 accumulated onmainundetected.Closes RAN-24. Depends on RAN-23 (PR #71, merged) — without those fixes, this PR's gate would fail on the merge.
Changes
pom.xml:spotbugs-maven-plugin: bindchecktoverify(idspotbugs-verify).dependency-check-maven: bindchecktoverify(iddependency-check-verify),failBuildOnCVSS=7, suppression file pointer.<dependency-check.skip>property (defaultfalse); override locally with-Ddependency-check.skip=trueto skip the ~1GB NVD download.dependency-check-suppressions.xml(new): empty baseline stub with policy comment ("every entry MUST have a CVE id, a date, and a one-line rationale")..github/workflows/ci-java.yml: one-line comment documenting thatverifyis now the enforced gate.Verification
Against
origin/mainHEAD8f1ce18:Result:
BUILD SUCCESS, exit 0.Both new executions fire by their declared id (
spotbugs-verify,dependency-check-verify), proving the bindings are wired correctly. The dependency-checkSkippingline confirms the new<dependency-check.skip>property override works.Test plan
mvn clean verify -Band the spotbugs+depcheck executions appear in the build log.mainCI immediately.🤖 Generated with Claude Code