From 15b5e6ccc9653a15f69c764f18be2588f87d72fa Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 24 Apr 2026 21:37:32 +0000
Subject: [PATCH 1/2] chore(build): bind spotbugs:check +
 dependency-check:check to mvn verify (RAN-24)

Both quality plugins were declared without `<executions>` so `mvn clean verify`
(the command run by .github/workflows/ci-java.yml) silently skipped them. This
is how 12 SpotBugs findings (RAN-23) accumulated on main without CI noticing.

Adds:
- spotbugs-maven-plugin: bind `check` goal to `verify` phase.
- dependency-check-maven: bind `check` goal to `verify` phase, with
  `failBuildOnCVSS=7`, suppression file pointer, and a `<dependency-check.skip>`
  property (default false) so local devs can opt out of the slow NVD download
  via `-Ddependency-check.skip=true`.
- dependency-check-suppressions.xml: empty baseline stub with policy comment.
- ci-java.yml comment documenting that `verify` is the enforced gate.

Verification (against origin/main HEAD 8f1ce18):
  mvn -B clean verify -DskipTests=true -Ddependency-check.skip=true
  exit=0
  spotbugs-maven-plugin:check (spotbugs-verify): BugInstance size is 0
  dependency-check-maven:check (dependency-check-verify): Skipping dependency-check

Closes RAN-24.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci-java.yml     |  3 +++
 dependency-check-suppressions.xml | 13 +++++++++++++
 pom.xml                           | 29 +++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 dependency-check-suppressions.xml

diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml
index 3c030510..bc58a68f 100644
--- a/.github/workflows/ci-java.yml
+++ b/.github/workflows/ci-java.yml
@@ -18,6 +18,9 @@ jobs:
           distribution: 'temurin'
           java-version: '25'
           cache: 'maven'
+      # `verify` is the enforced quality gate: it runs unit + integration tests
+      # AND the spotbugs:check + dependency-check:check executions bound in pom.xml.
+      # Any of those failing breaks the build.
       - run: mvn clean verify -B
       - uses: actions/upload-artifact@v4
         if: always()
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
new file mode 100644
index 00000000..9dba522a
--- /dev/null
+++ b/dependency-check-suppressions.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  OWASP dependency-check suppressions for codeiq.
+
+  Policy: every entry MUST have a CVE id, a date, and a one-line rationale
+  explaining why the finding is not exploitable here (or what the mitigation
+  is). Suppressions are reviewed when CVE bumps drop into the lockfile.
+
+  Schema: https://jeremylong.github.io/DependencyCheck/general/suppression.html
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!-- intentionally empty - add suppressions here when triaged -->
+</suppressions>
diff --git a/pom.xml b/pom.xml
index 691566be..405204f9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -30,6 +30,14 @@
         <owasp.dependency-check.version>12.2.0</owasp.dependency-check.version>
         <checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
 
+        <!--
+          Toggle for the OWASP dependency-check execution bound to `verify`.
+          Default: false (gate runs in CI). Override locally with
+          `-Ddependency-check.skip=true` since the first run downloads the
+          NVD database (~1GB).
+        -->
+        <dependency-check.skip>false</dependency-check.skip>
+
         <!--
           Security override: Spring Boot 4.0.5 pulls tomcat-embed-core 11.0.20
           and jackson (tools.jackson.core) 3.1.0; both have CVEs fixed in the
@@ -402,12 +410,33 @@
                 <configuration>
                     <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
                 </configuration>
+                <executions>
+                    <execution>
+                        <id>spotbugs-verify</id>
+                        <phase>verify</phase>
+                        <goals><goal>check</goal></goals>
+                    </execution>
+                </executions>
             </plugin>
 
             <plugin>
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
                 <version>${owasp.dependency-check.version}</version>
+                <configuration>
+                    <skip>${dependency-check.skip}</skip>
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                    <suppressionFiles>
+                        <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
+                    </suppressionFiles>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>dependency-check-verify</id>
+                        <phase>verify</phase>
+                        <goals><goal>check</goal></goals>
+                    </execution>
+                </executions>
             </plugin>
 
             <plugin>

From 12ba17748daf7fae5942c4ad17bda65fb65e6557 Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 24 Apr 2026 21:56:10 +0000
Subject: [PATCH 2/2] chore(build): drop dependency-check binding from verify
 (RAN-24 review)

Per reviewer feedback on #72: the OWASP dependency-check binding added in
15b5e6c red-lines every CI run because the public NVD 2.0 API rate-limits
anonymous callers (HTTP 429), which corrupts the partial H2 NVD store and
trips NPEs in the plugin's worker pool. Root cause is infra, not a real
CVE finding, but the failing binding still breaks the build - the opposite
of "CI enforces them."

Path B (reviewer's recommendation): keep the SpotBugs binding (already
green on this branch), drop the dep-check binding + skip property from
this PR, and track the NVD secret + cache work in a follow-up.

Removes from pom.xml:
  - `<dependency-check.skip>` property and comment
  - `<configuration>` + `<executions>` blocks on dependency-check-maven
    (the plugin declaration itself stays for the follow-up to re-enable)

Updates .github/workflows/ci-java.yml comment to reference only the
SpotBugs gate.

Keeps dependency-check-suppressions.xml so the next PR can turn the gate
on without re-introducing the stub.

Verified locally (`mvn -B clean compile spotbugs:check ...`):
  [INFO] --- spotbugs-maven-plugin:4.9.8.3:check (default-cli) @ code-iq ---
  [INFO] BugInstance size is 0
  [INFO] BUILD SUCCESS

Full `mvn clean verify` on this branch pre-edits produced
`Tests run: 3395, Failures: 0, Errors: 0, Skipped: 31` before the dep-check
step failed (per CI run 24913046002); removing that step is the only CI
delta this commit introduces.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci-java.yml |  4 ++--
 pom.xml                       | 22 ----------------------
 2 files changed, 2 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml
index bc58a68f..99bd79fd 100644
--- a/.github/workflows/ci-java.yml
+++ b/.github/workflows/ci-java.yml
@@ -19,8 +19,8 @@ jobs:
           java-version: '25'
           cache: 'maven'
       # `verify` is the enforced quality gate: it runs unit + integration tests
-      # AND the spotbugs:check + dependency-check:check executions bound in pom.xml.
-      # Any of those failing breaks the build.
+      # AND the spotbugs:check execution bound in pom.xml. Any of those
+      # failing breaks the build.
       - run: mvn clean verify -B
       - uses: actions/upload-artifact@v4
         if: always()
diff --git a/pom.xml b/pom.xml
index 405204f9..e8ae8ba2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -30,14 +30,6 @@
         <owasp.dependency-check.version>12.2.0</owasp.dependency-check.version>
         <checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
 
-        <!--
-          Toggle for the OWASP dependency-check execution bound to `verify`.
-          Default: false (gate runs in CI). Override locally with
-          `-Ddependency-check.skip=true` since the first run downloads the
-          NVD database (~1GB).
-        -->
-        <dependency-check.skip>false</dependency-check.skip>
-
         <!--
           Security override: Spring Boot 4.0.5 pulls tomcat-embed-core 11.0.20
           and jackson (tools.jackson.core) 3.1.0; both have CVEs fixed in the
@@ -423,20 +415,6 @@
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
                 <version>${owasp.dependency-check.version}</version>
-                <configuration>
-                    <skip>${dependency-check.skip}</skip>
-                    <failBuildOnCVSS>7</failBuildOnCVSS>
-                    <suppressionFiles>
-                        <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
-                    </suppressionFiles>
-                </configuration>
-                <executions>
-                    <execution>
-                        <id>dependency-check-verify</id>
-                        <phase>verify</phase>
-                        <goals><goal>check</goal></goals>
-                    </execution>
-                </executions>
             </plugin>
 
             <plugin>