Enable FindBugs analysis

Samsung · Sep 26, 2022 · 90993ff · 90993ff
1 parent bac3f49
commit 90993ff
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 6 deletions.
diff --git a/.github/workflows/findbugs.yml b/.github/workflows/findbugs.yml
@@ -0,0 +1,34 @@
+name: FindBugs Analysis
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+  pull-requests: write
+
+jobs:
+  test-suite:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
+    - name: Set up JDK 11
+      uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3
+      with:
+        java-version: '11'
+        distribution: 'temurin'
+        cache: maven
+    - name: Build with Maven
+      run: mvn -B package --file pom.xml
+    - name: Generate report
+      run: mvn spotbugs:spotbugs
+    - name: Upload FindBugs report as a workflow artifact
+      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
+      with:
+        name: findbugs-report
+        path: target/spotbugsXml.xml
+      continue-on-error: true
diff --git a/README.md b/README.md
@@ -71,13 +71,11 @@ A template of the `licenses.json` file can be found in the repository at `src/ma
    # according to the template at 'src/main/resources/licenses.json')
    # > option "scanner": take conflicts from the scanner response
     license_conflict=json
-   
-   # Alternatively, you can supply all the necessary values associated with github
-   # and license using these env variables:
-   # LPVS_GITHUB_LOGIN, LPVS_GITHUB_TOKEN, LPVS_GITHUB_API_URL, LPVS_GITHUB_SECRET,
-   # LPVS_LICENSE_FILEPATH and LPVS_LICENSE_CONFLICT.
     ```
 
+   Alternatively, you can supply all the necessary values associated with GitHub and license using these env variables:
+   `LPVS_GITHUB_LOGIN`, `LPVS_GITHUB_TOKEN`, `LPVS_GITHUB_API_URL`, `LPVS_GITHUB_SECRET`, `LPVS_LICENSE_FILEPATH` and `LPVS_LICENSE_CONFLICT`.
+
 4. Build LPVS application with Maven, then run it:
     ```bash
     mvn clean install

diff --git a/pom.xml b/pom.xml
@@ -134,6 +134,21 @@
                     </compilerArgs>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-maven-plugin</artifactId>
+                <version>4.7.1.1</version>
+                <configuration>
+                    <includeFilterFile>spotbugs-security-include.xml</includeFilterFile>
+                    <plugins>
+                        <plugin>
+                            <groupId>com.h3xstream.findsecbugs</groupId>
+                            <artifactId>findsecbugs-plugin</artifactId>
+                            <version>1.12.0</version>
+                        </plugin>
+                    </plugins>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 

diff --git a/spotbugs-security-include.xml b/spotbugs-security-include.xml
@@ -0,0 +1,5 @@
+<FindBugsFilter>
+    <Match>
+        <Bug category="SECURITY"/>
+    </Match>
+</FindBugsFilter>
diff --git a/src/main/java/com/lpvs/controller/GitHubWebhooksController.java b/src/main/java/com/lpvs/controller/GitHubWebhooksController.java
@@ -102,7 +102,7 @@ public boolean wrongSecret(String signature, String payload) throws Exception {
         SecretKeySpec key = new SecretKeySpec(GITHUB_SECRET.getBytes("utf-8"), ALGORITHM);
         Mac mac = Mac.getInstance(ALGORITHM);
         mac.init(key);
-        String githubSecret = Hex.encodeHexString(mac.doFinal(payload.getBytes()));
+        String githubSecret = Hex.encodeHexString(mac.doFinal(payload.getBytes("utf-8")));
 
         LOG.info("lpvs   signature: " + lpvsSecret);
         LOG.info("github signature: " + githubSecret);