From a9619ec73854b5141ab7962076853433df3fed4d Mon Sep 17 00:00:00 2001
From: Carsten Hammer
Date: Sat, 28 Sep 2024 20:50:39 +0200
Subject: [PATCH] Formaster (#13)

* Formaster2 (#12)

* Create codeql-analysis.yml

* Create codeql-analysis2.yml

* Create dependency-review.yml

* Create SECURITY.md

* Delete codeql-analysis2.yml

* Create sonarcloud.yml

* Delete sonarcloud.yml

* Create pmd.yml

* Update README.md

* Update codeql-analysis.yml

* Create codacy.yml

* Update pmd.yml

* Create dependabot.yml

* Update pom.xml

* Bump tycho.version from 2.3.0 to 2.7.3

Bumps `tycho.version` from 2.3.0 to 2.7.3.

Updates `tycho-compiler-plugin` from 2.3.0 to 2.7.3
- [Release notes](https://github.com/eclipse/tycho/releases)
- [Changelog](https://github.com/eclipse/tycho/blob/master/RELEASE_NOTES.md)
- [Commits](https://github.com/eclipse/tycho/compare/tycho-2.3.0...tycho-2.7.3)

Updates `tycho-p2-extras-plugin` from 2.3.0 to 2.7.3

Updates `tycho-custom-bundle-plugin` from 2.3.0 to 2.7.3

Updates `tycho-p2-plugin` from 2.3.0 to 2.7.3

Updates `tycho-surefire-plugin` from 2.3.0 to 2.7.3

---
updated-dependencies:
- dependency-name: org.eclipse.tycho:tycho-compiler-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.eclipse.tycho.extras:tycho-p2-extras-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.eclipse.tycho.extras:tycho-custom-bundle-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.eclipse.tycho:tycho-p2-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.eclipse.tycho:tycho-surefire-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]

* Delete codacy.yml

* Create maven.yml

* Bump tycho.version from 2.7.3 to 3.0.1

Bumps `tycho.version` from 2.7.3 to 3.0.1.

Updates `tycho-compiler-plugin` from 2.7.3 to 3.0.1
- [Release notes](https://github.com/eclipse/tycho/releases)
- [Changelog](https://github.com/eclipse-tycho/tycho/blob/tycho-3.0.1/RELEASE_NOTES.md)
- [Commits](https://github.com/eclipse/tycho/compare/tycho-2.7.3...tycho-3.0.1)

Updates `tycho-p2-extras-plugin` from 2.7.3 to 3.0.1

Updates `tycho-custom-bundle-plugin` from 2.7.3 to 3.0.1

Updates `tycho-p2-plugin` from 2.7.3 to 3.0.1

Updates `tycho-surefire-plugin` from 2.7.3 to 3.0.1

---
updated-dependencies:
- dependency-name: org.eclipse.tycho:tycho-compiler-plugin
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.eclipse.tycho.extras:tycho-p2-extras-plugin
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.eclipse.tycho.extras:tycho-custom-bundle-plugin
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.eclipse.tycho:tycho-p2-plugin
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.eclipse.tycho:tycho-surefire-plugin
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]

* Update maven.yml

* Update dependabot.yml

* Bump pmd/pmd-github-action from 1.2.0 to 1.3.0

Bumps [pmd/pmd-github-action](https://github.com/pmd/pmd-github-action) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/pmd/pmd-github-action/releases)
- [Changelog](https://github.com/pmd/pmd-github-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/pmd/pmd-github-action/compare/967a81f8b657c87f7c3e96b62301cb1a48efef29...f47ab08ac718d79f712f556dd11d6448245643bc)

---
updated-dependencies:
- dependency-name: pmd/pmd-github-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]

* Bump actions/setup-java from 2 to 3

Bumps [actions/setup-java](https://github.com/actions/setup-java) from 2 to 3.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]

* Bump actions/dependency-review-action from 1 to 3

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1 to 3.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/v1...v3)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] * Bump cirrus-actions/rebase from 1.7 to 1.8 Bumps [cirrus-actions/rebase](https://github.com/cirrus-actions/rebase) from 1.7 to 1.8. - [Release notes](https://github.com/cirrus-actions/rebase/releases) - [Commits](https://github.com/cirrus-actions/rebase/compare/1.7...1.8) --- updated-dependencies: - dependency-name: cirrus-actions/rebase dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update pom.xml --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/dependabot.yml | 13 +++-- .github/workflows/codeql-analysis.yml | 72 +++++++++++++++++++++++++ .github/workflows/dependency-review.yml | 20 +++++++ .github/workflows/maven.yml | 26 +++++++++ .github/workflows/pmd.yml | 41 ++++++++++++++ README.md | 3 ++ SECURITY.md | 21 ++++++++ pom.xml | 1 + 8 files changed, 193 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/codeql-analysis.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/maven.yml create mode 100644 .github/workflows/pmd.yml create mode 100644 SECURITY.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 71607d0c3c2..f68a6a09856 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,11 @@ version: 2 updates: -- package-ecosystem: github-actions - directory: "/" - schedule: - interval: daily + - package-ecosystem: "maven" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "daily" + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: daily + diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000000..ae1a4b57016 
--- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,72 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '43 16 * * 5' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'java' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000000..34b14c395b9 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,20 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v3 diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml new file mode 100644 index 00000000000..55677f94415 --- /dev/null +++ b/.github/workflows/maven.yml 
@@ -0,0 +1,26 @@ +# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time +# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven + +name: Java CI with Maven + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: '17' + distribution: 'adopt' + cache: maven + - name: Build with Maven + run: mvn -B package -Pbuild-individual-bundles --file pom.xml diff --git a/.github/workflows/pmd.yml b/.github/workflows/pmd.yml new file mode 100644 index 00000000000..6e1c21fe165 --- /dev/null +++ b/.github/workflows/pmd.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: pmd + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '26 4 * * 3' + +permissions: + contents: read + +jobs: + pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up JDK 11 + uses: actions/setup-java@v3 + with: + java-version: '11' + distribution: 'temurin' + - name: Run PMD + id: pmd + uses: pmd/pmd-github-action@f47ab08ac718d79f712f556dd11d6448245643bc + with: + rulesets: 'rulesets/java/quickstart.xml' + analyzeModifiedFilesOnly: false + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: pmd-report.sarif diff --git a/README.md b/README.md index 7d2e3321197..71fead88ec7 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,9 @@ This is the core part of Eclipse's Java development tools. It contains the non-U For more information and important links, refer to the [JDT wiki page](https://github.com/eclipse-jdt/eclipse.jdt.core/wiki) or the [JDT project overview page](https://projects.eclipse.org/projects/eclipse.jdt). +[![CodeQL](https://github.com/carstenartur/eclipse.jdt.core/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/carstenartur/eclipse.jdt.core/actions/workflows/codeql-analysis.yml) + + ## Snapshot builds - Latest nightly, milestone and release SDK and ECJ builds are available at https://download.eclipse.org/eclipse/downloads/ diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..034e8480320 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. diff --git a/pom.xml b/pom.xml index ed9b192c1f8..ceea57ded8c 100644 --- a/pom.xml +++ b/pom.xml @@ -25,6 +25,7 @@ scm:git:https://github.com/eclipse-jdt/eclipse.jdt.core.git + 4.0.3
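Review bot: in the `.github/dependabot.yml` hunk the new `maven` entry keeps the template placeholder comments (`# See documentation for possible values`, `# Location of package manifests`) and the hunk ends with an empty `+` line, which adds a trailing blank line; drop both. Quoting is also inconsistent between the two entries (`"maven"` and `"daily"` quoted, `github-actions` and `daily` not); pick one style so the file is easier to diff on the next bump.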
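Review bot: in `codeql-analysis.yml` the build is delegated to `github/codeql-action/autobuild@v2`, while `maven.yml` in this same patch shows the project is built with `mvn -B package -Pbuild-individual-bundles --file pom.xml` on JDK 17; if Autobuild does not pick up that profile and JDK, the Java database will be incomplete or the job will fail, so consider replacing the Autobuild step with a `setup-java` step plus that explicit `run:` line, which is exactly the fallback the template's own comment describes. The template boilerplate (`We have attempted to detect the languages…`, the commented-out `queries:` and `run:` lines) can be trimmed once the `language` matrix is confirmed. Action references use floating major tags (`actions/checkout@v3`, `github/codeql-action/init@v2`), unlike `pmd.yml` in this patch, which pins by commit SHA; the `permissions` block (read `actions` and `contents`, write `security-events`) is correctly minimal.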
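Review bot: `dependency-review.yml` only reports by itself; as its own header comment says, PRs that introduce known-vulnerable packages are blocked only when the run is marked as a required check, so branch protection on `master` needs that configured, and the `SECURITY.md` added in this patch is the place to state it. The header comment also carries the template typo `Pull Reqest`. Same remark as for CodeQL on floating tags (`actions/checkout@v3`, `actions/dependency-review-action@v3`); `permissions: contents: read` is the right minimum for this job.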
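Review bot: `maven.yml` sets up JDK 17 with `distribution: 'adopt'`, while `pmd.yml` sets up JDK 11 with `distribution: 'temurin'`; the two workflows should agree on the JDK the Tycho build actually requires, and `temurin` is the maintained successor of the AdoptOpenJDK builds, so use it in both. `cache: maven` is good here; the PMD job, which also resolves the Maven tree, does not set it.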
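Review bot: in `pmd.yml` the action is correctly pinned to a full commit SHA (`pmd/pmd-github-action@f47ab08ac718d79f712f556dd11d6448245643bc`), but there is no version comment beside it; the dependabot message in this patch maps that SHA to 1.3.0, so append `# v1.3.0` so reviewers and future bumps can read the version without resolving the hash. `id: pmd` is declared but never referenced; remove it or use it. `analyzeModifiedFilesOnly: false` scans the whole tree on every push and pull request; if PR turnaround matters, set it to `${{ github.event_name != 'pull_request' }}` so full scans run on `push` and the Wednesday `schedule` and PRs only get their changed files.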
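Review bot: the `README.md` hunk adds a CodeQL badge pointing at `carstenartur/eclipse.jdt.core`, i.e. the fork, while the surrounding text links the upstream `eclipse-jdt/eclipse.jdt.core`; if this is meant to go upstream the badge URLs must change, otherwise the badge is fork-specific and should not be in the shared README. It also inserts two blank lines before `## Snapshot builds`; one is enough.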
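Review bot: `SECURITY.md` is the unedited GitHub template: the `Supported Versions` table lists `5.1.x`, `5.0.x`, `4.0.x` and `< 4.0`, which are the template's sample values rather than this project's releases, and `Reporting a Vulnerability` still reads `Use this section to tell people how to report a vulnerability.` Published as-is it gives a reporter no channel and advertises version support that does not exist; fill in the real supported versions, the private reporting route and the expected response times, or hold this file back from the merge.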
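Review bot: the `pom.xml` hunk adds a single line `4.0.3` after the `scm` connection URL, and the element that value belongs to is not visible in this rendering; the commit message only says `Update pom.xml`. State in the message which property or version `4.0.3` sets and why it changes in a PR that otherwise only adds CI configuration.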