Install FindSecBugs (#213)

(and update to the latest build conventions)

.github/dependabot.yml

@@ -17,7 +17,7 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
+      interval: monthly
   - package-ecosystem: gradle
     directory: /
     registries:

.github/release.yml

@@ -4,6 +4,7 @@ changelog:
       - documentation
       - subtask
       - chore
+      - github_actions
   categories:
     - title: Breaking Changes 🛠
       labels: [ breaking-change ]

.github/workflows/build.yml

@@ -40,7 +40,7 @@ jobs:
       - name: Build
         env:
           COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
-        run: ./gradlew javadoc check coveralls
+        run: ./gradlew build coveralls
       - name: Publish
         if: github.event_name == 'push' || github.event.inputs.publish_artifacts == 'true'
         env:

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
           distribution: 'adopt'
           cache: gradle
       - name: Ensure build is green
-        run: ./gradlew check
+        run: ./gradlew build
       - name: Release
         run: |
           # The following command will trigger the build.yml workflow as it pushes a release tag

buildSrc/src/main/kotlin/creek-common-convention.gradle.kts

@@ -17,9 +17,11 @@
 /**
  * Standard configuration of Creek projects
  *
- * <p>Version: 1.2
- *
  * <p>Apply to all java modules, usually excluding the root project in multi-module sets.
+ *
+ * <p>Version: 1.4
+ *  - 1.4: Add findsecbugs-plugin
+ *  - 1.3: Fail on warnings for test code too.
  */
 
 plugins {
@@ -64,12 +66,16 @@ repositories {
     mavenCentral()
 }
 
+dependencies {
+    spotbugsPlugins("com.h3xstream.findsecbugs:findsecbugs-plugin:1.12.0")
+}
+
 configurations.all {
     // Reduce chance of build servers running into compilation issues due to stale snapshots:
     resolutionStrategy.cacheChangingModulesFor(15, TimeUnit.MINUTES)
 }
 
-tasks.compileJava {
+tasks.withType<JavaCompile> {
     options.compilerArgs.add("-Xlint:all,-serial,-requires-automatic,-requires-transitive-automatic,-module")
     options.compilerArgs.add("-Werror")
 }

buildSrc/src/main/kotlin/creek-plugin-publishing-convention.gradle.kts

@@ -17,11 +17,12 @@
 /**
  * Configuration for Creek Gradle plugin publishing.
  *
- * <p>Version: 1.2
+ * <p>Version: 1.3
+ *  - 1.3: Switch to setting 'system' from issue-management
  *
  * <p>Apply this plugin to any module publishing a Gradle plugin.
  *
- * <p>Do NOT ally the `creek-publishing-convention`.
+ * <p>Do NOT apply the `creek-publishing-convention`.
  */
 
 plugins {
@@ -115,7 +116,7 @@ publishing {
             }
 
             issueManagement {
-                name.set("GitHub issues")
+                system.set("GitHub issues")
                 url.set("https://github.com/creek-service/${rootProject.name}/issues")
             }
 

buildSrc/src/main/kotlin/creek-publishing-convention.gradle.kts

@@ -17,7 +17,8 @@
 /**
  * Standard configuration for Creek library publishing
  *
- * <p>Version: 1.2
+ * <p>Version: 1.3
+ *  - 1.3: Switch to setting 'system' from issue-management
  *
  * <p> Apply this plugin only to subprojects if in multi-module setup.
  *
@@ -97,11 +98,6 @@ publishing {
                     url.set("https://www.creekservice.org")
                 }
 
-                issueManagement {
-                    name.set("GitHub issues")
-                    url.set("https://github.com/creek-service/${rootProject.name}/issues")
-                }
-
                 developers {
                     developer {
                         name.set("Andy Coates")
@@ -116,6 +112,11 @@ publishing {
                     developerConnection.set("scm:git:ssh://github.com/creek-service/${rootProject.name}.git")
                     url.set("https://github.com/creek-service/${rootProject.name}")
                 }
+
+                issueManagement {
+                    system.set("GitHub issues")
+                    url.set("https://github.com/creek-service/${rootProject.name}/issues")
+                }
             }
         }
     }

executor/src/main/java/org/creekservice/internal/system/test/executor/cli/PicoCliParser.java

@@ -20,6 +20,7 @@
 import static org.creekservice.api.base.type.Preconditions.requireNonEmpty;
 import static org.creekservice.internal.system.test.executor.execution.debug.ServiceDebugInfo.DEFAULT_BASE_DEBUG_PORT;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.time.Duration;
@@ -360,6 +361,7 @@ private static final class Mount implements MountInfo {
             private final Path containerPath;
             private final boolean readOnly;
 
+            @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "Trusted user input")
             Mount(final String hostPath, final String containerPath, final boolean readOnly) {
                 this.hostPath = Paths.get(requireNonEmpty(hostPath, "hostPath"));
                 this.containerPath = Paths.get(requireNonEmpty(containerPath, "containerPath"));

executor/src/test/java/org/creekservice/api/system/test/executor/SystemTestExecutorFunctionalTest.java

@@ -29,6 +29,7 @@
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.startsWith;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.BufferedReader;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -536,6 +537,7 @@ private int runExecutor(final String[] cmdArgs) {
         return runExecutor(javaArgs, cmdArgs);
     }
 
+    @SuppressFBWarnings(value = "COMMAND_INJECTION", justification = "Test code")
     private int runExecutor(final String[] javaArgs, final String[] cmdArgs) {
         final List<String> cmd = buildCommand(javaArgs, cmdArgs);
 

parser/src/test/java/org/creekservice/api/system/test/parser/TestPackagesLoaderTest.java

@@ -189,6 +189,7 @@ void shouldFilterPackages() {
         }
     }
 
+    @SuppressWarnings("try")
     @Test
     void shouldLoadLazily() {
         // When: