From 4dcedc610b56839c04e64bfe007ec30dd870f96d Mon Sep 17 00:00:00 2001
From: arolfes <arolfes@users.noreply.github.com>
Date: Fri, 12 Feb 2021 12:07:32 +0100
Subject: [PATCH] Close #203: use spotbugs to identify possible code problems

* added spotbugs gradle plugin
* added seperate job in GHA continous-integration that spotbugs analysis is always executed when a PR is created
* defined exclude rule that all generated classes beginning with $ are ignored
---
 .github/workflows/continous-integration.yml   | 28 +++++++++++++++++++
 gradle.properties                             |  1 +
 micronaut-camunda-bpm-feature/build.gradle    | 26 +++++++++++++++++
 .../config/spotbugs/exclude.xml               |  6 ++++
 settings.gradle                               |  1 +
 5 files changed, 62 insertions(+)
 create mode 100644 micronaut-camunda-bpm-feature/config/spotbugs/exclude.xml

diff --git a/.github/workflows/continous-integration.yml b/.github/workflows/continous-integration.yml
index 5b01c0a65..9d47abd3f 100644
--- a/.github/workflows/continous-integration.yml
+++ b/.github/workflows/continous-integration.yml
@@ -40,3 +40,31 @@ jobs:
             ${{ runner.os }}-gradle-
       - name: Build with Gradle Wrapper
         run: ./gradlew build --warning-mode=fail -Pmicronaut.runtime=${{ matrix.runtime }}
+
+  spotbugs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git Checkout
+        uses: actions/checkout@v2
+      - name: Set up JDK 8
+        uses: actions/setup-java@v1
+        with:
+          java-version: 8
+      - name: Cache Dependencies #see https://github.com/actions/cache/blob/master/examples.md#java---gradle
+        uses: actions/cache@v2
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-spotbugs-gradle-${{ hashFiles('**/*.gradle*') }}
+          restore-keys: |
+            ${{ runner.os }}-spotbugs-gradle-
+      - name: Spotbugs Checks
+        id: spotbugs_checks
+        # ignoreFailures set to true that the xmlReport can parsed and uploaded by next step otherwise this step will fail and the findings are not visible
+        # xmlReport set to true that the next step can parse the xml and upload the findings
+        run: ./gradlew spotbugsMain -Pspotbugs.ignoreFailures=true -Pspotbugs.xmlReport=true
+      - name: Publish Spotbugs Results
+# TODO switch to orignial GHA when PR jwgmeligmeyling/spotbugs-github-action#10 is integrated
+        uses: arolfes/spotbugs-github-action@master
+        with:
+          path: '**/spotbugs/*.xml'
+          threshold: 0 # apply zero-warning policy
diff --git a/gradle.properties b/gradle.properties
index e1acabe90..01585392f 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -15,6 +15,7 @@ camundaVersion=7.14.0
 # Latest Jersey, that implements JAX-RS 2.1 API: see https://eclipse-ee4j.github.io/jersey/download.html
 jerseyVersion=2.33
 shadowJarVersion=6.1.0
+spotbugsVersion=4.6.0
 # Prevent upload of maven-metadata.xml.sha256/sha512 files to oss.sonatype.org
 # see https://issues.sonatype.org/browse/OSSRH-53695?focusedCommentId=887733&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-887733
 # see https://github.com/gradle/gradle/issues/11308#issuecomment-554317655
diff --git a/micronaut-camunda-bpm-feature/build.gradle b/micronaut-camunda-bpm-feature/build.gradle
index e2a5e2d18..69a0765dd 100644
--- a/micronaut-camunda-bpm-feature/build.gradle
+++ b/micronaut-camunda-bpm-feature/build.gradle
@@ -6,6 +6,7 @@ plugins {
     id("org.jetbrains.kotlin.plugin.allopen")
     id("maven-publish")
     id("signing")
+    id("com.github.spotbugs")
 }
 
 group = "info.novatec"
@@ -131,3 +132,28 @@ signing {
 configurations {
     testArtifacts
 }
+
+// When spotbugs is executed locally, it will fail when there is one finding
+// When spotbugs is executed in "continous integration" it will not fail and we can upload the spotbug results to PR
+boolean ignoreFailuresProperties = project.properties['spotbugs.ignoreFailures'] == 'true'
+// When spotbugs is executed locally, it will produce a nice HTML report
+// When spotbugs is executed in "continous integration" it will generate XML that can be parsed and uploaded to PR
+boolean xmlReport = project.properties['spotbugs.xmlReport'] == 'true'
+spotbugs {
+    ignoreFailures = ignoreFailuresProperties
+    effort = com.github.spotbugs.snom.Effort.MAX
+    excludeFilter = file("${projectDir}/config/spotbugs/exclude.xml")
+}
+// Example to configure HTML report
+spotbugsMain {
+    reports {
+        xml {
+            enabled = xmlReport
+        }
+        html {
+            enabled = !xmlReport
+            destination = file("$buildDir/reports/spotbugs/main/spotbugs.html")
+            stylesheet = 'fancy-hist.xsl' // comes from spotbugs
+        }
+    }
+}
\ No newline at end of file
diff --git a/micronaut-camunda-bpm-feature/config/spotbugs/exclude.xml b/micronaut-camunda-bpm-feature/config/spotbugs/exclude.xml
new file mode 100644
index 000000000..e2da548a8
--- /dev/null
+++ b/micronaut-camunda-bpm-feature/config/spotbugs/exclude.xml
@@ -0,0 +1,6 @@
+<FindBugsFilter>
+  <Match>
+    <!-- Exclude all Micronaut generated Classes from Annotations -->
+    <Class name="~.*\.\$.*" />
+  </Match>
+</FindBugsFilter>
diff --git a/settings.gradle b/settings.gradle
index a1eb9b564..ba22a2a9f 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -6,6 +6,7 @@ pluginManagement {
         id("com.github.johnrengelman.shadow") version "$shadowJarVersion"
         id("io.micronaut.application") version "$micronautApplicationPluginVersion"
         id("io.micronaut.library") version "$micronautLibraryPluginVersion"
+        id("com.github.spotbugs") version "$spotbugsVersion"
     }
 }