Adds the following analysis tools to the MMTC Gradle build:

rmseng · rmseng · commit f0ac7bd9112e · 2025-12-04T14:20:17.000-05:00
- SpotBugs (with FindSecBugs)
  - This is currently enabled for all subprojects, where it adds two new tasks (spotbugsMain and spotbugsTest) that generate reports
  - These task's configuration currently do not fail the build when issues are found; we will enable this and start pursuing incremental improvement in future changes
- A dependency checker, provided by OWASP
  - This is currently disabled, as it seems that the database it relies on (NVD) is essentially unavailable at this time

Also converted Asciidoctor task to a simpler JavaExec task that can run in a forked JVM, as its SnakeYAML dependency conflicts with a dependency of one of the new plugins.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,13 +1,11 @@
 import com.netflix.gradle.plugins.packaging.CopySpecEnhancement.permissionGroup
 import com.netflix.gradle.plugins.packaging.CopySpecEnhancement.user
 import com.netflix.gradle.plugins.rpm.Rpm
-import org.asciidoctor.gradle.jvm.pdf.AsciidoctorPdfTask
 
 plugins {
     distribution
     id("com.netflix.nebula.ospackage") version "11.11.2"
-    id("org.asciidoctor.jvm.convert") version "4.0.5"
-    id("org.asciidoctor.jvm.pdf") version "4.0.5"
+    id("mmtc.java-conventions")
 }
 
 allprojects {
@@ -29,27 +27,35 @@ allprojects {
     }
 }
 
-asciidoctorj {
-    fatalWarnings("Errno")
+val asciidoctorRuntime by configurations.creating
+
+dependencies {
+    asciidoctorRuntime("org.asciidoctor:asciidoctorj:2.5.7")
+    asciidoctorRuntime("org.asciidoctor:asciidoctorj-pdf:2.3.10")
 }
 
-val asciidoctor = tasks.register<AsciidoctorPdfTask>("userGuidePdf") {
+// runs in a separate JVM to hide its older snakeyaml dependency from conflicting with a newer snakeyaml dependency brought in by SCA plugins
+val asciidoctor = tasks.register<JavaExec>("userGuidePdf") {
     inputs.files("docs/MMTC_Users_Guide.adoc")
     inputs.files("docs/themes/basic/basic-theme.yml")
-
-    setBaseDir(file("docs"))
-    setSourceDir(file("docs"))
-    setOutputDir(file("build/docs"))
-    setTheme("basic")
-
     outputs.dir("build/docs")
-}
 
-pdfThemes {
-    local("basic") {
-        themeDir = file("docs/themes/basic")
-        themeName = "basic"
-    }
+    group = "documentation"
+    description = "Generate a PDF of MMTC's User Guide from its .adoc source"
+
+    classpath = asciidoctorRuntime
+    mainClass.set("org.asciidoctor.jruby.cli.AsciidoctorInvoker")
+
+    // read from https://github.com/asciidoctor/asciidoctorj/blob/main/asciidoctorj-cli/src/main/java/org/asciidoctor/cli/AsciidoctorCliOptions.java
+    args(
+        "-b", "pdf",                      // backend
+        "-B", "docs",                             // 'base' dir
+        "-R", "docs",                             // 'source' dir
+        "-D", "build/docs",                       // 'destination' dir
+        "-a", "pdf-theme=basic",                  // theme attrs
+        "-a", "pdf-themesdir=themes/basic",       // theme attrs
+        "docs/MMTC_Users_Guide.adoc"
+    )
 }
 
 val createDistDir = tasks.register("createDistDir") {
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
@@ -14,3 +14,7 @@ repositories {
     gradlePluginPortal()
 }
 
+dependencies {
+    implementation("com.github.spotbugs.snom:spotbugs-gradle-plugin:6.4.7")
+    implementation("org.owasp:dependency-check-gradle:12.1.9")
+}
diff --git a/buildSrc/src/main/kotlin/java-conventions.gradle.kts b/buildSrc/src/main/kotlin/java-conventions.gradle.kts
diff --git a/buildSrc/src/main/kotlin/mmtc.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/mmtc.java-conventions.gradle.kts
@@ -0,0 +1,64 @@
+import com.github.spotbugs.snom.Confidence
+
+plugins {
+    `java-library`
+    jacoco
+    id("com.github.spotbugs")
+    id("org.owasp.dependencycheck")
+}
+
+java.sourceCompatibility = JavaVersion.VERSION_1_8
+
+tasks.withType<JavaCompile>() {
+    options.encoding = "UTF-8"
+}
+
+tasks.withType<Javadoc>() {
+    options.encoding = "UTF-8"
+}
+
+tasks.test {
+    extensions.configure(JacocoTaskExtension::class) {
+        includes = listOf("edu.jhuapl.*")
+    }
+}
+
+dependencies {
+    spotbugsPlugins("com.h3xstream.findsecbugs:findsecbugs-plugin:1.14.0")
+}
+
+// --------------------------------------------
+// SpotBugs configuration
+// --------------------------------------------
+
+spotbugs {
+    ignoreFailures.set(true)             // todo set to 'false' to fail build upon failures found in spotbugs tasks
+    reportLevel.set(Confidence.MEDIUM)
+}
+
+tasks.spotbugsMain {
+    enabled = true
+    reports.create("html") {
+        required.set(true)
+        outputLocation.set(file("$buildDir/reports/spotbugs.html"))
+        setStylesheet("fancy-hist.xsl")
+    }
+}
+
+tasks.spotbugsTest {
+    enabled = false    // disable SCA for test files, for now
+    reports.create("html") {
+        required.set(true)
+        outputLocation.set(file("$buildDir/reports/tests/spotbugsTest.html"))
+        setStylesheet("fancy-hist.xsl")
+    }
+}
+
+// --------------------------------------------
+// OWASP Dependency Check configuration
+// --------------------------------------------
+
+dependencyCheck {
+    failBuildOnCVSS = 7.toFloat() // range is 1 to 10, 7 and above is High and Critical
+    suppressionFile = file("../buildSrc/src/main/resources/owasp/owasp-dependency-check-suppressions.xml").toString()
+}
diff --git a/mmtc-core/build.gradle.kts b/mmtc-core/build.gradle.kts
@@ -2,7 +2,7 @@ import java.io.ByteArrayOutputStream
 import java.time.Instant
 
 plugins {
-    id("java-conventions")
+    id("mmtc.java-conventions")
     `maven-publish`
 }
 
diff --git a/mmtc-output-plugin-sdk/build.gradle.kts b/mmtc-output-plugin-sdk/build.gradle.kts
@@ -1,7 +1,7 @@
 import java.time.Instant
 
 plugins {
-    id("java-conventions")
+    id("mmtc.java-conventions")
 }
 
 dependencies {
diff --git a/mmtc-plugin-ampcs/build.gradle.kts b/mmtc-plugin-ampcs/build.gradle.kts
@@ -1,7 +1,7 @@
 import java.time.Instant
 
 plugins {
-    id("java-conventions")
+    id("mmtc.java-conventions")
 }
 
 val precompiledJniSpiceClasses by configurations.creating {
diff --git a/mmtc-tlm-source-plugin-sdk/build.gradle.kts b/mmtc-tlm-source-plugin-sdk/build.gradle.kts
@@ -1,7 +1,7 @@
 import java.time.Instant
 
 plugins {
-    id("java-conventions")
+    id("mmtc.java-conventions")
 }
 
 dependencies {

Original file line number	Diff line number	Diff line change
`@@ -14,3 +14,7 @@ repositories {`
`14`	`14`	`gradlePluginPortal()`
`15`	`15`	`}`
`16`	`16`
	`17`	`+dependencies {`
	`18`	`+ implementation("com.github.spotbugs.snom:spotbugs-gradle-plugin:6.4.7")`
	`19`	`+ implementation("org.owasp:dependency-check-gradle:12.1.9")`
	`20`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ import java.io.ByteArrayOutputStream`
`2`	`2`	`import java.time.Instant`
`3`	`3`
`4`	`4`	`plugins {`
`5`		`- id("java-conventions")`
	`5`	`+ id("mmtc.java-conventions")`
`6`	`6`	`maven-publish`
`7`	`7`	`}`
`8`	`8`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`import java.time.Instant`
`2`	`2`
`3`	`3`	`plugins {`
`4`		`- id("java-conventions")`
	`4`	`+ id("mmtc.java-conventions")`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`dependencies {`