feat: fix linting

.github/workflows/openssf-scorecard.yml

@@ -21,6 +21,6 @@ jobs:
       contents: read
       security-events: write
       id-token: write
-    uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
+    uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@feat/branch-2.1
     with:
       publish-results: true

.github/workflows/pullrequest-workflow.yml

@@ -13,16 +13,19 @@ permissions:
 
 jobs:
   pr-checks:
-    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
+    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@feat/branch-2.1
     secrets: inherit # Pass org-level secrets (for private dependencies if any)
     permissions:
       contents: read # Clone repository and read source code
       packages: read # Access GitHub Packages for Maven dependencies
       security-events: write # Upload SpotBugs/dependency check results to Security tab
     with:
       project-type: maven
-      linters.megalint: false # Disable heavy MegaLinter
-      linters.justmiselint: true # Enable lightweight just+mise linting
+      workflows-ref: feat/branch-2.1 # Use feature branch with enhanced linting
+      linters.megalint: false # Deprecated - replaced by just+mise
+      linters.justmiselint: true # Use just+mise for all linting
+      linters.commitlint: false # Deprecated - handled by just+mise
+      linters.licenselint: false # Deprecated - handled by just+mise
 
   test:
     needs: [pr-checks]

.github/workflows/release-workflow.yml

@@ -22,7 +22,7 @@ permissions:
 
 jobs:
   release:
-    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
+    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@feat/branch-2.1
     permissions:
       contents: write # Create GitHub releases and tags
       packages: write # Publish to GitHub Packages (backup)

README.md

@@ -7,5 +7,6 @@
 
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/diggsweden/hash2curve-lib-java/badge?style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/diggsweden/hash2curve-lib-java)
 
-This library implements Hash2Curve and Hash2Scalar according to RFC 9380 for a number of common curves, including
-common NIST curves.
+This library implements Hash2Curve and Hash2Scalar according to RFC 9380 for a number of common curves, including common NIST curves.
+
+Test

development/sast/pmd_default_java.xml

@@ -60,7 +60,6 @@ SPDX-License-Identifier: EUPL-1.2
     <rule ref="category/java/errorprone.xml/UnconditionalIfStatement" />
     <rule ref="category/java/errorprone.xml/UnnecessaryConversionTemporary" />
     <rule ref="category/java/errorprone.xml/UnusedNullCheckInEquals" />
-    <rule ref="category/java/errorprone.xml/UselessOperationOnImmutable" />
 
     <rule ref="category/java/multithreading.xml/AvoidThreadGroup" />
     <rule ref="category/java/multithreading.xml/DontCallThreadRun" />

justfile

@@ -36,7 +36,7 @@ install:
     @mise install
     @printf '{{green}}{{checkmark}} All tools installed{{nc}}\n'
 
-# Run all quality verifications (replaces code_quality.sh)
+# Run all quality verifications
 verify: verify-deps lint test lint-license
     @printf '\n{{yellow}}======== QUALITY CHECK SUMMARY ========{{nc}}\n\n'
     @printf '{{green}}{{checkmark}} All checks completed{{nc}}\n'
@@ -64,47 +64,60 @@ verify-deps:
     fi
     printf '\n'
 
-# Run all linters
+# ** Run all linters
 lint: lint-java lint-markdown lint-yaml lint-actions lint-shell lint-commit lint-secrets
     @printf '{{green}}{{checkmark}} All linting passed{{nc}}\n'
 
+# Lint Java code (via Maven plugins)
+# linter-name: Java Code Quality
+# linter-tools: checkstyle, pmd, spotbugs
 # Lint Java code (via Maven plugins)
 lint-java:
     @printf '{{yellow}}************ JAVA LINTING ***********{{nc}}\n'
     @mvn {{maven_opts}} checkstyle:check pmd:check spotbugs:check
     @printf '{{green}}{{checkmark}} Java linting passed{{nc}}\n\n'
 
+# linter-name: Markdown
+# linter-tools: rumdl
 # Lint markdown files
 lint-markdown:
     @printf '{{yellow}}************ MARKDOWN LINTING ***********{{nc}}\n'
     @rumdl check . || exit 1
     @printf '{{green}}{{checkmark}} Markdown linting passed{{nc}}\n\n'
 
+# linter-name: YAML Formatting
+# linter-tools: yamlfmt
 # Lint YAML files
 lint-yaml:
     @printf '{{yellow}}************ YAML LINTING ***********{{nc}}\n'
     @yamlfmt -lint . || exit 1
     @printf '{{green}}{{checkmark}} YAML linting passed{{nc}}\n\n'
 
+# linter-name: GitHub Actions
+# linter-tools: actionlint
 # Lint GitHub Actions
 lint-actions:
     @printf '{{yellow}}************ ACTIONS LINTING ***********{{nc}}\n'
     @actionlint || exit 1
     @printf '{{green}}{{checkmark}} Actions linting passed{{nc}}\n\n'
 
+# linter-name: Shell Scripts
+# linter-tools: shellcheck, shfmt
 # Lint shell scripts
 lint-shell:
     #!/usr/bin/env bash
     set -euo pipefail
     printf '{{yellow}}************ SHELL LINTING ***********{{nc}}\n'
     if [ -n "$(find . -name '*.sh' -type f | head -1)" ]; then
         find . -name '*.sh' -type f | xargs shellcheck || exit 1
-        find . -name '*.sh' -type f | xargs shfmt -d || exit 1
+        find . -name '*.sh' -type f | xargs shfmt -d -i 2 || exit 1
     else
         printf 'No shell scripts found, skipping\n'
     fi
     printf '{{green}}{{checkmark}} Shell linting passed{{nc}}\n\n'
 
+# linter-name: License Headers
+# linter-tools: reuse
 # Check licenses with REUSE
 lint-license:
     @printf '{{yellow}}************ LICENSE CHECK (REUSE) ***********{{nc}}\n'
@@ -116,6 +129,8 @@ lint-license:
     @{{container_runtime}} run --rm --volume "$(pwd)":/data docker.io/fsfe/reuse:5.0.2-debian lint || exit 1
     @printf '{{green}}{{checkmark}} License check passed{{nc}}\n\n'
 
+# linter-name: Commit Messages
+# linter-tools: conform
 # Check commits with conform
 lint-commit:
     #!/usr/bin/env bash
@@ -131,6 +146,8 @@ lint-commit:
     fi
     printf '{{green}}{{checkmark}} Commit check passed{{nc}}\n\n'
 
+# linter-name: Secret Scanning
+# linter-tools: gitleaks
 # Scan for secrets
 lint-secrets:
     @printf '{{yellow}}************ SECRET SCANNING ***********{{nc}}\n'
@@ -143,13 +160,13 @@ format:
     @mvn formatter:format
     @printf '{{green}}{{checkmark}} Java code formatted{{nc}}\n\n'
 
-# Run tests (Maven verify)
+# ** Run tests (Maven verify)
 test:
     @printf '{{yellow}}************ RUNNING TESTS ***********{{nc}}\n'
     @mvn {{maven_opts}} clean verify
     @printf '{{green}}{{checkmark}} Tests passed{{nc}}\n\n'
 
-# Auto-fix linting issues where possible
+# ** Auto-fix linting issues where possible
 lint-fix: lint-markdown-fix lint-yaml-fix lint-shell-fix
     @printf '{{green}}{{checkmark}} Auto-fixes applied{{nc}}\n'
 
@@ -171,7 +188,7 @@ lint-shell-fix:
     set -euo pipefail
     printf '{{yellow}}************ FIXING SHELL ***********{{nc}}\n'
     if [ -n "$(find . -name '*.sh' -type f | head -1)" ]; then
-        find . -name '*.sh' -type f | xargs shfmt -w
+        find . -name '*.sh' -type f | xargs shfmt -w -i 2
     fi
     printf '{{green}}{{checkmark}} Shell scripts formatted{{nc}}\n\n'
 

pom.xml

@@ -136,6 +136,13 @@ SPDX-License-Identifier: EUPL-1.2
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+      <version>4.8.6</version>
+      <scope>provided</scope>
+    </dependency>
+
   </dependencies>
 
   <build>
@@ -219,7 +226,7 @@ SPDX-License-Identifier: EUPL-1.2
           <includeTestSourceDirectory>false</includeTestSourceDirectory>
           <consoleOutput>true</consoleOutput>
           <failsOnError>true</failsOnError>
-          <violationSeverity>error</violationSeverity>
+          <violationSeverity>warning</violationSeverity>
         </configuration>
         <executions>
           <execution>
@@ -243,6 +250,7 @@ SPDX-License-Identifier: EUPL-1.2
           </rulesets>
           <printFailingErrors>true</printFailingErrors>
           <failOnViolation>true</failOnViolation>
+          <linkXRef>false</linkXRef>
         </configuration>
         <executions>
           <execution>

src/main/java/se/digg/crypto/hashtocurve/H2cUtils.java

@@ -175,6 +175,10 @@ public static byte[] xor(final byte[] arg1, final byte[] arg2) {
    * @param order curve order
    * @return first non-square member of the curve order
    */
+  @SuppressWarnings("PMD.AvoidThrowingRawExceptionTypes")
+  @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+      value = "THROWS_METHOD_THROWS_RUNTIMEEXCEPTION",
+      justification = "RuntimeException is appropriate for illegal field state")
   private static BigInteger getFirstNonSquare(final BigInteger order) {
     final BigInteger maxCount = new BigInteger("1000");
     BigInteger nonSquare = BigInteger.ONE;

src/main/java/se/digg/crypto/hashtocurve/HashToEllipticCurve.java

@@ -12,8 +12,7 @@
 /**
  * Main class for implementing hash to elliptic curve according to RFC 9380.
  *
- * <p>
- * <code>
+ * <p><code>
  * Steps:
  * 1. u = hash_to_field(msg, 2)
  * 2. Q0 = map_to_curve(u[0])

src/main/java/se/digg/crypto/hashtocurve/data/HashToCurveProfile.java

@@ -11,10 +11,10 @@
 /**
  * Supported profiles for hash to curve.
  *
- * <p>
- * _NU_ is identical to _RO_, * except that the encoding type is encode_to_curve. encode_to_curve is
- * not yet implemented in this lib, thus these options are not yet included.
+ * <p>_NU_ is identical to _RO_, * except that the encoding type is encode_to_curve.
+ * encode_to_curve is not yet implemented in this lib, thus these options are not yet included.
  */
+@SuppressWarnings({"checkstyle:MemberName", "checkstyle:AbbreviationAsWordInName"})
 @Getter
 @AllArgsConstructor
 public enum HashToCurveProfile {

src/main/java/se/digg/crypto/hashtocurve/data/MapToCurvePoints.java

@@ -10,7 +10,7 @@
  * The Hash to field points produced by hash_to_field(msg, 2).
  */
 public record MapToCurvePoints(
-        ECPoint q0,
-        ECPoint q1) {
+    ECPoint q0,
+    ECPoint q1) {
 
 }

src/main/java/se/digg/crypto/hashtocurve/data/SqrtRatio.java

@@ -9,7 +9,8 @@
 /**
  * The result of a sqrt_ration calculation.
  */
+@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
 public record SqrtRatio(
-        boolean isQR,
-        BigInteger ratio) {
+    boolean isQR,
+    BigInteger ratio) {
 }

src/main/java/se/digg/crypto/hashtocurve/impl/GenericHashToField.java

@@ -14,9 +14,13 @@
 /**
  * Generic implementation of hash to field.
  */
+@SuppressWarnings("checkstyle:MemberName")
 public class GenericHashToField implements HashToField {
 
   protected final byte[] dst;
+  @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+      value = "URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD",
+      justification = "ecParameterSpec is used internally by subclasses")
   protected final ECParameterSpec ecParameterSpec;
   protected final MessageExpansion messageExpansion;
   /** Security parameter for the suite. */
@@ -25,11 +29,16 @@ public class GenericHashToField implements HashToField {
   protected BigInteger p;
   protected final int count;
 
+  @SuppressWarnings("checkstyle:ParameterName")
   public GenericHashToField(final byte[] dst, final ECParameterSpec ecParameterSpec,
       final MessageExpansion messageExpansion, final int L) {
     this(dst, ecParameterSpec, messageExpansion, L, 2);
   }
 
+  @SuppressWarnings("checkstyle:ParameterName")
+  @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+      value = "EI_EXPOSE_REP2",
+      justification = "dst byte array is intentionally stored for internal use")
   public GenericHashToField(final byte[] dst, final ECParameterSpec ecParameterSpec,
       final MessageExpansion messageExpansion, final int L,
       final int count) {

src/main/java/se/digg/crypto/hashtocurve/impl/GenericOPRFHashToScalar.java

@@ -13,6 +13,7 @@
 /**
  * Generic implementation of Hash to Scalar for OPRF.
  */
+@SuppressWarnings({"checkstyle:MemberName", "checkstyle:AbbreviationAsWordInName"})
 public class GenericOPRFHashToScalar implements HashToScalar {
 
   private final ECParameterSpec ecParameterSpec;

src/main/java/se/digg/crypto/hashtocurve/impl/GenericSqrtRatioCalculator.java

@@ -13,12 +13,18 @@
 /**
  * Generic implementation of the SqrtRatio calculator.
  */
+@SuppressWarnings({"checkstyle:MemberName", "checkstyle:AbbreviationAsWordInName"})
 public class GenericSqrtRatioCalculator implements SqrtRatioCalculator {
 
   private final BigInteger q;
 
   private final int c1;
-  private final BigInteger c2, c3, c4, c5, c6, c7;
+  private final BigInteger c2;
+  private final BigInteger c3;
+  private final BigInteger c4;
+  private final BigInteger c5;
+  private final BigInteger c6;
+  private final BigInteger c7;
 
   public GenericSqrtRatioCalculator(final ECParameterSpec ecParameterSpec, final BigInteger z) {
     this.q = ecParameterSpec.getCurve().getField().getCharacteristic();
@@ -32,6 +38,7 @@ public GenericSqrtRatioCalculator(final ECParameterSpec ecParameterSpec, final B
     this.c7 = z.modPow(this.c2.add(BigInteger.ONE).divide(BigInteger.TWO), q);
   }
 
+  @SuppressWarnings("checkstyle:LocalVariableName")
   private int calculateC1() {
     BigInteger qMinusOne = this.q.subtract(BigInteger.ONE);
     int c1 = 0;
@@ -43,6 +50,7 @@ private int calculateC1() {
   }
 
   @Override
+  @SuppressWarnings("checkstyle:VariableDeclarationUsageDistance")
   public SqrtRatio sqrtRatio(final BigInteger u, final BigInteger v) {
 
     BigInteger tv1 = this.c6;

src/main/java/se/digg/crypto/hashtocurve/impl/ShallueVanDeWoestijneMapToCurve.java

@@ -16,6 +16,7 @@
  * Implements the Shallue van de Woestijne Map to curve according to section 6.6.2 of RFC 9380 This
  * is the straight-line implementation optimized for Weierstrass curves as defined in section F.2.
  */
+@SuppressWarnings("checkstyle:MemberName")
 public class ShallueVanDeWoestijneMapToCurve implements MapToCurve {
 
   private final ECParameterSpec ecParameterSpec;
@@ -35,9 +36,9 @@ public ShallueVanDeWoestijneMapToCurve(final ECParameterSpec ecParameterSpec,
    * Woestijne algorithm, optimized for Weierstrass curves. This implementation adheres to the
    * specifications outlined in RFC 9380, section 6.6.2, and section F.2 for efficient computation.
    *
-   * <p>
-   * The method computes the x and y coordinates for the point on the elliptic curve, using modular
-   * arithmetic and auxiliary functions for square root computation and conditional assignments.
+   * <p>The method computes the x and y coordinates for the point on the elliptic curve, using
+   * modular arithmetic and auxiliary functions for square root computation and conditional
+   * assignments.
    *
    * @param u the input value to be mapped to a point on the elliptic curve
    * @return the computed point on the elliptic curve represented as an ECPoint

src/main/java/se/digg/crypto/hashtocurve/impl/XmdMessageExpansion.java

@@ -19,6 +19,7 @@
  * given message to a specified length in bytes while following cryptographic domain separation
  * principles. The implementation uses a selected hash function to achieve the expansion.
  */
+@SuppressWarnings("checkstyle:MemberName")
 public class XmdMessageExpansion implements MessageExpansion {
 
   private final Digest digest;
@@ -28,6 +29,9 @@ public class XmdMessageExpansion implements MessageExpansion {
 
   private final int hashOutputBytes;
 
+  @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+      value = "CT_CONSTRUCTOR_THROW",
+      justification = "Constructor validation throws IllegalArgumentException by design")
   public XmdMessageExpansion(final Digest digest, final int k, final int s) {
     this.digest = digest;
     this.s = s;
@@ -45,6 +49,9 @@ public XmdMessageExpansion(final Digest digest, final int k, final int s) {
    * @param digest the cryptographic digest algorithm to be used
    * @param k the security parameter defining the required minimum security strength
    */
+  @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+      value = "CT_CONSTRUCTOR_THROW",
+      justification = "Constructor validation throws IllegalArgumentException by design")
   public XmdMessageExpansion(final Digest digest, final int k) {
     this(digest, k, getInputBlockSize(digest));
   }