Add Coverity static analyzer scan (#25)

WE2-539

Signed-off-by: Raul Metsma <[email protected]>

Author: metsma

.github/workflows/maven-build.yml

@@ -25,3 +25,49 @@ jobs:
 
       - name: Test and package
         run: mvn --batch-mode package
+
+  coverity:
+    name: Run Coverity tests
+    if: contains(github.repository, 'web-eid/web-eid-authtoken-validation-java') && contains(github.ref, 'coverity_scan')
+    runs-on: ubuntu-latest
+
+    env:
+      TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+      PROJECTNAME: 'web-eid/web-eid-authtoken-validation-java'
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-java@v1
+        with:
+          java-version: 1.8
+
+      - name: Cache Maven packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-v8-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v8
+
+      - name: Download Coverity Build Tool
+        run: |
+          curl --silent --data "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64
+          mkdir cov-analysis-linux64
+          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+
+      - name: Build
+        run: |
+          export PATH=$PWD/cov-analysis-linux64/bin:$PATH
+          cov-build --dir cov-int mvn --batch-mode compile
+
+      - name: Submit the result to Coverity Scan
+        run: |
+          tar czvf upload.tgz cov-int
+          curl --silent \
+            --form project=$PROJECTNAME \
+            --form token=$TOKEN \
+            --form [email protected] \
+            --form [email protected] \
+            --form version=master \
+            --form description="Github Actions CI build" \
+            https://scan.coverity.com/builds?project=$PROJECTNAME

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java

@@ -105,6 +105,9 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
             }
 
             final BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
+            if (basicResponse == null) {
+                throw new UserCertificateOCSPCheckFailedException("Missing Basic OCSP Response");
+            }
             verifyOcspResponse(basicResponse, ocspService, certificateId);
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse);
@@ -173,6 +176,10 @@ private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspSer
     private static void checkNonce(OCSPReq request, BasicOCSPResp response) throws UserCertificateOCSPCheckFailedException {
         final Extension requestNonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
         final Extension responseNonce = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
+        if (requestNonce == null || responseNonce == null) {
+            throw new UserCertificateOCSPCheckFailedException("OCSP request or response nonce extension missing, " +
+                "possible replay attack");
+        }
         if (!requestNonce.equals(responseNonce)) {
             throw new UserCertificateOCSPCheckFailedException("OCSP request and response nonces differ, " +
                 "possible replay attack");