Bump org.jvnet.hudson.plugins:analysis-pom from 7.4.0 to 8.1.2

.github/workflows/ci.yml

@@ -3,7 +3,6 @@ name: 'GitHub CI'
 on:
   push:
     branches:
-      - master
       - main
   pull_request:
 
@@ -34,4 +33,4 @@ jobs:
       - name: Build with Maven
         env:
           BROWSER: chrome-container
-        run: mvn -V --color always -ntp clean verify --file pom.xml '-Djenkins.test.timeout=5000' '-Dgpg.skip'
+        run: mvn -V --color always -ntp clean verify '-Djenkins.test.timeout=5000' '-Pci'

.github/workflows/codeql.yml

@@ -49,7 +49,7 @@ jobs:
           queries: +security-and-quality
 
       - name: Build with Maven
-        run: mvn -V --color always -ntp clean verify --file pom.xml -Pskip
+        run: mvn -V --color always -ntp clean verify -Pskip
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3

.github/workflows/coverage.yml

@@ -3,7 +3,6 @@ name: 'CodeCov'
 on:
   push:
     branches:
-      - master
       - main
   pull_request:
 
@@ -27,7 +26,7 @@ jobs:
         with:
           maven-version: 3.9.6
       - name: Generate coverage with JaCoCo
-        run: mvn -V --color always -ntp clean verify '-Dgpg.skip'
+        run: mvn -V --color always -ntp clean verify -Pci
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v4.4.0
         with:

pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.jvnet.hudson.plugins</groupId>
     <artifactId>analysis-pom</artifactId>
-    <version>7.4.0</version>
+    <version>8.4.0</version>
     <relativePath />
   </parent>
 
@@ -138,6 +138,15 @@
 
   <build>
     <plugins>
+      <plugin>
+      <groupId>org.apache.maven.plugins</groupId>
+      <artifactId>maven-pmd-plugin</artifactId>
+      <configuration>
+        <excludeRoots combine.children="append">
+          <excludeRoot>src/main/webapp/js</excludeRoot>
+        </excludeRoots>
+      </configuration>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-clean-plugin</artifactId>

src/main/java/io/jenkins/plugins/prism/FilePermissionEnforcer.java

@@ -7,19 +7,21 @@
 import java.util.stream.Collectors;
 
 import edu.hm.hafner.util.PathUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 import hudson.FilePath;
 
 /**
  * Enforces security restrictions for viewing files in Jenkins. Some plugins copy source code files to Jenkins' build
  * folder so that these files can be rendered in the user interface together with build results (coverage, warnings,
- * etc.). If these files are not part of the workspace of a build then Jenkins will not show them by default: otherwise
+ * etc.). If these files are not part of the workspace of a build, then Jenkins will not show them by default: otherwise
  * sensitive files could be shown by accident. You can provide a list of additional source code directories that are
  * allowed to be shown in Jenkins user interface here. Note, that such a directory must be an absolute path on the
  * <b>agent</b> that executes the build.
  *
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "We are checking if a file is in a workspace")
 public class FilePermissionEnforcer {
     private static final PathUtil PATH_UTIL = new PathUtil();
 

src/main/java/io/jenkins/plugins/prism/PrismAppearanceConfiguration.java

@@ -2,18 +2,19 @@
 
 import edu.hm.hafner.util.VisibleForTesting;
 import edu.umd.cs.findbugs.annotations.NonNull;
+
+import org.kohsuke.stapler.DataBoundSetter;
+import org.kohsuke.stapler.verb.POST;
+import org.jenkinsci.Symbol;
 import hudson.Extension;
 import hudson.util.ListBoxModel;
-import io.jenkins.plugins.util.GlobalConfigurationFacade;
-import io.jenkins.plugins.util.GlobalConfigurationItem;
-import io.jenkins.plugins.util.JenkinsFacade;
 import jenkins.appearance.AppearanceCategory;
-import jenkins.model.GlobalConfiguration;
 import jenkins.model.GlobalConfigurationCategory;
 import jenkins.model.Jenkins;
-import org.jenkinsci.Symbol;
-import org.kohsuke.stapler.DataBoundSetter;
-import org.kohsuke.stapler.verb.POST;
+
+import io.jenkins.plugins.util.GlobalConfigurationFacade;
+import io.jenkins.plugins.util.GlobalConfigurationItem;
+import io.jenkins.plugins.util.JenkinsFacade;
 
 /**
  * Global system configuration for Prism. These configuration options are used globally for all jobs and require
@@ -71,7 +72,7 @@ public GlobalConfigurationCategory getCategory() {
      * @return the singleton instance
      */
     public static PrismAppearanceConfiguration getInstance() {
-        return GlobalConfiguration.all().get(PrismAppearanceConfiguration.class);
+        return all().get(PrismAppearanceConfiguration.class);
     }
 
     /**

src/main/java/io/jenkins/plugins/prism/PrismConfiguration.java

@@ -14,7 +14,6 @@
 import org.kohsuke.stapler.DataBoundSetter;
 import org.jenkinsci.Symbol;
 import hudson.Extension;
-import jenkins.model.GlobalConfiguration;
 import jenkins.model.GlobalConfigurationCategory;
 
 import io.jenkins.plugins.util.GlobalConfigurationFacade;
@@ -89,7 +88,7 @@ protected void clearRepeatableProperties() {
      * @return the singleton instance
      */
     public static PrismConfiguration getInstance() {
-        return GlobalConfiguration.all().get(PrismConfiguration.class);
+        return all().get(PrismConfiguration.class);
     }
 
     /**

src/main/java/io/jenkins/plugins/prism/SourceDirectoryFilter.java

@@ -18,6 +18,7 @@
 
 import edu.hm.hafner.util.FilteredLog;
 import edu.hm.hafner.util.PathUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 /**
  * Filters source code directories that are not approved in Jenkins' global configuration. A directory is considered
@@ -103,6 +104,7 @@ private boolean isValidDirectory(final String sourceDirectory) {
      * @return the matching paths
      * @see FileSystem#getPathMatcher(String)
      */
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "We are selecting relative files based on a pattern")
     private List<String> findRelative(final String directory, final String pattern, final FilteredLog log) {
         if (containsNoPathMatcherPattern(pattern)) {
             return List.of(PATH_UTIL.createAbsolutePath(directory, pattern));

src/test/java/io/jenkins/plugins/prism/FilePermissionEnforcerTest.java

@@ -5,6 +5,8 @@
 import org.junit.jupiter.api.Test;
 import org.junitpioneer.jupiter.Issue;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import hudson.FilePath;
 
 import static hudson.Functions.*;
@@ -16,6 +18,7 @@
  *
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME", justification = "In tests we need to use fake absolute paths")
 class FilePermissionEnforcerTest {
     private static final FilePath WORKSPACE_UNIX = new FilePath(new File("/workspace"));
     private static final FilePath WORKSPACE_WINDOWS = new FilePath(new File("C:\\workspace"));

src/test/java/io/jenkins/plugins/prism/PrismConfigurationTest.java

@@ -1,24 +1,28 @@
 package io.jenkins.plugins.prism;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-
-import edu.hm.hafner.util.FilteredLog;
-import edu.hm.hafner.util.PathUtil;
-import io.jenkins.plugins.util.GlobalConfigurationFacade;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
+
 import org.junit.jupiter.api.Test;
 
+import edu.hm.hafner.util.FilteredLog;
+import edu.hm.hafner.util.PathUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
+import io.jenkins.plugins.util.GlobalConfigurationFacade;
+
+import static org.assertj.core.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
 /**
  * Tests the class {@link PrismConfiguration}.
  *
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME", justification = "In tests we need to use fake absolute paths")
 class PrismConfigurationTest {
     private static final PathUtil PATH_UTIL = new PathUtil();
 

src/test/java/io/jenkins/plugins/prism/SourceDirectoryValidationTest.java

@@ -4,6 +4,8 @@
 
 import org.junit.jupiter.api.Test;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import hudson.FilePath;
 import hudson.model.FreeStyleProject;
 import hudson.util.FormValidation;
@@ -20,6 +22,7 @@
  * @author Stephan Plöderl
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME", justification = "In tests we need to use fake absolute paths")
 class SourceDirectoryValidationTest {
     @Test
     void shouldValidateRelativeWithoutWorkspace() {