Security analysis and Makefile (#156)

* - Add dependency-check as dependency
- Add Makefile for common commands (lint, security check, build, release, publish, etc)
- Add CI step (see notes)

* - Test GitHub CI security check

* - Fail on severe CVSs
- Fix CI security scan

* - Fix security report upload on CI

Author: nwithan8

.github/workflows/ci.yml

@@ -2,15 +2,15 @@ name: CI
 
 on:
   push:
-    branches: [master]
+    branches: [ master ]
   pull_request: ~
 
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        javaversion: ["8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18"]
+        javaversion: [ "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18" ]
     steps:
       - uses: actions/checkout@v3
       - name: Set up Java ${{ matrix.javaversion }}
@@ -31,3 +31,14 @@ jobs:
           fail_on_error: true
           checkstyle_config: easypost_java_style.xml
           tool_name: "style_enforcer"
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run security check
+        run: make scan
+      - name: Upload Test results
+        uses: actions/upload-artifact@master
+        with:
+          name: DependencyCheck report
+          path: ${{github.workspace}}/target/dependency-check-report.html

Makefile

@@ -0,0 +1,45 @@
+## help - Display help about make targets for this Makefile
+help:
+	@cat Makefile | grep '^## ' --color=never | cut -c4- | sed -e "`printf 's/ - /\t- /;'`" | column -s "`printf '\t'`" -t
+
+## build-release - Build the project for release
+# @parameters:
+# pass= - The GPG password to sign the release
+build-release:
+	mvn clean install -Dgpg.passphrase=${pass}
+
+## build-dev - Build the project for development
+build-dev:
+	mvn clean install -DskipTests=true -Dgpg.skip=true -Dcheckstyle.skip=true -Dcheckstyle.skip=true -Ddependency-check.skip=true -Djavadoc.skip=true
+
+## publish - Publish a release of the project
+# @parameters:
+# pass= - The GPG password to sign the release
+publish:
+	mvn clean deploy -Dgpg.passphrase=${pass}
+
+## test - Test the project
+test:
+	mvn --batch-mode install -Dgpg.skip=true -Dcheckstyle.skip=true -Dcheckstyle.skip=true -Ddependency-check.skip=true -Djavadoc.skip=true
+
+## clean - Clean the project
+clean:
+	mvn clean
+
+# install-checkstyle - Install CheckStyle
+install-checkstyle:
+	wget -O checkstyle.jar -q https://github.com/checkstyle/checkstyle/releases/download/checkstyle-10.3.1/checkstyle-10.3.1-all.jar
+
+## lint - Check if project follows CheckStyle rules (must run install-checkstyle first)
+lint:
+	java -jar checkstyle.jar src -c easypost_java_style.xml -d
+
+## scan - Scan the project for serious security issues
+scan:
+	mvn verify -DskipTests=true -Dgpg.skip=true -Dcheckstyle.skip=true -Djavadoc.skip=true -Ddependency-check.failBuildOnCVSS=7 -Ddependency-check.junitFailOnCVSS=7
+
+## scan-strict - Scan the project for any security issues (strict mode)
+scan-strict:
+	mvn verify -DskipTests=true -Dgpg.skip=true -Dcheckstyle.skip=true -Djavadoc.skip=true -Ddependency-check.failBuildOnCVSS=0 -Ddependency-check.junitFailOnCVSS=0
+
+.PHONY: help build-release build-dev publish test clean install-checkstyle lint scan scan-strict

pom.xml

@@ -59,6 +59,12 @@
             <version>2.2</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.jetbrains</groupId>
+            <artifactId>annotations</artifactId>
+            <version>23.0.0</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>com.easypost</groupId>
             <artifactId>easyvcr</artifactId>
@@ -252,6 +258,22 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>7.1.1</version>
+                <configuration>
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                    <junitFailOnCVSS>7</junitFailOnCVSS>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 </project>