Feature/pmd and spotbugs gateway

[simonhir]

Description

Add PMD and Spotbugs for refarch-gateway and fix warnings.

References Issue #57, #58

[github-actions[bot]]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ❌ 1 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

License Issues

refarch-gateway/pom.xml

Package	Version	License	Issue Type
com.h3xstream.findsecbugs:findsecbugs-plugin	1.13.0	LGPL-3.0	Incompatible License

Denied Licenses: GPL-1.0-or-later, LGPL-2.0-or-later, AGPL-1.0-or-later

Excluded from license check: pkg:npm/escape-string-regexp, pkg:npm/path-exists, pkg:npm/slash, pkg:npm/yocto-queue, pkg:npm/load-script, pkg:npm/node-forge, pkg:maven/com.puppycrawl.tools/checkstyle, pkg:maven/com.hazelcast/hazelcast-spring

OpenSSF Scorecard

Package	Version	Score	Details
maven/com.github.spotbugs:spotbugs-maven-plugin	4.8.6.2	:green_circle: 5.6	Details Check Score Reason Maintained :green_circle: 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review :warning: 0 Found 0/11 approved changesets -- score normalized to 0 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Signed-Releases :warning: -1 no releases found Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing :warning: 0 project is not fuzzed Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Security-Policy :warning: 0 security policy file not detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts :green_circle: 10 no binaries found in the repo Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0 Packaging :green_circle: 10 packaging workflow detected SAST :green_circle: 10 SAST tool is run on all commits Vulnerabilities :green_circle: 8 2 existing vulnerabilities detected
maven/com.h3xstream.findsecbugs:findsecbugs-plugin	1.13.0	:green_circle: 5.5	Details Check Score Reason Code-Review :green_circle: 9 Found 11/12 approved changesets -- score normalized to 9 Maintained :green_circle: 6 6 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 6 CII-Best-Practices :warning: 2 badge detected: InProgress License :green_circle: 10 license file detected Signed-Releases :warning: 0 Project has not signed or included provenance with any releases. Packaging :warning: -1 packaging workflow not detected Security-Policy :green_circle: 9 security policy file detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Branch-Protection :warning: 0 branch protection not enabled on development/release branches Binary-Artifacts :green_circle: 10 no binaries found in the repo Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing :warning: 0 project is not fuzzed SAST :green_circle: 8 SAST tool detected but not run on all commits Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected
maven/org.apache.maven.plugins:maven-pmd-plugin	3.25.0	Unknown	Unknown

Scanned Manifest Files

refarch-gateway/pom.xml

• com.github.spotbugs:spotbugs-maven-plugin@4.8.6.2
• com.h3xstream.findsecbugs:findsecbugs-plugin@1.13.0
• org.apache.maven.plugins:maven-pmd-plugin@3.25.0