Merge branch 'master' into master

.github/workflows/jreleaser.yml

@@ -34,7 +34,7 @@ jobs:
           JRELEASER_NEXUS2_MAVEN_CENTRAL_PASSWORD: ${{ secrets.JRELEASER_NEXUS2_MAVEN_CENTRAL_PASSWORD }}
 
       - name: Sign artifacts with sigstore/cosign
-        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
         with:
           subject-path: './target/staging-deploy/**/*.jar'
 

.github/workflows/qodana.yml

@@ -22,7 +22,7 @@ jobs:
           with:
             args: --source-directory,./src/main/java , --fail-threshold, 0
             post-pr-comment: "false"
-        - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
           with:
             sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
     code-quality-spoon-javadoc:
@@ -37,7 +37,7 @@ jobs:
           with:
             args: --source-directory,./spoon-javadoc/src/main/java , --fail-threshold, 0
             post-pr-comment: "false"
-        - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
           with:
             sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
     code-quality-spoon-control-flow:
@@ -52,6 +52,6 @@ jobs:
           with:
             args: --source-directory,./spoon-control-flow/src/main/java , --fail-threshold, 0
             post-pr-comment: "false"
-        - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
           with:
             sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json

.github/workflows/scorecards.yml

@@ -71,6 +71,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
         with:
           sarif_file: results.sarif

.github/workflows/tests.yml

@@ -120,7 +120,7 @@ jobs:
       - name: Time nix setup
         run: nix develop ${{ env.NIX_OPTIONS }} .#extraChecks --command true
       - name: Build spoon
-        run: nix develop ${{ env.NIX_OPTIONS }} .#extraChecks --command mvn -f spoon-pom -B install -Dmaven.test.skip=true -DskipDepClean
+        run: nix develop ${{ env.NIX_OPTIONS }} .#extraChecks --command mvn -f spoon-pom -B install -Dmaven.test.skip=true
       - name: Run Javadoc quality check
         run: nix develop ${{ env.NIX_OPTIONS }} .#extraChecks --command javadoc-quality
 

chore/check-reproducible-builds.sh

@@ -4,7 +4,7 @@
 set -e
 
 build() {
-  mvn -f spoon-pom clean package -DskipDepClean -DskipTests -Dmaven.javadoc.skip > /dev/null
+  mvn -f spoon-pom clean package -DskipTests -Dmaven.javadoc.skip > /dev/null
 }
 
 compare_files() {

doc/README.md

@@ -1,4 +1,9 @@
-This directory contains the source code of the Spoon website <http://spoon.gforge.inria.fr/>
+## Documentation for Spoon
+
+* CI/CD, see <https://github.com/INRIA/spoon/blob/master/doc/ci-cd.md>
+* Supply-chain, see <https://github.com/INRIA/spoon/blob/master/doc/SUPPLY-CHAIN.md>
+
+### Deploy the Website
 
 To deploy an instance of this website, we use a personal script because the structure of this project isn't standard. We can't have markdown files outside the working directory of Jekyll. So:
 

doc/SUPPLY-CHAIN.md

@@ -0,0 +1,60 @@
+# Supply chain
+## Attest build artifacts
+The Spoon CI/CD pipeline attests all released artifacts by publishing attestations to the [sigstore/rekor](https://www.sigstore.dev/) public-good instance as well as storing them in the [Github's attestation registry](https://github.com/INRIA/spoon/attestations). Attestations are published using Github's [attest-build-provenance](https://github.com/actions/attest-build-provenance) action as a step in the [jreleaser job](https://github.com/ludvigch/spoon/blob/master/.github/workflows/jreleaser.yml). A list of the attestations created for a release can be found in the summary of a job and the sigstore/rekor links for each attestation can be found in the log of the jreleaser job.
+
+## Finding attestations
+
+Rekor is searchable with the hash of an attested artifact, for example attestation for spoon-core-11.1.1-beta-11-jar-with-dependencies.jar can be found at 
+<https://search.sigstore.dev?hash=804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41>
+
+Github provides an [`attestations` tab](https://github.com/INRIA/spoon/attestations) for all repos and a [REST API Endpoint](https://docs.github.com/en/rest/users/attestations)
+
+## Verifying attestations
+
+The most straight-forward approach is to use GitHub CLI's [`gh attestation verify`](https://cli.github.com/manual/gh_attestation_verify) to verify the attestation of an artifact by running: 
+
+`gh attestation verify <artifact-name>.jar -R INRIA/spoon`
+
+For example, let's verify the [spoon-core-11.1.1-beta-11-jar-with-dependencies.jar](https://repo1.maven.org/maven2/fr/inria/gforge/spoon/spoon-core/11.1.1-beta-11/spoon-core-11.1.1-beta-11-jar-with-dependencies.jar) artifact.
+
+### Alternative 1: Using GitHub API
+
+Install `gh`, see doc at <https://cli.github.com/>
+
+```
+curl -O https://repo1.maven.org/maven2/fr/inria/gforge/spoon/spoon-core/11.1.1-beta-11/spoon-core-11.1.1-beta-11-jar-with-dependencies.jar
+gh attestation verify spoon-core-11.1.1-beta-11-jar-with-dependencies.jar -R INRIA/spoon
+```
+
+Output:
+```
+Loaded digest sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 for file://spoon-core-11.1.1-beta-11-jar-with-dependencies.jar
+Loaded 1 attestation from GitHub API
+✓ Verification succeeded!
+
+sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 was attested by:
+REPO         PREDICATE_TYPE                  WORKFLOW                                         
+INRIA/spoon  https://slsa.dev/provenance/v1  .github/workflows/jreleaser.yml@refs/heads/master
+
+```
+
+### Alternative 2: Using a downloaded attestation
+
+[Dowload the attestation.](https://github.com/INRIA/spoon/attestations/2750640/download)
+
+```
+curl -o ./INRIA-spoon-attestation-2750640.sigstore.json https://github.com/INRIA/spoon/attestations/2750640/download
+gh attestation verify spoon-core-11.1.1-beta-11-jar-with-dependencies.jar -R INRIA/spoon --bundle ./INRIA-spoon-attestation-2750640.sigstore.json
+```
+
+Output:
+```
+Loaded digest sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 for file://spoon-core-11.1.1-beta-11-jar-with-dependencies.jar
+Loaded 1 attestation from INRIA-spoon-attestation-2750640.sigstore.json
+✓ Verification succeeded!
+
+sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 was attested by:
+REPO         PREDICATE_TYPE                  WORKFLOW                                         
+INRIA/spoon  https://slsa.dev/provenance/v1  .github/workflows/jreleaser.yml@refs/heads/master
+
+```

flake.nix

@@ -115,16 +115,13 @@
             mvn -q checkstyle:checkstyle -Pcheckstyle-test
             # Check documentation links
             python3 ./chore/check-links-in-doc.py
-            # Analyze dependencies through DepClean in spoon-core
-            # mvn -q depclean:depclean
 
             pushd spoon-decompiler || exit 1
             mvn -q versions:use-latest-versions -DallowSnapshots=true -Dincludes=fr.inria.gforge.spoon
             mvn -q versions:update-parent -DallowSnapshots=true
             git diff
             mvn -q test
             mvn -q checkstyle:checkstyle license:check
-            # mvn -q depclean:depclean
             popd || exit 1
 
             pushd spoon-control-flow || exit 1
@@ -140,7 +137,6 @@
             mvn -q versions:update-parent -DallowSnapshots=true
             git diff
             mvn -q test
-            # mvn -q depclean:depclean
             popd || exit 1
 
             pushd spoon-smpl || exit 1
@@ -149,7 +145,6 @@
             git diff
             mvn -q -Djava.src.version=17 test
             mvn -q checkstyle:checkstyle license:check
-            # mvn -q depclean:depclean
             popd || exit 1
           '');
           extraRemote = pkgs.writeScriptBin "extra-remote" ''

pom.xml

@@ -91,7 +91,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.18.0</version>
+      <version>2.18.1</version>
     </dependency>
     <dependency>
       <!-- support for compressed serialized ASTs -->

spoon-control-flow/pom.xml

@@ -84,12 +84,6 @@
             <version>1.5.2</version>
         </dependency>
 
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>4.13.2</version>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
 </project>

spoon-dataflow/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

spoon-pom/pom.xml

@@ -194,24 +194,6 @@
                     <goals>deploy</goals>
                 </configuration>
             </plugin>
-                  <plugin>
-                    <!-- see https://github.com/castor-software/depclean -->
-                    <groupId>se.kth.castor</groupId>
-                    <artifactId>depclean-maven-plugin</artifactId>
-                    <version>2.0.6</version>
-                    <executions>
-                        <execution>
-                            <goals>
-                                <goal>depclean</goal>
-                            </goals>
-                            <configuration>
-                                <!-- the build should fail if there are unused direct dependencies -->
-                                <failIfUnusedDirect>true</failIfUnusedDirect>
-                                <skipDepClean>true</skipDepClean>
-                            </configuration>
-                        </execution>
-                    </executions>
-                </plugin>
         </plugins>
 
 
@@ -247,7 +229,7 @@
                 </plugin>
                 <plugin>
                     <artifactId>maven-javadoc-plugin</artifactId>
-                    <version>3.10.1</version>
+                    <version>3.11.1</version>
                 </plugin>
                 <plugin>
                     <artifactId>maven-project-info-reports-plugin</artifactId>
@@ -267,7 +249,7 @@
                 </plugin>
                 <plugin>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>3.5.1</version>
+                    <version>3.5.2</version>
                 </plugin>
 
                 <plugin>

src/main/java/spoon/reflect/factory/CodeFactory.java

@@ -369,7 +369,13 @@ public <T> CtCatchVariable<T> createCatchVariable(CtTypeReference<T> type, Strin
 	 * variable (strong referencing).
 	 */
 	public <T> CtCatchVariableReference<T> createCatchVariableReference(CtCatchVariable<T> catchVariable) {
-		return factory.Core().<T>createCatchVariableReference().setType(catchVariable.getType()).<CtCatchVariableReference<T>>setSimpleName(catchVariable.getSimpleName());
+		CtCatchVariableReference<T> ref = factory.Core().createCatchVariableReference();
+
+		ref.setType(catchVariable.getType() == null ? null : catchVariable.getType().clone());
+		ref.setSimpleName(catchVariable.getSimpleName());
+		ref.setParent(catchVariable);
+
+		return ref;
 	}
 
 	/**
@@ -429,7 +435,10 @@ public <T> CtVariableAccess<T> createVariableRead(CtVariableReference<T> variabl
 			va = factory.Core().createFieldRead();
 			// creates a this target for non-static fields to avoid name conflicts...
 			if (!isStatic) {
-				((CtFieldAccess<T>) va).setTarget(createThisAccess(((CtFieldReference<T>) variable).getDeclaringType()));
+				// We do not want to change the parent of the declaring type, so clone here
+				((CtFieldAccess<T>) va).setTarget(
+					createThisAccess(((CtFieldReference<T>) variable).getDeclaringType().clone())
+				);
 			}
 		} else {
 			va = factory.Core().createVariableRead();

src/main/java/spoon/reflect/visitor/CommentHelper.java

@@ -98,7 +98,7 @@ static void printCommentContent(PrinterHelper printer, CtComment comment, Functi
 			if (commentType == CtComment.CommentType.BLOCK) {
 				printer.write(transfo.apply(line));
 				if (hasMoreThanOneElement(content.lines())) {
-					printer.write(CtComment.LINE_SEPARATOR);
+					printer.writeln();
 				}
 			} else {
 				printer.write(transfo.apply(line)).writeln(); // removing spaces at the end of the space