[openrewrite] add JavaSecurityBestPractices

Author: Vincent Potucek

.github/workflows/claude.yml

@@ -22,15 +22,29 @@ jobs:
         with:
           script: |
             try {
+              // Get username - prioritize sender (the person who triggered the event)
+              const username = github.event.sender?.login ||
+                              github.event.comment?.user?.login;
+
+              if (!username) {
+                console.log('Could not determine username from event payload');
+                console.log(`Event type: ${github.event_name}`);
+                console.log(`Event payload keys: ${Object.keys(github.event).join(', ')}`);
+                return false;
+              }
+
+              console.log(`Checking team membership for user: ${username} (triggered by ${github.event_name} event)`);
+
               const { data } = await github.rest.teams.getMembershipForUserInOrg({
                 org: 'diffplug',
                 team_slug: 'spotless',
-                username: github.event.sender.login
+                username: username
               });
-              console.log(`User ${github.event.sender.login} membership status: ${data.state}`);
+              console.log(`User ${username} membership status: ${data.state}`);
               return data.state === 'active';
             } catch (error) {
-              console.log(`User ${github.event.sender.login} is not a member of the Spotless team`);
+              const username = github.event.sender?.login || github.event.comment?.user?.login || 'unknown user';
+              console.log(`User ${username} is not a member of the Spotless team or error occurred: ${error.message}`);
               return false;
             }
 

build.gradle

@@ -32,4 +32,8 @@ spotless {
 dependencies {
 	rewrite(platform("org.openrewrite.recipe:rewrite-recipe-bom:3.15.0"))
 	rewrite("org.openrewrite.recipe:rewrite-migrate-java:3.18.0")
+	rewrite('org.openrewrite.recipe:rewrite-java-security:3.19.0')
+	rewrite('org.openrewrite.recipe:rewrite-rewrite:0.13.0')
+	rewrite('org.openrewrite.recipe:rewrite-static-analysis:2.17.0')
+	rewrite('org.openrewrite.recipe:rewrite-third-party:0.27.0')
 }

gradle/rewrite.gradle

@@ -1,7 +1,37 @@
 apply plugin: 'org.openrewrite.rewrite'
 
 rewrite {
-	activeRecipe("org.openrewrite.java.migrate.UpgradeToJava17")
+	activeRecipe(
+			'org.openrewrite.gradle.GradleBestPractices',
+			'org.openrewrite.java.RemoveUnusedImports',
+			'org.openrewrite.java.migrate.UpgradeToJava17',
+			'org.openrewrite.java.recipes.JavaRecipeBestPractices',
+			'org.openrewrite.java.recipes.RecipeTestingBestPractices',
+			'org.openrewrite.java.security.JavaSecurityBestPractices',
+			'org.openrewrite.staticanalysis.JavaApiBestPractices',
+			'org.openrewrite.staticanalysis.LowercasePackage',
+			'org.openrewrite.staticanalysis.MissingOverrideAnnotation',
+			'org.openrewrite.staticanalysis.ModifierOrder',
+			'org.openrewrite.staticanalysis.NoFinalizer',
+			'org.openrewrite.staticanalysis.RemoveUnusedLocalVariables',
+			'org.openrewrite.staticanalysis.RemoveUnusedPrivateFields',
+			'org.openrewrite.staticanalysis.RemoveUnusedPrivateMethods'
+			// bugs
+			// 'org.openrewrite.staticanalysis.CodeCleanup',
+			// 'org.openrewrite.staticanalysis.CommonStaticAnalysis',
+			)
+	exclusions.addAll( // bugs
+			'**_gradle_node_plugin_example_**',
+			'**gradle/changelog.gradle',
+			'**gradle/java-publish.gradle',
+			'**idea/full.clean.java',
+			'**java-setup.gradle',
+			'**lib-extra/build.gradle',
+			'**lib/build.gradle',
+			'**package-info.java',
+			'**plugin-maven/build.gradle',
+			'**settings.gradle'
+			)
 	exportDatatables = true
 	failOnDryRunResults = true
 }

lib-extra/src/main/java/com/diffplug/spotless/extra/GitAttributesLineEndings.java

@@ -146,7 +146,7 @@ static class CachedEndings implements Serializable {
 		private static final long serialVersionUID = -2534772773057900619L;
 
 		/** this is transient, to simulate PathSensitive.RELATIVE */
-		transient final String rootDir;
+		final transient String rootDir;
 		/** the line ending used for most files */
 		final String defaultEnding;
 		/** any exceptions to that default, in terms of relative path from rootDir */

lib-extra/src/main/java/com/diffplug/spotless/extra/GitRatchet.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 DiffPlug
+ * Copyright 2020-2025 DiffPlug
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -132,9 +132,9 @@ private static boolean worktreeIsCleanCheckout(TreeWalk treeWalk) {
 		return treeWalk.idEqual(TREE, WORKDIR);
 	}
 
-	private final static int TREE = 0;
-	private final static int INDEX = 1;
-	private final static int WORKDIR = 2;
+	private static final int TREE = 0;
+	private static final int INDEX = 1;
+	private static final int WORKDIR = 2;
 
 	Map<File, Repository> gitRoots = new HashMap<>();
 	Table<Repository, String, ObjectId> rootTreeShaCache = HashBasedTable.create();

lib-extra/src/test/java/com/diffplug/spotless/extra/groovy/GrEclipseFormatterStepTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 DiffPlug
+ * Copyright 2016-2025 DiffPlug
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,8 +24,8 @@
 import com.diffplug.spotless.extra.eclipse.EquoResourceHarness;
 
 public class GrEclipseFormatterStepTest extends EquoResourceHarness {
-	private final static String INPUT = "class F{ def m(){} }";
-	private final static String EXPECTED = "class F{\n\tdef m(){}\n}";
+	private static final String INPUT = "class F{ def m(){} }";
+	private static final String EXPECTED = "class F{\n\tdef m(){}\n}";
 
 	public GrEclipseFormatterStepTest() {
 		super(GrEclipseFormatterStep.createBuilder(TestProvisioner.mavenCentral()));

lib-extra/src/test/java/com/diffplug/spotless/extra/wtp/EclipseWtpFormatterStepTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 DiffPlug
+ * Copyright 2016-2025 DiffPlug
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.Properties;
 import java.util.function.Consumer;
 import java.util.stream.Stream;
@@ -33,7 +34,7 @@
 import com.diffplug.spotless.extra.eclipse.EclipseResourceHarness;
 
 public class EclipseWtpFormatterStepTest {
-	private final static Jvm.Support<String> JVM_SUPPORT = Jvm.<String> support("Oldest Version").add(8, "4.8.0");
+	private static final Jvm.Support<String> JVM_SUPPORT = Jvm.<String> support("Oldest Version").add(8, "4.8.0");
 
 	private static class NestedTests extends EclipseResourceHarness {
 		private final String unformatted, formatted;
@@ -76,7 +77,7 @@ void multipleConfigurations() throws Exception {
 		private File createPropertyFile(Consumer<Properties> config) throws IOException {
 			Properties configProps = new Properties();
 			config.accept(configProps);
-			File tempFile = File.createTempFile("EclipseWtpFormatterStepTest-", ".properties");
+			File tempFile = Files.createTempFile("EclipseWtpFormatterStepTest-", ".properties").toFile();
 			OutputStream tempOut = new FileOutputStream(tempFile);
 			configProps.store(tempOut, "test properties");
 			tempOut.flush();

lib/src/jackson/java/com/diffplug/spotless/glue/json/JacksonJsonFormatterFunc.java

@@ -52,6 +52,7 @@ protected Class<?> inferType(String input) {
 	 * @return a {@link JsonFactory}. May be overridden to handle alternative formats.
 	 * @see <a href="https://github.com/FasterXML/jackson-dataformats-text">jackson-dataformats-text</a>
 	 */
+	@Override
 	protected JsonFactory makeJsonFactory() {
 		JsonFactory jsonFactory = new JsonFactoryBuilder().build();
 

lib/src/main/java/com/diffplug/spotless/FormatterProperties.java

@@ -33,6 +33,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -201,6 +202,21 @@ private Properties executeWithSupplier(Supplier<InputStream> isSupplier) throws
 			private Node getRootNode(final InputStream is) throws IOException, IllegalArgumentException {
 				try {
 					DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+					try {
+						dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+						dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+						dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+
+						dbf.setXIncludeAware(false);
+						dbf.setExpandEntityReferences(false);
+
+						dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+					} catch (ParserConfigurationException e) {
+						throw new IllegalStateException("Some features are not supported by your XML processor.", e);
+					}
 					/*
 					 * It is not required to validate or normalize attribute values for
 					 * the XMLs currently supported. Disabling validation is supported by

lib/src/main/java/com/diffplug/spotless/NoLambda.java

@@ -44,7 +44,7 @@ public interface NoLambda extends Serializable {
 	public byte[] toBytes();
 
 	/** An implementation of NoLambda in which equality is based on the serialized representation of itself. */
-	public static abstract class EqualityBasedOnSerialization implements NoLambda {
+	public abstract static class EqualityBasedOnSerialization implements NoLambda {
 		@Serial
 		private static final long serialVersionUID = 1733798699224768949L;