Update sonarqube.yml and removal of gradle keys (#2866)

# Description of Changes Please provide a summary of the changes, including: - What was changed - Why the change was made - Any challenges encountered Closes #(issue_number) --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#6-testing) for more details.
2025-02-07 00:17:07 +01:00 · 2025-02-04 10:18:02 +00:00 · 2025-02-04 10:18:02 +00:00 · 69d4b52b06
commit 69d4b52b06
parent 5e3612a9b0
15 changed files with 99 additions and 11437 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -37,12 +37,6 @@ jobs:
          java-version: ${{ matrix.jdk-version }}
          distribution: "temurin"
      - name: PR | Generate verification metadata with signatures and checksums for dependabot[bot]
        if: github.event.pull_request.user.login == 'dependabot[bot]'
        run: |
          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256 --refresh-dependencies help
          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256,pgp --refresh-keys --export-keys --refresh-dependencies help
      - name: Build with Gradle and no spring security
        run: ./gradlew clean build
        env:
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@ -8,30 +8,71 @@ on:
 permissions:
  pull-requests: read
  actions: read
 name: Run Sonarqube
 jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - name: Analyze with SonarCloud
-        # You can pin the exact commit or the version.
+
-        # uses: SonarSource/sonarcloud-github-action@v2.2.0
+      - name: Harden Runner
-        uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 #v2.2.0
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
        with:
-          # Additional arguments for the SonarScanner CLI
+          egress-policy: audit
-          args:
+
-            # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-            # mandatory
+        with:
-            -Dsonar.projectKey=Stirling-Tools_Stirling-PDF
+          fetch-depth: 0 
-            -Dsonar.organization=stirling-tools
+
-            # Comma-separated paths to directories containing main source files.
+      - name: Set up JDK
-            #-Dsonar.sources= # optional, default is project base directory
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
-            # Comma-separated paths to directories containing test source files.
+        with:
-            #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+          java-version: '17'
-            # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+          distribution: 'temurin'
-            #-Dsonar.verbose= # optional, default is false
+
-          # When you need the analysis to take place in a directory other than the one from which it was launched, default is .
+      - name: Cache SonarCloud packages
-          projectBaseDir: .
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Gradle packages
        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
          restore-keys: ${{ runner.os }}-gradle
      - name: Build and analyze with Gradle
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          DOCKER_ENABLE_SECURITY: true
          STIRLING_PDF_DESKTOP_UI: true
        run: |
          ./gradlew clean build sonar \
            -Dsonar.projectKey=Stirling-Tools_Stirling-PDF \
            -Dsonar.organization=stirling-tools \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.log.level=DEBUG \
            --info
      - name: Upload Problems Report on Failure
        if: failure()
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: gradle-problems-report
          path: build/reports/problems/problems-report.html
          retention-days: 7
      - name: Upload Sonar Logs on Failure
        if: failure()
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: sonar-logs
          path: |
            .scannerwork/report-task.txt
            build/sonar/
          retention-days: 7
--- a/.github/workflows/sync_files.yml
+++ b/.github/workflows/sync_files.yml
@ -104,16 +104,6 @@ jobs:
          git add README.md
          git diff --staged --quiet || git commit -m ":memo: Sync README.md" || echo "no changes"
      - name: Generate verification metadata with signatures and checksums
        run: |
          set -e
          if [ -f ./gradle/verification-metadata.xml ]; then
            rm ./gradle/verification-metadata.xml
          fi
          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256 help
          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256,pgp --refresh-keys --export-keys --refresh-dependencies help
          ./gradlew clean build
      - name: Run git add
        run: |
          git add gradle/verification-keyring.keys
--- a/DeveloperGuide.md
+++ b/DeveloperGuide.md
@ -585,41 +585,3 @@ In your Thymeleaf templates, use the `#{key}` syntax to reference the new transl
 ```
 Remember, never hard-code text in your templates or Java code. Always use translation keys to ensure proper localization.
 ## Managing Dependencies
 When adding new dependencies or updating existing ones in Stirling-PDF, follow these steps to ensure proper verification and security:
 1. Update the dependency in `build.gradle`:
 ```groovy
 dependencies {
    // Add or update your dependency
    implementation "com.example:new-library:1.2.3"
 }
 ```
 2. Generate new verification metadata and keys:
 ```bash
 # Generate verification metadata with signatures and checksums
 ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256,pgp
 # Export the .keys file
 ./gradlew --export-keys
 ```
 3. Files to commit:
   - `build.gradle` - Your dependency changes
   - `gradle/verification-metadata.xml` - Contains verification rules and checksums
   - `gradle/verification-keyring.keys` - Contains PGP keys in text format
 4. Verify the build works with the new verification:
 ```bash
 ./gradlew build
 ```
 5. Before committing, check:
   - Verify any new BOM files are properly handled in verification metadata
   - Review the changes in `verification-metadata.xml` to ensure they match your dependency updates
 This ensures dependencies are properly verified and secure while maintaining transparency in the repository.
--- a/build.gradle
+++ b/build.gradle
@ -9,6 +9,7 @@ plugins {
    id "com.github.jk1.dependency-license-report" version "2.9"
    //id "nebula.lint" version "19.0.3"
    id("org.panteleyev.jpackageplugin") version "1.6.0"
    id "org.sonarqube" version "6.0.1.5171"
 }
 import com.github.jk1.license.render.*
@ -34,7 +35,6 @@ java {
 repositories {
    mavenCentral()
    maven { url = "https://jitpack.io" }
    maven { url = "https://build.shibboleth.net/maven/releases" }
    maven { url = "https://maven.pkg.github.com/jcefmaven/jcefmaven" }
 }
@ -269,6 +269,17 @@ spotless {
    }
 }
 sonar {
    properties {
        property "sonar.projectKey", "Stirling-Tools_Stirling-PDF"
        property "sonar.organization", "stirling-tools"
        property "sonar.exclusions", "**/build-wrapper-dump.json, src/main/java/org/apache/**, src/main/resources/static/pdfjs/**, src/main/resources/static/pdfjs-legacy/**, src/main/resources/static/js/thirdParty/**"
        property "sonar.coverage.exclusions", "src/main/java/org/apache/**, src/main/resources/static/pdfjs/**, src/main/resources/static/pdfjs-legacy/**, src/main/resources/static/js/thirdParty/**"
        property "sonar.cpd.exclusions", "src/main/java/org/apache/**, src/main/resources/static/pdfjs/**, src/main/resources/static/pdfjs-legacy/**, src/main/resources/static/js/thirdParty/**"
    }
 }
 //gradleLint {
 //        rules=['unused-dependency']
 //    }
--- a/gradle/verification-keyring.gpg
+++ b/gradle/verification-keyring.gpg
--- a/gradle/verification-keyring.keys
+++ b/gradle/verification-keyring.keys
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
--- a/src/main/java/stirling/software/SPDF/controller/api/AdditionalLanguageJsController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/AdditionalLanguageJsController.java
@ -32,7 +32,10 @@ public class AdditionalLanguageJsController {
        response.setContentType("application/javascript");
        PrintWriter writer = response.getWriter();
        // Erstelle das JavaScript dynamisch
-        writer.println("const supportedLanguages = " + toJsonArray(new ArrayList<>(supportedLanguages)) + ";");
+        writer.println(
                "const supportedLanguages = "
                        + toJsonArray(new ArrayList<>(supportedLanguages))
                        + ";");
        // Generiere die `getDetailedLanguageCode`-Funktion
        writer.println(
                """
--- a/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertHtmlToPDF.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertHtmlToPDF.java
@ -13,8 +13,8 @@ import io.github.pixee.security.Filenames;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import stirling.software.SPDF.model.api.converters.HTMLToPdfRequest;
 import stirling.software.SPDF.model.ApplicationProperties;
 import stirling.software.SPDF.model.api.converters.HTMLToPdfRequest;
 import stirling.software.SPDF.service.CustomPDDocumentFactory;
 import stirling.software.SPDF.utils.FileToPdf;
 import stirling.software.SPDF.utils.WebResponseUtils;
@ -28,16 +28,16 @@ public class ConvertHtmlToPDF {
    private final CustomPDDocumentFactory pdfDocumentFactory;
-	private final ApplicationProperties applicationProperties;
+    private final ApplicationProperties applicationProperties;
    @Autowired
    public ConvertHtmlToPDF(
            CustomPDDocumentFactory pdfDocumentFactory,
            @Qualifier("bookAndHtmlFormatsInstalled") boolean bookAndHtmlFormatsInstalled,
-			ApplicationProperties applicationProperties) {
+            ApplicationProperties applicationProperties) {
        this.pdfDocumentFactory = pdfDocumentFactory;
        this.bookAndHtmlFormatsInstalled = bookAndHtmlFormatsInstalled;
-		this.applicationProperties = applicationProperties;
+        this.applicationProperties = applicationProperties;
    }
    @PostMapping(consumes = "multipart/form-data", value = "/html/pdf")
@ -60,7 +60,8 @@ public class ConvertHtmlToPDF {
            throw new IllegalArgumentException("File must be either .html or .zip format.");
        }
-		boolean disableSanitize = Boolean.TRUE.equals(applicationProperties.getSystem().getDisableSanitize());
+        boolean disableSanitize =
                Boolean.TRUE.equals(applicationProperties.getSystem().getDisableSanitize());
        byte[] pdfBytes =
                FileToPdf.convertHtmlToPdf(
@ -68,7 +69,7 @@ public class ConvertHtmlToPDF {
                        fileInput.getBytes(),
                        originalFilename,
                        bookAndHtmlFormatsInstalled,
-						disableSanitize);
+                        disableSanitize);
        pdfBytes = pdfDocumentFactory.createNewBytesBasedOnOldDocument(pdfBytes);
--- a/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertMarkdownToPdf.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertMarkdownToPdf.java
@ -23,8 +23,8 @@ import io.github.pixee.security.Filenames;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import stirling.software.SPDF.model.api.GeneralFile;
 import stirling.software.SPDF.model.ApplicationProperties;
 import stirling.software.SPDF.model.api.GeneralFile;
 import stirling.software.SPDF.service.CustomPDDocumentFactory;
 import stirling.software.SPDF.utils.FileToPdf;
 import stirling.software.SPDF.utils.WebResponseUtils;
@ -38,16 +38,16 @@ public class ConvertMarkdownToPdf {
    private final CustomPDDocumentFactory pdfDocumentFactory;
-	private final ApplicationProperties applicationProperties;
+    private final ApplicationProperties applicationProperties;
    @Autowired
    public ConvertMarkdownToPdf(
            CustomPDDocumentFactory pdfDocumentFactory,
            @Qualifier("bookAndHtmlFormatsInstalled") boolean bookAndHtmlFormatsInstalled,
-			ApplicationProperties applicationProperties) {
+            ApplicationProperties applicationProperties) {
        this.pdfDocumentFactory = pdfDocumentFactory;
        this.bookAndHtmlFormatsInstalled = bookAndHtmlFormatsInstalled;
-		this.applicationProperties = applicationProperties;
+        this.applicationProperties = applicationProperties;
    }
    @PostMapping(consumes = "multipart/form-data", value = "/markdown/pdf")
@ -81,7 +81,8 @@ public class ConvertMarkdownToPdf {
        String htmlContent = renderer.render(document);
-		boolean disableSanitize = Boolean.TRUE.equals(applicationProperties.getSystem().getDisableSanitize());
+        boolean disableSanitize =
                Boolean.TRUE.equals(applicationProperties.getSystem().getDisableSanitize());
        byte[] pdfBytes =
                FileToPdf.convertHtmlToPdf(
@ -89,7 +90,7 @@ public class ConvertMarkdownToPdf {
                        htmlContent.getBytes(),
                        "converted.html",
                        bookAndHtmlFormatsInstalled,
-						disableSanitize);
+                        disableSanitize);
        pdfBytes = pdfDocumentFactory.createNewBytesBasedOnOldDocument(pdfBytes);
        String outputFilename =
                originalFilename.replaceFirst("[.][^.]+$", "")
--- a/src/main/java/stirling/software/SPDF/service/LanguageService.java
+++ b/src/main/java/stirling/software/SPDF/service/LanguageService.java
@ -1,10 +1,10 @@
 package stirling.software.SPDF.service;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.Arrays;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
@ -21,8 +21,7 @@ public class LanguageService {
    private final PathMatchingResourcePatternResolver resourcePatternResolver =
            new PathMatchingResourcePatternResolver();
-    public LanguageService(
+    public LanguageService(ApplicationProperties applicationProperties) {
            ApplicationProperties applicationProperties) {
        this.applicationProperties = applicationProperties;
    }
--- a/src/main/java/stirling/software/SPDF/utils/FileToPdf.java
+++ b/src/main/java/stirling/software/SPDF/utils/FileToPdf.java
@ -27,7 +27,7 @@ public class FileToPdf {
            byte[] fileBytes,
            String fileName,
            boolean htmlFormatsInstalled,
-			boolean disableSanitize)
+            boolean disableSanitize)
            throws IOException, InterruptedException {
        Path tempOutputFile = Files.createTempFile("output_", ".pdf");
@ -36,7 +36,9 @@ public class FileToPdf {
        try {
            if (fileName.endsWith(".html")) {
                tempInputFile = Files.createTempFile("input_", ".html");
-                String sanitizedHtml = sanitizeHtmlContent(new String(fileBytes, StandardCharsets.UTF_8), disableSanitize);
+                String sanitizedHtml =
                        sanitizeHtmlContent(
                                new String(fileBytes, StandardCharsets.UTF_8), disableSanitize);
                Files.write(tempInputFile, sanitizedHtml.getBytes(StandardCharsets.UTF_8));
            } else if (fileName.endsWith(".zip")) {
                tempInputFile = Files.createTempFile("input_", ".zip");
@ -93,7 +95,8 @@ public class FileToPdf {
        return (!disableSanitize) ? CustomHtmlSanitizer.sanitize(htmlContent) : htmlContent;
    }
-    private static void sanitizeHtmlFilesInZip(Path zipFilePath, boolean disableSanitize) throws IOException {
+    private static void sanitizeHtmlFilesInZip(Path zipFilePath, boolean disableSanitize)
            throws IOException {
        Path tempUnzippedDir = Files.createTempDirectory("unzipped_");
        try (ZipInputStream zipIn =
                ZipSecurity.createHardenedInputStream(
--- a/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java
+++ b/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java
@ -587,9 +587,7 @@ public class GeneralUtils {
            for (byte b : hash) {
                fingerprint.append(String.format("%02x", b));
            }
            return fingerprint.toString();
        } catch (Exception e) {
            return "GenericID";
        }
--- a/testing/test.sh
+++ b/testing/test.sh
@ -84,12 +84,6 @@ main() {
 	SECONDS=0
    cd "$PROJECT_ROOT"
    # Run the gradlew build command and check if it fails
    if [[ "$VERIFICATION" == "true" ]]; then
        ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256 --refresh-dependencies help
        ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256,pgp --refresh-keys --export-keys --refresh-dependencies help
    fi
    export DOCKER_ENABLE_SECURITY=false
    # Run the gradlew build command and check if it fails