Initial commit

Author: abirismyname

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.github/pull_request_template.md

@@ -0,0 +1,60 @@
+<!--
+IMPORTANT:
+
+This repository contains configuration for what users see when they click on the `Actions` tab and the setup page for Code Scanning.
+
+It is not:
+* A playground to try out scripts
+* A place for you to create a workflow for your repository
+-->
+
+## Pre-requisites
+
+- [ ] Prior to submitting a new workflow, please apply to join the GitHub Technology Partner Program: [partner.github.com/apply](https://partner.github.com/apply?partnershipType=Technology+Partner).
+
+---
+
+### **Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.**
+
+---
+
+## Tasks
+
+**For _all_ workflows, the workflow:**
+
+- [ ] Should be contained in a `.yml` file with the language or platform as its filename, in lower, [_kebab-cased_](https://en.wikipedia.org/wiki/Kebab_case) format (for example, [`docker-image.yml`](https://github.com/actions/starter-workflows/blob/main/ci/docker-image.yml)).  Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET").
+- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
+- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
+- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
+
+**For _CI_ workflows, the workflow:**
+
+- [ ] Should be preserved under [the `ci` directory](https://github.com/actions/starter-workflows/tree/main/ci).
+- [ ] Should include a matching `ci/properties/*.properties.json` file (for example, [`ci/properties/docker-publish.properties.json`](https://github.com/actions/starter-workflows/blob/main/ci/properties/docker-publish.properties.json)).
+- [ ] Should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`.
+- [ ] Packaging workflows should run on `release` with `types: [ created ]`.
+- [ ] Publishing workflows should have a filename that is the name of the language or platform, in lower case, followed by "-publish" (for example, [`docker-publish.yml`](https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml)).
+
+**For _Code Scanning_ workflows, the workflow:**
+
+- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
+- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
+  - [ ] `name`: Name of the Code Scanning integration.
+  - [ ] `organization`: Name of the organization producing the Code Scanning integration.
+  - [ ] `description`: Short description of the Code Scanning integration.
+  - [ ] `categories`: Array of languages supported by the Code Scanning integration.
+  - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons).
+- [ ] Should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly` (for example, [`codeql.yml`](https://github.com/actions/starter-workflows/blob/c59b62dee0eae1f9f368b7011cf05c2fc42cf084/code-scanning/codeql.yml#L14-L21)).
+
+**Some general notes:**
+
+- [ ] This workflow must _only_ use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or**
+- [ ] This workflow must _only_ use actions that are produced by the language or ecosystem that the workflow supports.  These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions).  We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag.  Additionally, workflows must include the following comment at the top of the workflow file:
+    ```
+    # This workflow uses actions that are not certified by GitHub.
+    # They are provided by a third-party and are governed by
+    # separate terms of service, privacy policy, and support
+    # documentation.
+    ```
+- [ ] Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
+- [ ] Automation and CI workflows cannot be dependent on a paid service or product.

.github/workflows/HelloWorld.jar

@@ -0,0 +1,22 @@
+name: Code Analysis (SpotBugs)
+
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+jobs:
+  spotbugs-analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Run SpotBugs
+        uses: abirismyname/spotbugs-github-action@main
+        with:
+          arguments: '-sarif'
+          target: './.github/workflows/HelloWorld.jar'
+          output: 'results.sarif'
+          spotbugs-version: 'latest'
+      - name: Show results.sarif
+        run: jq . results.sarif

.github/workflows/test.yml

@@ -0,0 +1,25 @@
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+spotbugs-*
+results.sarif
+.DS_STORE

.gitignore

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Abir Majumdar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

LICENSE

@@ -0,0 +1,30 @@
+# SpotBugs GitHub Action
+
+Run [SpotBugs](https://spotbugs.readthedocs.io/en/latest/) as a Github action.
+
+```yaml
+name: SpotBugs
+
+on: [push, pull_request]
+
+jobs:
+  spotbugs-analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run SpotBugs
+        uses: spotbugs/spotbugs-github-action@v1
+        with:
+          arguments: '-sarif'
+          target: './HelloWorld.jar'
+          output: 'results.sarif'
+          spotbugs-version: 'latest'
+
+      - name: Upload analysis results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{github.workspace}}/results.sarif
+```

README.md

@@ -0,0 +1,31 @@
+name: 'SpotBugs GitHub Action'
+description: 'Runs SpotBugs Static Analysis Tool for Java - https://spotbugs.github.io/'
+branding:
+  icon: 'check'  
+  color: 'blue'
+inputs:
+  spotbugs-version:
+    description: 'SpotBugs version to use.'
+    default: 'latest'
+    required: false  
+  arguments:
+    description: 'Command arguments to be sent to SpotBugs'
+    required: true
+    default: ''
+  output:
+    description: 'Output file name'
+    required: true
+  target:
+    description: 'Target of what you want to analyze'
+    required: true    
+runs:
+  using: "composite"
+  steps: 
+    - id: spotbot-analysis
+      run: ${{ github.action_path }}/analyze.sh
+      shell: bash
+      env:
+        SPOTBUGS_VERSION: ${{ inputs.spotbugs-version }}
+        OUTPUT: ${{ inputs.output }}
+        ARGUMENTS: ${{ inputs.arguments }}  
+        TARGET: ${{ inputs.target }}

action.yml

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Check whether to use latest version of PMD
+if [ "$SPOTBUGS_VERSION" == 'latest' ]; then
+    LATEST_TAG="$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/spotbugs/spotbugs/releases/latest | jq --raw-output '.tag_name')"
+    SPOTBUGS_VERSION=$LATEST_TAG
+fi
+
+# Download SpotBugs
+wget https://github.com/spotbugs/spotbugs/releases/download/"${SPOTBUGS_VERSION}"/spotbugs-"${SPOTBUGS_VERSION}".zip
+unzip spotbugs-"${SPOTBUGS_VERSION}".zip
+
+# Run SpotBugs
+SPOTBUGS_HOME=spotbugs-"${SPOTBUGS_VERSION}"
+SPOTBUGS=${SPOTBUGS_HOME}/bin/spotbugs
+sh $SPOTBUGS -textui -output "${OUTPUT}" "${ARGUMENTS}" "${TARGET}"