SCRUM-2729: Added support for OWASP SAST Tools

SonarQube
FindSecBugs
OWASP Dependency Check

.sonarlint/connectedMode.json

@@ -0,0 +1,4 @@
+{
+    "sonarQubeUri": "http://localhost:9900",
+    "projectKey": "wp2-be-audit-dm"
+}

CHANGELOG.md

@@ -28,6 +28,13 @@
 
 # [1.0.0] - 2025-10-10
 
+### [SCRUM-2729](https://itserr-wp2.atlassian.net/browse/SCRUM-2729)
+
+### Added
+
+- Added support for OWASP SAST Tools
+- SonarQube, FindSecBugs, OWASP Dependency Check
+
 ### [SCRUM-2283](https://itserr-wp2.atlassian.net/browse/SCRUM-2283)
 
 ### Fixed

pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>com.finconsgroup.itserr.marketplace</groupId>
         <artifactId>core</artifactId>
-        <version>1.0.4</version>
+        <version>1.0.10-SNAPSHOT</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
 
@@ -26,6 +26,8 @@
     <properties>
         <revision>1.0.2-SNAPSHOT</revision>
         <itserr.audit-dm.version>${revision}</itserr.audit-dm.version>
+        <sonar.projectKey>wp2-be-audit-dm</sonar.projectKey>
+        <sonar.projectName>wp2-be-audit-dm</sonar.projectName>
     </properties>
 
     <dependencyManagement>

wp2-be-audit-dm-server/pom.xml

@@ -15,6 +15,7 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <sonar.scanner.javaOpts>${itserr.core.jpa.sonar.javaOpts}</sonar.scanner.javaOpts>
     </properties>
 
     <dependencies>
@@ -198,6 +199,33 @@
                 </executions>
             </plugin>
 
+            <!-- Copy findsecbugs files from core libraries jar -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>copy-findsecbugs-dependencies</id>
+                        <phase>compile</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>com.finconsgroup.itserr.marketplace</groupId>
+                                    <artifactId>core-data-jpa</artifactId>
+                                    <version>${itserr.core.version}</version>
+                                    <type>jar</type>
+                                    <overWrite>true</overWrite>
+                                </artifactItem>
+                            </artifactItems>
+                            <includes>findsecbugs/*.txt</includes>
+                            <outputDirectory>${project.build.outputDirectory}</outputDirectory>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 </project>

wp2-be-audit-dm-server/src/main/resources/spotbugs-files/sb-exclude-filters.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter
+        xmlns="https://github.com/spotbugs/filter/4.8.4"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/4.8.4 https://raw.githubusercontent.com/spotbugs/spotbugs/4.8.4/spotbugs/etc/findbugsfilter.xsd">
+    <Match>
+        <Class name="~com\.finconsgroup\.itserr\.marketplace.*\.WireMockServerTest"/>
+        <Method name="getWireMockConfiguration"/>
+        <Bug pattern="UNENCRYPTED_SERVER_SOCKET"/>
+    </Match>
+    <Match>
+        <Class name="~com\.finconsgroup\.itserr\.marketplace.*\.DiagnosticsController"/>
+        <Method name="downloadLogs"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+</FindBugsFilter>