diff --git a/.github/workflows/findbugs.yml b/.github/workflows/findbugs.yml
new file mode 100644
index 00000000..3988bd40
--- /dev/null
+++ b/.github/workflows/findbugs.yml
@@ -0,0 +1,34 @@
+name: FindBugs Analysis
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+ pull-requests: write
+
+jobs:
+ test-suite:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
+ - name: Set up JDK 11
+ uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ cache: maven
+ - name: Build with Maven
+ run: mvn -B package --file pom.xml
+ - name: Generate report
+ run: mvn spotbugs:spotbugs
+ - name: Upload FindBugs report as a workflow artifact
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
+ with:
+ name: findbugs-report
+ path: target/spotbugsXml.xml
+ continue-on-error: true
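Review bot: The `permissions` block grants `pull-requests: write`, but no step in the job writes to a pull request — the steps only check out, build, run `mvn spotbugs:spotbugs` and upload an artifact — so the grant should be dropped or reduced to `pull-requests: read` to keep the job token at least privilege. Relatedly, `spotbugs:spotbugs` only generates the report and findings never fail the job, so if the analysis is meant to gate `main` a `mvn spotbugs:check` step (or the `check` goal bound to a phase in the pom.xml hunk) is needed. Indentation in this view is collapsed to a single space, so it is not clear whether `continue-on-error: true` on the last line belongs to the upload step or to the job; on the job it would mask build failures entirely. The actions are pinned by commit SHA, which is good; a trailing `# vX.Y.Z` comment on each `uses:` line would make the pinned versions auditable.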
diff --git a/README.md b/README.md
index 4136493e..c407c75a 100644
--- a/README.md
+++ b/README.md
@@ -71,13 +71,11 @@ A template of the `licenses.json` file can be found in the repository at `src/ma
# according to the template at 'src/main/resources/licenses.json')
# > option "scanner": take conflicts from the scanner response
license_conflict=json
-
- # Alternatively, you can supply all the necessary values associated with github
- # and license using these env variables:
- # LPVS_GITHUB_LOGIN, LPVS_GITHUB_TOKEN, LPVS_GITHUB_API_URL, LPVS_GITHUB_SECRET,
- # LPVS_LICENSE_FILEPATH and LPVS_LICENSE_CONFLICT.
```
+ Alternatively, you can supply all the necessary values associated with GitHub and license using these env variables:
+ `LPVS_GITHUB_LOGIN`, `LPVS_GITHUB_TOKEN`, `LPVS_GITHUB_API_URL`, `LPVS_GITHUB_SECRET`, `LPVS_LICENSE_FILEPATH` and `LPVS_LICENSE_CONFLICT`.
+
4. Build LPVS application with Maven, then run it:
```bash
mvn clean install
diff --git a/pom.xml b/pom.xml
index d6d3c22c..826f87d2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -134,6 +134,21 @@
+
+ com.github.spotbugs
+ spotbugs-maven-plugin
+ 4.7.1.1
+
+ spotbugs-security-include.xml
+
+
+ com.h3xstream.findsecbugs
+ findsecbugs-plugin
+ 1.12.0
+
+
+
+
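Review bot: The include filter this hunk wires in (`spotbugs-security-include.xml`) appears with only blank content in its own hunk further down, so its `<Match>` entries cannot be verified from this view; an include filter with no matching entry reports nothing, which would make the whole analysis silently empty. Confirm the file contains at least `<Match><Bug category="SECURITY"/></Match>` so the findsecbugs detectors added here actually surface. As far as the visible lines show, the plugin has no `<executions>` binding the `check` goal, so findings are only written to the report invoked from the workflow and do not fail the build.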
diff --git a/spotbugs-security-include.xml b/spotbugs-security-include.xml
new file mode 100644
index 00000000..69e87f62
--- /dev/null
+++ b/spotbugs-security-include.xml
@@ -0,0 +1,5 @@
+
+
+
+
+
\ No newline at end of file
diff --git a/src/main/java/com/lpvs/controller/GitHubWebhooksController.java b/src/main/java/com/lpvs/controller/GitHubWebhooksController.java
index 2f0e5aef..3e66bec4 100644
--- a/src/main/java/com/lpvs/controller/GitHubWebhooksController.java
+++ b/src/main/java/com/lpvs/controller/GitHubWebhooksController.java
@@ -102,7 +102,7 @@ public boolean wrongSecret(String signature, String payload) throws Exception {
SecretKeySpec key = new SecretKeySpec(GITHUB_SECRET.getBytes("utf-8"), ALGORITHM);
Mac mac = Mac.getInstance(ALGORITHM);
mac.init(key);
- String githubSecret = Hex.encodeHexString(mac.doFinal(payload.getBytes()));
+ String githubSecret = Hex.encodeHexString(mac.doFinal(payload.getBytes("utf-8")));
LOG.info("lpvs signature: " + lpvsSecret);
LOG.info("github signature: " + githubSecret);
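Review bot: The two `LOG.info` calls after the changed line write both the locally computed HMAC and the received signature to the log at INFO level on every webhook; these are not the secret itself, but keeping signature material in routine logs is more than a verifier needs, so they should be removed or reduced to a `LOG.debug` that omits the values. The `getBytes("utf-8")` change is correct and now matches the key derivation above; both calls could use `payload.getBytes(StandardCharsets.UTF_8)` to avoid the checked-exception path of the string-charset overload. The comparison of `lpvsSecret` and `githubSecret` lies outside the hunk; if it is done with `String.equals`, `MessageDigest.isEqual` on the raw MAC bytes avoids a timing side channel. `wrongSecret` begins and ends outside this hunk.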