Add SpotBugs check to CI and expand PATH_TRAVERSAL_IN suppression#273
Merged
Conversation
…AVERSAL_IN

spotbugs:check is bound to the Maven verify phase, which only the publish deploy goal reaches, so SpotBugs ran only at snapshot/release publish — a PATH_TRAVERSAL_IN finding turned a release red after every jar had already built.

Add a SpotBugs step to the existing fast code-style job (after Spotless, before the informational jdeps step) so it runs on every PR/push and gates publish (publish-* already needs: code-style). Mirrors the existing early Spotless gate; no needs: change required.

Provisionally suppress the PATH_TRAVERSAL_IN finding in OfflineModelGuard / ModelParameters (operator-supplied --model path; same threat model as the existing LlamaLoader suppression) and track an open deep-check in TODO.md for whether it — and the LlamaLoader suppression — can be genuinely resolved.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0137c1LhUbNvW3kt4eF9Kqyb
…e positive)

Deep-checked the two PATH_TRAVERSAL_IN sites flagged by findsecbugs: LlamaLoader (native-lib path from the lib.path / java.library.path / tmpdir JVM properties) and OfflineModelGuard.check (a read-only Files.exists on the configured model path). In both the tainted input is the operator's own process configuration set at launch, not untrusted input crossing a privilege boundary, and there is no allowed-root to validate against (pointing at an arbitrary GGUF/library anywhere on disk is the whole point). So it is a settled false positive for a JNI library and no code fix is appropriate.

Consolidate the two suppression blocks into one finalized <Match> over all three classes with the reviewed rationale, drop the "provisional/under review" language, and close the deep-check item in TODO.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0137c1LhUbNvW3kt4eF9Kqyb
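An added illustration, not the project's own spotbugs-exclude.xml, of the consolidated scoped <Match> the second commit describes, shown beside a commented-out blanket suppression for contrast; the package name org.example.llama is an assumption, since the page gives only the simple class names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration of a narrowly scoped findsecbugs suppression; not the
     project's own spotbugs-exclude.xml. The package org.example.llama is an
     assumed placeholder: the page names only the simple class names. -->
<FindBugsFilter>

  <!-- Too broad (do not do this): silences PATH_TRAVERSAL_IN for the whole
       code base, so a later finding on a path that really does cross a
       trust boundary would never surface in CI.
  <Match>
    <Bug pattern="PATH_TRAVERSAL_IN"/>
  </Match>
  -->

  <!-- Scoped suppression with the reviewed rationale recorded next to it.
       Rationale: in all three classes the tainted value is the operator's
       own launch configuration (lib.path / java.library.path / tmpdir JVM
       properties, or the --model path). No privilege boundary is crossed
       and there is no allowed root to validate against, so the detector
       cannot be satisfied by a code change. -->
  <Match>
    <Or>
      <Class name="org.example.llama.LlamaLoader"/>
      <Class name="org.example.llama.ModelParameters"/>
      <!-- Narrowed to the single method the review looked at, so a new
           path-handling method in this class would still be flagged. -->
      <And>
        <Class name="org.example.llama.OfflineModelGuard"/>
        <Method name="check"/>
      </And>
    </Or>
    <Bug pattern="PATH_TRAVERSAL_IN"/>
  </Match>

</FindBugsFilter>
```

Because the filter matches only one bug pattern in named classes, any other findsecbugs detector still fails the CI step that the first commit adds to the code-style job.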
Summary
Expand the PATH_TRAVERSAL_IN suppression in spotbugs-exclude.xml to cover OfflineModelGuard and ModelParameters in addition to LlamaLoader.