From 44901191b4e3935796952cf386bd4d157a560c76 Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Wed, 4 Feb 2026 10:41:55 +0100 Subject: [PATCH 1/6] #486: Updated changelog and version to 4.2.3. --- doc/changes/changes.md | 1 + doc/changes/changes_4.2.3.md | 11 +++++++++++ parent/pom.xml | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 doc/changes/changes_4.2.3.md diff --git a/doc/changes/changes.md b/doc/changes/changes.md index 29790f90..ea267619 100644 --- a/doc/changes/changes.md +++ b/doc/changes/changes.md @@ -1,5 +1,6 @@ # Changes +* [4.2.3](changes_4.2.3.md) * [4.2.2](changes_4.2.2.md) * [4.2.1](changes_4.2.1.md) * [4.2.0](changes_4.2.0.md) diff --git a/doc/changes/changes_4.2.3.md b/doc/changes/changes_4.2.3.md new file mode 100644 index 00000000..e4cd2094 --- /dev/null +++ b/doc/changes/changes_4.2.3.md @@ -0,0 +1,11 @@ +# OpenFastTrace 4.2.3, released 2025-02-?? + +Code name: OSSIndex in CI + +## Summary + +In this release we fixed the OSSIndex vulnerability scanner authentication in our CI. + +## Bugfixes + +* #486: Fixed OSSIndex authentication in CI diff --git a/parent/pom.xml b/parent/pom.xml index c7ee11b7..9b9a495c 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -10,7 +10,7 @@ Free requirement tracking suite https://github.com/itsallcode/openfasttrace - 4.2.2 + 4.2.3 17 6.1.0-M1 6.0.2 From 09f989dd976fbcc84c089e886bc815df2227296e Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Wed, 4 Feb 2026 10:52:19 +0100 Subject: [PATCH 2/6] #486: Moved setting OSSINDEX_USERNAME and OSSINDEX_TOKEN to step that sets up Java and Maven. --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d5fbd878..779d424c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -48,6 +48,9 @@ jobs: server-id: ossindex server-username: OSSINDEX_USERNAME server-password: OSSINDEX_TOKEN + env: + OSSINDEX_USERNAME: ${{ secrets.OSSINDEX_USERNAME }} + OSSINDEX_TOKEN: ${{ secrets.OSSINDEX_TOKEN }} - name: Cache SonarQube packages if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} @@ -61,9 +64,6 @@ jobs: run: | mvn --batch-mode -T 1C clean org.jacoco:jacoco-maven-plugin:prepare-agent install \ -Djava.version=${{ matrix.java }} - env: - OSSINDEX_USERNAME: ${{ secrets.OSSINDEX_USERNAME }} - OSSINDEX_TOKEN: ${{ secrets.OSSINDEX_TOKEN }} - name: Sonar analysis if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java && env.SONAR_TOKEN != null }} From 1000c8fe8e54be01aa4d9063e419829cafe13b50 Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Wed, 4 Feb 2026 11:11:22 +0100 Subject: [PATCH 3/6] #486: Add a debug step to print redacted settings.xml. --- .github/workflows/build.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 779d424c..d10bef11 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -52,6 +52,25 @@ jobs: OSSINDEX_USERNAME: ${{ secrets.OSSINDEX_USERNAME }} OSSINDEX_TOKEN: ${{ secrets.OSSINDEX_TOKEN }} + # TODO: Remove this once OSSIndex CI issue is resolved + - name: Debug Maven settings.xml (redacted) + shell: bash + run: | + set -euo pipefail + SETTINGS="${HOME}/.m2/settings.xml" + if [[ ! -f "$SETTINGS" ]]; then + echo "No Maven settings.xml found at: $SETTINGS" + exit 0 + fi + + echo "Maven settings.xml at: $SETTINGS" + # Redact common sensitive tags + any if present + sed -E \ + -e 's#()[^<]*()#\1***REDACTED***\2#g' \ + -e 's#()[^<]*()#\1***REDACTED***\2#g' \ + -e 's#()[^<]*()#\1***REDACTED***\2#g' \ + "$SETTINGS" + - name: Cache SonarQube packages if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} uses: actions/cache@v5 
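Review bot: Moving the `env:` block onto the setup-java step most likely takes the credentials away from the step that actually needs them. setup-java documents `server-username`/`server-password` as the *names* of environment variables; the `~/.m2/settings.xml` it generates only contains `${env.OSSINDEX_USERNAME}` / `${env.OSSINDEX_TOKEN}` placeholders, and setup-java itself never reads the values — Maven resolves them when `mvn` runs. After this hunk the two variables exist only for the duration of the setup step (its `uses:` line is above the hunk) and are unset during `mvn ... install`, so the placeholders resolve to empty strings and OSSIndex authentication fails. Keep the inputs as names and put the `env:` block back on the build step, or declare it once at job level (`env:` directly under the job) if several steps need it.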
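Review bot: The new debug step dumps the whole `~/.m2/settings.xml` into the public job log on every matrix job, protected only by a blacklist of tag patterns — and in this rendering the `sed` expressions show empty parentheses, so I cannot confirm which elements are covered; any other element, or a value whose closing tag sits on the next line, is printed verbatim. Since a setup-java-generated file only holds `${env.NAME}` placeholders, printing it also cannot tell you whether the secrets are populated. Print only what answers the question, e.g. `grep -oE '<id>[^<]*</id>' "$SETTINGS"` for the configured servers and `[[ -n "${OSSINDEX_TOKEN:-}" ]] && echo "OSSINDEX_TOKEN is set" || echo "OSSINDEX_TOKEN is unset"` for the credential (GitHub masks secret values, but this never echoes them at all). Gate the step with `if: ${{ runner.debug == '1' }}` so it only runs on debug re-runs and the `TODO` removal cannot be forgotten in normal CI.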
From b5c2a29f7281014759fcc78a427183e2c1a0af01 Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Wed, 4 Feb 2026 11:51:21 +0100 Subject: [PATCH 4/6] #486: Show empty fields in settings.xml. --- .github/workflows/build.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d10bef11..60e8d6fc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -66,10 +66,13 @@ jobs: echo "Maven settings.xml at: $SETTINGS" # Redact common sensitive tags + any if present sed -E \ - -e 's#()[^<]*()#\1***REDACTED***\2#g' \ - -e 's#()[^<]*()#\1***REDACTED***\2#g' \ - -e 's#()[^<]*()#\1***REDACTED***\2#g' \ - "$SETTINGS" + -e 's#()()#\1***EMPTY***\2#g; s#()[^<]+()#\1***REDACTED***\2#g' \ + -e 's#()()#\1***EMPTY***\2#g; s#()[^<]+()#\1***REDACTED***\2#g' \ + -e 's#()()#\1***EMPTY***\2#g; s#()[^<]+()#\1***REDACTED***\2#g' \ + -e 's#()()#\1***EMPTY***\2#g; s#()[^<]+()#\1***REDACTED***\2#g' \ + -e 's#()()#\1***EMPTY***\2#g; s#()[^<]+()#\1***REDACTED***\2#g' \ + -e 's#()()#\1***EMPTY***\2#g; s#()[^<]+()#\1***REDACTED***\2#g' \ + "$SETTINGS" - name: Cache SonarQube packages if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} From 60b32ec2715a041ec5fe8a08fdd3bcaa8eee02ef Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Wed, 4 Feb 2026 12:01:53 +0100 Subject: [PATCH 5/6] #486: Checked if correct Maven settings.xml are used. --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 60e8d6fc..bb9a6c0c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
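Review bot: The redaction is still line-based and tag-specific (`[^<]+` inside one `sed` line), so a credential whose value or closing tag spans lines, or one stored under a tag not in the list, reaches the log unredacted; the tag names themselves are not visible in this rendering (empty parentheses), so the coverage cannot be verified from the hunk. Inverting the approach is safer: restrict output to the `<servers>` block and redact every credential field in it, e.g. `sed -n '/<servers>/,/<\/servers>/p' "$SETTINGS" | sed -E 's#<(username|password|passphrase)>[^<]+<#<\1>***REDACTED***<#g; s#<(username|password|passphrase)></#<\1>***EMPTY***</#g'` — which keeps the `***EMPTY***` signal this hunk adds while never echoing proxy, mirror or property values. The `run: |` script of this step begins above the hunk.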
@@ -84,6 +84,11 @@ jobs: - name: Build with Java ${{ matrix.java }} run: | + # TODO: Remove this once OSSIndex CI issue is resolved. + echo "Checking whether the correct Maven settings.xml is used by examination of effective settings:" + mvn -q --batch-mode help:effective-settings -Doutput=effective-settings.xml + grep -n "ossindex" -n effective-settings.xml || true + mvn --batch-mode -T 1C clean org.jacoco:jacoco-maven-plugin:prepare-agent install \ -Djava.version=${{ matrix.java }} From 33b158dc2d9ba5f180b5c9c69ad8588c28baa9cb Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Thu, 5 Feb 2026 17:51:58 +0100 Subject: [PATCH 6/6] #488: Inject GHS for OSSIndex directly into server-username and server-password. --- .github/workflows/build.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bb9a6c0c..e92c5389 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,11 +46,8 @@ jobs: java-version: ${{ matrix.java }} cache: "maven" server-id: ossindex - server-username: OSSINDEX_USERNAME - server-password: OSSINDEX_TOKEN - env: - OSSINDEX_USERNAME: ${{ secrets.OSSINDEX_USERNAME }} - OSSINDEX_TOKEN: ${{ secrets.OSSINDEX_TOKEN }} + server-username: ${{ secrets.OSSINDEX_USERNAME }} + server-password: ${{ secrets.OSSINDEX_TOKEN }} # TODO: Remove this once OSSIndex CI issue is resolved - name: Debug Maven settings.xml (redacted)
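Review bot: `help:effective-settings -Doutput=effective-settings.xml` writes the *resolved* settings (with `${env.*}` expanded) into the checked-out workspace and the file is never removed; the help plugin masks `<password>` by default (`showPasswords` is false), but the resolved username is stored in plaintext and the file stays readable by every later step, including any upload or cache step outside this hunk. Write it to the runner's temp dir and delete it: `mvn -q --batch-mode help:effective-settings -Doutput="$RUNNER_TEMP/effective-settings.xml"`, `grep -n "ossindex" "$RUNNER_TEMP/effective-settings.xml" || true`, `rm -f "$RUNNER_TEMP/effective-settings.xml"`. The duplicated `-n` flag on the `grep` line is harmless but should go. Note that `-q` on the first `mvn` hides its output, so if it fails the only evidence will be the step's non-zero exit.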
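Review bot: Passing the secret *values* to `server-username`/`server-password` puts the credentials into `~/.m2/settings.xml` in a form Maven cannot use. setup-java documents these inputs as environment-variable names and emits `<username>${env.NAME}</username>` / `<password>${env.NAME}</password>`; if that holds for the version pinned on the `uses:` line above the hunk, this change writes `${env.<actual token>}` to a plaintext file on the runner — readable by every later step, and kept out of the log only by the debug step's regex — while Maven then looks for an environment variable named after the token value, which does not exist, so authentication still fails. The previous shape was correct: keep `server-username: OSSINDEX_USERNAME` / `server-password: OSSINDEX_TOKEN` and supply the `env:` block with the two `${{ secrets.* }}` values on the step that runs `mvn` (or at job level), not on the setup-java step. If the underlying symptom is that the secrets are empty for some triggers (pull requests from forks and Dependabot do not receive repository secrets), guard the OSSIndex scan with an `if:` on the secret being non-empty instead of changing how the values are passed.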