merging feature-2 to main

[manij-20]

Summary by CodeRabbit

• New Features

  • Added a Simple Parcel Service web app with a welcome form and confirmation page for sending parcels.

• Documentation

  • Expanded README with environment setup, build/run instructions, and example CI workflow snippets.

• Chores

  • Added CI/CD workflows for build, artifact handling, run/stop validation, and static analysis; added project build configuration and editor settings to streamline development.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a minimal Spring Boot (Java 17) web app with Thymeleaf views, controller/service/model placeholders, Maven build configuration, editor settings, README examples, a Jenkinsfile, and multiple reusable GitHub Actions workflows for setup, build, run/validate/stop, artifact upload, and SonarCloud analysis.

Changes

Cohort / File(s)	Summary
CI workflows .github/workflows/main.yml, .github/workflows/setup-java-maven.yml, .github/workflows/build-and-artifact.yml, .github/workflows/springboot-run-stop.yml, .github/workflows/sonarcloud-analysis.yml, .github/main.yml	Adds reusable GitHub Actions workflows: Java/Maven setup, build & artifact upload, Spring Boot run/validate/stop, SonarCloud analysis, and a top-level orchestrator that wires them together.
CI pipeline (Jenkins) Jenkinsfile	Adds a Jenkins pipeline using a shared library with stages for checkout, build (Maven), and running the application (mvn spring-boot:run); some archive/alternate steps are commented out.
IDE settings .vscode/settings.json	Adds VSCode Java settings disabling null analysis and automatic build-configuration updates.
Maven project pom.xml	Adds/updates Maven POM for Java 17 + Spring Boot 2.5.4, Thymeleaf/web dependencies, SonarCloud properties, and plugins (spring-boot, sonar, compiler).
Application entry src/main/java/com/example/SimpleParcelServiceApp.java	New Spring Boot main application class annotated with @SpringBootApplication.
Web layer & templates src/main/java/com/example/controller/ParcelController.java, src/main/resources/templates/index.html, src/main/resources/templates/confirmation.html	Adds a controller with GET / (returns index) and POST /sendParcel (returns confirmation), plus Thymeleaf templates for form and confirmation pages.
Domain & service placeholders src/main/java/com/example/model/Parcel.java, src/main/java/com/example/service/ParcelService.java	Adds placeholder Parcel model class and ParcelService annotated with @Service (no methods yet).
Properties & build outputs src/main/resources/application.properties, target/classes/application.properties, target/classes/templates/index.html	Adds Thymeleaf configuration (prefix/suffix/cache=false) and includes compiled resource outputs in target/classes.
Documentation README.md	Expands README with environment setup, manual build/run commands, and example CI workflow snippets.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Inspect GitHub Actions for correct secret usage, workflow_call inputs, and intended runner types (self-hosted vs ubuntu).
• Verify the springboot-run-stop probe (public IP resolution and health check) and mvn spring-boot:stop usage.
• Review pom.xml for plugin and Java 17 configuration consistency (compiler, spring-boot-maven-plugin).
• Confirm controller parameter names match form input names and Thymeleaf expressions in templates.
• Check Jenkinsfile tool declarations and any commented archive/run alternatives.

Poem

🐰 I hopped through commits at dawn's soft light,
Scattered templates, workflows — what a sight,
Pipelines stitched and Maven sings,
Tiny app with parcel wings,
I thumped my foot and took a byte!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	The title 'merging feature-2 to main' is vague and generic, using non-descriptive language that does not convey meaningful information about the actual changes in the pull request.	Replace with a descriptive title that summarizes the main change, e.g., 'Add Parcel Service Spring Boot application with CI/CD workflows' or 'Implement Parcel Service app with GitHub Actions pipelines'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (9)

.vscode/settings.json (1)

1-4: Repo-level null analysis and build-config disabling may hide issues

Disabling java.compile.nullAnalysis.mode and java.configuration.updateBuildConfiguration at the repo level reduces IDE noise but also turns off helpful checks and automatic Maven config syncing for everyone. Confirm this is a conscious team decision; otherwise consider dropping these settings so each developer can control them locally.

src/main/resources/application.properties (1)

1-5: Thymeleaf configuration looks good; consider cache behavior for prod

The prefix/suffix configuration is standard and correct. spring.thymeleaf.cache=false is great for local development, but for production you’ll typically want caching enabled (or made profile-specific) for performance.

src/main/java/com/example/model/Parcel.java (1)

1-5: Model scaffold is fine for now

Empty Parcel as a placeholder is acceptable while the domain is being designed. Once requirements are clearer, either flesh this out with fields/accessors (or Lombok/etc.) or drop it until it’s actually needed to avoid dead code.

src/main/java/com/example/service/ParcelService.java (1)

1-8: Service scaffold is valid; expand or trim as the API emerges

ParcelService is correctly annotated and ready for DI. When you start adding behavior, consider defining a clear service interface (or at least concrete methods) so this class isn’t just a placeholder. If it stays unused for a while, you might also defer adding it to keep the codebase lean.

src/main/resources/templates/index.html (1)

1-10: Template is minimal and correctly wired to Thymeleaf.

HTML structure and the th:text="${message}" binding align with ParcelController.index and Thymeleaf defaults; this is fine for an initial landing page. Optionally add static fallback text inside the <h1> so something meaningful renders even if message is missing.

src/main/java/com/example/SimpleParcelServiceApp.java (1)

1-11: Spring Boot entry point looks correct.

@SpringBootApplication and SpringApplication.run(SimpleParcelServiceApp.class, args) are standard and should bootstrap the app as expected. Just ensure your Maven/Spring Boot plugin configuration (main class / start class) is consistent with this package and class name for executable jars.

src/main/java/com/example/controller/ParcelController.java (1)

1-15: Controller wiring for root path and model attribute is straightforward and correct.

Mapping "/" to the index view and adding "message" to the Model matches the Thymeleaf template and should render fine. As the app grows, consider externalizing the welcome string into a messages.properties bundle for easier localization and reuse.

.github/main.yml (1)

21-27: Maven installation and caching are heavier than necessary on a self‑hosted runner.

You install Maven each run via sudo apt install maven -y and also enable both setup-java@v3’s built‑in Maven cache and a separate actions/cache on ~/.m2. On a self‑hosted runner it’s usually better to:

• Preinstall Maven (drop the apt step), and
• Use either setup-java’s Maven cache or actions/cache, but not both.

Also applies to: 36-44

Jenkinsfile (1)

29-33: Background mvn spring-boot:run & in Jenkins can leave orphan processes.

Running the app in the background inside a sh step returns immediately and may leave the Spring Boot process running after the pipeline finishes. In Jenkins it’s safer to use a managed lifecycle (spring-boot:start/spring-boot:stop, a dedicated deploy job, or a stage with a bounded timeout that explicitly kills the process) rather than backgrounding it.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dfb9bca and 03b5c26.

⛔ Files ignored due to path filters (4)

• target/classes/com/example/SimpleParcelServiceApp.class is excluded by !**/*.class
• target/classes/com/example/controller/ParcelController.class is excluded by !**/*.class
• target/classes/com/example/model/Parcel.class is excluded by !**/*.class
• target/classes/com/example/service/ParcelService.class is excluded by !**/*.class

📒 Files selected for processing (13)

• .github/main.yml (1 hunks)
• .vscode/settings.json (1 hunks)
• Jenkinsfile (1 hunks)
• README.md (1 hunks)
• pom.xml (1 hunks)
• src/main/java/com/example/SimpleParcelServiceApp.java (1 hunks)
• src/main/java/com/example/controller/ParcelController.java (1 hunks)
• src/main/java/com/example/model/Parcel.java (1 hunks)
• src/main/java/com/example/service/ParcelService.java (1 hunks)
• src/main/resources/application.properties (1 hunks)
• src/main/resources/templates/index.html (1 hunks)
• target/classes/application.properties (1 hunks)
• target/classes/templates/index.html (1 hunks)

🧰 Additional context used

🪛 LanguageTool

README.md

[style] ~31-~31: Using many exclamation marks might seem excessive (in this case: 4 exclamation marks for a text that’s 1445 characters long)
Context: ...dy set." fi # Step 2: Install Maven if ! mvn -version &>/dev/null; then echo...

(EN_EXCESSIVE_EXCLAMATION)

🪛 markdownlint-cli2 (0.18.1)

README.md

3-3: No space after hash on atx style heading

(MD018, no-missing-space-atx)

🪛 OSV Scanner (2.3.0)

pom.xml

[HIGH] 1-1: ch.qos.logback:logback-classic 1.2.5: logback serialization vulnerability

(GHSA-vmq6-5m68-f53m)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing

(GHSA-25qh-j22f-pwp8)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: Deserialization of Untrusted Data in logback

(GHSA-668q-qrv7-99fm)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: QOS.CH logback-core Server-Side Request Forgery vulnerability

(GHSA-6v67-2wr5-gvf4)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: QOS.CH logback-core Expression Language Injection vulnerability

(GHSA-pr98-23f8-jwxv)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: logback serialization vulnerability

(GHSA-vmq6-5m68-f53m)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-core 2.12.4: jackson-core can throw a StackoverflowError when processing deeply nested data

(GHSA-h46c-h94j-95f3)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-core 2.12.4: Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation

(GHSA-wf8f-6423-gfxg)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode

(GHSA-3x8x-79m2-3w2w)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: Deeply nested json in jackson-databind

(GHSA-57j2-w4cx-62h2)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: Uncontrolled Resource Consumption in Jackson-databind

(GHSA-jjjh-jjxp-wpff)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: Uncontrolled Resource Consumption in FasterXML jackson-databind

(GHSA-rgv9-q543-rqg4)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

(GHSA-27hp-xhwr-wr2m)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat installer for Windows has an untrusted search path vulnerability

(GHSA-42wg-hm62-jcwg)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

(GHSA-5j33-cvvr-w245)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

(GHSA-7w75-32cg-r6g2)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

(GHSA-83qj-6fr2-vhqg)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Improper Input Validation vulnerability

(GHSA-fccv-jmmp-qg76)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Incomplete Cleanup vulnerability

(GHSA-g8pj-r55q-5c2v)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Improper Resource Shutdown or Release vulnerability

(GHSA-gqp3-2cvr-x8m3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - CGI security constraint bypass

(GHSA-h2fw-rfh5-95r3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - DoS in multipart upload

(GHSA-h3gc-qfqq-6h8f)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Commons FileUpload denial of service vulnerability

(GHSA-hfrx-6qgj-fp6c)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Vulnerable to Improper Resource Shutdown or Release

(GHSA-hgrr-935x-pq79)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat may reject request containing invalid Content-Length header

(GHSA-p22x-g9px-3945)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Open Redirect vulnerability

(GHSA-q3mw-pvr8-9ggc)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: HTTP/2 Stream Cancellation Attack

(GHSA-qppj-fm5r-hxr3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Improper Input Validation vulnerability

(GHSA-r6j3-px5g-cq3x)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat improperly escapes input from JsonErrorReportValve

(GHSA-rq2w-37h9-vg94)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences

(GHSA-vfww-5hm6-hx2j)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - Security constraint bypass for pre/post-resources

(GHSA-wc4r-xq3c-5cf3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - Denial of Service

(GHSA-wm9w-rjj3-j356)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Vulnerable to Relative Path Traversal

(GHSA-wmwf-9ccg-fff5)

---

[HIGH] 1-1: org.springframework.boot:spring-boot 2.5.4: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

(GHSA-rc42-6c7j-7h5r)

---

[HIGH] 1-1: org.springframework.boot:spring-boot-autoconfigure 2.5.4: Spring Boot Welcome Page Denial of Service

(GHSA-xf96-w227-r7c4)

---

[CRITICAL] 1-1: org.springframework.boot:spring-boot-starter-web 2.5.4: Remote Code Execution in Spring Framework

(GHSA-36p3-wjmg-h94x)

---

[CRITICAL] 1-1: org.springframework:spring-beans 5.3.9: Remote Code Execution in Spring Framework

(GHSA-36p3-wjmg-h94x)

---

[CRITICAL] 1-1: org.springframework:spring-beans 5.3.9: Denial of service in Spring Framework

(GHSA-hh26-6xwr-ggv7)

---

[HIGH] 1-1: org.springframework:spring-context 5.3.9: Spring Framework DataBinder Case Sensitive Match Exception

(GHSA-4gc7-5j7h-4qph)

---

[HIGH] 1-1: org.springframework:spring-context 5.3.9: Spring Framework DataBinder Case Sensitive Match Exception

(GHSA-4wp7-92pw-q264)

---

[HIGH] 1-1: org.springframework:spring-context 5.3.9: Improper handling of case sensitivity in Spring Framework

(GHSA-g5mm-vmx4-3rg7)

---

[HIGH] 1-1: org.springframework:spring-core 5.3.9: Log entry injection in Spring Framework

(GHSA-6gf2-pvqw-37ph)

---

[HIGH] 1-1: org.springframework:spring-core 5.3.9: Spring Framework annotation detection mechanism may result in improper authorization

(GHSA-jmp9-x22r-554x)

---

[HIGH] 1-1: org.springframework:spring-core 5.3.9: Improper Output Neutralization for Logs in Spring Framework

(GHSA-rfmp-97jj-h8m6)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Allocation of Resources Without Limits or Throttling in Spring Framework

(GHSA-558x-2xjg-6232)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Spring Framework vulnerable to denial of service via specially crafted SpEL expression

(GHSA-564r-hj7v-mcr5)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Spring Framework vulnerable to Denial of Service

(GHSA-9cmq-m9j5-mvww)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Spring Framework vulnerable to denial of service

(GHSA-wxqc-pxw9-g2p8)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework DoS via conditional HTTP request

(GHSA-2rmj-mq67-h97g)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework URL Parsing with Host Validation

(GHSA-2wrp-6fg6-hmc5)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework DataBinder Case Sensitive Match Exception

(GHSA-4gc7-5j7h-4qph)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Pivotal Spring Framework contains unsafe Java deserialization methods

(GHSA-4wrc-f8pq-fpqp)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Web vulnerable to Open Redirect or Server Side Request Forgery

(GHSA-ccgv-vj62-xf9h)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework URL Parsing with Host Validation Vulnerability

(GHSA-hgjh-9rj2-g67j)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Remote Code Execution in Spring Framework

(GHSA-36p3-wjmg-h94x)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

(GHSA-7phw-cxx7-q9vq)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Path traversal vulnerability in functional web frameworks

(GHSA-cx7f-g6mp-7hqm)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring Framework Path Traversal vulnerability

(GHSA-g5vr-rgqm-vf78)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring Framework MVC Applications Path Traversal Vulnerability

(GHSA-r936-gwx5-v52f)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring MVC controller vulnerable to a DoS attack

(GHSA-w3c8-7r8f-9jp8)

---

[CRITICAL] 1-1: org.thymeleaf:thymeleaf-spring5 3.0.12.RELEASE: Template injection in thymeleaf-spring5

(GHSA-qcj6-jqrg-4wp2)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: Uncontrolled Resource Consumption in snakeyaml

(GHSA-3mc7-4q67-w48m)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-98wm-3w3q-mw94)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-9w3m-gqgf-c4p9)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-c4r9-r8fh-9vj2)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-hhhw-99gj-p3c3)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: SnakeYaml Constructor Deserialization Remote Code Execution

(GHSA-mjmj-j48q-9wg2)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: Snakeyaml vulnerable to Stack overflow leading to denial of service

(GHSA-w37g-rhq8-7m4j)

🔇 Additional comments (3)

.github/main.yml (3)

4-9: pull_request trigger targets master while this repo uses main.

With PRs targeting main, this workflow will not run on pull_request events (only on push). Consider updating the branch filter:

-  pull_request:
-    branches:
-      - master
+  pull_request:
+    branches:
+      - main

---

57-65: File .github/main.yml does not exist in the repository.

The referenced file and lines (57-65, 95-99) are not present in this codebase. The repository currently only contains README.md. This review comment cannot be applied.

Likely an incorrect or invalid review comment.

---

68-79: The referenced file and code do not exist in the repository.

The review comment points to .github/main.yml (lines 68-79, 81-87), but this file does not exist. The .github directory is absent from the repository, and no files containing the ifconfig.me code pattern could be found. This review comment cannot be applied as the code being reviewed is not present in the codebase.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find and read the GitHub workflow file
find . -name "main.yml" -path "*/.github/*" | head -5

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# List files in .github directory
find .github -type f 2>/dev/null | head -20

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# Check if .github directory exists and list root structure
ls -la | head -20

Repository: vikas0105/Parcel-service

Length of output: 436

---

🏁 Script executed:

# Search for any workflow files
find . -name "*.yml" -o -name "*.yaml" 2>/dev/null | grep -v ".git"

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# Check git history to see if the file ever existed
git log --all --full-history -- ".github/main.yml" | head -20

Repository: vikas0105/Parcel-service

Length of output: 625

---

🏁 Script executed:

# Check current branch and HEAD
git branch -v
git show HEAD:.github/main.yml 2>/dev/null | head -150

Repository: vikas0105/Parcel-service

Length of output: 240

---

🏁 Script executed:

# Get the file from the commit that updated it
git show 41386f37cc56dbf01348db5c04b5cc63be79de94:.github/main.yml 2>/dev/null | cat -n | sed -n '101,127p'

Repository: vikas0105/Parcel-service

Length of output: 1168

---

🏁 Script executed:

# Get the full workflow file from the same commit
git show 41386f37cc56dbf01348db5c04b5cc63be79de94:.github/main.yml 2>/dev/null | cat -n | head -100

Repository: vikas0105/Parcel-service

Length of output: 3927

---

Fix SonarCloud env var wiring: use env vars instead of secrets for non-sensitive values.

The SONAR_ORG and SONAR_HOST_URL are defined in the env block but the Maven command references them via ${{ secrets.SONAR_ORG }} and ${{ secrets.SONAR_HOST_URL }}. Unless those are also created as secrets, these will be empty. Use:

       - name: SonarCloud Analysis
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_ORG: your-organization # Replace with your actual SonarCloud organization
           SONAR_HOST_URL: https://sonarcloud.io
         run: |
           mvn clean verify sonar:sonar \
-            -Dsonar.organization=${{ secrets.SONAR_ORG }} \
-            -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
+            -Dsonar.organization=$SONAR_ORG \
+            -Dsonar.host.url=$SONAR_HOST_URL \
             -Dsonar.login=${{ secrets.SONAR_TOKEN }}

Also note: the build job runs mvn clean install and the sonarcloud-analysis job runs mvn clean verify sonar:sonar. Both include test execution, so tests run twice. If build time becomes an issue, consider reusing coverage data from the build job instead of rebuilding.

🤖 Prompt for AI Agents

In .github/main.yml around lines 101 to 127, the SonarCloud job references
SONAR_ORG and SONAR_HOST_URL via secrets but they are set in the env block;
update the Maven command to use the env variables (e.g. ${ENV_VAR} or
$SONAR_ORG/$SONAR_HOST_URL depending on shell context) instead of secrets so the
values are actually passed, and remove or correct the secrets.* references;
additionally, to avoid running tests twice, change the build/sonar invocation to
stop re-running tests (e.g. reuse artifacts/coverage from the build job or run
sonar:sonar without a full rebuild/test) — implement one of these approaches
consistently and ensure env wiring and test-reuse are reflected in the workflow.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Spring Boot 2.5.4 Java 17 compatibility known vulnerabilities CVEs

💡 Result:

Short answer

• Officially, Spring Boot 2.5.4’s system-requirements documentation lists compatibility up to Java 16 (so Java 17 is not an officially supported target for 2.5.4). [1]
• In practice many people report Spring Boot 2.5.x (2.5.2+) runs on Java 17, but that is community experience, not an official guarantee. Test carefully if you run 2.5.4 on Java 17. [2]

Known-security issues (high level)

• Many of the “CVE” exposures for a Spring Boot 2.5.4 application come from its managed/transitive dependencies (Tomcat, Spring Framework/Security, Jackson, etc.), not from the boot starter itself. Security scanners/Snyk/Maven listings for 2.5.4 show multiple dependency CVEs (examples surfaced for 2.5.x artifacts include Spring-related CVEs and Tomcat CVEs). You should scan your project dependencies and the exact versions in the 2.5.4 BOM to get the precise CVE list. [3][4]

Actionable next steps

• If you require official Java‑17 support and ongoing security fixes, upgrade to a supported Spring Boot line (2.7.x with commercial support or 3.x for open-source support) rather than staying on 2.5.4. [1][3]
• Run a dependency CVE scan (Snyk/Dependabot/OWASP Dependency-Check or your org’s scanner) against your built artifact to list the exact CVEs affecting your application and whether fixes are available. [3]
• If you must remain on 2.5.4, audit and update individual transitive dependencies (Tomcat, Spring Framework, Jackson, etc.) to patched versions where possible, or apply vendor hotfixes if available.

Sources

• Spring Boot 2.5.4 reference (system requirements). [1]
• Community reports about Java 17 compatibility for Spring Boot 2.5+. (StackOverflow). [2]
• Snyk / Maven listings showing known vulnerabilities for Spring Boot 2.5.4 artifacts and their dependencies. [3][4]

---

🌐 Web query:

Tomcat 9.0.52 CVE vulnerabilities RCE path traversal

💡 Result:

Short answer: Apache Tomcat 9.0.52 is affected by a relative path‑traversal vulnerability (CVE-2025-55752) that can allow attackers to bypass protections on /WEB-INF and /META-INF — and, if PUT is enabled, permit file upload leading to remote code execution. Upgrade to a fixed release (Tomcat 9.0.109 or later) or apply vendor patches. [1][2]

Details and actions:

• Issue: regression in URL rewrite handling (rewritten URL normalized before decode) allows crafted requests to bypass security constraints (can expose /WEB-INF, /META-INF). If PUT is enabled malicious files might be uploaded → possible RCE. Affects Tomcat 9.0.0.M11 through 9.0.108 (so 9.0.52 is affected). [1]
• Recommendation: upgrade Tomcat to 9.0.109 or later (or 10.1.45 / 11.0.11 for those series) or apply your OS/vendor security update. Disable/limit PUT handlers and any untrusted rewrite rules until patched. Validate vendor advisories for your distribution. [1][3]

References:

• NVD / CVE-2025-55752 (description, affected versions, fix versions). [1]
• Tomcat 9.0.52 vulnerability listing / changelog summary. [2]

---

🌐 Web query:

Spring Boot 2.5.4 end of life support status

💡 Result:

Spring Boot 2.5.4 is part of the 2.5.x line, which reached end-of-life in February 2023 — it is no longer supported. [1][2]

Sources:

• Spring Boot supported-versions (shows 2.5.x EOL = February 2023). [1]
• Spring support policy / enterprise timelines. [2]

---

🌐 Web query:

Spring Boot 2.7.x 3.x Java 17 security updates Tomcat Jackson Logback

💡 Result:

Short summary & recommended actions

1. Upgrade Spring Boot to a patched release (2.7.x or 3.x) — several security hotfixes have been published; install the latest 2.7.x or 3.x maintenance release for your line (examples: 2.7.25 / 3.2.14 / 3.3.x releases that include CVE fixes). [1][2]

2. Tomcat / Jakarta: if you run Spring Boot 3.x you must use servlet containers compatible with Jakarta EE (Tomcat 10+). For Boot 2.7.x you remain on Tomcat 9.x; ensure you use the Tomcat version that Spring Boot’s BOM manages or upgrade Tomcat only via Spring Boot/OS vendor guidance. Check the Spring Boot release notes for the exact managed Tomcat versions. [1][3]

3. Jackson (jackson-core / jackson-databind): upgrade to patched Jackson releases — fixes for deep‑nesting DoS (stack exhaustion) were added in jackson-core 2.15.0 and other advisories exist (e.g. CVE-2025-52999). Make sure your effective dependency (managed by Spring Boot) is at or above the fixed Jackson version. If you override Jackson versions, update them. [4]

4. Logback: multiple critical issues were disclosed (e.g. CVE-2024-12798 affecting JaninoEventEvaluator and related CVE advisories). Update Logback to a fixed non‑vulnerable release (upstream fixed commits/releases such as 1.5.13+ are referenced by vendors). Also remove/disable Janino-based evaluators or ensure logback config files cannot be tampered with by untrusted actors. [5][6]

5. Practical steps (priority order)

   • Run mvn dependency:tree / gradle dependencyInsight to see effective Tomcat, Jackson, Logback versions.
   • Upgrade Spring Boot to the latest maintenance release for your major line (2.7.x or 3.x) — this updates managed dependency versions. (Spring blog posts list security fixes per release). [1][2]
   • If you must stay on an older Boot line, apply vendor hotfixes or Spring commercial hotfixes where available (Spring provides commercial hotfix branches). [1][2]
   • Explicitly pin jackson-core >= 2.15.0 (or the fixed version listed in advisories) and logback to a fixed release (e.g. 1.5.13+ where the Janino issue was fixed), then rebuild and run tests. [4][5]
   • Check your logback configs for usage of JaninoEventEvaluator and remove/replace it if possible; ensure config files are write-protected in production.
   • Verify container compatibility: when moving to Spring Boot 3.x, test Jakarta migration (Tomcat 10+), and run full integration tests on Java 17 (supported by both Boot 2.7.x and 3.x but Boot 3 requires Jakarta-compatible servlet container). [3][1]

References

• Spring Boot security/hotfix release announcements and CVE fixes. [1][2]
• Spring Boot fix for loader signature forgery (example security advisory). [2]
• Spring Boot dependency management / managed dependency versions (Tomcat, Logback defaults). [3][7]
• Jackson advisories (jackson-core fixes for deep‑nesting DoS / CVE-2025-52999). [4]
• Logback security advisories (CVE-2024-12798 / JaninoEventEvaluator; fixes referenced in upstream releases). [5][6]

If you want, I can:

• list the exact latest safe Spring Boot versions for 2.7.x and 3.x (I’ll fetch current release numbers), and the minimum fixed Jackson/Logback/Tomcat versions for your project.

---

Spring Boot 2.5.4 is end-of-life and uses Java 17 without official support; critical security upgrade required

Spring Boot 2.5.4 reached end-of-life in February 2023, and its officially supported Java target is only up to Java 16 — Java 17 is not an officially tested combination. More critically, the transitive dependency stack (Tomcat 9.0.52, Jackson 2.12.4, Logback 1.2.5, Spring Framework 5.3.9, Thymeleaf 3.0.12, SnakeYAML 1.28) carries confirmed HIGH/CRITICAL CVEs including:

• Tomcat 9.0.52: CVE-2025-55752 (path traversal / RCE via /WEB-INF bypass if PUT is enabled)
• Jackson 2.12.4: Deep-nesting DoS (stack exhaustion)
• Logback 1.2.5: CVE-2024-12798 (JaninoEventEvaluator remote code execution)

Required action:

Upgrade <spring.boot.version> to the latest maintenance release in a supported line:

• Spring Boot 2.7.x for Java 11–17 (remains on Tomcat 9, active maintenance)
• Spring Boot 3.x for Java 17+ (migrates to Tomcat 10 / Jakarta EE, recommended for new projects)

This will pull in patched versions of Tomcat, Jackson, Logback, and other transitive dependencies. Rebuild and verify with your dependency scanner (mvn dependency:tree) that CVEs are cleared before deploying.

If you must remain on 2.5.4, apply Spring commercial hotfixes and explicitly pin transitive dependencies to patched versions (Jackson >= 2.15.0, Logback >= 1.5.13, etc.), but this is not recommended for a new service.

🧰 Tools

🪛 OSV Scanner (2.3.0)

[HIGH] 1-1: ch.qos.logback:logback-classic 1.2.5: logback serialization vulnerability

(GHSA-vmq6-5m68-f53m)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing

(GHSA-25qh-j22f-pwp8)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: Deserialization of Untrusted Data in logback

(GHSA-668q-qrv7-99fm)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: QOS.CH logback-core Server-Side Request Forgery vulnerability

(GHSA-6v67-2wr5-gvf4)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: QOS.CH logback-core Expression Language Injection vulnerability

(GHSA-pr98-23f8-jwxv)

---

[HIGH] 1-1: ch.qos.logback:logback-core 1.2.5: logback serialization vulnerability

(GHSA-vmq6-5m68-f53m)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-core 2.12.4: jackson-core can throw a StackoverflowError when processing deeply nested data

(GHSA-h46c-h94j-95f3)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-core 2.12.4: Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation

(GHSA-wf8f-6423-gfxg)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode

(GHSA-3x8x-79m2-3w2w)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: Deeply nested json in jackson-databind

(GHSA-57j2-w4cx-62h2)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: Uncontrolled Resource Consumption in Jackson-databind

(GHSA-jjjh-jjxp-wpff)

---

[HIGH] 1-1: com.fasterxml.jackson.core:jackson-databind 2.12.4: Uncontrolled Resource Consumption in FasterXML jackson-databind

(GHSA-rgv9-q543-rqg4)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

(GHSA-27hp-xhwr-wr2m)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat installer for Windows has an untrusted search path vulnerability

(GHSA-42wg-hm62-jcwg)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

(GHSA-5j33-cvvr-w245)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

(GHSA-7w75-32cg-r6g2)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

(GHSA-83qj-6fr2-vhqg)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Improper Input Validation vulnerability

(GHSA-fccv-jmmp-qg76)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Incomplete Cleanup vulnerability

(GHSA-g8pj-r55q-5c2v)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Improper Resource Shutdown or Release vulnerability

(GHSA-gqp3-2cvr-x8m3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - CGI security constraint bypass

(GHSA-h2fw-rfh5-95r3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - DoS in multipart upload

(GHSA-h3gc-qfqq-6h8f)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Commons FileUpload denial of service vulnerability

(GHSA-hfrx-6qgj-fp6c)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Vulnerable to Improper Resource Shutdown or Release

(GHSA-hgrr-935x-pq79)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat may reject request containing invalid Content-Length header

(GHSA-p22x-g9px-3945)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Open Redirect vulnerability

(GHSA-q3mw-pvr8-9ggc)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: HTTP/2 Stream Cancellation Attack

(GHSA-qppj-fm5r-hxr3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Improper Input Validation vulnerability

(GHSA-r6j3-px5g-cq3x)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat improperly escapes input from JsonErrorReportValve

(GHSA-rq2w-37h9-vg94)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences

(GHSA-vfww-5hm6-hx2j)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - Security constraint bypass for pre/post-resources

(GHSA-wc4r-xq3c-5cf3)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat - Denial of Service

(GHSA-wm9w-rjj3-j356)

---

[CRITICAL] 1-1: org.apache.tomcat.embed:tomcat-embed-core 9.0.52: Apache Tomcat Vulnerable to Relative Path Traversal

(GHSA-wmwf-9ccg-fff5)

---

[HIGH] 1-1: org.springframework.boot:spring-boot 2.5.4: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

(GHSA-rc42-6c7j-7h5r)

---

[HIGH] 1-1: org.springframework.boot:spring-boot-autoconfigure 2.5.4: Spring Boot Welcome Page Denial of Service

(GHSA-xf96-w227-r7c4)

---

[CRITICAL] 1-1: org.springframework.boot:spring-boot-starter-web 2.5.4: Remote Code Execution in Spring Framework

(GHSA-36p3-wjmg-h94x)

---

[CRITICAL] 1-1: org.springframework:spring-beans 5.3.9: Remote Code Execution in Spring Framework

(GHSA-36p3-wjmg-h94x)

---

[CRITICAL] 1-1: org.springframework:spring-beans 5.3.9: Denial of service in Spring Framework

(GHSA-hh26-6xwr-ggv7)

---

[HIGH] 1-1: org.springframework:spring-context 5.3.9: Spring Framework DataBinder Case Sensitive Match Exception

(GHSA-4gc7-5j7h-4qph)

---

[HIGH] 1-1: org.springframework:spring-context 5.3.9: Spring Framework DataBinder Case Sensitive Match Exception

(GHSA-4wp7-92pw-q264)

---

[HIGH] 1-1: org.springframework:spring-context 5.3.9: Improper handling of case sensitivity in Spring Framework

(GHSA-g5mm-vmx4-3rg7)

---

[HIGH] 1-1: org.springframework:spring-core 5.3.9: Log entry injection in Spring Framework

(GHSA-6gf2-pvqw-37ph)

---

[HIGH] 1-1: org.springframework:spring-core 5.3.9: Spring Framework annotation detection mechanism may result in improper authorization

(GHSA-jmp9-x22r-554x)

---

[HIGH] 1-1: org.springframework:spring-core 5.3.9: Improper Output Neutralization for Logs in Spring Framework

(GHSA-rfmp-97jj-h8m6)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Allocation of Resources Without Limits or Throttling in Spring Framework

(GHSA-558x-2xjg-6232)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Spring Framework vulnerable to denial of service via specially crafted SpEL expression

(GHSA-564r-hj7v-mcr5)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Spring Framework vulnerable to Denial of Service

(GHSA-9cmq-m9j5-mvww)

---

[HIGH] 1-1: org.springframework:spring-expression 5.3.9: Spring Framework vulnerable to denial of service

(GHSA-wxqc-pxw9-g2p8)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework DoS via conditional HTTP request

(GHSA-2rmj-mq67-h97g)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework URL Parsing with Host Validation

(GHSA-2wrp-6fg6-hmc5)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework DataBinder Case Sensitive Match Exception

(GHSA-4gc7-5j7h-4qph)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Pivotal Spring Framework contains unsafe Java deserialization methods

(GHSA-4wrc-f8pq-fpqp)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Web vulnerable to Open Redirect or Server Side Request Forgery

(GHSA-ccgv-vj62-xf9h)

---

[CRITICAL] 1-1: org.springframework:spring-web 5.3.9: Spring Framework URL Parsing with Host Validation Vulnerability

(GHSA-hgjh-9rj2-g67j)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Remote Code Execution in Spring Framework

(GHSA-36p3-wjmg-h94x)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

(GHSA-7phw-cxx7-q9vq)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Path traversal vulnerability in functional web frameworks

(GHSA-cx7f-g6mp-7hqm)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring Framework Path Traversal vulnerability

(GHSA-g5vr-rgqm-vf78)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring Framework MVC Applications Path Traversal Vulnerability

(GHSA-r936-gwx5-v52f)

---

[CRITICAL] 1-1: org.springframework:spring-webmvc 5.3.9: Spring MVC controller vulnerable to a DoS attack

(GHSA-w3c8-7r8f-9jp8)

---

[CRITICAL] 1-1: org.thymeleaf:thymeleaf-spring5 3.0.12.RELEASE: Template injection in thymeleaf-spring5

(GHSA-qcj6-jqrg-4wp2)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: Uncontrolled Resource Consumption in snakeyaml

(GHSA-3mc7-4q67-w48m)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-98wm-3w3q-mw94)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-9w3m-gqgf-c4p9)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-c4r9-r8fh-9vj2)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

(GHSA-hhhw-99gj-p3c3)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: SnakeYaml Constructor Deserialization Remote Code Execution

(GHSA-mjmj-j48q-9wg2)

---

[HIGH] 1-1: org.yaml:snakeyaml 1.28: Snakeyaml vulnerable to Stack overflow leading to denial of service

(GHSA-w37g-rhq8-7m4j)

🤖 Prompt for AI Agents

In pom.xml lines 1-63, the project pins Spring Boot to 2.5.4 (end-of-life) while
targeting Java 17 which leads to unpatched transitive CVEs; update the
<spring.boot.version> property to a supported release (either latest 2.7.x if
you want to stay on Spring Boot 2 line or migrate to Spring Boot 3.x if you can
move to Jakarta/Java 17+), adjust the <java.version> and any code/packages as
required for Spring Boot 3 (Jakarta namespace changes), then rebuild and run mvn
dependency:tree to verify transitive versions (Tomcat, Jackson, Logback) are
updated and no critical CVEs remain; if you cannot upgrade immediately,
explicitly override vulnerable transitive dependency versions to patched
releases as a temporary mitigation and plan the full Spring Boot upgrade
promptly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

actions/setup-java@v3 GitHub Actions valid parameters Maven caching

💡 Result:

Key inputs (valid parameters) for actions/setup-java@v3 (same inputs shown in the action README) — relevant ones for general setup and Maven caching:

• java-version — Java version (or range) to install.
• java-version-file — path to a file (.java-version or .tool-versions) containing the version.
• distribution — required; Java distribution (e.g., temurin, zulu, graalvm, etc.).
• java-package — package variant: jdk, jre, jdk+fx, jre+fx (default: jdk).
• architecture — target architecture: x86, x64, armv7, aarch64, ppc64le.
• jdkFile — local compressed JDK file to install.
• check-latest — boolean to force checking latest matching version.
• cache — enable built-in dependency caching; valid values: "maven", "gradle", or "sbt".
• cache-dependency-path — path(s) to dependency files used to compute cache key (e.g., **/pom.xml); supports wildcards and lists (useful for monorepos).
• overwrite-settings — (Maven) whether to overwrite ~/.m2/settings.xml (true/false).
• server-id — (Maven) distributionManagement repository id (default: github).
• server-username — env var name for Maven repo username (default: GITHUB_ACTOR).
• server-password — env var name for Maven repo password/token (default: GITHUB_TOKEN).
• settings-path — directory to write settings.xml (default: ~/.m2).
• gpg-private-key — GPG private key to import (for Maven signing).
• gpg-passphrase — environment variable name holding GPG passphrase (default: GPG_PASSPHRASE).
• mvn-toolchain-id — name for generated Maven toolchain id (overrides default).
• mvn-toolchain-vendor — vendor name for generated Maven toolchain entry (overrides default).

Maven caching usage (example pattern)

• Enable caching: with: cache: 'maven'
• Specify dependency file(s) to hash: with: cache-dependency-path: '**/pom.xml' (or explicit paths / list)
• Cache key format: setup-java-${{ platform }}-maven-${{ fileHash }}; workflow output cache-hit indicates a restore hit.

Sources: actions/setup-java README (inputs, Maven options, and caching details). [1][2]

References
[1] actions/setup-java README (inputs, Maven and cache docs).
[2] GitHub Marketplace / actions/setup-java (summary).

---

Fix README: add code fences, correct GitHub Actions setup-java usage, streamline start/stop pattern

1. Wrap shell script and workflow YAML in fenced code blocks
   The shell script and workflow YAML are currently plain text, causing # lines to render as Markdown headings. Use:

   ```bash
   #!/bin/bash
   ...

   and
   ```markdown
   ```yaml
   name: Build, Deploy, and Run
   ...
   

2. Fix GitHub Actions setup-java configuration
   The "Set up Maven" step uses distribution: 'maven', which is invalid. The distribution parameter only accepts JDK distributions (temurin, zulu, graalvm, etc.), not Maven. Maven is already available on GitHub-hosted runners. Replace both Java and Maven setup steps with a single step:

   - name: Set up Java 17
     uses: actions/setup-java@v3
     with:
       java-version: '17'
       distribution: 'temurin'
       cache: 'maven'

   This enables Maven dependency caching automatically.

3. Reconsider the app start/stop pattern
   nohup mvn spring-boot:run & followed by mvn spring-boot:stop do not pair correctly; the stop goal is designed for its corresponding start goal, which writes a PID file. For a CI smoke test, use either mvn spring-boot:start / mvn spring-boot:stop together, or run the built JAR directly (java -jar target/*.jar &) and track/kill the PID after validation.
   The explicit 5-minute sleep is also excessive for CI; shorten or remove it after the health check passes.

🧰 Tools

🪛 LanguageTool

[style] ~31-~31: Using many exclamation marks might seem excessive (in this case: 4 exclamation marks for a text that’s 1445 characters long)
Context: ...dy set." fi # Step 2: Install Maven if ! mvn -version &>/dev/null; then echo...

(EN_EXCESSIVE_EXCLAMATION)

🪛 markdownlint-cli2 (0.18.1)

3-3: No space after hash on atx style heading

(MD018, no-missing-space-atx)

🤖 Prompt for AI Agents

README.md lines 1-118: The README contains un-fenced shell and YAML blocks, an
incorrect Actions setup-java usage for Maven, and an unsafe start/stop pattern;
fix by wrapping the shell script in a bash code fence and the workflow in a yaml
code fence, replace the two setup steps with a single actions/setup-java@v3 step
using java-version: '17', distribution: 'temurin', and cache: 'maven' (remove
the invalid distribution: 'maven' entry), and change the CI run/stop flow to
either use mvn spring-boot:start paired with mvn spring-boot:stop or run the
built JAR with java -jar in the background and capture/kill its PID after health
checks; also remove or drastically shorten the 5-minute sleep to a brief wait
after the health check.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Remove built target/classes/application.properties from version control

This file is a compiled artifact under target/, duplicating the real source at src/main/resources/application.properties. Maven’s target/ directory should generally be ignored (via .gitignore) to avoid committing build outputs that quickly get out of date and create noisy diffs. Recommend deleting this file from the repo and ensuring target/ is fully ignored.

🤖 Prompt for AI Agents

In target/classes/application.properties lines 1-5: this file is a built
artifact and should be removed from version control; delete
target/classes/application.properties from the repo (git rm --cached
target/classes/application.properties or git rm
target/classes/application.properties if you want it removed from disk),
add/ensure target/ (or target/classes/) is listed in .gitignore to prevent
future commits, commit the change, and verify the canonical source remains at
src/main/resources/application.properties so the application behavior is
unchanged.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Do not commit generated template under target/classes/templates

This HTML file is the compiled copy of your Thymeleaf template and lives under target/, which is Maven’s build output directory. It should be generated on each build, not tracked in Git. Please delete it from version control and ensure target/ is ignored; the real source template should live only in src/main/resources/templates/index.html.

🤖 Prompt for AI Agents

In target/classes/templates/index.html (lines 1-11): this file is a generated
build artifact under Maven’s target/ directory and should not be committed;
remove this file from the repository, add target/ (or at least target/classes)
to .gitignore so generated files are not tracked, and ensure the real Thymeleaf
source template resides at src/main/resources/templates/index.html (commit that
source if missing) so future builds regenerate the file.

[coderabbitai]

Actionable comments posted: 12

🧹 Nitpick comments (5)

.github/workflows/setup-java-maven.yml (1)

29-35: Maven cache may not be effective across job boundaries.

Since this is a setup-only workflow that doesn't run builds, the cached dependencies won't be utilized within the same job. Each downstream job that calls this will need to also call the cache action to benefit from caching. Consider moving the cache action into the actual build job or ensure downstream jobs re-invoke caching.

Verify whether the Maven cache persists across jobs on your self-hosted runners, or consolidate caching into the job that performs the build (build-and-artifact.yml).

.github/workflows/build-and-artifact.yml (1)

13-13: Maven build doesn't inherit the cache from setup job.

The mvn clean install command runs without Maven caching from the setup-java-maven.yml job. Since caching doesn't persist across jobs on self-hosted runners, consider:

1. Re-invoking the cache action in this job to restore ~/.m2
2. Or consolidating Java/Maven setup and the build into a single job

Add Maven caching to this job:

 jobs:
   build-artifact:
     runs-on: self-hosted
 
     steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Cache Maven dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
       - name: Build with Maven
         run: mvn clean install

.github/workflows/springboot-run-stop.yml (1)

15-20: Hardcoded wait times may be insufficient or wasteful.

The 15-second startup wait and 3-minute hold time are arbitrary. Spring Boot startup time varies based on dependencies, configuration, and machine resources. The 3-minute wait serves no functional purpose and extends pipeline execution time unnecessarily.

Implement adaptive waiting with health check polls:

       # Wait for the Spring Boot app to fully start
       - name: Wait for Spring Boot App to Start
         run: |
-          echo "Waiting for the app to start..."
-          sleep 15
-          echo "App should now be running."
+          echo "Waiting for the app to start..."
+          for i in {1..30}; do
+            if curl -f http://localhost:8080/actuator/health 2>/dev/null; then
+              echo "App is healthy after $((i * 2)) seconds"
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "App failed to become healthy within 60 seconds"
+          exit 1

Remove the unnecessary 3-minute wait:

-      # Wait for 3 minutes (180 seconds)
-      - name: Wait for 3 minutes
-        run: |
-          echo "App has been running for 3 minutes. Waiting..."
-          sleep 180
-
       # Gracefully Stop Spring Boot App

Also applies to: 37-41

src/main/resources/templates/index.html (1)

12-28: Add maxlength attributes to prevent excessively long inputs.

The text inputs lack length constraints, which could allow users to submit very large payloads, potentially causing performance issues or storage problems.

Apply this diff to add reasonable length limits:

-        <input type="text" id="recipientName" name="recipientName" required>
+        <input type="text" id="recipientName" name="recipientName" maxlength="100" required>
         <br>
 
         <label for="recipientAddress">Recipient's Address:</label>
-        <input type="text" id="recipientAddress" name="recipientAddress" required>
+        <input type="text" id="recipientAddress" name="recipientAddress" maxlength="200" required>
         <br>
 
         <label for="senderName">Sender's Name:</label>
-        <input type="text" id="senderName" name="senderName" required>
+        <input type="text" id="senderName" name="senderName" maxlength="100" required>
         <br>
 
         <label for="senderAddress">Sender's Address:</label>
-        <input type="text" id="senderAddress" name="senderAddress" required>
+        <input type="text" id="senderAddress" name="senderAddress" maxlength="200" required>
         <br>
 
         <label for="parcelContent">Parcel Content:</label>
-        <input type="text" id="parcelContent" name="parcelContent" required>
+        <input type="text" id="parcelContent" name="parcelContent" maxlength="500" required>

src/main/resources/templates/confirmation.html (1)

8-13: Add navigation link to send another parcel.

The confirmation page has no way for users to return to the home page or send another parcel without using the browser's back button or manually navigating to the URL.

Add a navigation link after the confirmation details:

     <p>Parcel Content: <span th:text="${parcelContent}"></span></p>
+    <br>
+    <a th:href="@{/}">Send Another Parcel</a>
 </body>

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03b5c26 and ffb014b.

📒 Files selected for processing (9)

• .github/workflows/build-and-artifact.yml (1 hunks)
• .github/workflows/main.yml (1 hunks)
• .github/workflows/setup-java-maven.yml (1 hunks)
• .github/workflows/sonarcloud-analysis.yml (1 hunks)
• .github/workflows/springboot-run-stop.yml (1 hunks)
• Jenkinsfile (1 hunks)
• src/main/java/com/example/controller/ParcelController.java (1 hunks)
• src/main/resources/templates/confirmation.html (1 hunks)
• src/main/resources/templates/index.html (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• Jenkinsfile

🧰 Additional context used

🪛 actionlint (1.7.9)

.github/workflows/sonarcloud-analysis.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/setup-java-maven.yml

12-12: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

16-16: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

30-30: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/build-and-artifact.yml

17-17: the runner of "actions/upload-artifact@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (2)

.github/workflows/build-and-artifact.yml (1)

19-20: Artifact path pattern may fail silently if no JAR is produced.

The glob pattern target/*.jar will fail the upload step if no files match. Verify that the Maven build always produces a JAR file at this path, or add error handling.

Confirm that the Spring Boot build in pom.xml is configured to produce a JAR artifact in the target/ directory, or specify a more explicit path pattern.

src/main/resources/templates/confirmation.html (1)

9-13: Good use of th:text for XSS prevention.

The template correctly uses th:text instead of th:utext, which ensures that user-supplied content is HTML-escaped by Thymeleaf, preventing XSS attacks.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Update GitHub Actions to v4.

Line 17 references an outdated action version. Update to v4 for the latest features, bug fixes, and security patches.

Apply this diff to update the action:

      - name: Upload Artifacts with Versioning
-       uses: actions/upload-artifact@v3
+       uses: actions/upload-artifact@v4
         with:
           name: my-app-artifact-${{ github.sha }}
           path: target/*.jar

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: actions/upload-artifact@v3
	with:
	name: my-app-artifact-${{ github.sha }} # Artifact version based on commit SHA
	path: target/*.jar # Path to the built artifact (e.g., JAR file or other build outputs)
	uses: actions/upload-artifact@v4
	with:
	name: my-app-artifact-${{ github.sha }} # Artifact version based on commit SHA
	path: target/*.jar # Path to the built artifact (e.g., JAR file or other build outputs)

🧰 Tools

🪛 actionlint (1.7.9)

17-17: the runner of "actions/upload-artifact@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents

.github/workflows/build-and-artifact.yml lines 17-20: the workflow uses
actions/upload-artifact@v3 which is outdated; update the action reference to
actions/upload-artifact@v4 by replacing the @v3 tag with @v4 so the workflow
uses the latest release (ensure no other breaking changes in your workflow
inputs and run a test run to verify artifact upload still works).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Inconsistent branch triggers between push and pull_request.

The workflow triggers on push to all branches ('**') but only on pull_request to master. This creates an inconsistency: feature branches will run the full CI/CD pipeline on push, but pull requests to non-master branches won't trigger the workflow. This may lead to unexpected behavior.

Clarify the intended trigger scope:

 on:
   push:
-    branches:
-      - '**'
+    branches:
+      - 'main'
+      - 'master'
+      - 'develop'
   pull_request:
     branches:
-      - master
+      - main
+      - master
+      - develop
   workflow_dispatch:

🤖 Prompt for AI Agents

.github/workflows/main.yml lines 3-10: the workflow currently triggers on push
to all branches ('**') but only on pull_request to master, causing inconsistent
CI runs; update the pull_request trigger to match the push scope (e.g., set
pull_request branches to - '**') or explicitly set both push and pull_request to
the same branch list/globs you intend (for example restrict both to master or
include release/feature globs), ensuring the triggers are consistent.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Parallel execution of springboot-run-stop and sonarcloud-analysis may cause race conditions.

Both jobs depend only on build-artifact, so they can run simultaneously. If springboot-run-stop fails (indicating a broken build), sonarcloud-analysis may still execute and report false results. Additionally, both jobs may interfere with each other on a self-hosted runner (port binding, resource contention).

Consider making sonarcloud-analysis depend on springboot-run-stop to ensure the application runs successfully before analysis:

   # Call the SonarCloud analysis workflow
   sonarcloud-analysis:
     uses: ./.github/workflows/sonarcloud-analysis.yml
-    needs: build-and-artifact
+    needs: [build-and-artifact, springboot-run-stop]
     secrets:

Alternatively, add a conditional check to skip analysis if tests fail:

   sonarcloud-analysis:
     uses: ./.github/workflows/sonarcloud-analysis.yml
     needs: [build-and-artifact, springboot-run-stop]
+    if: success()
     secrets:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Call the Spring Boot run and stop workflow
	springboot-run-stop:
	uses: ./.github/workflows/springboot-run-stop.yml # Reference to the Spring Boot workflow
	needs: build-and-artifact # Ensure the build is completed before running Spring Boot
	# Call the SonarCloud analysis workflow
	sonarcloud-analysis:
	uses: ./.github/workflows/sonarcloud-analysis.yml # Reference to the SonarCloud analysis workflow
	needs: build-and-artifact # Ensure the build job is completed before analysis
	secrets:
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	SONAR_ORG: ${{ secrets.SONAR_ORG }}
	SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
	# Call the Spring Boot run and stop workflow
	springboot-run-stop:
	uses: ./.github/workflows/springboot-run-stop.yml # Reference to the Spring Boot workflow
	needs: build-and-artifact # Ensure the build is completed before running Spring Boot
	# Call the SonarCloud analysis workflow
	sonarcloud-analysis:
	uses: ./.github/workflows/sonarcloud-analysis.yml # Reference to the SonarCloud analysis workflow
	needs: [build-and-artifact, springboot-run-stop] # Ensure the build job is completed before analysis
	secrets:
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	SONAR_ORG: ${{ secrets.SONAR_ORG }}
	SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

🤖 Prompt for AI Agents

.github/workflows/main.yml lines 22-34: both springboot-run-stop and
sonarcloud-analysis only depend on build-and-artifact which allows them to run
in parallel and may cause race conditions or false/contaminated analysis; update
the workflow so sonarcloud-analysis depends on springboot-run-stop (add
springboot-run-stop to the sonarcloud-analysis needs array) OR add a conditional
to sonarcloud-analysis (e.g., if: ${{ needs.springboot-run-stop.result ==
'success' }} or if: ${{ success() }}) to skip analysis when the run/stop job
fails, and if using self-hosted runners also ensure they don’t contend for
ports/resources (serialize on the same runner or add resource locking).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Update GitHub Actions to v4.

Lines 12, 16, and 30 reference outdated action versions. Update to v4 for the latest features, bug fixes, and security patches.

Apply this diff to update the actions:

      - name: Checkout Code
-       uses: actions/checkout@v3
+       uses: actions/checkout@v3

      - name: Set up Java
-       uses: actions/setup-java@v3
+       uses: actions/setup-java@v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       # Cache Maven dependencies
       - name: Cache Maven dependencies
-       uses: actions/cache@v3
+       uses: actions/cache@v4

Also applies to: 15-19

🧰 Tools

🪛 actionlint (1.7.9)

12-12: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents

.github/workflows/setup-java-maven.yml lines 11-12 (and also apply changes to
lines 15-19 and line 30): the workflow references outdated GitHub Actions
versions (v3); update each "uses:" entry that points to actions/*@v3 to
actions/*@v4. Specifically replace uses: actions/checkout@v3 (and any other
actions/*@v3 occurrences on lines 15-19 and line 30) with the corresponding
actions/*@v4 to use the latest releases, ensuring syntax remains unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Update GitHub Actions to v4.

Lines 20 and 24 reference outdated action versions. Update to v4 for the latest features, bug fixes, and security patches.

Apply this diff to update the actions:

      - name: Checkout Code
-       uses: actions/checkout@v3
+       uses: actions/checkout@v4
 
      - name: Set up Java
-       uses: actions/setup-java@v3
+       uses: actions/setup-java@v4

Also applies to: 23-27

🧰 Tools

🪛 actionlint (1.7.9)

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents

In .github/workflows/sonarcloud-analysis.yml around lines 19-20 (and also
affecting lines 23-27), the workflow is using actions/checkout@v3 and other
referenced actions pinned to v3; update these action version pins to v4 to use
the latest releases. Edit the workflow to replace actions/checkout@v3 (and any
other actions pinned to v3 within lines 23-27) with actions/checkout@v4 (and
their v4 equivalents), ensuring the YAML syntax remains valid and testing the
workflow after the change.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Application validation will fail: using public IP to test localhost.

Line 26 fetches the runner's public IP address, but the Spring Boot application runs on localhost (127.0.0.1:8080), not on the public IP. The HTTP request to http://$IP_ADDRESS:8080 will fail because:

1. The app is bound to localhost, not the public interface
2. The runner's public IP won't route to the local service
3. Firewall rules may block external traffic to port 8080

This validation step will fail every time, rendering the entire test unreliable.

Use localhost or 127.0.0.1 for validation:

       - name: Validate App is Running
         run: |
           echo "Checking if the app is running..."
-          IP_ADDRESS=$(curl -s ifconfig.me)  # Fetch public IP address
           PORT=8080
-          RESPONSE=$(curl --write-out "%{http_code}" --silent --output /dev/null http://$IP_ADDRESS:$PORT)
+          RESPONSE=$(curl --write-out "%{http_code}" --silent --output /dev/null http://localhost:$PORT)
           if [ "$RESPONSE" -eq 200 ]; then
-            echo "The app is running successfully at http://$IP_ADDRESS:$PORT"
+            echo "The app is running successfully at http://localhost:$PORT"
           else
             echo "The app failed to start. HTTP response code: $RESPONSE"
             exit 1
           fi

🤖 Prompt for AI Agents

.github/workflows/springboot-run-stop.yml around lines 22 to 35: the validation
step incorrectly fetches the runner's public IP and tries to curl
http://$IP_ADDRESS:8080 which will fail because the Spring Boot app is bound to
localhost; replace the public IP logic with localhost (or 127.0.0.1) and point
the health check to http://localhost:8080 (remove the curl ifconfig.me line and
use HOST=localhost or directly use localhost in the URL), keeping the existing
HTTP status check and exit behavior unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add input validation to prevent malformed or malicious data.

The method accepts all parameters as plain strings without any validation for length, format, or content. This could allow:

• Excessively long strings causing memory/storage issues
• Empty strings despite being required in the HTML form (if form is bypassed)
• Potential injection attacks in downstream processing

Consider using Bean Validation with a DTO or the existing Parcel model:

@PostMapping("/sendParcel")
public String sendParcel(@Valid @ModelAttribute Parcel parcel, 
                        BindingResult result, 
                        Model model) {
    if (result.hasErrors()) {
        return "index";
    }
    // Process valid parcel
    model.addAttribute("parcel", parcel);
    return "confirmation";
}

Then add validation annotations to the Parcel model class:

public class Parcel {
    @NotBlank(message = "Recipient name is required")
    @Size(max = 100, message = "Recipient name must not exceed 100 characters")
    private String recipientName;
    
    @NotBlank(message = "Recipient address is required")
    @Size(max = 200, message = "Recipient address must not exceed 200 characters")
    private String recipientAddress;
    
    // Add similar validation for other fields
}

🤖 Prompt for AI Agents

In src/main/java/com/example/controller/ParcelController.java around lines 19 to
27, the POST handler accepts raw String params with no validation; replace the
primitive params with a validated DTO or the existing Parcel model annotated
with javax.validation constraints (e.g. @NotBlank, @Size for each field) and
change the signature to accept @Valid @ModelAttribute Parcel parcel plus a
BindingResult result and Model model; in the method check result.hasErrors() and
return the form view on validation failures, otherwise trim/sanitize fields as
needed, add the parcel to the model, and proceed to the confirmation view;
ensure necessary imports and that the Parcel class has appropriate validation
annotations for recipientName, recipientAddress, senderName, senderAddress, and
parcelContent.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Use the existing Parcel model object instead of individual parameters.

The AI summary indicates that src/main/java/com/example/model/Parcel.java exists. Using individual @RequestParam annotations instead of a model object violates the MVC pattern and makes the code harder to maintain.

Refactor to use the Parcel model object with @ModelAttribute:

 @PostMapping("/sendParcel")
 public String sendParcel(
-        @RequestParam("recipientName") String recipientName,
-        @RequestParam("recipientAddress") String recipientAddress,
-        @RequestParam("senderName") String senderName,
-        @RequestParam("senderAddress") String senderAddress,
-        @RequestParam("parcelContent") String parcelContent,
+        @ModelAttribute Parcel parcel,
         Model model
 ) {
     // You can do something with the data, e.g., save it to a database
     // For now, let's just add it to the model and display a confirmation
-    model.addAttribute("recipientName", recipientName);
-    model.addAttribute("recipientAddress", recipientAddress);
-    model.addAttribute("senderName", senderName);
-    model.addAttribute("senderAddress", senderAddress);
-    model.addAttribute("parcelContent", parcelContent);
+    model.addAttribute("parcel", parcel);
     return "confirmation";
 }

This approach is cleaner, more maintainable, and aligns with Spring MVC best practices.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	public String sendParcel(
	@RequestParam("recipientName") String recipientName,
	@RequestParam("recipientAddress") String recipientAddress,
	@RequestParam("senderName") String senderName,
	@RequestParam("senderAddress") String senderAddress,
	@RequestParam("parcelContent") String parcelContent,
	Model model
	) {
	// You can do something with the data, e.g., save it to a database
	// For now, let's just add it to the model and display a confirmation
	model.addAttribute("recipientName", recipientName);
	model.addAttribute("recipientAddress", recipientAddress);
	model.addAttribute("senderName", senderName);
	model.addAttribute("senderAddress", senderAddress);
	model.addAttribute("parcelContent", parcelContent);
	return "confirmation";
	@PostMapping("/sendParcel")
	public String sendParcel(
	@ModelAttribute Parcel parcel,
	Model model
	) {
	// You can do something with the data, e.g., save it to a database
	// For now, let's just add it to the model and display a confirmation
	model.addAttribute("parcel", parcel);
	return "confirmation";
	}

🤖 Prompt for AI Agents

In src/main/java/com/example/controller/ParcelController.java around lines 20 to
35, the controller method accepts individual @RequestParam fields instead of
binding to the existing Parcel model; replace the multiple @RequestParam
parameters with a single @ModelAttribute("parcel") Parcel parcel parameter,
remove the individual model.addAttribute calls (or add the parcel as a single
attribute if needed), and update any view references to use parcel.* properties;
ensure Parcel has proper getters/setters and Spring can bind its fields (names
match form input names) and add any necessary validation annotations if
required.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Delegate business logic to the ParcelService layer.

The AI summary mentions that src/main/java/com/example/service/ParcelService.java exists as a service scaffold. Controllers should delegate business logic to the service layer rather than handling data directly.

Inject and use ParcelService:

+import com.example.service.ParcelService;
+
 @Controller
 @RequestMapping("/")
 public class ParcelController {
+
+    private final ParcelService parcelService;
+
+    public ParcelController(ParcelService parcelService) {
+        this.parcelService = parcelService;
+    }
 
     @GetMapping
     public String index() {

Then in sendParcel:

     ) {
-        // You can do something with the data, e.g., save it to a database
-        // For now, let's just add it to the model and display a confirmation
-        model.addAttribute("recipientName", recipientName);
-        model.addAttribute("recipientAddress", recipientAddress);
-        model.addAttribute("senderName", senderName);
-        model.addAttribute("senderAddress", senderAddress);
-        model.addAttribute("parcelContent", parcelContent);
+        Parcel processedParcel = parcelService.processParcel(parcel);
+        model.addAttribute("parcel", processedParcel);
         return "confirmation";
     }

This follows the separation of concerns principle and makes the code more testable and maintainable.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In src/main/java/com/example/controller/ParcelController.java around lines 28 to
35, the controller is handling parcel data directly; instead inject
ParcelService (prefer constructor injection or @Autowired) into the controller
and delegate the business operation by calling a service method (e.g.,
parcelService.saveParcel(...) or parcelService.processParcel(...)) with the
recipient/sender/content parameters or a DTO before populating the model; keep
the model attributes for the view but remove business logic from the controller
and ensure ParcelService has the corresponding method signature.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use th:action for proper CSRF protection.

The form uses a plain action attribute instead of th:action. If Spring Security is enabled (or added later), CSRF tokens will not be automatically included, causing form submissions to fail with 403 errors.

Apply this diff:

-    <form action="/sendParcel" method="post">
+    <form th:action="@{/sendParcel}" method="post">

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<form action="/sendParcel" method="post">
	<form th:action="@{/sendParcel}" method="post">

🤖 Prompt for AI Agents

In src/main/resources/templates/index.html around line 10, the form uses a
static action attribute which prevents Thymeleaf from injecting Spring Security
CSRF tokens; replace the plain action with a Thymeleaf expression and set the
method via Thymeleaf: change to th:action="@{/sendParcel}" and th:method="post"
(remove the plain action/method attributes) so the CSRF hidden input is
generated automatically.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

Jenkinsfile (1)

21-44: Remove commented-out code or convert to documentation.

Lines 21–44 contain multiple commented-out blocks (shell scripts, directory paths, archive stages), which suggests design uncertainty and creates maintenance burden. This code should either be:

1. Deleted if no longer needed
2. Uncommented and fixed if still intended
3. Moved to a README or ADR documenting why these approaches were considered but rejected

For example, the Archive Artifact stage (lines 30–34) is useful for retaining the built JAR and should be uncommented:

+        stage('Archive Artifact') {
+            steps {
+                archiveArtifacts artifacts: 'target/*.jar', fingerprint: true
+            }
+        }

Then remove all orphaned comments:

-        //sh 'mvn clean package -DskipTests=false'
-               script {
-                   // dir('hello-world-war') {
-                    build 'package'
-                }
-            }
-            }
-      //  }
-
-       // stage('Archive Artifact') {
-          //  steps {
-              //  archiveArtifacts artifacts: 'target/*.jar', fingerprint: true
-           // }
-      //  }
-
-        stage('Run Application') {
-            steps {
-                  sh 'mvn spring-boot:run'
-               //   dir('/var/lib/jenkins/workspace/Parcel_service_feature-1/target') {
-                 //  sh """
-                     //   nohup java -jar simple-parcel-service-app-1.0-SNAPSHOT.jar > app.log 2>&1 &
-                        //echo "Application started"
-                  // """
-              //  }
-            }
-        }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba110fd and 1bce923.

📒 Files selected for processing (1)

• Jenkinsfile (1 hunks)

🔇 Additional comments (2)

Jenkinsfile (2)

1-1: Verify the shared library Jenkins_library exists and is accessible.

Line 1 imports a custom shared library. Ensure this library is configured in your Jenkins instance and contains the functions referenced in this pipeline (e.g., build).

In Jenkins, verify:

• Navigate to Manage Jenkins > Configure System > Global Pipeline Libraries
• Confirm Jenkins_library is listed and points to the correct repository/branch

If the library is not present or has been removed, this pipeline will fail at runtime.

---

6-9: Verify tool names JDK17 and maven are configured in Jenkins.

The tools block references JDK17 and Maven by name. These must be pre-configured in your Jenkins Global Tool Configuration. If the names don't match exactly, the pipeline will fail.

In Jenkins, verify:

• Navigate to Manage Jenkins > Global Tool Configuration
• Confirm JDK installations includes an entry named exactly JDK17
• Confirm Maven installations includes an entry named exactly maven

Consider using more specific version identifiers (e.g., maven-3.9.0) if multiple Maven versions are available.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add error handling and validation between stages.

There is no validation that the Build stage succeeded before proceeding to the Run Application stage. If the Maven build fails, the pipeline should halt immediately rather than attempting to run a non-existent or broken application.

Add explicit error handling or rely on Jenkins' native set -e behavior by using sh scripts (already default). Ensure that if Maven exits with a non-zero status, the entire pipeline fails:

         stage('Build') {
             steps {
-                //sh 'mvn clean package -DskipTests=false'
-               script {
-                   // dir('hello-world-war') {
-                    build 'package'
-                }
+               sh 'mvn clean package'
             }

This makes Maven failures immediately halt the pipeline.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	stage('Build') {
	steps {
	//sh 'mvn clean package -DskipTests=false'
	script {
	// dir('hello-world-war') {
	build 'package'
	}
	}
	}
	stage('Build') {
	steps {
	sh 'mvn clean package'
	}
	}

🤖 Prompt for AI Agents

Jenkinsfile around lines 19-27: the Build stage currently calls build 'package'
with no validation and can allow the pipeline to continue if the build fails;
replace that with an explicit shell Maven invocation (e.g., sh 'mvn clean
package -DskipTests=false') so Jenkins will fail the stage on non‑zero exit, or
if you need custom handling run sh with returnStatus and explicitly error out
(throw or error step) when the status is non‑zero; ensure no downstream stages
run by failing the pipeline immediately when the Maven build fails.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, explore the repository structure to locate the Jenkins shared library
find . -type f -name "*.groovy" | head -20

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# Search for the Jenkins_library or shared library references
find . -type d -name "vars" -o -type d -name "shared" -o -type d -name "library" | head -20

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# Look for the Jenkinsfile location and examine it
find . -name "Jenkinsfile" -type f

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

git ls-files | head -50

Repository: vikas0105/Parcel-service

Length of output: 77

---

🏁 Script executed:

# Check if there are any pipeline or Jenkins-related files
git ls-files | grep -i jenkins

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# Look for any groovy files
git ls-files | grep -i groovy

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# List the top-level structure
ls -la

Repository: vikas0105/Parcel-service

Length of output: 287

---

🏁 Script executed:

# Check all branches for Jenkinsfile
git branch -a

Repository: vikas0105/Parcel-service

Length of output: 180

---

🏁 Script executed:

# Search git history for any Jenkinsfile reference
git log --all --pretty=format: --name-only | grep -i jenkinsfile | sort -u

Repository: vikas0105/Parcel-service

Length of output: 109

---

🏁 Script executed:

# Check git log to see commits
git log --oneline --all | head -20

Repository: vikas0105/Parcel-service

Length of output: 676

---

🏁 Script executed:

git checkout main
git ls-files | grep -i jenkinsfile

Repository: vikas0105/Parcel-service

Length of output: 156

---

🏁 Script executed:

# Now read the Jenkinsfile
cat Jenkinsfile

Repository: vikas0105/Parcel-service

Length of output: 111

---

🏁 Script executed:

git checkout coderabbit_6
git ls-files | grep -i jenkinsfile

Repository: vikas0105/Parcel-service

Length of output: 130

---

🏁 Script executed:

# List all files in this branch
git ls-files

Repository: vikas0105/Parcel-service

Length of output: 958

---

🏁 Script executed:

cat -n Jenkinsfile

Repository: vikas0105/Parcel-service

Length of output: 1549

---

🏁 Script executed:

# Check if there's a shared library defined locally
find . -name "vars" -o -name "*library*" -type d

Repository: vikas0105/Parcel-service

Length of output: 50

---

🏁 Script executed:

# Search for Jenkins_library references or @Library annotations
grep -r "Jenkins_library\|@Library" .

Repository: vikas0105/Parcel-service

Length of output: 111

---

🏁 Script executed:

# Search for any documentation or comments about the Jenkins_library
grep -r "Jenkins_library" .

Repository: vikas0105/Parcel-service

Length of output: 111

---

🏁 Script executed:

# Check README for any Jenkins/library documentation
cat README.md

Repository: vikas0105/Parcel-service

Length of output: 3243

---

🏁 Script executed:

# Check pom.xml to understand Maven goals and test configuration
cat pom.xml | head -50

Repository: vikas0105/Parcel-service

Length of output: 1975

---

Replace the opaque custom build 'package' function with explicit Maven invocation or add documentation.

Line 24 invokes build 'package' from the Jenkins_library shared library, which obscures the actual build behavior. The commented-out code on line 21 (mvn clean package -DskipTests=false) shows tests were explicitly executed, but the custom function's test handling is unclear. Additionally, line 38 uses direct sh 'mvn spring-boot:run' invocation, creating inconsistency in how Maven is called.

Either replace with direct Maven invocation (preserving test execution):

-               script {
-                   // dir('hello-world-war') {
-                    build 'package'
-                }
+               sh 'mvn clean package -DskipTests=false'

Or document the shared library function's contract (Maven goals, test behavior, failure handling).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	script {
	// dir('hello-world-war') {
	build 'package'
	}
	sh 'mvn clean package -DskipTests=false'

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: mvn spring-boot:run will block the pipeline indefinitely.

The mvn spring-boot:run command starts an embedded Tomcat server that runs indefinitely, preventing the Jenkins build from completing. This will cause the pipeline to hang and timeout.

Replace this with one of the following approaches:

Option 1: Run application in background (for smoke tests/validation):

-                sh 'mvn spring-boot:run'
+                sh '''
+                  nohup mvn spring-boot:run > app.log 2>&1 &
+                  sleep 5
+                  if ! curl -f http://localhost:8080/health; then
+                    echo "Application failed to start"
+                    exit 1
+                  fi
+                '''

Option 2: Remove this stage (recommended for typical CI/CD builds):
If the goal is only to build and package the application (not run it), delete this entire stage. The packaged JAR will be available in target/ for deployment pipelines.

-        stage('Run Application') {
-            steps {
-                  sh 'mvn spring-boot:run'
-               //   dir('/var/lib/jenkins/workspace/Parcel_service_feature-1/target') {
-                 //  sh """
-                     //   nohup java -jar simple-parcel-service-app-1.0-SNAPSHOT.jar > app.log 2>&1 &
-                        //echo "Application started"
-                  // """
-              //  }
-            }
-        }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	sh 'mvn spring-boot:run'
	sh '''
	nohup mvn spring-boot:run > app.log 2>&1 &
	sleep 5
	if ! curl -f http://localhost:8080/health; then
	echo "Application failed to start"
	exit 1
	fi
	'''

🤖 Prompt for AI Agents

In Jenkinsfile around line 38, the pipeline currently runs "mvn spring-boot:run"
which starts the app and blocks the job indefinitely; either replace this step
with a non-blocking approach (run the JVM process in the background for
transient smoke tests, e.g., start the app in background, run tests against it,
then kill the process) or remove the stage entirely if you only need to
build/package in CI (leave mvn package or mvn verify instead so the JAR is
produced in target/ and the pipeline completes).