refactor: JUnit Jupiter migration from JUnit 4.x

.github/actions/project-security-label-threshold-action/Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y git jupyter python3-pandas python3-yaml cowsay
 
-ENV PATH $PATH:/usr/games
+ENV PATH=$PATH:/usr/games
 
 COPY entrypoint.sh /opt/entrypoint.sh
 

.github/actions/project-security-report-action/Dockerfile

@@ -1,20 +1,9 @@
-FROM openjdk:8
+FROM maven:3.9.5-sapmachine-17
 
 RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y git jq
 
-RUN wget https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz && \
-    HASH=c35a1803a6e70a126e80b2b3ae33eed961f83ed74d18fcd16909b2d44d7dada3203f1ffe726c17ef8dcca2dcaa9fca676987befeadc9b9f759967a8cb77181c0 && \
-    echo "$HASH apache-maven-3.6.3-bin.tar.gz" | sha512sum --check --status && \
-    tar xf apache-maven-3.6.3-bin.tar.gz -C /opt
-
-ENV M2_HOME="/opt/apache-maven-3.6.3"
-ENV MAVEN_HOME="/opt/apache-maven-3.6.3"
-ENV PATH="${MAVEN_HOME}/bin:${PATH}"
-
-RUN mvn -version
-
 COPY build_fosstars.sh /opt/build_fosstars.sh
 COPY cleanup_for_config_if_necessary.sh /opt/cleanup_for_config_if_necessary.sh
 COPY entrypoint.sh /opt/entrypoint.sh

.github/workflows/cli-tests.yml

@@ -15,12 +15,13 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-    - uses: actions/[email protected]
-    - name: Set up JDK 1.8
-      uses: actions/setup-java@v3
+    - name: Checkout repository
+      uses: actions/[email protected]
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
       with:
-        distribution: 'adopt'
-        java-version: 8
+        distribution: 'sapmachine'
+        java-version: '17'
     - name: Build
       run: mvn -B -ntp --file pom.xml -DskipTests package
       env:
@@ -29,3 +30,5 @@ jobs:
       run: bash src/test/shell/tool/github/run_tests.sh
       env:
         TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        #once this credential is available, this could allow for fast pipeline runs
+        #NVD_API_KEAY: ${{ secrets.NVD_API_KEY }}

.github/workflows/codeql-analysis.yml

@@ -23,9 +23,15 @@ jobs:
     - name: Checkout repository
       uses: actions/[email protected]
 
+    - name: Set up SapMachine 17
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'sapmachine'
+        java-version: '17'
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
 
@@ -34,4 +40,4 @@ jobs:
         MAVEN_OPTS: -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/maven.yml

@@ -18,11 +18,11 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
     - uses: actions/[email protected]
-    - name: Set up JDK 1.8
-      uses: actions/setup-java@v3
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
       with:
-        distribution: 'adopt'
-        java-version: 8
+        distribution: 'sapmachine'
+        java-version: '17'
     - name: Build with Maven
       run: mvn -B -ntp package --file pom.xml
       env:

.gitignore

@@ -9,4 +9,5 @@ src/test/shell/tool/github/*.log
 .classpath
 .project
 .settings
-.checkstyle
+.checkstyle
+.DS_Store

README.md

@@ -24,8 +24,8 @@ can be found in the [docs](https://sap.github.io/fosstars-rating-core/oss_securi
 
 ## Requirements
 
-*  Java 8+
-*  Maven 3.6.0+
+*  Java 17+
+*  Maven 3.6.3+
 *  Python 3.6.8+
 *  Jupyter Notebook 4.4.0+
 
@@ -87,13 +87,18 @@ If `--interactive` option is specified, the tool becomes a bit interactive,
 and may ask the user a couple of questions.
 You can also find more details in the [docs](https://sap.github.io/fosstars-rating-core/getting_oss_security_rating.html).
 
+## NVD API Key Highly Recommended
+The reuse of the open source library org.owasp:dependency-check-core now needs an api key to not have artificial slow-downs.
+This is documented [here](https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#nvd-api-key-highly-recommended). 
+Once you have a key you can set the environment variable `NVD_API_KEY` and potentially also `NVD_API_DELAY` (in milliseconds), if necessary.
+
 ## Running CLI in Docker
 
 You can also run the CLI in a Docker container:
 
 ```
 docker build --tag fosstars --file src/main/docker/cli/Dockerfile .
-docker run -v $(pwd):/work fosstars --rating security --token $TOKEN --url https://github.com/apache/poi
+docker run -v $(pwd):/work fosstars --rating security --token $TOKEN -e NVD_API_KEY=<some-api-key> --url https://github.com/apache/poi
 ```
 
 ## Known issues

pom.xml

@@ -69,44 +69,59 @@
   </distributionManagement>
 
   <properties>
+    <java.version>17</java.version>
+    <maven.compiler.source>17</maven.compiler.source>
+    <maven.compiler.target>17</maven.compiler.target>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <version.jackson>2.15.2</version.jackson>
+    <version.jackson>2.18.1</version.jackson>
     <version.commons-math3>3.6.1</version.commons-math3>
     <version.commons-cli>1.5.0</version.commons-cli>
-    <version.github-api>1.315</version.github-api>
+    <version.github-api>1.326</version.github-api><!-- 1.315 -->
     <version.nist-data-mirror>1.6.0</version.nist-data-mirror>
     <version.maven-model>3.9.4</version.maven-model>
     <version.log4j>2.20.0</version.log4j>
     <version.httpclient>4.5.14</version.httpclient>
-    <version.junit>4.13.2</version.junit>
-    <version.mockito>4.11.0</version.mockito>
+    <version.junit>5.11.3</version.junit>
+    <version.mockito>5.14.2</version.mockito>
     <version.packageurl-java>1.4.1</version.packageurl-java>
     <version.commons-collections4>4.4</version.commons-collections4>
     <version.org.eclipse.jgit>5.13.2.202306221912-r</version.org.eclipse.jgit>
     <version.commons-text>1.10.0</version.commons-text>
     <version.maven-artifact>3.9.4</version.maven-artifact>
-    <version.dependency-check-core>8.3.1</version.dependency-check-core>
+    <version.dependency-check-core>11.1.0</version.dependency-check-core>
     <version.slf4j-simple>2.0.7</version.slf4j-simple>
     <version.javax.annotation-api>1.3.2</version.javax.annotation-api>
     <version.jsoup>1.16.1</version.jsoup>
     <version.okhttp>4.11.0</version.okhttp>
+    <version.hamcrest>3.0</version.hamcrest>
+    <version.maven-gpg-plugin>3.1.0</version.maven-gpg-plugin>
+    <version.nexus-staging-maven-plugin>1.6.13</version.nexus-staging-maven-plugin>
+    <version.maven-compiler-plugin>3.11.0</version.maven-compiler-plugin>
+    <version.maven-source-plugin>3.3.0</version.maven-source-plugin>
+    <version.maven-javadoc-plugin>3.5.0</version.maven-javadoc-plugin>
+    <version.maven-surefire-plugin>3.1.2</version.maven-surefire-plugin>
+    <version.jacoco-maven-plugin>0.8.10</version.jacoco-maven-plugin>
+    <version.maven-assembly-plugin>3.6.0</version.maven-assembly-plugin>
+
+    <version.maven-checkstyle-plugin>3.1.2</version.maven-checkstyle-plugin>
+    <checkstyleVersion>8.29</checkstyleVersion>
   </properties>
 
   <build>
     <plugins>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.11.0</version>
+        <version>${version.maven-compiler-plugin}</version>
         <configuration>
-          <source>8</source>
-          <target>8</target>
+          <source>${maven.compiler.source}</source>
+          <target>${maven.compiler.target}</target>
         </configuration>
       </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-source-plugin</artifactId>
-        <version>3.3.0</version>
+        <version>${version.maven-source-plugin}</version>
         <executions>
           <execution>
             <id>attach-sources</id>
@@ -119,10 +134,9 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-javadoc-plugin</artifactId>
-        <version>3.5.0</version>
+        <version>${version.maven-javadoc-plugin}</version>
         <configuration>
-          <source>8</source>
-          <target>8</target>
+          <source>${maven.compiler.source}</source>
           <failOnError>true</failOnError>
           <failOnWarnings>true</failOnWarnings>
           <additionalOptions>-Xdoclint:none</additionalOptions>
@@ -139,15 +153,16 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
-        <version>3.1.2</version>
+        <version>${version.maven-surefire-plugin}</version>
         <configuration>
           <trimStackTrace>false</trimStackTrace>
+          <argLine>-Duser.language=en -Duser.region=US</argLine>
         </configuration>
       </plugin>
       <plugin>
         <groupId>org.jacoco</groupId>
         <artifactId>jacoco-maven-plugin</artifactId>
-        <version>0.8.10</version>
+        <version>${version.jacoco-maven-plugin}</version>
         <executions>
           <execution>
             <goals>
@@ -161,7 +176,7 @@
       </plugin>
       <plugin>
         <artifactId>maven-assembly-plugin</artifactId>
-        <version>3.6.0</version>
+        <version>${version.maven-assembly-plugin}</version>
         <configuration>
           <finalName>fosstars-github-rating</finalName>
           <archive>
@@ -186,7 +201,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-checkstyle-plugin</artifactId>
-        <version>3.1.2</version>
+        <version>${version.maven-checkstyle-plugin}</version>
         <configuration>
           <configLocation>google_checks.xml</configLocation>
           <encoding>UTF-8</encoding>
@@ -220,7 +235,7 @@
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-gpg-plugin</artifactId>
-            <version>3.1.0</version>
+            <version>${version.maven-gpg-plugin}</version>
             <executions>
               <execution>
                 <id>sign-artifacts</id>
@@ -234,7 +249,7 @@
           <plugin>
             <groupId>org.sonatype.plugins</groupId>
             <artifactId>nexus-staging-maven-plugin</artifactId>
-            <version>1.6.13</version>
+            <version>${version.nexus-staging-maven-plugin}</version>
             <extensions>true</extensions>
             <configuration>
               <serverId>ossrh</serverId>
@@ -251,6 +266,7 @@
         <checkstyle.skip>true</checkstyle.skip>
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <skipAssembly>true</skipAssembly>
+        <spotless.apply.skip>true</spotless.apply.skip>
       </properties>
     </profile>
     <profile>
@@ -260,6 +276,7 @@
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <skipAssembly>false</skipAssembly>
         <skipTests>true</skipTests>
+        <spotless.apply.skip>true</spotless.apply.skip>
       </properties>
     </profile>
   </profiles>
@@ -315,18 +332,6 @@
       <artifactId>httpclient</artifactId>
       <version>${version.httpclient}</version>
     </dependency>
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <version>${version.junit}</version>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.mockito</groupId>
-      <artifactId>mockito-inline</artifactId>
-      <version>${version.mockito}</version>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-yaml</artifactId>
@@ -377,5 +382,23 @@
       <artifactId>okhttp</artifactId>
       <version>${version.okhttp}</version>
     </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <version>${version.junit}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.hamcrest</groupId>
+      <artifactId>hamcrest</artifactId>
+      <version>${version.hamcrest}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>${version.mockito}</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 </project>

src/main/docker/cli/Dockerfile

@@ -1,22 +1,5 @@
-FROM openjdk:8
+FROM sapmachine:17
 
-RUN apt-get update && \
-    apt-get upgrade -y && \
-    apt-get install -y git jq
+ADD target/fosstars-github-rating-calc.jar opt/fosstars-github-rating-calc.jar
 
-RUN wget https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz && \
-    HASH=c35a1803a6e70a126e80b2b3ae33eed961f83ed74d18fcd16909b2d44d7dada3203f1ffe726c17ef8dcca2dcaa9fca676987befeadc9b9f759967a8cb77181c0 && \
-    echo "$HASH apache-maven-3.6.3-bin.tar.gz" | sha512sum --check --status && \
-    tar xf apache-maven-3.6.3-bin.tar.gz -C /opt
-
-ENV M2_HOME="/opt/apache-maven-3.6.3"
-ENV MAVEN_HOME="/opt/apache-maven-3.6.3"
-ENV PATH="${MAVEN_HOME}/bin:${PATH}"
-
-ADD . /fosstars
-RUN cd /fosstars && mvn package -ntp -DskipTests -Dcheckstyle.skip -Dmaven.javadoc.skip
-
-RUN mkdir /work
-WORKDIR /work
-
-ENTRYPOINT [ "java", "-jar", "/fosstars/target/fosstars-github-rating-calc.jar" ]
+ENTRYPOINT [ "java", "-jar", "opt/fosstars-github-rating-calc.jar" ]

src/main/java/com/sap/oss/phosphor/fosstars/advice/oss/OssRulesOfPlayAdvisor.java

@@ -23,7 +23,7 @@
 import org.apache.logging.log4j.Logger;
 
 /**
- * An advisor for {@link com.sap.oss.phosphor.fosstars.model.rating.oss.OssRulesOfPlayRating}.
+ * An advisor for {@link OssRulesOfPlayRating}.
  */
 public class OssRulesOfPlayAdvisor extends AbstractOssAdvisor {
 

src/main/java/com/sap/oss/phosphor/fosstars/advice/oss/OwaspDependencyCheckAdvisor.java

@@ -59,7 +59,7 @@ protected List<Advice> adviceFor(
 
   /**
    * Checks if a value is
-   * {@link com.sap.oss.phosphor.fosstars.model.value.OwaspDependencyCheckUsageValue}
+   * {@link OwaspDependencyCheckUsageValue}
    * and it is equal to
    * {@link com.sap.oss.phosphor.fosstars.model.value.OwaspDependencyCheckUsage#MANDATORY}.
    *