Bump github/codeql-action from 2.1.18 to 2.1.19

.github/workflows/build.yml

@@ -27,14 +27,14 @@ jobs:
     # -------------------------
     # Java JDK 11
     - name: Set up JDK 11
-      uses: actions/setup-java@16cca5479d7c6b6843f6a6515640ba33c6501543 # v3.3.0
+      uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.3.0
       with:
         java-version: 11
         distribution: 'temurin'
         cache: 'maven'
     - name: Initialize CodeQL
       if: github.event_name == 'push'
-      uses: github/codeql-action/init@3f62b754e23e0dd60f91b744033e1dc1654c0ec6 # v2.1.11
+      uses: github/codeql-action/init@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.11
       with:
         languages: java
     # -------------------------
@@ -50,7 +50,7 @@ jobs:
         mvn -Prelease -Preporting verify
     - name: Perform CodeQL Analysis
       if: github.event_name == 'push'
-      uses: github/codeql-action/analyze@3f62b754e23e0dd60f91b744033e1dc1654c0ec6 # v2.1.11
+      uses: github/codeql-action/analyze@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.11
   deploy-snapshot:
     name: Deploy SNAPSHOT Release
     if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'develop'
@@ -66,7 +66,7 @@ jobs:
     # -------------------------
     # Java JDK 11
     - name: Set up JDK 11
-      uses: actions/setup-java@16cca5479d7c6b6843f6a6515640ba33c6501543 # v3.3.0
+      uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.3.0
       with:
         java-version: 11
         distribution: 'temurin'
@@ -81,7 +81,7 @@ jobs:
     # -------------------------
     - name: Deploy Maven Artifact SNAPSHOTs
       run: |
-        mvn -Pgpg -Preporting deploy
+        mvn -s $GITHUB_WORKSPACE/settings.xml -Pgpg -Preporting deploy
       env:
         MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
         MAVEN_CENTRAL_TOKEN: ${{ secrets.SONATYPE_PASSWORD }}

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
     # -------------------------
     # Java JDK 11
     - name: Set up JDK 11
-      uses: actions/setup-java@16cca5479d7c6b6843f6a6515640ba33c6501543 # v3.3.0
+      uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.3.0
       with:
         java-version: 11
         distribution: 'temurin'
@@ -46,8 +46,7 @@ jobs:
     # -------------------------
     - name: Deploy Maven Artifacts
       run: |
-        mvn -Prelease -Preporting deploy
-        # mvn -s $GITHUB_WORKSPACE/settings.xml -Pgpg -Prelease -Preporting install # deploy
+        mvn -s $GITHUB_WORKSPACE/settings.xml -Pgpg -Prelease -Preporting deploy
         # mvn -Pgpg -Prelease nexus-staging:close -DstagingDescription="closing to release"
       env:
         MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }}

cli-core/pom.xml

@@ -1,10 +1,12 @@
 <?xml version="1.0"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
 		<groupId>gov.nist.secauto.oscal.tools.oscal-cli</groupId>
 		<artifactId>cli-parent</artifactId>
-		<version>0.1.1-SNAPSHOT</version>
+		<version>0.2.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>cli-core</artifactId>
@@ -26,6 +28,12 @@
 			<groupId>gov.nist.secauto.metaschema</groupId>
 			<artifactId>metaschema-schema-generator</artifactId>
 		</dependency>
+
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-core</artifactId>
+		</dependency>
+
 		<dependency>
 			<!-- For console log color -->
 			<groupId>org.fusesource.jansi</groupId>
@@ -43,6 +51,10 @@
 			<groupId>com.github.erosb</groupId>
 			<artifactId>everit-json-schema</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>com.github.spotbugs</groupId>
+			<artifactId>spotbugs-annotations</artifactId>
+		</dependency>
 	</dependencies>
 
 	<properties>
@@ -190,21 +202,22 @@
 				<artifactId>license-maven-plugin</artifactId>
 				<version>2.0.0</version>
 				<executions>
-				  <execution>
-					<id>third-party-license</id>
-					<goals>
-						<goal>add-third-party</goal>
-					  </goals>
-					<configuration>
-					  <outputDirectory>${project.build.directory}/generated-distro</outputDirectory>
-					  <thirdPartyFilename>LICENSE-THIRD-PARTY.txt</thirdPartyFilename>
-					  <licenseMerges>
-						<licenseMerge>The Apache Software License, Version 2.0|Apache License, Version 2.0|Apache Public License 2.0</licenseMerge>
-					  </licenseMerges>
-					</configuration>
-				  </execution>
+					<execution>
+						<id>third-party-license</id>
+						<goals>
+							<goal>add-third-party</goal>
+						</goals>
+						<configuration>
+							<outputDirectory>${project.build.directory}/generated-distro</outputDirectory>
+							<thirdPartyFilename>LICENSE-THIRD-PARTY.txt</thirdPartyFilename>
+							<licenseMerges>
+								<licenseMerge>The Apache Software License, Version 2.0|Apache
+									License, Version 2.0|Apache Public License 2.0</licenseMerge>
+							</licenseMerges>
+						</configuration>
+					</execution>
 				</executions>
-			  </plugin>
+			</plugin>
 		</plugins>
 	</build>
 </project>

cli-core/src/main/java/gov/nist/secauto/oscal/tools/cli/core/CLI.java

@@ -36,19 +36,17 @@
 import gov.nist.secauto.oscal.tools.cli.core.commands.ssp.SystemSecurityPlanCommand;
 import gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor;
 
-import java.io.IOException;
-
 public class CLI { // NOPMD - intentional
 
   private final CLIProcessor cliProcessor;
 
-  public static void main(String... args) throws IOException {
+  public static void main(String... args) {
     System.setProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager");
     int exitCode = new CLI().parse(args);
     System.exit(exitCode);
   }
 
-  public CLI() throws IOException {
+  public CLI() {
     this.cliProcessor = new CLIProcessor("oscal-cli", new Version());
     cliProcessor.addCommandHandler(new CatalogCommand());
     cliProcessor.addCommandHandler(new ProfileCommand());

cli-core/src/main/java/gov/nist/secauto/oscal/tools/cli/core/commands/AbstractConvertSubcommand.java

@@ -46,8 +46,6 @@
 import org.apache.commons.cli.Options;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -59,6 +57,10 @@
 import java.util.List;
 import java.util.Locale;
 
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 public abstract class AbstractConvertSubcommand
     extends AbstractTerminalCommand {
   private static final Logger LOGGER = LogManager.getLogger(AbstractConvertSubcommand.class);
@@ -92,6 +94,7 @@ public void gatherOptions(Options options) {
   }
 
   @Override
+  @SuppressFBWarnings(value = "EI_EXPOSE_REP", justification = "unmodifiable collection and immutable item")
   public List<ExtraArgument> getExtraArguments() {
     return EXTRA_ARGUMENTS;
   }
@@ -148,10 +151,13 @@ public ExitStatus executeCommand(CLIProcessor processor, CommandContext context)
           return ExitCode.FAIL.exitMessage("The provided destination '" + destination + "' is not writable.");
         }
       } else {
-        try {
-          Files.createDirectories(destination.getParent());
-        } catch (IOException ex) {
-          return ExitCode.INVALID_TARGET.exit().withThrowable(ex);
+        Path parent = destination.getParent();
+        if (parent != null) {
+          try {
+            Files.createDirectories(parent);
+          } catch (IOException ex) {
+            return ExitCode.INVALID_TARGET.exit().withThrowable(ex);
+          }
         }
       }
     }
@@ -168,7 +174,7 @@ public ExitStatus executeCommand(CLIProcessor processor, CommandContext context)
     return ExitCode.OK.exit();
   }
 
-  protected void performConvert(@NotNull Path source, @Nullable Path destination, @NotNull Format toFormat)
+  protected void performConvert(@NonNull Path source, @Nullable Path destination, @NonNull Format toFormat)
       throws BindingException, FileNotFoundException, IOException {
     IBindingContext context = OscalBindingContext.instance();
     IBoundLoader loader = context.newBoundLoader();
@@ -184,12 +190,12 @@ protected void performConvert(@NotNull Path source, @Nullable Path destination,
   }
 
   protected <CLASS> void convert(
-      @NotNull Path source,
+      @NonNull Path source,
       @Nullable Path destination,
-      @NotNull Format fromFormat,
-      @NotNull Format toFormat,
-      @NotNull Class<CLASS> rootClass,
-      @NotNull IBindingContext context) throws FileNotFoundException, IOException {
+      @NonNull Format fromFormat,
+      @NonNull Format toFormat,
+      @NonNull Class<CLASS> rootClass,
+      @NonNull IBindingContext context) throws FileNotFoundException, IOException {
     IDeserializer<CLASS> deserializer = context.newDeserializer(fromFormat.getBindingFormat(), rootClass);
 
     CLASS object = deserializer.deserialize(source);

cli-core/src/main/java/gov/nist/secauto/oscal/tools/cli/core/commands/AbstractRenderSubcommand.java

@@ -42,12 +42,17 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 
 import javax.xml.transform.TransformerException;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 public abstract class AbstractRenderSubcommand
     extends AbstractTerminalCommand {
   private static final Logger LOGGER = LogManager.getLogger(AbstractRenderSubcommand.class);
@@ -74,6 +79,7 @@ public void gatherOptions(Options options) {
   }
 
   @Override
+  @SuppressFBWarnings(value = "EI_EXPOSE_REP", justification = "unmodifiable collection and immutable item")
   public List<ExtraArgument> getExtraArguments() {
     return EXTRA_ARGUMENTS;
   }
@@ -98,30 +104,30 @@ public void validateOptions(CLIProcessor processor, CommandContext context)
   @Override
   public ExitStatus executeCommand(CLIProcessor processor, CommandContext context) {
     List<String> extraArgs = context.getExtraArguments();
-    File destination = new File(extraArgs.get(1)); //.toAbsolutePath();
+    Path destination = resolvePathAgainstCWD(Paths.get(extraArgs.get(1))); // .toAbsolutePath();
 
-    if (destination.exists()) {
+    if (Files.exists(destination)) {
       if (!context.getCmdLine().hasOption("overwrite")) {
-        return ExitCode.FAIL.exitMessage("The provided destination '" + destination.getPath()
+        return ExitCode.FAIL.exitMessage("The provided destination '" + destination
             + "' already exists and the --overwrite option was not provided.");
       }
-      if (!destination.canWrite()) {
-        return ExitCode.FAIL.exitMessage("The provided destination '" + destination.getPath() + "' is not writable.");
+      if (!Files.isWritable(destination)) {
+        return ExitCode.FAIL.exitMessage("The provided destination '" + destination + "' is not writable.");
       }
     }
 
-    File input = new File(extraArgs.get(0));
+    Path input = resolvePathAgainstCWD(Paths.get(extraArgs.get(0)));
     try {
       performRender(input, destination);
     } catch (IOException | TransformerException ex) {
       return ExitCode.FAIL.exit().withThrowable(ex);
     }
 
     if (LOGGER.isInfoEnabled()) {
-      LOGGER.info("Generated HTML file: " + destination.getPath());
+      LOGGER.info("Generated HTML file: " + destination.toString());
     }
     return ExitCode.OK.exit();
   }
 
-  protected abstract void performRender(File input, File result) throws IOException, TransformerException;
+  protected abstract void performRender(Path input, Path result) throws IOException, TransformerException;
 }

cli-core/src/main/java/gov/nist/secauto/oscal/tools/cli/core/commands/AbstractValidationSubcommand.java

@@ -74,6 +74,8 @@
 
 import javax.xml.transform.Source;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 public abstract class AbstractValidationSubcommand
     extends AbstractTerminalCommand {
   private static final Logger LOGGER = LogManager.getLogger(AbstractValidationSubcommand.class);
@@ -100,6 +102,7 @@ public void gatherOptions(Options options) {
   }
 
   @Override
+  @SuppressFBWarnings(value = "EI_EXPOSE_REP", justification = "unmodifiable collection and immutable item")
   public List<ExtraArgument> getExtraArguments() {
     return EXTRA_ARGUMENTS;
   }
@@ -176,14 +179,19 @@ public ExitStatus executeCommand(CLIProcessor processor, CommandContext context)
     IBoundLoader loader = bindingContext.newBoundLoader();
 
     List<String> extraArgs = context.getExtraArguments();
-    Path source = Paths.get(extraArgs.get(0));
+    Path source = resolvePathAgainstCWD(Paths.get(extraArgs.get(0)));
     Format asFormat;
     if (context.getCmdLine().hasOption("as")) {
       try {
         String toFormatText = context.getCmdLine().getOptionValue("as");
         asFormat = Format.valueOf(toFormatText.toUpperCase(Locale.ROOT));
       } catch (IllegalArgumentException ex) {
-        return ExitCode.FAIL.exitMessage("Invalid '--as' argument. The format must be one of: " + Format.values()).withThrowable(ex);
+        return ExitCode.FAIL
+            .exitMessage("Invalid '--as' argument. The format must be one of: "
+                + Arrays.stream(Format.values())
+                    .map(format -> format.name())
+                    .collect(CustomCollectors.joiningWithOxfordComma("or")))
+            .withThrowable(ex);
       }
     } else {
       // attempt to determine the format
@@ -197,7 +205,9 @@ public ExitStatus executeCommand(CLIProcessor processor, CommandContext context)
       } catch (IllegalArgumentException ex) {
         return ExitCode.FAIL.exitMessage(
             "Source file has unrecognizable format. Use '--as' to specify the format. The format must be one of: "
-                + Format.values());
+                + Arrays.stream(Format.values())
+                    .map(format -> format.name())
+                    .collect(CustomCollectors.joiningWithOxfordComma("or")));
       }
     }
 
@@ -243,7 +253,7 @@ public ExitStatus executeCommand(CLIProcessor processor, CommandContext context)
 
     try {
       IDocumentNodeItem nodeItem = loader.loadAsNodeItem(source);
-      validator.visit(nodeItem);
+      validator.validate(nodeItem);
       validator.finalizeValidation();
 
       if (!handler.isPassing()) {