
ci: add Trivy security scanning and Docker dependabot#606

Merged
david-waltermire merged 3 commits into metaschema-framework:develop from david-waltermire:feature/trivy-scanning
Dec 31, 2025

Conversation

david-waltermire (Contributor) commented Dec 30, 2025

Summary

  • Add Trivy filesystem vulnerability scanner job to the build workflow
  • Publish SARIF results to GitHub Security tab for develop/release branches and PRs targeting those branches
  • Unify SARIF upload control with UPLOAD_SCAN_SARIF environment variable (used by both CodeQL and Trivy)
  • Add Docker ecosystem to dependabot for container dependency updates

Changes

Build Workflow

  • New trivy-scan job that scans the filesystem for vulnerabilities
  • Outputs SARIF format and uploads to GitHub Security tab
  • Runs independently (in parallel with other jobs)
  • Scans all severity levels: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN

Dependabot

  • Added Docker ecosystem to maintain container base image dependencies

Test plan

  • Verify build workflow runs successfully
  • Verify Trivy scan results appear in GitHub Security tab after merge to develop
  • Verify CodeQL continues to work with the new UPLOAD_SCAN_SARIF variable

Summary by CodeRabbit

  • Chores
    • Added Dependabot Docker updates, appended a license URL to the link-ignore list, and excluded generated package-info files from certain analyses.
  • CI / Workflows
    • Introduced a unified SARIF gating variable, added Trivy SARIF scans alongside CodeQL, and improved scan and link-check summaries and gating.
  • Build
    • Ensure generated Java sources are discovered and automatically license-formatted during the build.
  • Refactor
    • Broad formatting and Javadoc cleanup across generated bindings; added a few metadata accessors and improved object string representations.


coderabbitai bot commented Dec 30, 2025

📝 Walkthrough

Walkthrough

Updates CI to gate SARIF uploads via a new UPLOAD_SCAN_SARIF variable and add Trivy SARIF scanning and summaries; adjusts link-checker outputs; adds Dependabot Docker entry and one lychee ignore URL; introduces license/formatter plugin configs in bootstrap POMs; widespread formatting-only edits and several added getMetaschemaData/toString accessors in generated bindings.

Changes

Cohort / File(s) Change Summary
CI / Workflows
.github/workflows/build.yml
Replace UPLOAD_CODEQL with UPLOAD_SCAN_SARIF; CodeQL step uses upload: 'never' and exposes codeql-results; add Trivy SARIF scan + Trivy summary; conditional SARIF uploads for CodeQL/Trivy; link-checker steps now use steps.linkchecker.outputs.exit_code.
Dependabot config
.github/dependabot.yml
Add docker package-ecosystem entry for / with daily updates targeting develop.
Link-check ignore
.lycheeignore
Add http://www.gnu.org/software/classpath/license.html to ignore list.
Bootstrap POMs: license & formatter plugins
databind/pom-bootstrap-config.xml, databind/pom-bootstrap-model.xml, metaschema-testing/pom-bootstrap.xml
Add <sourceDirectory>; configure com.mycila:license-maven-plugin and net.revelc.code.formatter:formatter-maven-plugin to run in generate-sources for generated Java sources.
Top-level POM plugin excludes
pom.xml
Exclude **/package-info.java from maven-jxr-plugin and maven-pmd-plugin analyses.
Generated binding classes — new accessors / toString
databind/.../ConstraintLetExpression.java, databind/.../ConstraintValueEnum.java, databind/.../FlagConstraints.java, databind/.../FlagReference.java, databind/.../KeyConstraintField.java, metaschema-testing/.../GenerateSchema.java
Add public IMetaschemaData getMetaschemaData() returning __metaschemaData; add public String toString() in KeyConstraintField.
Generated binding classes — formatting-only
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/*, metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/*, **/package-info.java
Large-scale whitespace, Javadoc and annotation reflows across many generated binding files; no behavioral/API changes aside from accessors above.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Repo as Repository
    participant Runner as Actions Runner
    participant CodeQL as CodeQL Analyzer
    participant Trivy as Trivy Scanner
    participant LinkChk as Link Checker
    participant Uploader as SARIF Uploader
    participant GHSec as GitHub Security Tab

    rect rgb(250,250,255)
    Repo->>Runner: push / PR triggers workflow
    end

    rect rgb(240,255,245)
    Runner->>CodeQL: run CodeQL analysis (produce codeql.sarif)
    alt UPLOAD_SCAN_SARIF == true
        Runner->>Uploader: upload codeql.sarif (category: codeql)
        Uploader-->>GHSec: deliver CodeQL SARIF
    else
        Note right of Runner: CodeQL SARIF not uploaded
    end
    end

    rect rgb(255,250,240)
    Runner->>Trivy: run Trivy filesystem scan (produce trivy.sarif)
    alt UPLOAD_SCAN_SARIF == true
        Runner->>Uploader: upload trivy.sarif (category: trivy)
        Uploader-->>GHSec: deliver Trivy SARIF
    else
        Note right of Runner: Trivy SARIF not uploaded
    end
    end

    rect rgb(245,245,255)
    Runner->>LinkChk: run link checker (produce html-link-report.md)
    Runner->>Runner: evaluate steps.linkchecker.outputs.exit_code
    alt exit_code != 0
        Runner->>Repo: create issue / fail step (based on exit_code)
    else
        Note right of Runner: no link-check action needed
    end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • aj-stein
  • wandmagic
  • aj-stein-gsa

Poem

🐇 I hopped through Javadoc, spaces, and tags,
I nudged CI gates and listened to flags,
Trivy and CodeQL hum softly in tow,
Docker updates queued where the green lights glow,
A tidy hop — the repo's ready to go.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: add Trivy security scanning and Docker dependabot' directly reflects the main changes: Trivy scanning integration and Docker Dependabot configuration.
Docstring Coverage ✅ Passed Docstring coverage is 99.20% which is sufficient. The required threshold is 80.00%.
📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca8f339 and a940d00.

📒 Files selected for processing (1)
  • .github/workflows/build.yml
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All changes require PR review with CODEOWNERS enforcement

Applied to files:

  • .github/workflows/build.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Website
  • GitHub Check: Code
🔇 Additional comments (6)
.github/workflows/build.yml (6)

41-42: LGTM! SARIF upload gating logic is correct.

The condition properly handles both direct pushes to develop/release branches and PRs targeting those branches. The github.base_ref comparisons correctly use branch names rather than full ref paths, fixing the critical issue identified in previous reviews.


107-135: LGTM! CodeQL analysis and summary implementation is solid.

The approach of disabling upload during analysis and handling it in a separate step (lines 175-180) is clean and maintainable. The summary provides helpful visibility into results/rules counts and clearly indicates upload status based on branch/PR context.


139-174: LGTM! Trivy scan configuration and summary are well-structured.

The scan configuration appropriately covers all severity levels and excludes directories that are either independently scanned or contain test artifacts. The severity mapping (error=Critical, warning=High, note=Medium/Low) correctly aligns with Trivy's SARIF level generation, as confirmed by the fix in commit 1661134.


175-186: LGTM! SARIF upload steps are correctly implemented.

Both upload steps use proper conditional checks (env.UPLOAD_SCAN_SARIF == 'true') and distinct categories for clear organization in the Security tab. The hardcoded java.sarif filename on line 179 is acceptable given the current single-language configuration, though adding multiple languages in the future would require updating this step.


257-279: LGTM! Link Checker Summary improves workflow visibility.

The collapsible details section keeps the workflow summary clean while providing clear error reporting when issues are found. The grep error handling is appropriate, and the status messages effectively communicate link validation results.


287-287: LGTM! Link checker integration is now consistent.

The updates correctly reference the step output (steps.linkchecker.outputs.exit_code) and use the proper report filename (html-link-report.md) that matches the lychee-action configuration on line 251. These changes improve maintainability by eliminating hardcoded references.

Also applies to: 291-291, 296-296



coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ac5f680 and 49d50c5.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/build.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Code
  • GitHub Check: Website
🔇 Additional comments (2)
.github/dependabot.yml (1)

16-21: LGTM!

The Docker ecosystem configuration is correctly structured and consistent with the existing GitHub Actions and Maven configurations. This will enable automated dependency updates for Docker base images.

.github/workflows/build.yml (1)

113-137: LGTM! Trivy scan job is well-structured.

The Trivy security scan job is correctly configured with:

  • Appropriate permissions for SARIF upload
  • Filesystem scanning covering all severity levels as intended
  • Proper conditional upload using string comparison (== 'true')
  • Pinned action versions with SHA for security

The job runs independently and in parallel as stated in the PR objectives.

coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
.github/workflows/build.yml (2)

41-42: Critical bug: Fix the github.base_ref condition (already flagged in previous review).

As noted in the previous review, github.base_ref contains only the branch name (e.g., develop), not the full ref path (e.g., refs/heads/develop). This means SARIF uploads will never work for pull requests targeting develop or release branches, breaking a key objective of this PR.

🔎 Proposed fix
  # Upload security scan SARIF results if the branch is 'develop' or 'release/*' or a pull request targeting these branches.
- UPLOAD_SCAN_SARIF: ${{ (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) || (github.event_name == 'pull_request' && (github.base_ref == 'refs/heads/develop' || startsWith(github.base_ref, 'refs/heads/release/'))) }}
+ UPLOAD_SCAN_SARIF: ${{ (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) || (github.event_name == 'pull_request' && (github.base_ref == 'develop' || startsWith(github.base_ref, 'release/'))) }}
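Review bot: the corrected expression makes the upload gate open on pull_request events targeting develop or release/*, but on a pull_request raised from a fork the GITHUB_TOKEN is read-only and never carries `security-events: write`, so the SARIF upload step will fail rather than publish; since the repository's own contributing rules (quoted in the learnings below) require PRs from personal forks, that is the common case. Either guard the pull_request branch of the condition with `github.event.pull_request.head.repo.full_name == github.repository`, or leave PR uploads out of the gate and upload the SARIF as a workflow artifact for PRs, relying on the push to develop for the Security tab.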

107-107: Critical bug: Fix the CodeQL upload condition (already flagged in previous review).

As noted in the previous review, the expression treats UPLOAD_SCAN_SARIF as a truthy/falsy value. Since the string 'false' is truthy in JavaScript expressions, this will always evaluate to 'always' even when UPLOAD_SCAN_SARIF is 'false'. This means CodeQL results will always be uploaded regardless of branch or PR target.

🔎 Proposed fix
-        upload: ${{ env.UPLOAD_SCAN_SARIF && 'always' || 'never' }}
+        upload: ${{ env.UPLOAD_SCAN_SARIF == 'true' && 'always' || 'never' }}
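Review bot: the `== 'true'` comparison is the right fix, because the job-level env value is the string rendering of the boolean expression, so a bare truthiness test passes for the string 'false'. `fromJSON(env.UPLOAD_SCAN_SARIF)` is an equivalent that avoids the string comparison, and setting `upload: 'never'` on the analyze step with one separately gated upload step (the shape the later walkthrough describes for this PR) is cleaner still, since a single `if: env.UPLOAD_SCAN_SARIF == 'true'` then governs both the CodeQL and the Trivy upload.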
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0626f48 and bccb83b.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/build.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/dependabot.yml
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
🔇 Additional comments (3)
.github/workflows/build.yml (3)

108-130: LGTM: CodeQL output and summary implementation.

The addition of the CodeQL output directory and summary step provides good visibility into scan results. The summary correctly uses string comparison (== "true") for the conditional upload message, unlike the upload condition on line 107.


180-185: LGTM: Trivy SARIF upload implementation.

The upload step correctly uses string comparison (env.UPLOAD_SCAN_SARIF == 'true') in the conditional, and the SARIF upload is properly configured with a distinct category: 'trivy' to separate results from CodeQL in the Security tab.


136-185: LGTM: Trivy job structure aligns with PR objectives.

The trivy-scan job is correctly configured to run independently in parallel with other jobs (no dependencies), has appropriate permissions, and implements the full scan-summarize-upload workflow as intended.

david-waltermire force-pushed the feature/trivy-scanning branch 2 times, most recently from 9fdb617 to b2bbc4e on December 30, 2025 14:44
coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (3)
.github/workflows/build.yml (3)

41-42: Fix the github.base_ref condition - critical bug.

The condition incorrectly checks github.base_ref == 'refs/heads/develop' and startsWith(github.base_ref, 'refs/heads/release/'). However, github.base_ref contains only the branch name (e.g., develop), not the full ref path. This means SARIF uploads will never work for pull requests targeting develop or release branches, breaking a key objective of this PR.

🔎 Proposed fix
  # Upload security scan SARIF results if the branch is 'develop' or 'release/*' or a pull request targeting these branches.
- UPLOAD_SCAN_SARIF: ${{ (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) || (github.event_name == 'pull_request' && (github.base_ref == 'refs/heads/develop' || startsWith(github.base_ref, 'refs/heads/release/'))) }}
+ UPLOAD_SCAN_SARIF: ${{ (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) || (github.event_name == 'pull_request' && (github.base_ref == 'develop' || startsWith(github.base_ref, 'release/'))) }}

107-107: Fix the CodeQL upload condition - critical bug.

The expression ${{ env.UPLOAD_SCAN_SARIF && 'always' || 'never' }} treats UPLOAD_SCAN_SARIF as truthy/falsy. Since UPLOAD_SCAN_SARIF is the string 'true' or 'false', and non-empty strings are truthy in GitHub Actions expressions, this will always evaluate to 'always' even when UPLOAD_SCAN_SARIF is 'false'. This means CodeQL results will always be uploaded regardless of branch or PR target.

🔎 Proposed fix
-        upload: ${{ env.UPLOAD_SCAN_SARIF && 'always' || 'never' }}
+        upload: ${{ env.UPLOAD_SCAN_SARIF == 'true' && 'always' || 'never' }}

150-158: Fix incorrect severity classification logic — Trivy SARIF uses different field mappings.

The severity variable assignments are misaligned with Trivy's SARIF level mapping:

  • level == "error" = CRITICAL (not HIGH)
  • level == "warning" = HIGH (not MEDIUM)
  • level == "note" = MEDIUM/LOW (not just LOW)

This causes the summary table to show incorrect counts: the "Critical/High" row on line 155 displays only CRITICAL results (stored in $HIGH), while actual HIGH-severity findings are shown as MEDIUM, and so on.

🔎 Proposed fix
          TOTAL=$(jq -r '.runs[0].results | length' trivy-results.sarif 2>/dev/null || echo "0")
-         HIGH=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-         MEDIUM=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-         LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+         CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+         HIGH=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+         MEDIUM_LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
          echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
          echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-         echo "| :red_circle: Critical/High | $HIGH |" >> $GITHUB_STEP_SUMMARY
-         echo "| :orange_circle: Medium | $MEDIUM |" >> $GITHUB_STEP_SUMMARY
-         echo "| :yellow_circle: Low | $LOW |" >> $GITHUB_STEP_SUMMARY
+         echo "| :red_circle: Critical | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
+         echo "| :orange_circle: High | $HIGH |" >> $GITHUB_STEP_SUMMARY
+         echo "| :yellow_circle: Medium/Low | $MEDIUM_LOW |" >> $GITHUB_STEP_SUMMARY
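Review bot: the three buckets are keyed on `.level`, but a SARIF result may omit `level` (the spec treats an absent level as "warning"), and a result with that property missing, or set to "none", matches none of the three `select` filters and so falls into no row, leaving the table short of TOTAL. Either select on `(.level // "warning")` in each count, or add a fourth row computed as `TOTAL - (CRITICAL + HIGH + MEDIUM_LOW)` so that every finding is visible in the summary.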
🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

160-161: Consider renaming ARTIFACTS to RULES for clarity.

The variable ARTIFACTS is used to count rules (line 160: '.runs[0].tool.driver.rules | length'), but the name suggests it counts build artifacts. Renaming it to RULES would improve code readability and align with the displayed message.

🔎 Proposed refactor
-         ARTIFACTS=$(jq -r '.runs[0].tool.driver.rules | length' trivy-results.sarif 2>/dev/null || echo "0")
-         echo "**Rules checked:** $ARTIFACTS" >> $GITHUB_STEP_SUMMARY
+         RULES=$(jq -r '.runs[0].tool.driver.rules | length' trivy-results.sarif 2>/dev/null || echo "0")
+         echo "**Rules checked:** $RULES" >> $GITHUB_STEP_SUMMARY
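Review bot: renaming to RULES fixes the variable name but leaves the label misleading: `.runs[0].tool.driver.rules | length` counts the rule entries in this SARIF file, and Trivy's SARIF output lists only rules that have results (one per distinct vulnerability ID), so the figure is "distinct vulnerabilities found", not "rules checked". Relabel it accordingly, or drop the line, since the severity table above it already carries the finding counts.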
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9fdb617 and b2bbc4e.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/build.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/dependabot.yml
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
🔇 Additional comments (2)
.github/workflows/build.yml (2)

109-130: CodeQL Summary implementation looks good, but note the inconsistency.

The summary step correctly uses string comparison (env.UPLOAD_SCAN_SARIF == "true") on line 126, which is the proper way to evaluate the boolean environment variable. However, line 107 uses a truthy check that will fail. Once line 107 is fixed to match this approach, the summary logic will work as intended.


171-176: LGTM - Upload step correctly implemented.

The upload step uses the correct string comparison (env.UPLOAD_SCAN_SARIF == 'true') and properly integrates with the GitHub Security tab using the trivy category to distinguish it from CodeQL results.

david-waltermire force-pushed the feature/trivy-scanning branch 2 times, most recently from 2b1d462 to ae66dfa on December 31, 2025 16:14
coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (2)
.github/workflows/build.yml (2)

41-42: Critical: The github.base_ref condition is still incorrect.

As previously flagged, github.base_ref contains only the branch name (e.g., develop), not the full ref path (e.g., refs/heads/develop). This means SARIF uploads will never work for pull requests targeting develop or release branches, which breaks a key objective of this PR.

🔎 Proposed fix
  # Upload security scan SARIF results if the branch is 'develop' or 'release/*' or a pull request targeting these branches.
-  UPLOAD_SCAN_SARIF: ${{ (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) || (github.event_name == 'pull_request' && (github.base_ref == 'refs/heads/develop' || startsWith(github.base_ref, 'refs/heads/release/'))) }}
+  UPLOAD_SCAN_SARIF: ${{ (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) || (github.event_name == 'pull_request' && (github.base_ref == 'develop' || startsWith(github.base_ref, 'release/'))) }}

107-107: Critical: The upload condition is still incorrect.

As previously flagged, the expression ${{ env.UPLOAD_SCAN_SARIF && 'always' || 'never' }} treats UPLOAD_SCAN_SARIF as truthy/falsy. Since it's set to the string 'true' or 'false', the string 'false' is truthy in JavaScript, so this will always evaluate to 'always' regardless of the branch or PR target.

🔎 Proposed fix
-        upload: ${{ env.UPLOAD_SCAN_SARIF && 'always' || 'never' }}
+        upload: ${{ env.UPLOAD_SCAN_SARIF == 'true' && 'always' || 'never' }}
🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

150-158: Consider renaming variables to match their actual severity content.

The variable names don't align with the SARIF levels they contain:

  • HIGH contains level == "error" (CRITICAL in Trivy)
  • MEDIUM contains level == "warning" (HIGH in Trivy)
  • LOW contains level == "note" (MEDIUM/LOW in Trivy)

While line 155's label "Critical/High" suggests intentional grouping, the variable naming is confusing. Consider either:

  1. Renaming variables to match SARIF levels: CRITICAL, HIGH, MEDIUM_LOW
  2. Or keeping names but adding comments explaining the mapping
🔎 Example refactor with clearer variable names
-          HIGH=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-          MEDIUM=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-          LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          HIGH=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          MEDIUM_LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
           echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
           echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| :red_circle: Critical/High | $HIGH |" >> $GITHUB_STEP_SUMMARY
-          echo "| :orange_circle: Medium | $MEDIUM |" >> $GITHUB_STEP_SUMMARY
-          echo "| :yellow_circle: Low | $LOW |" >> $GITHUB_STEP_SUMMARY
+          echo "| :red_circle: Critical | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
+          echo "| :orange_circle: High | $HIGH |" >> $GITHUB_STEP_SUMMARY
+          echo "| :yellow_circle: Medium/Low | $MEDIUM_LOW |" >> $GITHUB_STEP_SUMMARY
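Review bot: each `jq ... trivy-results.sarif 2>/dev/null || echo "0"` turns a missing or malformed report into a count of 0, so a Trivy step that never wrote its output would be summarised as a clean scan with an all-zero table. Check once, before the counts, that the file exists and parses (for example `jq -e '.runs[0]' trivy-results.sarif >/dev/null`) and fail the step or print an explicit "no report produced" line, rather than defaulting every row to zero.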
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2b1d462 and ae66dfa.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/build.yml
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Code
  • GitHub Check: Website
🔇 Additional comments (4)
.github/dependabot.yml (1)

16-21: LGTM!

The Docker ecosystem configuration is correctly structured and aligns with the PR objective to maintain container base image dependencies. The daily update schedule and "develop" target branch are consistent with existing configurations.

.github/workflows/build.yml (3)

109-130: Nice addition of CodeQL summary reporting.

The summary step provides clear visibility into scan results, rules checked, and upload status. The shell script logic correctly handles missing directories and files, and uses proper string comparison for the UPLOAD_SCAN_SARIF check.


134-176: Trivy security scan integration looks good.

The Trivy scanner is properly configured with filesystem scanning, SARIF output, and comprehensive severity coverage. The summary generation and conditional upload logic work correctly.


254-254: Good fix: Link checker conditions now properly reference step outputs.

The conditions correctly use steps.linkchecker.outputs.exit_code to reference the output from the link checker step (defined on line 235), replacing the previous approach.

Also applies to: 263-263

coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/build.yml (1)

41-42: The github.base_ref condition bug persists.

This issue was already flagged in a previous review. The condition incorrectly compares github.base_ref against full ref paths like 'refs/heads/develop', but github.base_ref only contains the branch name (e.g., 'develop'). SARIF uploads will not work for PRs targeting develop or release branches.

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

144-152: Variable names are misleading relative to Trivy's SARIF level mapping.

Based on Trivy's SARIF output, the mapping is:

  • level == "error" → CRITICAL severity
  • level == "warning" → HIGH severity
  • level == "note" → MEDIUM/LOW/UNKNOWN severity

The current variable names (HIGH, MEDIUM, LOW) don't match what they actually capture. While the display label "Critical/High" on line 149 partially addresses this, $HIGH only contains CRITICAL results, and actual HIGH-severity findings are counted in $MEDIUM.

🔎 Proposed fix for clarity
-          HIGH=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-          MEDIUM=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-          LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          HIGH=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          MEDIUM_LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
           echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
           echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| :red_circle: Critical/High | $HIGH |" >> $GITHUB_STEP_SUMMARY
-          echo "| :orange_circle: Medium | $MEDIUM |" >> $GITHUB_STEP_SUMMARY
-          echo "| :yellow_circle: Low | $LOW |" >> $GITHUB_STEP_SUMMARY
+          echo "| :red_circle: Critical | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
+          echo "| :orange_circle: High | $HIGH |" >> $GITHUB_STEP_SUMMARY
+          echo "| :yellow_circle: Medium/Low | $MEDIUM_LOW |" >> $GITHUB_STEP_SUMMARY
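Review bot: the renamed MEDIUM_LOW bucket and its "Medium/Low" label still hide UNKNOWN, which the mapping stated above says also lands on `level == "note"`; either label the row "Medium/Low/Unknown" or keep UNKNOWN as its own row so the table matches the severities the scan was configured to report. Separately, every count in this hunk ends in `2>/dev/null || echo "0"`, so a missing or malformed trivy-results.sarif (for example when the scan step itself failed) is summarised as zero findings and reads like a clean scan; a `test -f trivy-results.sarif` guard that writes an explicit "no results file" row would keep that failure visible.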
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 743db8d and 862e707.

📒 Files selected for processing (1)
  • .github/workflows/build.yml
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
🔇 Additional comments (4)
.github/workflows/build.yml (4)

107-124: Clean separation of CodeQL analysis and upload.

The refactored approach correctly separates the analysis (with upload: 'never') from the conditional upload step (lines 165-170). The summary logic properly handles missing directories and files with fallback values.


165-176: SARIF upload steps use correct string comparison.

The conditions properly use env.UPLOAD_SCAN_SARIF == 'true' for string comparison. The implementation correctly separates CodeQL and Trivy uploads with distinct categories.

Note: These steps will only work correctly once the github.base_ref bug on line 42 is fixed.


247-270: Link Checker Summary provides good visibility.

The summary step correctly handles the case where no report exists and extracts error counts safely. The collapsible details section for broken links is a nice UX touch.


277-287: Correct use of step outputs for link checker exit code.

The conditions properly reference steps.linkchecker.outputs.exit_code from the lychee-action step. This is the idiomatic way to access step outputs in GitHub Actions.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/build.yml (2)

109-124: Consider specifying the exact SARIF file in the summary.

The loop processes all *.sarif files in the codeql-results directory, but the upload step specifically references codeql-results/java.sarif. If CodeQL generates multiple SARIF files, the summary might aggregate results across all files while only one is uploaded.

🔎 Proposed refinement to match the uploaded file
-        if [ -d "codeql-results" ]; then
-          for sarif in codeql-results/*.sarif; do
-            if [ -f "$sarif" ]; then
-              RESULTS=$(jq -r '.runs[0].results | length' "$sarif" 2>/dev/null || echo "0")
-              RULES=$(jq -r '.runs[0].tool.driver.rules | length' "$sarif" 2>/dev/null || echo "0")
-              echo "- **Results found:** $RESULTS" >> $GITHUB_STEP_SUMMARY
-              echo "- **Rules checked:** $RULES" >> $GITHUB_STEP_SUMMARY
-            fi
-          done
+        if [ -f "codeql-results/java.sarif" ]; then
+          RESULTS=$(jq -r '.runs[0].results | length' "codeql-results/java.sarif" 2>/dev/null || echo "0")
+          RULES=$(jq -r '.runs[0].tool.driver.rules | length' "codeql-results/java.sarif" 2>/dev/null || echo "0")
+          echo "- **Results found:** $RESULTS" >> $GITHUB_STEP_SUMMARY
+          echo "- **Rules checked:** $RULES" >> $GITHUB_STEP_SUMMARY
         else
           echo "No CodeQL results directory found." >> $GITHUB_STEP_SUMMARY
         fi
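Review bot: the `else` branch on the unchanged context line still prints "No CodeQL results directory found.", but the condition now tests for the single file `codeql-results/java.sarif`, so a present directory whose SARIF file is absent or named differently is reported as a missing directory; change the message to name the file (for example "No codeql-results/java.sarif found."). The `2>/dev/null || echo "0"` fallbacks on the RESULTS and RULES lines also turn an unparseable file into "0 results", so consider emitting an explicit warning row, or failing the step, when jq cannot parse the file.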

128-165: LGTM! Trivy scanning correctly configured with accurate severity mapping.

The Trivy action is properly configured for filesystem scanning with all severity levels, and the summary correctly maps SARIF levels (error → CRITICAL, warning → HIGH, note → MEDIUM/LOW) as per Trivy's SARIF template.

Optional refinement: Consider whether MEDIUM and LOW severities should be reported separately in the summary table. Trivy groups them both as level == "note", but you could filter by properties.severity if the original Trivy severity strings are needed for separate reporting.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 862e707 and d3a0040.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .lycheeignore
✅ Files skipped from review due to trivial changes (1)
  • .lycheeignore
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Website
  • GitHub Check: Code
🔇 Additional comments (6)
.github/workflows/build.yml (6)

41-42: LGTM! The SARIF upload condition is now correct.

The github.base_ref checks have been fixed to compare against branch names without the refs/heads/ prefix, which correctly handles pull request targeting logic.


107-108: LGTM! CodeQL analysis correctly configured.

The analyze step now outputs results to a directory with upload disabled, allowing the separate conditional upload step to handle SARIF uploads based on UPLOAD_SCAN_SARIF.


166-177: LGTM! SARIF upload steps correctly configured.

Both CodeQL and Trivy uploads use proper string comparison for the conditional (env.UPLOAD_SCAN_SARIF == 'true') and have distinct categories to prevent conflicts in the Security tab.


248-271: LGTM! Link checker summary provides excellent visibility.

The summary step correctly parses the link check report, counts errors, and displays broken links in a collapsible section. The if: always() condition ensures the summary is generated even when the link checker fails.


279-279: LGTM! Condition correctly references linkchecker output.

The condition properly uses steps.linkchecker.outputs.exit_code to detect link check failures, which works correctly with the continue-on-error: true setting on the linkchecker step.


288-288: LGTM! Fail condition correctly implemented.

The condition properly checks the linkchecker exit code and respects the INPUT_FAIL_ON_ERROR environment variable to control whether link check failures should fail the workflow.
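Both the severity-bucketing nitpick in the first review above and the "accurate severity mapping" comment in the second discuss counting Trivy findings by SARIF `level`. The following Python script is an added example, not code from this PR, from the metaschema-java project or from Trivy. It shows the alternative a practitioner would want: join each result to its rule and count by the scanner's own severity string, so CRITICAL, HIGH, MEDIUM, LOW and UNKNOWN are never merged into a shared level, and treat a missing or unparseable results file as an error rather than as zero findings. The SARIF document is constructed, its rule ids are placeholders, and the assumption that Trivy records the severity as a tag in the rule's `properties.tags` (and the `level` values used here, which follow the mapping stated in the review) should be checked against a real trivy-results.sarif before relying on it.

```python
"""Summarise Trivy SARIF findings by the scanner's own severity, not by SARIF level."""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample, not real scanner output; rule ids are placeholders.
# Assumption: the scanner tags each rule with its severity string in
# properties.tags and sets the SARIF `level` per result. The level values
# below follow the error/warning/note mapping stated in the review and
# should be verified against a real trivy-results.sarif.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "EXAMPLE-1", "properties": {"tags": ["vulnerability", "security", "CRITICAL"]}},
            {"id": "EXAMPLE-2", "properties": {"tags": ["vulnerability", "security", "HIGH"]}},
            {"id": "EXAMPLE-3", "properties": {"tags": ["vulnerability", "security", "MEDIUM"]}},
            {"id": "EXAMPLE-4", "properties": {"tags": ["vulnerability", "security", "LOW"]}},
            # A rule with no severity tag at all, to exercise the fallback.
            {"id": "EXAMPLE-5", "properties": {"tags": ["misconfiguration", "security"]}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-1", "level": "error", "message": {"text": "constructed"}},
            {"ruleId": "EXAMPLE-1", "level": "error", "message": {"text": "constructed"}},
            {"ruleId": "EXAMPLE-2", "level": "warning", "message": {"text": "constructed"}},
            {"ruleId": "EXAMPLE-3", "level": "note", "message": {"text": "constructed"}},
            {"ruleId": "EXAMPLE-3", "level": "note", "message": {"text": "constructed"}},
            {"ruleId": "EXAMPLE-4", "level": "note", "message": {"text": "constructed"}},
            {"ruleId": "EXAMPLE-5", "level": "note", "message": {"text": "constructed"}},
        ],
    }],
}


def rule_severity(rule):
    """Return the severity tag found on a SARIF rule, or UNKNOWN if none is present."""
    for tag in rule.get("properties", {}).get("tags", []):
        if tag in SEVERITIES:
            return tag
    return "UNKNOWN"


def count_by_level(sarif):
    """What the workflow's jq one-liners do: bucket results by SARIF level only.

    Severities that share a level (e.g. everything mapped to "note") collapse
    into one number here; this is kept for comparison with count_by_severity.
    """
    counts = Counter()
    for run in sarif.get("runs", []):          # all runs, not just .runs[0]
        for result in run.get("results", []):
            counts[result.get("level", "none")] += 1
    return dict(counts)


def count_by_severity(sarif):
    """Join each result to its rule by ruleId and count by the scanner's severity."""
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            counts[rule_severity(rule)] += 1
    return dict(counts)


def render_summary(counts):
    """Markdown table for $GITHUB_STEP_SUMMARY, one row per severity, UNKNOWN included."""
    rows = ["| Severity | Count |", "|----------|-------|"]
    rows += [f"| {sev} | {counts.get(sev, 0)} |" for sev in SEVERITIES]
    return "\n".join(rows)


def summarize_file(path):
    """Count severities from a SARIF file on disk.

    A missing file raises FileNotFoundError and a malformed one raises
    ValueError (json.JSONDecodeError), instead of being reported as zero
    findings, so a scan that never produced output cannot masquerade as a
    clean run in the step summary.
    """
    with open(path, "r", encoding="utf-8") as fh:
        return count_by_severity(json.load(fh))


if __name__ == "__main__":
    print("by level:   ", count_by_level(SAMPLE_SARIF))
    print("by severity:", count_by_severity(SAMPLE_SARIF))
    print(render_summary(count_by_severity(SAMPLE_SARIF)))
```

In a workflow step this would replace the three jq one-liners: call `summarize_file("trivy-results.sarif")`, append `render_summary()` to `$GITHUB_STEP_SUMMARY`, and let the step fail when the file is absent rather than printing a table of zeros.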

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
databind/pom-bootstrap-config.xml (1)

31-130: Missing license header file cc0-dedication.txt — build will fail

The license-maven-plugin configuration references cc0-dedication.txt as the header file (line ~105), but this file does not exist in the repository. The build will fail when the plugin attempts to apply the license headers during the generate-sources phase.

Create the cc0-dedication.txt file in a location where the license-maven-plugin can find it, or update the <header> path to reference an existing license header file. This same issue exists in databind/pom-bootstrap-model.xml and metaschema-testing/pom-bootstrap.xml.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d3a0040 and fb8e7c6.

📒 Files selected for processing (58)
  • .github/workflows/build.yml
  • databind/pom-bootstrap-config.xml
  • databind/pom-bootstrap-model.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindingsModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyModel.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintValueEnum.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagIndexHasKey.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonKey.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonValueKeyFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/METASCHEMA.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathNamespace.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetaConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetapath.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Property.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexHasKeyConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/UseName.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • metaschema-testing/pom-bootstrap.xml
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/ValidationCase.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/package-info.java
✅ Files skipped from review due to trivial changes (25)
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/ValidationCase.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Property.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindingsModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetaConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagIndexHasKey.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexHasKeyConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonValueKeyFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonKey.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyReference.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyModel.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetapath.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/UseName.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathNamespace.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintValueEnum.java
🧰 Additional context used
📓 Path-based instructions (1)
**/*.java

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.java: All code changes must follow the Javadoc style guide (docs/javadoc-style-guide.md). New code requires 100% Javadoc coverage on public/protected members. Modified code must add/update Javadoc on any members touched. All Javadoc must include @param, @return, @throws tags in the correct order (BLOCKING)
Java target version must be Java 11. Use SpotBugs annotations (@nonnull, @nullable) for null safety in code.
Follow package naming convention gov.nist.secauto.metaschema.* for all Java packages
Follow Test-Driven Development (TDD) principles: write tests first before implementing functionality, verify tests fail with current implementation, implement minimal code to pass tests, then refactor while keeping tests green

Files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
🧠 Learnings (20)
📚 Learning: 2025-12-24T21:21:40.208Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/csrc/ns/metaschema/test_suite/_1_0/Metaschema.java:41-47
Timestamp: 2025-12-24T21:21:40.208Z
Learning: In metaschema-framework/metaschema-java, generated binding classes in package gov.nist.csrc.ns.metaschema.test_suite._1_0 (and similar generated binding packages) are pre-generated by metaschema-maven-plugin and checked into source control. Javadoc coverage issues in these generated classes should be tracked as code generator improvements rather than file-level issues, and improvements are deferred to generator enhancements.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/pom-bootstrap-model.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • metaschema-testing/pom-bootstrap.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • databind/pom-bootstrap-config.xml
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
📚 Learning: 2025-12-24T21:22:07.082Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java:74-80
Timestamp: 2025-12-24T21:22:07.082Z
Learning: Files in the package gov.nist.secauto.metaschema.model.testing.testsuite in metaschema-testing are generated binding classes created from Metaschema definitions. Documentation and style improvements for these files should be made at the code generator level (metaschema-maven-plugin) rather than by manually editing the generated code.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/pom-bootstrap-model.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • metaschema-testing/pom-bootstrap.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • databind/pom-bootstrap-config.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
📚 Learning: 2025-12-24T21:21:56.361Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java:41-47
Timestamp: 2025-12-24T21:21:56.361Z
Learning: In metaschema-testing, generated binding classes under gov.nist.secauto.metaschema.model.testing.testsuite are produced by metaschema-maven-plugin from YAML metaschema definitions. Javadoc issues in these generated classes should not be flagged for manual fixes; improvements are tracked and handled through code generator enhancements rather than manual edits to the generated source.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/pom-bootstrap-model.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • metaschema-testing/pom-bootstrap.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • databind/pom-bootstrap-config.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
📚 Learning: 2025-12-30T04:19:41.802Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 605
File: databind/src/main/java/gov/nist/secauto/metaschema/databind/codegen/typeinfo/DefaultMetaschemaClassFactory.java:480-484
Timestamp: 2025-12-30T04:19:41.802Z
Learning: In metaschema-framework/metaschema-java, when users configure custom superinterfaces via binding configuration, david-waltermire prefers both documentation (explaining how to add dependencies to the Maven plugin) and validation mechanisms (warnings when classes aren't on classpath) to prevent redundant IBoundObject interface additions during code generation.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/pom-bootstrap-model.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • metaschema-testing/pom-bootstrap.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • databind/pom-bootstrap-config.xml
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
📚 Learning: 2025-12-19T04:01:37.408Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 550
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/format/JsonPointerFormatter.java:56-100
Timestamp: 2025-12-19T04:01:37.408Z
Learning: When overriding Java interface methods, rely on inherited Javadoc from the interface. Do not duplicate documentation in the implementing class unless there is implementation-specific behavior that warrants additional notes beyond the interface contract.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
📚 Learning: 2025-12-27T16:52:04.509Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 590
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/DynamicContext.java:482-492
Timestamp: 2025-12-27T16:52:04.509Z
Learning: In Java, UncheckedIOException.getCause() is declared to return IOException. In methods that declare throws IOException, you can rethrow the underlying cause with throw e.getCause() where e is an UncheckedIOException, without a cast. Ensure the surrounding method signature includes throws IOException. This does not apply to other unchecked exceptions; verify that e is actually an UncheckedIOException before using this pattern.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
📚 Learning: 2025-12-24T21:21:59.692Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java:74-80
Timestamp: 2025-12-24T21:21:59.692Z
Learning: Do not manually edit generated binding classes produced from Metaschema definitions (e.g., in metaschema-testing's testing suite). Document and style improvements should be made at the code generator level (metaschema-maven-plugin) so that generated code remains consistent and regenerable. If you need to fix issues, adjust the generator templates or generation process rather than editing the generated .java files directly.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
📚 Learning: 2025-12-24T21:21:52.756Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java:41-47
Timestamp: 2025-12-24T21:21:52.756Z
Learning: In metaschema-testing, generated binding classes under gov.nist.secauto.metaschema.model.testing.testsuite are produced by the metaschema-maven-plugin. Do not flag Javadoc issues in these generated classes for manual fixes; improvements should be tracked and implemented via code generator enhancements. Treat such issues as generator-related and avoid edits to generated source unless regenerating.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
📚 Learning: 2025-12-30T04:37:04.935Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 0
File: :0-0
Timestamp: 2025-12-30T04:37:04.935Z
Learning: In metaschema-framework/metaschema-java, assert statements on loop variables (e.g., `assert item != null;`) are intentionally kept to satisfy Eclipse's null-safety analysis when the list elements have a `NonNull` contract, ensuring static analysis tools recognize the non-null guarantee for subsequent method calls.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: Applies to core/metaschema/schema/xml/** : XMLBeans code is generated from XSD schemas in core/metaschema/schema/xml during Maven build. Generated sources are placed in target/generated-sources/

Applied to files:

  • databind/pom-bootstrap-model.xml
  • metaschema-testing/pom-bootstrap.xml
  • databind/pom-bootstrap-config.xml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: Applies to **/*.{xmlbeans,antlr} : Generated code in *.xmlbeans and *.antlr packages is excluded from Javadoc and style checks. Generated sources are placed in target/generated-sources/

Applied to files:

  • databind/pom-bootstrap-model.xml
  • metaschema-testing/pom-bootstrap.xml
  • databind/pom-bootstrap-config.xml
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All changes require PR review with CODEOWNERS enforcement

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: Applies to **/*.java : Follow package naming convention gov.nist.secauto.metaschema.* for all Java packages

Applied to files:

  • databind/pom-bootstrap-config.xml
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
📚 Learning: 2024-11-14T17:07:03.586Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 245
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/atomic/IIPv4AddressItem.java:66-73
Timestamp: 2024-11-14T17:07:03.586Z
Learning: In the Metaschema Java codebase, differences in casting patterns across atomic type implementations are intentional and required; any differences in approach are significant and necessary.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
📚 Learning: 2025-12-30T19:01:22.713Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 605
File: databind/src/main/java/gov/nist/secauto/metaschema/databind/codegen/typeinfo/DefaultMetaschemaClassFactory.java:508-512
Timestamp: 2025-12-30T19:01:22.713Z
Learning: DefaultMetaschemaClassFactory.extendsIBoundObject logs a warning when a configured superinterface cannot be loaded from the classpath during code generation, advising users to add the class as a Maven plugin dependency to avoid redundant IBoundObject additions.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
📚 Learning: 2024-11-14T17:09:05.819Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 245
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/atomic/INonNegativeIntegerItem.java:116-124
Timestamp: 2024-11-14T17:09:05.819Z
Learning: In the interface `INonNegativeIntegerItem` (file `core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/atomic/INonNegativeIntegerItem.java`), the casting logic in the `cast` method is intentionally designed this way due to earlier discrepancies.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
📚 Learning: 2025-12-30T19:08:14.869Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 605
File: src/site/markdown/index.md.vm:3-3
Timestamp: 2025-12-30T19:08:14.869Z
Learning: In the metaschema-framework/metaschema-java repository, https://framework.metaschema.dev/ is the project's preferred and canonical documentation URL for the Metaschema framework. While https://pages.nist.gov/metaschema/ is an alternative, the project uses framework.metaschema.dev as the official reference in documentation and should not be changed to pages.nist.gov URLs.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
🧬 Code graph analysis (16)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java (4)
databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java (1)
  • MetaschemaField (1397-1485)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintValueEnum.java (1)
  • MetaschemaField (24-131)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/UseName.java (1)
  • MetaschemaField (25-112)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/METASCHEMA.java (1)
  • MetaschemaField (1164-1251)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Website
  • GitHub Check: Code

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

109-127: Consider including filename in multi-file summary output.

The summary loop processes all SARIF files but doesn't identify which file each result belongs to. For the expected single java.sarif case this is fine, but if multiple SARIF files are ever present, the output would be ambiguous.

🔎 Optional enhancement to show filename
           for sarif in codeql-results/*.sarif; do
             if [ -f "$sarif" ]; then
+              echo "### $(basename "$sarif")" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
               RESULTS=$(jq -r '.runs[0].results | length' "$sarif" 2>/dev/null || echo "0")
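Review bot: the `|| echo "0"` fallback on the `RESULTS=` line turns a jq parse failure (or a missing `jq` binary, since stderr is discarded) into a reported count of zero, so a corrupted SARIF file shows up in the summary as a clean scan; capture jq's exit status separately and emit a distinct "could not parse" line for that file instead of `0`. Minor: `>> $GITHUB_STEP_SUMMARY` should be quoted (`>> "$GITHUB_STEP_SUMMARY"`) for consistency with the quoted `"$sarif"`.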
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70f431b and 5f2331b.

📒 Files selected for processing (1)
  • .github/workflows/build.yml
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All changes require PR review with CODEOWNERS enforcement

Applied to files:

  • .github/workflows/build.yml
🔇 Additional comments (7)
.github/workflows/build.yml (7)

41-42: LGTM! SARIF upload gating correctly implemented.

The unified UPLOAD_SCAN_SARIF variable correctly gates both CodeQL and Trivy SARIF uploads. The condition properly distinguishes between github.ref (uses full ref path) and github.base_ref (uses short branch name) per the fix from past reviews.


107-108: LGTM! CodeQL analysis correctly configured for deferred upload.

The upload: 'never' setting combined with the output directory allows SARIF results to be processed and summarized before conditional upload. This approach correctly addresses the past issue with string-based boolean evaluation.


131-166: LGTM! Trivy security scanning correctly configured and integrated.

The Trivy scan configuration is appropriate:

  • Filesystem scan covers all project dependencies
  • All severity levels included per PR objectives
  • Submodule and build artifacts correctly excluded via skip-dirs
  • SARIF level mappings correctly match Trivy's output format (error=CRITICAL, warning=HIGH, note=MEDIUM/LOW)

The summary provides clear visibility into security scan results with proper gating based on branch/PR target.


167-178: LGTM! SARIF upload steps correctly implemented with proper gating.

Both CodeQL and Trivy SARIF uploads use explicit env.UPLOAD_SCAN_SARIF == 'true' comparison, correctly addressing the past issue with string-based boolean evaluation. File paths align with the output locations, and distinct categories prevent conflicts in the GitHub Security tab.


249-272: LGTM! Link checker summary provides clear visibility into link validation results.

The summary block correctly uses if: always() to run even when link checking fails, and provides a well-formatted breakdown of broken links with appropriate collapsible sections for error details.


280-280: LGTM! Link checker exit code properly referenced.

The condition correctly uses steps.linkchecker.outputs.exit_code to detect broken links, providing explicit and clear control flow for issue creation.


289-289: LGTM! Link checker failure handling correctly implemented.

The condition properly uses steps.linkchecker.outputs.exit_code to determine when to fail the workflow, ensuring consistent behavior with the issue creation logic.
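
Added example, not part of the PR or the project's workflow: a stdlib-only Python version of the SARIF summary logic the review comments above describe (one heading per file, a result count, and a severity table using the Trivy level mapping error=CRITICAL, warning=HIGH, note=MEDIUM/LOW), with the empty-directory and unparseable-file cases handled explicitly rather than read as zero results. The file names, rule id and sample documents are constructed for the demo.

```python
"""Summarize SARIF scan output for a GitHub Actions step summary.

Added example; not the project's workflow code. Stdlib only, so it runs
without jq. The level-to-severity table is the Trivy mapping quoted in the
review; everything else (names, sample data) is constructed for this demo.
"""
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Trivy's SARIF level mapping as described in the review comments.
LEVEL_TO_SEVERITY = {"error": "CRITICAL", "warning": "HIGH", "note": "MEDIUM/LOW"}
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM/LOW"]


def summarize_sarif(text: str) -> Tuple[int, Dict[str, int]]:
    """Return (total results, {severity: count}) for one SARIF document.

    Null or missing `.runs` / `.results` count as zero instead of raising
    (the null safety the commit message adds to the jq queries). A result
    with no `level` takes its rule's defaultConfiguration level, then the
    SARIF default of "warning", so no finding is dropped from the table.
    Raises ValueError on malformed JSON so callers can report it.
    """
    doc = json.loads(text)
    total = 0
    counts: Dict[str, int] = {}
    for run in doc.get("runs") or []:
        driver = (run.get("tool") or {}).get("driver") or {}
        rule_levels = {
            rule.get("id"): (rule.get("defaultConfiguration") or {}).get("level")
            for rule in driver.get("rules") or []
        }
        for result in run.get("results") or []:
            total += 1
            level = result.get("level") or rule_levels.get(result.get("ruleId")) or "warning"
            label = LEVEL_TO_SEVERITY.get(level, str(level).upper())
            counts[label] = counts.get(label, 0) + 1
    return total, counts


def render_summary(title: str, documents: Iterable[Tuple[str, str]]) -> str:
    """Render Markdown like the text appended to $GITHUB_STEP_SUMMARY.

    `documents` is (file name, raw SARIF text). Each file gets its own
    heading so a multi-file directory stays unambiguous, and a file that
    fails to parse is reported as such rather than counted as zero results.
    """
    lines: List[str] = [f"## {title}", ""]
    docs = list(documents)
    if not docs:  # an empty list here, unlike a shell glob without nullglob
        lines.append("No SARIF files found.")
        return "\n".join(lines) + "\n"
    for name, text in docs:
        lines += [f"### {name}", ""]
        try:
            total, counts = summarize_sarif(text)
        except ValueError as exc:
            lines += [f":warning: could not parse `{name}`: {exc}", ""]
            continue
        lines += [f"Results: **{total}**", "", "| Severity | Count |", "|----------|-------|"]

        def order(label: str) -> Tuple[int, str]:
            rank = SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else len(SEVERITY_ORDER)
            return rank, label

        for label in sorted(counts, key=order):
            lines.append(f"| {label} | {counts[label]} |")
        lines.append("")
    return "\n".join(lines)


# Constructed sample: three findings, the last inheriting its level from the rule.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "RULE-PLACEHOLDER-0001", "defaultConfiguration": {"level": "note"}}]}},
        "results": [
            {"ruleId": "RULE-PLACEHOLDER-0001", "level": "error", "message": {"text": "constructed"}},
            {"ruleId": "RULE-PLACEHOLDER-0001", "level": "warning", "message": {"text": "constructed"}},
            {"ruleId": "RULE-PLACEHOLDER-0001", "message": {"text": "constructed, level from rule"}},
        ],
    }],
})


def load_directory(results_dir: Path) -> List[Tuple[str, str]]:
    """Read every *.sarif in a directory, as the workflow's summary loop does."""
    return [(p.name, p.read_text(encoding="utf-8")) for p in sorted(results_dir.glob("*.sarif"))]


def main() -> None:
    # Stand-in for the results directory the workflow's summary step would read.
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        (out / "trivy.sarif").write_text(SAMPLE_SARIF, encoding="utf-8")
        (out / "broken.sarif").write_text("{not json", encoding="utf-8")
        sys.stdout.write(render_summary("Trivy Security Scan Results", load_directory(out)))


if __name__ == "__main__":
    main()
```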

Add Trivy filesystem vulnerability scanner to the build workflow with
GitHub Security integration. Includes comprehensive job summaries for
security scans and link checking.

Security Scanning:
- Add Trivy vulnerability scanning at all severity levels (SARIF output)
- Upload Trivy and CodeQL results to GitHub Security tab for
  develop/release branches and PRs targeting them
- Configure skip-dirs to exclude submodule (core/metaschema) and IT dirs
- Add Docker ecosystem to dependabot for container updates

Job Summaries:
- Add CodeQL summary with results count and rules checked
- Add Trivy summary with severity breakdown table
- Add Link Checker summary with collapsible broken links details

Build Fixes:
- Exclude package-info.java from PMD to match JXR behavior (JXR
  explicitly excludes these, causing broken xref links in PMD reports)
- Add license and formatter plugins to bootstrap POMs
- Regenerate binding classes with proper license headers

Configuration:
- Fix github.base_ref condition (remove refs/heads/ prefix)
- Add null safety to SARIF jq queries
- Add flaky GNU classpath license URL to lychee ignore list

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build.yml (1)

279-287: Incorrect file path for issue content.

The Create issue if bad links detected step references ./lychee/out.md but the Link Checker step (line 243) outputs to html-link-report.md. This mismatch means the created issue will either fail or have incorrect content.

🔎 Proposed fix
     - name: Create issue if bad links detected
       if: ${{ !cancelled() && steps.linkchecker.outputs.exit_code != 0 && env.INPUT_ISSUE_ON_ERROR == 'true' }}
       uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710
       with:
         title: Scheduled Check of Website Content Found Bad Hyperlinks
-        content-filepath: ./lychee/out.md
+        content-filepath: ./html-link-report.md
         labels: |
           bug
           documentation
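Review bot: the corrected `content-filepath: ./html-link-report.md` only stays correct while the Link Checker step keeps writing to that exact name; define the report path once as a workflow `env` value and reference it from both the lychee output argument and this step so the two cannot drift apart again. Since the step runs under `!cancelled()`, also consider guarding on the report actually existing (for example `hashFiles('html-link-report.md') != ''`) so a link-checker crash that produced no file does not turn into a second failure here.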
🧹 Nitpick comments (2)
.github/workflows/build.yml (2)

109-127: Consider handling empty glob pattern gracefully.

The loop for sarif in codeql-results/*.sarif may iterate once with the literal pattern if no .sarif files exist (depending on shell options). While the inner [ -f "$sarif" ] check handles this, adding shopt -s nullglob would be cleaner.

🔎 Proposed improvement
     - name: CodeQL Summary
       run: |
         echo "## CodeQL Security Scan Results" >> $GITHUB_STEP_SUMMARY
         echo "" >> $GITHUB_STEP_SUMMARY
         if [ -d "codeql-results" ]; then
+          shopt -s nullglob
           for sarif in codeql-results/*.sarif; do
             if [ -f "$sarif" ]; then
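Review bot: `shopt -s nullglob` on the added line is bash-specific, so the step should declare `shell: bash` explicitly rather than rely on the runner default. With nullglob in effect the inner `if [ -f "$sarif" ]` guard becomes redundant; keep one mechanism or the other. The redirections should also quote the target, `>> "$GITHUB_STEP_SUMMARY"`, for consistency with the quoted `"$sarif"` on the line below.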

167-172: Consider using a glob pattern for CodeQL SARIF file to match the approach in the CodeQL Summary step.

The hardcoded codeql-results/java.sarif filename is correct for the current Java-only configuration. However, the CodeQL Summary step above (line 114) uses a more robust glob pattern (codeql-results/*.sarif) to discover SARIF files dynamically. For consistency and future-proofing, the upload step should follow the same pattern or use a shell script to locate the file rather than hardcoding the language-specific filename.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f2331b and 1661134.

📒 Files selected for processing (61)
  • .github/dependabot.yml
  • .github/workflows/build.yml
  • .lycheeignore
  • databind/pom-bootstrap-config.xml
  • databind/pom-bootstrap-model.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindingsModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyModel.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintValueEnum.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagIndexHasKey.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonKey.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonValueKeyFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/METASCHEMA.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathNamespace.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetaConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetapath.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Property.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexHasKeyConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/UseName.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • metaschema-testing/pom-bootstrap.xml
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/ValidationCase.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/package-info.java
  • pom.xml
✅ Files skipped from review due to trivial changes (5)
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonValueKeyFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindingsModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagMatches.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReport.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestCollection.java
🚧 Files skipped from review as they are similar to previous changes (35)
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineFlag.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetaConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagIndexHasKey.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaMetapath.java
  • .lycheeignore
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexHasKeyConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/UseName.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Any.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/MetaschemaTestSuiteModule.java
  • databind/pom-bootstrap-config.xml
  • .github/dependabot.yml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedReportConstraint.java
  • databind/pom-bootstrap-model.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagAllowedValues.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/JsonKey.java
  • metaschema-testing/pom-bootstrap.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineAssembly.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Property.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/ValidationCase.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/GroupingAs.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Remarks.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagExpect.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintLetExpression.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FieldConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/ConstraintValueEnum.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModelModule.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedHasCardinalityConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathNamespace.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/AssemblyModel.java
🧰 Additional context used
📓 Path-based instructions (1)
**/*.java

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.java: All code changes must follow the Javadoc style guide (docs/javadoc-style-guide.md). New code requires 100% Javadoc coverage on public/protected members. Modified code must add/update Javadoc on any members touched. All Javadoc must include @param, @return, @throws tags in the correct order (BLOCKING)
Java target version must be Java 11. Use SpotBugs annotations (@nonnull, @nullable) for null safety in code.
Follow package naming convention gov.nist.secauto.metaschema.* for all Java packages
Follow Test-Driven Development (TDD) principles: write tests first before implementing functionality, verify tests fail with current implementation, implement minimal code to pass tests, then refactor while keeping tests green

Files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
🧠 Learnings (21)
📚 Learning: 2025-12-24T21:21:56.361Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java:41-47
Timestamp: 2025-12-24T21:21:56.361Z
Learning: In metaschema-testing, generated binding classes under gov.nist.secauto.metaschema.model.testing.testsuite are produced by metaschema-maven-plugin from YAML metaschema definitions. Javadoc issues in these generated classes should not be flagged for manual fixes; improvements are tracked and handled through code generator enhancements rather than manual edits to the generated source.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
📚 Learning: 2025-12-24T21:21:40.208Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/csrc/ns/metaschema/test_suite/_1_0/Metaschema.java:41-47
Timestamp: 2025-12-24T21:21:40.208Z
Learning: In metaschema-framework/metaschema-java, generated binding classes in package gov.nist.csrc.ns.metaschema.test_suite._1_0 (and similar generated binding packages) are pre-generated by metaschema-maven-plugin and checked into source control. Javadoc coverage issues in these generated classes should be tracked as code generator improvements rather than file-level issues, and improvements are deferred to generator enhancements.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • pom.xml
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
📚 Learning: 2025-12-30T04:19:41.802Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 605
File: databind/src/main/java/gov/nist/secauto/metaschema/databind/codegen/typeinfo/DefaultMetaschemaClassFactory.java:480-484
Timestamp: 2025-12-30T04:19:41.802Z
Learning: In metaschema-framework/metaschema-java, when users configure custom superinterfaces via binding configuration, david-waltermire prefers both documentation (explaining how to add dependencies to the Maven plugin) and validation mechanisms (warnings when classes aren't on classpath) to prevent redundant IBoundObject interface additions during code generation.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
📚 Learning: 2025-12-24T21:22:07.082Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java:74-80
Timestamp: 2025-12-24T21:22:07.082Z
Learning: Files in the package gov.nist.secauto.metaschema.model.testing.testsuite in metaschema-testing are generated binding classes created from Metaschema definitions. Documentation and style improvements for these files should be made at the code generator level (metaschema-maven-plugin) rather than by manually editing the generated code.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
📚 Learning: 2025-12-19T04:01:37.408Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 550
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/format/JsonPointerFormatter.java:56-100
Timestamp: 2025-12-19T04:01:37.408Z
Learning: When overriding Java interface methods, rely on inherited Javadoc from the interface. Do not duplicate documentation in the implementing class unless there is implementation-specific behavior that warrants additional notes beyond the interface contract.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
📚 Learning: 2025-12-27T16:52:04.509Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 590
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/DynamicContext.java:482-492
Timestamp: 2025-12-27T16:52:04.509Z
Learning: In Java, UncheckedIOException.getCause() is declared to return IOException. In methods that declare throws IOException, you can rethrow the underlying cause with throw e.getCause() where e is an UncheckedIOException, without a cast. Ensure the surrounding method signature includes throws IOException. This does not apply to other unchecked exceptions; verify that e is actually an UncheckedIOException before using this pattern.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: Applies to **/*.{xmlbeans,antlr} : Generated code in *.xmlbeans and *.antlr packages is excluded from Javadoc and style checks. Generated sources are placed in target/generated-sources/

Applied to files:

  • pom.xml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: Use SpotBugs, PMD, Checkstyle, and Jacoco for static analysis. Project enforces Checkstyle code style, PMD source analysis (fails on priority 2+ violations), SpotBugs bug detection (with spotbugs-exclude.xml exclusions), and Jacoco code coverage (target: 60% coverage)

Applied to files:

  • pom.xml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: Applies to **/metapath/**/*.java : Metapath is an implementation of XPath 3.1. Use the XPath 3.1 specification (https://www.w3.org/TR/xpath-31/) and XPath Functions 3.1 (https://www.w3.org/TR/xpath-functions-31/) as authoritative reference when implementing new functions, fixing bugs, or understanding error handling. Raise clarification before making changes if implementation differs from spec.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java
📚 Learning: 2025-12-24T21:21:59.692Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerationCase.java:74-80
Timestamp: 2025-12-24T21:21:59.692Z
Learning: Do not manually edit generated binding classes produced from Metaschema definitions (e.g., in metaschema-testing's testing suite). Document and style improvements should be made at the code generator level (metaschema-maven-plugin) so that generated code remains consistent and regenerable. If you need to fix issues, adjust the generator templates or generation process rather than editing the generated .java files directly.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
📚 Learning: 2025-12-24T21:21:52.756Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 567
File: metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/Metaschema.java:41-47
Timestamp: 2025-12-24T21:21:52.756Z
Learning: In metaschema-testing, generated binding classes under gov.nist.secauto.metaschema.model.testing.testsuite are produced by the metaschema-maven-plugin. Do not flag Javadoc issues in these generated classes for manual fixes; improvements should be tracked and implemented via code generator enhancements. Treat such issues as generator-related and avoid edits to generated source unless regenerating.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
📚 Learning: 2025-12-30T04:37:04.935Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 0
File: :0-0
Timestamp: 2025-12-30T04:37:04.935Z
Learning: In metaschema-framework/metaschema-java, assert statements on loop variables (e.g., `assert item != null;`) are intentionally kept to satisfy Eclipse's null-safety analysis when the list elements have a `NonNull` contract, ensuring static analysis tools recognize the non-null guarantee for subsequent method calls.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java
  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java
📚 Learning: 2025-12-30T19:01:22.713Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 605
File: databind/src/main/java/gov/nist/secauto/metaschema/databind/codegen/typeinfo/DefaultMetaschemaClassFactory.java:508-512
Timestamp: 2025-12-30T19:01:22.713Z
Learning: DefaultMetaschemaClassFactory.extendsIBoundObject logs a warning when a configured superinterface cannot be loaded from the classpath during code generation, advising users to add the class as a Maven plugin dependency to avoid redundant IBoundObject additions.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
📚 Learning: 2025-12-30T19:08:14.869Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 605
File: src/site/markdown/index.md.vm:3-3
Timestamp: 2025-12-30T19:08:14.869Z
Learning: In the metaschema-framework/metaschema-java repository, https://framework.metaschema.dev/ is the project's preferred and canonical documentation URL for the Metaschema framework. While https://pages.nist.gov/metaschema/ is an alternative, the project uses framework.metaschema.dev as the official reference in documentation and should not be changed to pages.nist.gov URLs.

Applied to files:

  • metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java
📚 Learning: 2025-12-13T21:16:12.281Z
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs require passing CI checks before merge

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All changes require PR review with CODEOWNERS enforcement

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: Applies to **/*.java : Follow package naming convention gov.nist.secauto.metaschema.* for all Java packages

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java
📚 Learning: 2024-11-14T17:07:03.586Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 245
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/atomic/IIPv4AddressItem.java:66-73
Timestamp: 2024-11-14T17:07:03.586Z
Learning: In the Metaschema Java codebase, differences in casting patterns across atomic type implementations are intentional and required; any differences in approach are significant and necessary.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
  • databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java
📚 Learning: 2024-11-14T17:09:05.819Z
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 245
File: core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/atomic/INonNegativeIntegerItem.java:116-124
Timestamp: 2024-11-14T17:09:05.819Z
Learning: In the interface `INonNegativeIntegerItem` (file `core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/atomic/INonNegativeIntegerItem.java`), the casting logic in the `cast` method is intentionally designed this way due to earlier discrepancies.

Applied to files:

  • databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java
🧬 Code graph analysis (11)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java (1)
core/src/main/java/gov/nist/secauto/metaschema/core/util/ObjectUtils.java (1)
  • ObjectUtils (18-135)
🔇 Additional comments (25)
databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/Example.java (1)

1-174: Generated code with formatting-only updates.

This file is generated by metaschema-maven-plugin (as indicated by the header). All changes are formatting-only: annotation closing parentheses moved to separate lines and minor Javadoc adjustments. No functional changes observed.

Based on learnings, any improvements to generated binding classes should be addressed at the code generator level rather than through manual edits to the generated source.

metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestScenario.java (1)

5-6: Generated file: formatting changes approved.

This file is generated by metaschema-maven-plugin (as indicated by the header comments). The changes are purely formatting-related: annotation closing parentheses moved to new lines, Javadoc reflowing, and minor whitespace adjustments. No functional logic has changed.

Based on learnings, any formatting or documentation improvements should be addressed at the code generator level rather than through manual edits to this generated file.

Also applies to: 32-33, 45-46, 55-56, 67-68, 72-72, 79-79, 82-82, 113-113, 139-139, 168-168, 176-176, 180-180, 188-189, 193-193

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetaschemaModuleConstraints.java (1)

1-928: LGTM! Generated file with formatting-only changes.

This is a generated binding class (as indicated by the header comment). The changes are limited to formatting and alignment: Javadoc text reflow, annotation line breaks, and consistent @param tag indentation. No semantic or functional changes detected.

Based on learnings, improvements to generated binding classes should be addressed at the code generator level (metaschema-maven-plugin) rather than through manual edits to the generated source.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIndexConstraint.java (1)

1-435: Generated code with formatting-only changes — LGTM.

This is a generated binding class (per lines 5-6). All marked changes are formatting/whitespace normalization from the code generator — annotation layout, Javadoc indentation, and closing parenthesis placement. No semantic or behavioral modifications. Based on learnings, improvements to generated code style are tracked at the generator level.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/MetapathContext.java (1)

1-235: LGTM! Generated binding class with formatting updates only.

This file is explicitly marked as generated code (lines 5-6). The changes are purely formatting adjustments:

  • Annotation layout improvements (closing parentheses on separate lines)
  • Javadoc text refinements
  • Minor code spacing adjustments

No functional logic or API signatures have changed. All null-safety annotations remain intact.

Note: If any formatting inconsistencies need correction (e.g., spacing in ObjectUtils.requireNonNull calls on lines 122, 135, 188, 201), they should be addressed in the code generator (metaschema-maven-plugin) rather than in this generated file.

Based on learnings, improvements to generated binding classes should be made at the code generator level rather than by manually editing the generated code.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedMatchesConstraint.java (1)

1-407: LGTM! Generated file with formatting-only changes.

This file is generated by metaschema-maven-plugin (as indicated by the header comment). All changes are formatting/whitespace adjustments with no functional modifications. The annotation reflow and Javadoc formatting normalization are consistent with code generator output updates.

Based on learnings, any Javadoc coverage or style improvements for generated binding classes should be addressed at the code generator level rather than in the generated source files.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/InlineDefineField.java (1)

1-695: LGTM! Formatting-only regeneration.

This generated binding class has been regenerated with improved formatting (annotation parameter wrapping, consistent indentation, minor Javadoc text corrections). No functional changes are present—method signatures, return types, and runtime behavior remain unchanged.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedAllowedValuesConstraint.java (1)

1-446: LGTM! Generated binding class with formatting improvements.

This is a generated binding class (as indicated by the file header), and the changes consist entirely of formatting improvements to annotations and Javadoc documentation. The improvements enhance readability without altering functionality.

Based on learnings, any further improvements to generated binding classes should be tracked as code generator enhancements rather than manual edits to the generated source.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedExpectConstraint.java (1)

1-380: Generated file with formatting-only changes - LGTM

This file is generated by metaschema-maven-plugin and contains only formatting adjustments (annotation alignment, Javadoc indentation). No functional changes detected. Any further improvements should be made at the code generator level rather than by manually editing this file.

Based on learnings, generated binding classes in this package are produced by metaschema-maven-plugin and improvements should be tracked at the generator level.

databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/MetaschemaBindings.java (1)

1-2110: Generated file with formatting-only changes - LGTM

This file is generated from metaschema-bindings.yaml and contains only formatting adjustments (annotation realignment, Javadoc formatting). The public API surface remains unchanged. Any improvements should be made at the code generator level.

Based on learnings, generated binding classes should be improved through generator enhancements rather than manual edits.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/package-info.java (1)

1-15: Generated package-info with documentation updates - LGTM

This generated package-info file has updated Javadoc text and annotation formatting. No functional changes to package declarations. Any further improvements should be made at the code generator level.

Based on learnings, generated package-info files are produced by metaschema-maven-plugin.

metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/TestSuite.java (1)

1-126: Generated test suite file with formatting-only changes - LGTM

This file is generated from unit-tests.yaml and contains only formatting adjustments (Javadoc alignment, annotation formatting). No functional changes detected. Per learnings, files in gov.nist.secauto.metaschema.model.testing.testsuite are generated and improvements should be made at the code generator level.

Based on learnings, do not manually edit generated binding classes in metaschema-testing.

pom.xml (2)

581-582: Good documentation of JXR's built-in exclusion behavior

The comment correctly notes that JXR excludes package-info.java by design via DirectoryScanner.addDefaultExcludes.
714-720: Sensible alignment of PMD exclusions with JXR behavior

Excluding package-info.java from PMD analysis aligns with JXR's built-in exclusions and prevents broken xref links in PMD reports. The comment correctly notes these generated files primarily trigger low-priority UnnecessaryFullyQualifiedName warnings. This is a reasonable quality-of-life improvement for the build tooling.

databind/src/main/java/gov/nist/secauto/metaschema/databind/config/binding/package-info.java (1)

1-20: Generated package-info with enhanced documentation - LGTM

This generated package-info file has updated Javadoc text with an enhanced description of the binding configuration format. Annotation formatting has been adjusted. No functional changes to package declarations. Any further improvements should be made at the code generator level.

Based on learnings, generated package-info files should be improved through generator enhancements.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/TargetedIsUniqueConstraint.java (1)

1-407: Generated file with formatting-only changes - LGTM

This file is generated by metaschema-maven-plugin and contains only formatting adjustments (annotation alignment, Javadoc indentation). No functional changes detected. Any improvements should be made at the code generator level rather than by manually editing this file.

Based on learnings, generated binding classes in this package should be improved through generator enhancements.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagReference.java (1)

1-407: Generated file with formatting-only changes - LGTM

This file is generated by metaschema-maven-plugin and contains only formatting adjustments (annotation alignment, Javadoc indentation). No functional changes detected. Any improvements should be made at the code generator level rather than by manually editing this file.

Based on learnings, generated binding classes in this package should be improved through generator enhancements.

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/KeyConstraintField.java (1)

72-74: LGTM! Generated binding class updated with standard accessors.

The new getMetaschemaData() and toString() methods are consistent additions to this generated binding class. The @Override on getMetaschemaData() correctly implements the IBoundObject interface contract, and the toString() implementation follows the standard pattern using ReflectionToStringBuilder. All formatting adjustments align with the generator's output style.

Based on learnings, generated binding classes in this repository are produced by metaschema-maven-plugin and any documentation improvements should be tracked at the generator level.

Also applies to: 143-145

metaschema-testing/src/main/java/gov/nist/secauto/metaschema/model/testing/testsuite/GenerateSchema.java (1)

108-110: LGTM! Generated test suite binding updated with standard accessors.

The new getMetaschemaData() method correctly implements the IBoundObject interface, and the toString() implementation uses ReflectionToStringBuilder consistently with other generated bindings. The formatting adjustments to ObjectUtils.requireNonNull calls (lines 225, 238) improve readability.

Based on learnings, generated binding classes under gov.nist.secauto.metaschema.model.testing.testsuite are produced by metaschema-maven-plugin and should not be manually edited.

Also applies to: 243-245

databind/src/main/java/gov/nist/secauto/metaschema/databind/model/metaschema/binding/FlagConstraints.java (1)

72-74: LGTM! Generated binding class updated with standard accessors.

The new getMetaschemaData() and toString() methods follow the same pattern as other generated bindings in this PR. The @Override on getMetaschemaData() correctly implements the IBoundObject interface, and the toString() implementation uses the standard ReflectionToStringBuilder approach. The reorganization of @BoundGroupedAssembly entries (lines 45-50) improves annotation readability.

Based on learnings, generated binding classes are produced by metaschema-maven-plugin and documentation improvements should be tracked at the generator level.

Also applies to: 154-156

.github/workflows/build.yml (5)

41-42: LGTM!

The UPLOAD_SCAN_SARIF variable correctly handles both push and pull request events with the appropriate ref comparisons (github.ref uses full paths, github.base_ref uses short branch names). The fix from the past review has been properly applied.
131-141: LGTM!

The Trivy configuration is well-structured:

  • Filesystem scan with vulnerability detection
  • SARIF output for GitHub Security integration
  • All severity levels captured for comprehensive visibility
  • Appropriate exclusions for the submodule (with its own scanning) and IT target directories

142-166: LGTM!

The Trivy summary correctly uses the SARIF level mappings (error=CRITICAL, warning=HIGH, note=MEDIUM/LOW) as fixed from the past review. The markdown table provides clear visibility, and the conditional message about upload status is helpful for understanding when results appear in the Security tab.
249-272: LGTM!

The Link Checker Summary is well-implemented:

  • Uses if: always() to ensure summary generation regardless of link checker outcome
  • Gracefully handles missing report files
  • Provides a collapsible details section for broken links to keep the summary clean
  • Error counting with proper fallback handling

288-293: LGTM!

The failure step correctly uses steps.linkchecker.outputs.exit_code != 0 to detect link checker errors, combined with !cancelled() to avoid running on cancelled workflows and the configurable INPUT_FAIL_ON_ERROR flag.
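The gating rule and the SARIF-level summary discussed in the workflow review comments above, as an added Python example that is not part of this PR or the project's workflow: it reimplements the `UPLOAD_SCAN_SARIF` decision (full `refs/heads/...` path on push events versus the short `base_ref` on pull requests) and a SARIF result counter that feeds a markdown job summary using the level-to-severity table the review describes. The set of publishing branches (`develop` plus branches prefixed `release`), the function names, and the sample SARIF document are assumptions constructed for this example.

```python
"""Added example (not the PR's own workflow code): the UPLOAD_SCAN_SARIF gate
and a Trivy SARIF summary, reimplemented in Python so they can be tested offline.
Branch names, function names and the sample document are assumptions."""
import json
from collections import Counter
from typing import Dict, Tuple

# Assumption: results are published for the develop branch and release branches.
PUBLISH_BRANCHES: Tuple[str, ...] = ("develop",)
PUBLISH_BRANCH_PREFIXES: Tuple[str, ...] = ("release",)


def _branch_publishes(branch: str) -> bool:
    """True when scan results for this short branch name go to the Security tab."""
    return branch in PUBLISH_BRANCHES or branch.startswith(PUBLISH_BRANCH_PREFIXES)


def upload_scan_sarif(event_name: str, ref: str, base_ref: str = "") -> bool:
    """Mirror of the UPLOAD_SCAN_SARIF decision.

    On a push event ``github.ref`` is a full path such as ``refs/heads/develop``;
    on a pull_request event the target branch is a short name in
    ``github.base_ref``, so the two cases are compared separately.
    Other events never upload.
    """
    if event_name == "push":
        prefix = "refs/heads/"
        if not ref.startswith(prefix):
            return False  # tag pushes and other refs are not published
        return _branch_publishes(ref[len(prefix):])
    if event_name == "pull_request":
        return _branch_publishes(base_ref)
    return False


# Level-to-severity table as described in the review of the summary step.
# Assumption: keep it aligned with the mapping your scanner version emits.
LEVEL_TO_SEVERITY: Dict[str, str] = {
    "error": "CRITICAL",
    "warning": "HIGH",
    "note": "MEDIUM/LOW",
}


def load_sarif(path: str) -> dict:
    """Read a SARIF 2.1.0 document from disk (e.g. the Trivy output file)."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def count_sarif_levels(sarif: dict) -> Counter:
    """Count results per SARIF level across all runs in the document.

    SARIF 2.1.0 defaults: a result whose ``kind`` is not "fail" has level
    "none"; a failing result without an explicit ``level`` inherits the rule's
    ``defaultConfiguration.level`` and otherwise counts as "warning".
    """
    counts: Counter = Counter()
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {rule.get("id"): rule for rule in driver.get("rules", [])}
        for result in run.get("results", []):
            if result.get("kind", "fail") != "fail":
                counts["none"] += 1
                continue
            level = result.get("level")
            if level is None:
                rule = rules.get(result.get("ruleId"), {})
                level = rule.get("defaultConfiguration", {}).get("level", "warning")
            counts[level] += 1
    return counts


def render_summary(sarif: dict, uploaded: bool) -> str:
    """Build the markdown job summary: one row per mapped level plus upload status."""
    counts = count_sarif_levels(sarif)
    lines = ["| Severity | SARIF level | Count |", "|---|---|---|"]
    for level, severity in LEVEL_TO_SEVERITY.items():
        lines.append(f"| {severity} | {level} | {counts.get(level, 0)} |")
    lines.append("")
    lines.append(f"Total findings: {sum(counts.values())}")
    if uploaded:
        lines.append("Results were uploaded to the GitHub Security tab.")
    else:
        lines.append("Results were not uploaded (UPLOAD_SCAN_SARIF is false for this ref).")
    return "\n".join(lines)


# Constructed sample: a minimal Trivy-shaped SARIF document with placeholder ids.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-0001", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error", "message": {"text": "placeholder"}},
            {"ruleId": "CVE-0000-0001", "level": "warning", "message": {"text": "placeholder"}},
            {"ruleId": "CVE-0000-0001", "message": {"text": "inherits the rule's note level"}},
        ],
    }],
}

if __name__ == "__main__":
    publish = upload_scan_sarif("push", "refs/heads/develop")
    print(render_summary(SAMPLE_SARIF, publish))
```

Point `load_sarif` at a real `trivy-results.sarif` to reproduce the job summary locally. The `LEVEL_TO_SEVERITY` table is the one the review describes; check it against the mapping your scanner version actually emits, because a stale table silently mislabels severities in the summary without affecting what is uploaded to the Security tab.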

- Fix lychee issue content filepath (./lychee/out.md -> html-link-report.md)
- Add language identifier to CodeQL summary for multi-file clarity
@david-waltermire
Contributor Author

@coderabbitai Addressed the following review nitpicks in commit ca8f339:

  1. Lychee issue content filepath - Fixed incorrect path ./lychee/out.md to html-link-report.md (matches the Link Checker output configuration)

  2. CodeQL summary filename clarity - Added language identifier to the summary output for multi-file SARIF clarity (e.g., 'Language: java')

@coderabbitai

coderabbitai bot commented Dec 31, 2025

@david-waltermire Thank you for addressing those review nitpicks! Both changes look good:

  1. Lychee filepath fix - Correcting the path to html-link-report.md ensures the issue creation properly references the link checker output file.

  2. CodeQL summary enhancement - Adding the language identifier to the summary output improves clarity, especially helpful when reviewing multi-language repositories or when multiple SARIF files are present.

These refinements improve the workflow's maintainability and user experience. Great work! 🎉

- Add upload status indicator to CodeQL summary (matches Trivy)
- Wrap Link Checker results in collapsible details toggle
- Remove nested details for broken links (section is now collapsible)
@david-waltermire david-waltermire merged commit b3c2d42 into metaschema-framework:develop Dec 31, 2025
6 checks passed
@david-waltermire david-waltermire deleted the feature/trivy-scanning branch December 31, 2025 19:46