adding find sec bugs scan

Author: emessiha

.github/workflows/maven.yml

@@ -22,3 +22,7 @@ jobs:
         java-version: 1.8
     - name: Build with Maven
       run: mvn -B package --file pom.xml
+    - name: Run findSecBugs scan
+      run: |
+        chmod +x ./findsecbugs-cli-1.10.1/findsecbugs.sh
+        ./findsecbugs-cli-1.10.1/findsecbugs.sh -progress -html -output report.htm target/JavaVulnerableLab.war

.gitignore

@@ -7,7 +7,7 @@
 .project
 .classpath
 factoryConfiguration.json
-
+report.htm
 ### Eclipse ###
 
 .metadata

findsecbugs-cli-1.10.1/findsecbugs.bat

@@ -0,0 +1,2 @@
+@echo off
+java -cp %~dp0lib/* edu.umd.cs.findbugs.LaunchAppropriateUI -quiet -pluginList %~dp0lib/findsecbugs-plugin-1.10.1.jar -include %~dp0include.xml %*

findsecbugs-cli-1.10.1/findsecbugs.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+SOURCE="${BASH_SOURCE[0]}"
+while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+  DIR="$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )"
+  SOURCE="$(readlink "$SOURCE")"
+  [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+done
+DIR="$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )"
+FINDBUGS_PLUGIN="$(find "$DIR"/lib/findsecbugs-plugin-* | sort --version-sort | tail -n1)"
+
+for LIB in "$DIR"/lib/*.jar; do
+  if [[ -z "${LIBS// }" ]]; then
+    LIBS=$LIB
+  else
+    LIBS=$LIB:$LIBS
+  fi
+done
+
+java -cp "$LIBS" edu.umd.cs.findbugs.LaunchAppropriateUI -quiet -pluginList "$FINDBUGS_PLUGIN" -include "$DIR"/include.xml $@

findsecbugs-cli-1.10.1/include.xml

@@ -0,0 +1,5 @@
+<FindBugsFilter>
+    <Match>
+        <Bug category="SECURITY"/>
+    </Match>
+</FindBugsFilter>