Add comprehensive security scanning workflows for Java

lukeina2z · lukeina2z · commit 431e4ff6079d · 2025-09-23T13:01:13.000-07:00
Fixed issues:
- Replace wget with curl for GitHub Actions compatibility
- Add proper error handling for SpotBugs SARIF file generation
- Add continue-on-error for all security scanning steps
- Ensure SARIF files exist before upload attempts
- Initialize empty SARIF file as fallback for SpotBugs

This provides robust security scanning that won't fail the build
while still providing comprehensive vulnerability detection.
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!-- 
+    This file contains suppressions for OWASP Dependency Check false positives.
+    Each suppression should include:
+    1. A clear reason for suppression
+    2. The specific CVE or vulnerability being suppressed
+    3. The affected file pattern or GAV coordinates
+    
+    Example suppression:
+    <suppress>
+        <notes><![CDATA[
+        This CVE affects a different component with the same name.
+        Our usage is not vulnerable because we don't use the affected functionality.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.example/.*@.*$</packageUrl>
+        <cve>CVE-2023-12345</cve>
+    </suppress>
+    -->
+    
+    <!-- Add specific suppressions here as needed -->
+    
+</suppressions>
