Springboot Verification

1---2name: springboot-verification3description: "Verification loop for Spring Boot projects: build, static analysis, tests with coverage, security scans, and diff review before release or PR."4origin: ECC5---6 7# Spring Boot Verification Loop8 9Run before PRs, after major changes, and pre-deploy.10 11## When to Activate12 13- Before opening a pull request for a Spring Boot service14- After major refactoring or dependency upgrades15- Pre-deployment verification for staging or production16- Running full build → lint → test → security scan pipeline17- Validating test coverage meets thresholds18 19## Phase 1: Build20 21```bash22mvn -T 4 clean verify -DskipTests23# or24./gradlew clean assemble -x test25```26 27If build fails, stop and fix.28 29## Phase 2: Static Analysis30 31Maven (common plugins):32```bash33mvn -T 4 spotbugs:check pmd:check checkstyle:check34```35 36Gradle (if configured):37```bash38./gradlew checkstyleMain pmdMain spotbugsMain39```40 41## Phase 3: Tests + Coverage42 43```bash44mvn -T 4 test45mvn jacoco:report   # verify 80%+ coverage46# or47./gradlew test jacocoTestReport48```49 50Report:51- Total tests, passed/failed52- Coverage % (lines/branches)53 54### Unit Tests55 56Test service logic in isolation with mocked dependencies:57 58```java59@ExtendWith(MockitoExtension.class)60class UserServiceTest {61 62  @Mock private UserRepository userRepository;63  @InjectMocks private UserService userService;64 65  @Test66  void createUser_validInput_returnsUser() {67    var dto = new CreateUserDto("Alice", "alice@example.com");68    var expected = new User(1L, "Alice", "alice@example.com");69    when(userRepository.save(any(User.class))).thenReturn(expected);70 71    var result = userService.create(dto);72 73    assertThat(result.name()).isEqualTo("Alice");74    verify(userRepository).save(any(User.class));75  }76 77  @Test78  void createUser_duplicateEmail_throwsException() {79    var dto = new CreateUserDto("Alice", "existing@example.com");80    when(userRepository.existsByEmail(dto.email())).thenReturn(true);81 82    assertThatThrownBy(() -> userService.create(dto))83        .isInstanceOf(DuplicateEmailException.class);84  }85}86```87 88### Integration Tests with Testcontainers89 90Test against a real database instead of H2:91 92```java93@SpringBootTest94@Testcontainers95class UserRepositoryIntegrationTest {96 97  @Container98  static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:16-alpine")99      .withDatabaseName("testdb");100 101  @DynamicPropertySource102  static void configureProperties(DynamicPropertyRegistry registry) {103    registry.add("spring.datasource.url", postgres::getJdbcUrl);104    registry.add("spring.datasource.username", postgres::getUsername);105    registry.add("spring.datasource.password", postgres::getPassword);106  }107 108  @Autowired private UserRepository userRepository;109 110  @Test111  void findByEmail_existingUser_returnsUser() {112    userRepository.save(new User("Alice", "alice@example.com"));113 114    var found = userRepository.findByEmail("alice@example.com");115 116    assertThat(found).isPresent();117    assertThat(found.get().getName()).isEqualTo("Alice");118  }119}120```121 122### API Tests with MockMvc123 124Test controller layer with full Spring context:125 126```java127@WebMvcTest(UserController.class)128class UserControllerTest {129 130  @Autowired private MockMvc mockMvc;131  @MockBean private UserService userService;132 133  @Test134  void createUser_validInput_returns201() throws Exception {135    var user = new UserDto(1L, "Alice", "alice@example.com");136    when(userService.create(any())).thenReturn(user);137 138    mockMvc.perform(post("/api/users")139            .contentType(MediaType.APPLICATION_JSON)140            .content("""141                {"name": "Alice", "email": "alice@example.com"}142                """))143        .andExpect(status().isCreated())144        .andExpect(jsonPath("$.name").value("Alice"));145  }146 147  @Test148  void createUser_invalidEmail_returns400() throws Exception {149    mockMvc.perform(post("/api/users")150            .contentType(MediaType.APPLICATION_JSON)151            .content("""152                {"name": "Alice", "email": "not-an-email"}153                """))154        .andExpect(status().isBadRequest());155  }156}157```158 159## Phase 4: Security Scan160 161```bash162# Dependency CVEs163mvn org.owasp:dependency-check-maven:check164# or165./gradlew dependencyCheckAnalyze166 167# Secrets in source168grep -rn "password\s*=\s*\"" src/ --include="*.java" --include="*.yml" --include="*.properties"169grep -rn "sk-\|api_key\|secret" src/ --include="*.java" --include="*.yml"170 171# Secrets (git history)172git secrets --scan  # if configured173```174 175### Common Security Findings176 177```178# Check for System.out.println (use logger instead)179grep -rn "System\.out\.print" src/main/ --include="*.java"180 181# Check for raw exception messages in responses182grep -rn "e\.getMessage()" src/main/ --include="*.java"183 184# Check for wildcard CORS185grep -rn "allowedOrigins.*\*" src/main/ --include="*.java"186```187 188## Phase 5: Lint/Format (optional gate)189 190```bash191mvn spotless:apply   # if using Spotless plugin192./gradlew spotlessApply193```194 195## Phase 6: Diff Review196 197```bash198git diff --stat199git diff200```201 202Checklist:203- No debugging logs left (`System.out`, `log.debug` without guards)204- Meaningful errors and HTTP statuses205- Transactions and validation present where needed206- Config changes documented207 208## Output Template209 210```211VERIFICATION REPORT212===================213Build:     [PASS/FAIL]214Static:    [PASS/FAIL] (spotbugs/pmd/checkstyle)215Tests:     [PASS/FAIL] (X/Y passed, Z% coverage)216Security:  [PASS/FAIL] (CVE findings: N)217Diff:      [X files changed]218 219Overall:   [READY / NOT READY]220 221Issues to Fix:2221. ...2232. ...224```225 226## Continuous Mode227 228- Re-run phases on significant changes or every 30–60 minutes in long sessions229- Keep a short loop: `mvn -T 4 test` + spotbugs for quick feedback230 231**Remember**: Fast feedback beats late surprises. Keep the gate strict—treat warnings as defects in production systems.