Refactoring/oft 4.5.0

AGENTS.md

@@ -0,0 +1,80 @@
+---
+name: oft-contributor
+description: Expert Java developer for maintaining and evolving the OpenFastTrace Maven Plugin.
+---
+
+### AGENTS.md — OpenFastTrace Maven Plugin
+
+This file provides guidance for AI agents and LLMs working on the OpenFastTrace Maven Plugin project.
+
+### Key Commands
+
+All commands should be run from the repository root.
+
+| Task                     | Command                                                                  |
+|:-------------------------|:-------------------------------------------------------------------------|
+| **Verify (All tests)**   | `mvn verify`                                                       |
+| **Build (full)**         | `mvn clean package -DskipTests`                                    |
+| **Run Unit Tests**       | `mvn test`                                                         |
+| **Run Single Test**      | `mvn test -Dtest=ClassName`                                              |
+| **Run Integration Test** | `mvn failsafe:integration-test`                                          |
+| **Check Dependencies**   | `mvn versions:display-dependency-updates`                                |
+
+### Agent Role & Persona
+
+You are an expert Java developer specializing in requirement tracing and Maven plugin development. Your goal is to help maintain and evolve the OpenFastTrace Maven Plugin, following "Clean Code" principles and ensuring high reliability.
+
+### Boundaries
+
+- **Always**:
+  - Follow the branching strategy: `<type>/<number>_<short-description-lower-snake-case>` (e.g., `feature/533_update_agents_md`).
+- **Ask First**:
+  - Before adding new external dependencies to `pom.xml`.
+- **Never**:
+  - Never remove failing tests unless specifically instructed to do so. Fix the code instead.
+  - Never modify files in `.idea/` or other IDE-specific metadata folders.
+  - Never bypass `mvn verify` checks (e.g., by skipping static analysis or tests) during final validation.
+
+### Code Examples
+
+#### Requirement Tagging in Java
+Show coverage of a requirement (e.g., `req~trace-goal~1`) in the implementation:
+
+```java
+/**
+ * Mojo for tracing requirements.
+ * // [impl->req~trace-goal~1]
+ */
+@Mojo(name = "trace", defaultPhase = LifecyclePhase.VERIFY, threadSafe = true)
+public class TraceMojo extends AbstractMojo {
+    // implementation details...
+}
+```
+
+### Project Stack & Structure
+
+- **Tech Stack**: Java 17+, Maven 3.8+, JUnit 5, Mockito, Hamcrest.
+- **Architecture**:
+  - Single-module Maven project providing a Maven Plugin.
+  - `src/main/java`: Plugin implementation (Mojos).
+  - `src/test/java`: Unit tests.
+  - `src/test/resources`: Integration test projects and logging configuration.
+
+### Code Style & Conventions
+
+- **Clean Code**: Meaningful names, small functions, single responsibility.
+- **Logging**: Use `java.util.logging`. Test config: `src/test/resources/logging.properties`.
+
+### Development Workflow
+
+1. **Create Branch** (see [Boundaries](#boundaries))
+2. **Implement**: Tag all new code with coverage markers.
+3. **Verify**: `mvn -T 1C verify`.
+4. **Review**: All changes require human review per `CONTRIBUTING.md`.
+
+### Agent Skills & Critical Files
+
+- **Key Resources**:
+  - `README.md`: General overview and usage documentation.
+  - `CONTRIBUTING.md`: Human-AI collaboration guidelines.
+  - `CHANGELOG.md`: Project history.

CHANGELOG.md

@@ -4,7 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [2.3.2] - Unreleased
+## [2.4.0] - 2026-06-14
+
+* [PR# 88](https://github.com/itsallcode/openfasttrace-maven-plugin/pull/88) Updated to [OpenFastTrace 4.5.0](https://github.com/itsallcode/openfasttrace/releases/tag/4.5.0)
+* We also now generate an SPDX SBOM
 
 ## [2.3.1] - 2026-05-18
 

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# OpenFastTrace Project Code of Conduct
+
+* Treat others with respect.
+* Criticize ideas, not people.
+* Back up your arguments with facts and reasoning.
+* Keep discussions on topic and concise.
+* Disagreements are fine — personal attacks are not.
+* Help people who ask for it. We were all beginners once.
+* Offer solutions, not just complaints.

README.md

@@ -7,7 +7,7 @@ Maven Plugin for [OpenFastTrace](https://github.com/itsallcode/openfasttrace) (O
 [![Build](https://github.com/itsallcode/openfasttrace-maven-plugin/actions/workflows/build.yml/badge.svg)](https://github.com/itsallcode/openfasttrace-maven-plugin/actions/workflows/build.yml)
 [![Maven Central](https://img.shields.io/maven-central/v/org.itsallcode/openfasttrace-maven-plugin.svg?label=Maven%20Central)](http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.itsallcode%22%20a%3A%22openfasttrace-maven-plugin%22)
 
-Sonarcloud status:
+SonarCloud status:
 
 [![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=org.itsallcode%3Aopenfasttrace-maven-plugin&metric=alert_status)](https://sonarcloud.io/dashboard?id=org.itsallcode%3Aopenfasttrace-maven-plugin)
 [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=org.itsallcode%3Aopenfasttrace-maven-plugin&metric=bugs)](https://sonarcloud.io/dashboard?id=org.itsallcode%3Aopenfasttrace-maven-plugin)
@@ -21,10 +21,13 @@ Sonarcloud status:
 [![Technical Dept](https://sonarcloud.io/api/project_badges/measure?project=org.itsallcode%3Aopenfasttrace-maven-plugin&metric=sqale_index)](https://sonarcloud.io/dashboard?id=org.itsallcode%3Aopenfasttrace-maven-plugin)
 [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=org.itsallcode%3Aopenfasttrace-maven-plugin&metric=vulnerabilities)](https://sonarcloud.io/dashboard?id=org.itsallcode%3Aopenfasttrace-maven-plugin)
 
-* [Blog](https://blog.itsallcode.org/)
-* [Changelog](CHANGELOG.md)
-* [Contributing guide](CONTRIBUTING.md)
-* [OpenFastTrace stories](https://github.com/itsallcode/openfasttrace/wiki/OFT-Stories)
+* [📢 Blog](https://blog.itsallcode.org/)
+* [➕ Changelog](CHANGELOG.md)
+* [🎁 Contributing Guide](CONTRIBUTING.md)
+* [🤝 Code of Conduct](CODE_OF_CONDUCT.md)
+* [🛡️ Security Policy](SECURITY.md)
+* [✨ OpenFastTrace Stories](https://github.com/itsallcode/openfasttrace/wiki/OFT-Stories)
+* [🤖 AI Agent Guide](AGENTS.md)
 
 ## Usage
 
@@ -59,7 +62,7 @@ Then you can run tracing by calling the goal directly: `mvn openfasttrace:trace`
 
 The plugin binds to the `verify` lifecycle, so you can also use `mvn verify`.
 
-See [src/test/resources/empty-project](src/test/resources/simple-project/) for an example project.
+See [src/test/resources/empty-project](src/test/resources/simple-project) for an example project.
 
 ### OpenFastTrace Plugins
 
@@ -89,9 +92,9 @@ You can configure the plugin using the `<configuration>` element.
 
 #### Traced Directories
 
-By default the OFT plugin imports requirements from the following directories:
+By default, the OFT plugin imports requirements from the following directories:
 
-* The `doc` sub-directory of the module that includes the plugin if it exists
+* The `doc` subdirectory of the module that includes the plugin if it exists
 * For each Maven module in the project if they exist:
   * Compile source roots (default: `src/main/java`)
   * Resources (default: `src/main/resources`)
@@ -212,7 +215,7 @@ The HTML report will have its details sections collapsed (i.e. hidden) by defaul
 
 #### Fail Build
 
-By default the build will fail when there are errors found during tracing. To continue with the build when tracing fails, use configuration `<failBuild>false</failBuild>`.
+By default, the build will fail when there are errors found during tracing. To continue with the build when tracing fails, use configuration `<failBuild>false</failBuild>`.
 
 #### Skipping Execution
 
@@ -235,9 +238,9 @@ apt-get install openjdk-17-jdk maven
 This project uses Maven Toolchains to configure the correct JDK version (see the [documentation](https://maven.apache.org/guides/mini/guide-using-toolchains.html) for details). To configure the Toolchains plugin create file ` ~/.m2/toolchains.xml` with the following content. Adapt the paths to your JDKs.
 
 ```xml
-<toolchains xmlns="http://maven.apache.org/TOOLCHAINS/1.1.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://maven.apache.org/TOOLCHAINS/1.1.0 http://maven.apache.org/xsd/toolchains-1.1.0.xsd">
+<toolchains xmlns="https://maven.apache.org/TOOLCHAINS/1.1.0"
+    xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="https://maven.apache.org/TOOLCHAINS/1.1.0 https://maven.apache.org/xsd/toolchains-1.0.0.xsd">
     <toolchain>
         <type>jdk</type>
         <provides>
@@ -305,7 +308,7 @@ mvn --update-snapshots versions:use-latest-releases versions:update-properties
 ### Perform the Release
 
 1. Start the release workflow
-  * Run command `gh workflow run release.yml --repo itsallcode/openfasttrace-maven-plugin --ref main`
-  * or go to [GitHub Actions](https://github.com/itsallcode/openfasttrace-maven-plugin/actions/workflows/release.yml) and start the `release.yml` workflow on branch `main`.
+    * Run command `gh workflow run release.yml --repo itsallcode/openfasttrace-maven-plugin --ref main`
+    * or go to [GitHub Actions](https://github.com/itsallcode/openfasttrace-maven-plugin/actions/workflows/release.yml) and start the `release.yml` workflow on branch `main`.
 2. Update title and description of the newly created [GitHub release](https://github.com/itsallcode/openfasttrace-maven-plugin/releases).
 3. After some time the release will be available at [Maven Central](https://repo1.maven.org/maven2/org/itsallcode/openfasttrace-maven-plugin/).

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We are very grateful for any security reports and see them as a valuable way to improve the quality and reliability of our codebase. As a non-profit open-source project, we appreciate the time and effort the community puts into helping us keep OpenFastTrace secure.
+
+Please note that we do not offer bug bounties.
+
+To report a vulnerability, please use the [GitHub Security Advisory reporting feature](https://github.com/itsallcode/openfasttrace/security/advisories/new) or contact the maintainers directly. We strive to address all security concerns in a timely and professional manner.
+
+## Software Bill of Materials (SBOM)
+
+To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the plugin releases starting from version 2.4.0. These files provide a comprehensive list of all components and dependencies used in the project.

pom.xml

@@ -4,7 +4,7 @@
 
     <groupId>org.itsallcode</groupId>
     <artifactId>openfasttrace-maven-plugin</artifactId>
-    <version>2.3.1</version>
+    <version>2.4.0</version>
     <packaging>maven-plugin</packaging>
 
     <name>OpenFastTrace Maven Plugin</name>
@@ -15,11 +15,12 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <java.version>17</java.version>
-        <oft.version>4.4.0</oft.version>
+        <oft.version>4.5.0</oft.version>
         <!-- Maven version available in Debian 13 -->
-        <maven.core.version>3.8.9</maven.core.version>
+        <maven.core.version>3.9.9</maven.core.version>
+        <!-- Below is not a typo. It's the version of the Maven Plugin Plugin. -->
+        <maven.plugin.plugin.version>3.15.2</maven.plugin.plugin.version>
         <jacoco.version>0.8.14</jacoco.version>
-        <mavenPluginPluginVersion>3.15.2</mavenPluginPluginVersion>
         <sonar.organization>itsallcode</sonar.organization>
         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
         <project.build.outputTimestamp>${git.commit.time}</project.build.outputTimestamp>
@@ -78,7 +79,7 @@
             <artifactId>plexus-utils</artifactId>
             <!-- Build fails with version > 4.0.0 -->
             <!-- Fix CVE-2025-67030 -->
-            <version>3.6.1</version>
+            <version>4.0.3</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -90,7 +91,7 @@
         <dependency>
             <groupId>org.apache.maven.plugin-tools</groupId>
             <artifactId>maven-plugin-annotations</artifactId>
-            <version>3.15.1</version>
+            <version>${maven.plugin.plugin.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -99,39 +100,11 @@
             <version>${maven.core.version}</version>
             <scope>provided</scope>
         </dependency>
-        <dependency>
-            <!-- Upgrade transitive dependency of maven-core to fix CVE-2025-48924 -->
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-            <version>3.20.0</version>
-            <scope>provided</scope>
-        </dependency>
         <!-- Test dependencies -->
         <dependency>
             <groupId>org.apache.maven.plugin-testing</groupId>
             <artifactId>maven-plugin-testing-harness</artifactId>
-            <version>3.3.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <!-- Fix CVE-2021-29425 in transitive dependency of maven-plugin-testing-harness -->
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.22.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <!-- Fix CVE-2012-2098 and CVE-2023-37460 in dependency of maven-plugin-testing-harness -->
-            <groupId>org.codehaus.plexus</groupId>
-            <artifactId>plexus-archiver</artifactId>
-            <version>4.11.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <!-- Fix CVE-2024-36124 in dependency of plexus-archiver -->
-            <groupId>org.iq80.snappy</groupId>
-            <artifactId>snappy</artifactId>
-            <version>0.5</version>
+            <version>3.5.1</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -161,7 +134,7 @@
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>6.0.3</version>
+            <version>6.1.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -319,7 +292,7 @@
                         <path>
                             <groupId>org.apache.maven.plugins</groupId>
                             <artifactId>maven-plugin-plugin</artifactId>
-                            <version>${mavenPluginPluginVersion}</version>
+                            <version>${maven.plugin.plugin.version}</version>
                         </path>
                     </annotationProcessorPaths>
                     <compilerArgs>
@@ -332,7 +305,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-plugin-plugin</artifactId>
-                <version>${mavenPluginPluginVersion}</version>
+                <version>${maven.plugin.plugin.version}</version>
                 <configuration>
                     <goalPrefix>openfasttrace</goalPrefix>
                     <skipErrorNoDescriptorsFound>false</skipErrorNoDescriptorsFound>
@@ -386,7 +359,7 @@
                 </executions>
                 <configuration>
                     <charset>UTF-8</charset>
-                    <doclint></doclint>
+                    <doclint/>
                     <serialwarn>true</serialwarn>
                     <failOnError>true</failOnError>
                     <!-- Generated class HelpMojo causes warning with Java 21: use of default constructor, which does not provide a comment -->
@@ -554,6 +527,13 @@
                          <!-- Suppress warning "Found duplicate and different resources in [org.eclipse.sisu:org.eclipse.sisu.inject:0.3.5, org.eclipse.sisu:org.eclipse.sisu.plexus:0.3.5]" -->
                         <ignoredResourcePattern>about.html</ignoredResourcePattern>
                     </ignoredResourcePatterns>
+                    <ignoredDependencies>
+                        <!-- Workaround for https://github.com/itsallcode/openfasttrace/issues/428: API and openfasttrace module have overlaps -->
+                        <ignoredDependency>
+                            <groupId>org.itsallcode.openfasttrace</groupId>
+                            <artifactId>openfasttrace</artifactId>
+                        </ignoredDependency>
+                    </ignoredDependencies>
                 </configuration>
             </plugin>
             <plugin>
@@ -571,6 +551,59 @@
                     <failOnNonReproducible>true</failOnNonReproducible>
                 </configuration>
             </plugin>
+            <plugin>
+                <!-- Create an aggregated SPDX SBOM -->
+                <groupId>org.spdx</groupId>
+                <artifactId>spdx-maven-plugin</artifactId>
+                <version>1.0.3</version>
+                <executions>
+                    <execution>
+                        <id>aggregate-spdx</id>
+                        <goals>
+                            <goal>aggregateSPDX</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <sbomType>build</sbomType>
+                    <includeCompileScope>true</includeCompileScope>
+                    <includeRuntimeScope>true</includeRuntimeScope>
+                    <includeProvidedScope>true</includeProvidedScope>
+                    <includeSystemScope>false</includeSystemScope>
+                    <includeTestScope>false</includeTestScope>
+                    <licenseDeclared>GPL-3.0-only</licenseDeclared>
+                    <licenseConcluded>GPL-3.0-only</licenseConcluded>
+                    <copyrightText>Copyright (c) itsallcode.org</copyrightText>
+                    <createExternalRefs>false</createExternalRefs>
+                    <defaultFileConcludedLicense>GPL-3.0-only</defaultFileConcludedLicense>
+                    <defaultLicenseInformationInFile>GPL-3.0-only</defaultLicenseInformationInFile>
+                    <defaultFileCopyright>Copyright (c) itsallcode.org</defaultFileCopyright>
+                </configuration>
+            </plugin>
+            <plugin>
+                <!-- Bundle the SPDX SBOM with the Maven artifact -->
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <version>3.6.1</version>
+                <executions>
+                    <execution>
+                        <id>attach-spdx-sbom</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/site/${project.groupId}_${project.artifactId}-${project.version}.spdx.json</file>
+                                    <type>spdx</type>
+                                    <classifier>sbom</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 </project>