
chore: replace unmaintained unix-maven-plugin with jdeb, upgrade Maven to 3.9.14#8487

Merged
pethers merged 11 commits into master from copilot/remove-maven-unix-plugin on Mar 23, 2026

Conversation

Contributor

Copilot AI commented Mar 23, 2026

Description

com.stratio.mojo.unix:unix-maven-plugin (1.2.0) is unmaintained and incompatible with Maven >3.9.9, blocking upgrades. Replaced with org.vafer:jdeb (1.14) — actively maintained, cross-platform, no native tooling required.

Key changes:

  • cia-dist-deb/pom.xml: Packaging deb → pom; maven-antrun-plugin unpacks jetty-home from local Maven repository and WAR from reactor build output via Ant unzip, strips version dir, and copies configs at prepare-package phase; jdeb assembles .deb with root:root ownership and hardened file permissions at package phase; staging directory is cleaned before each build to prevent stale files
  • parent-pom/pom.xml: Replaced unix-maven-plugin 1.2.0 → jdeb 1.14 in pluginManagement
  • src/deb/control/: New control file template + idempotent maintainer scripts with proper error handling and correct shebangs
  • Maven 3.9.9 → 3.9.14 across all 5 workflow files, devcontainer, release-drafter, and docs

MDEP-98 fix: Replaced maven-dependency-plugin:unpack entirely with Ant unzip tasks inside maven-antrun-plugin at prepare-package phase. Jetty-home is read from ${settings.localRepository} and the WAR is read from reactor build output (../citizen-intelligence-agency/target/), avoiding MDEP-98 errors in all reactor contexts (javadoc:aggregate, mvn test, etc.) and ensuring mvn clean package works from the repo root without a prior install.

Secure package ownership and permissions: The jdeb perm mapper uses root:root ownership for all packaged files with filemode=644 for general files and filemode=600 for keystore.p12 to protect private key material. Directories use dirmode=755. The postinst script sets cia:cia ownership on runtime directories at install time via chown -R and makes scripts executable via chmod a+x.

Idempotent control scripts: All Debian maintainer scripts (preinst, postinst, prerm, postrm) are now idempotent and safe for upgrade/reinstall — using existence checks, ln -sf, grep/sed for properties, setup_ok tracking, proper error propagation, and correct #!/bin/bash shebangs. The postrm script gates destructive cleanup (logs/javamelody) on $1 = purge to preserve runtime data during upgrades. Missing cacerts is treated as a non-critical warning rather than a setup failure. The cia service account uses /usr/sbin/nologin shell for security hardening. The prerm script only removes cacerts if it is the managed symlink pointing to /etc/ssl/certs/java/cacerts, preserving admin-placed custom truststores.

Staging directory cleanup: The antrun target now deletes target/deb-staging before unpacking, ensuring incremental builds (mvn package without clean) never include stale files from prior builds.

Verified: .deb produces identical structure — 1263 entries, correct root:root ownership, hardened file permissions (644 default, 600 for keystore), all config files, keystore, jetty binaries, WAR contents, and control scripts.

Type of Change

Primary Changes

  • 📦 Dependency Update

Political Analysis

Technical Changes

  • 🏗️ Infrastructure
    • Configuration Updates
  • 🔒 Security & Compliance
    • Data Protection
  • 📝 Documentation
    • Technical Documentation

Impact Analysis

Political Analysis Impact

  • Impact on data quality: None
  • Impact on analysis accuracy: None
  • Impact on transparency features: None

Technical Impact

  • Performance impact: None — identical .deb output
  • Security implications: jdeb 1.14 has zero known CVEs; removes outdated plexus-utils 3.0.24 transitive dependency; package files owned by root:root to prevent privilege escalation; general files use filemode=644 and keystore.p12 uses filemode=600 to protect private key material; service account uses /usr/sbin/nologin shell; control file suggests openjdk-21-jre-headless to minimize attack surface; prerm preserves admin-placed custom truststores by only removing managed cacerts symlinks; control scripts now fail properly on errors instead of silently masking failures; correct shebangs ensure dpkg can execute maintainer scripts
  • Dependency changes: Removed com.stratio.mojo.unix:unix-maven-plugin 1.2.0 and maven-dependency-plugin unpack executions, added org.vafer:jdeb 1.14; Maven 3.9.9 → 3.9.14

Testing

  • Security compliance verified
  • .deb package structure validated via dpkg-deb --info and dpkg-deb --contents
  • Standalone mvn package -pl cia-dist-deb builds .deb correctly
  • mvn javadoc:aggregate reactor build passes without MDEP-98 error
  • mvn test reactor build passes without MDEP-98 error
  • Full mvn clean install -pl cia-dist-deb lifecycle works
  • Incremental build (mvn package without clean) produces correct output
  • mvn clean package from repo root works without prior install
  • File permissions verified: keystore.p12 at 600, general files at 644, directories at 755

Documentation

  • README updated
  • Package/module documentation updated

Screenshots

Related Issues

Checklist

  • Code follows project coding standards
  • Comments are clear and helpful
  • Documentation is updated
  • Tests are passing
  • Security compliance is maintained
  • Performance impact is acceptable
  • Breaking changes are documented
  • Changes are backward compatible

Additional Notes

The .deb filename convention (cia-dist-deb-VERSION.all.deb) matches the existing release.yml workflow expectations. The old src/main/unix/scripts/ directory is no longer used but left in place — scripts are now sourced from src/deb/control/.

Maven lifecycle phase ordering for cia-dist-deb:

  1. generate-resources — keytool generates keystore
  2. prepare-package — antrun-plugin cleans staging dir, then unpacks jetty-home from local Maven repository and WAR from reactor build output via Ant unzip, strips version directory, and copies config files
  3. package — jdeb assembles .deb from staging directory with root:root ownership and hardened file permissions

File permission model:

  • General files: filemode=644 (-rw-r--r--) with root:root ownership
  • keystore.p12: filemode=600 (-rw-------) with root:root ownership — protects private key material
  • Directories: dirmode=755 (drwxr-xr-x) with root:root ownership
  • postinst sets cia:cia ownership on runtime directories and chmod a+x on .sh scripts at install time

Control script improvements:

  • preinst: Correct #!/bin/bash shebang; checks if cia user exists via getent passwd before creating; validates adduser availability; uses /usr/sbin/nologin shell for security; propagates errors
  • postinst: Correct #!/bin/bash shebang; uses ln -sf for idempotent symlinks; checks file existence before mv; tracks setup_ok for all operations; updates database.properties idempotently via grep/sed; missing cacerts treated as non-critical warning (doesn't fail setup); only starts service if all critical setup succeeds
  • prerm: Correct #!/bin/bash shebang; uses -f flags for rm/mv; checks service existence before stopping; only removes cacerts if it is the managed symlink pointing to /etc/ssl/certs/java/cacerts (preserves admin-placed custom truststores); safe for upgrade/reinstall
  • postrm: Correct #!/bin/bash shebang; gates destructive cleanup (logs/javamelody) on $1 = purge to preserve runtime data during upgrades

Security Considerations

  • No sensitive data exposed
  • Security best practices followed
  • Compliance requirements met

Release Notes

Replaced unmaintained unix-maven-plugin with jdeb for Debian package building. Upgraded Maven from 3.9.9 to 3.9.14 across all CI workflows and dev tooling. Replaced maven-dependency-plugin:unpack with Ant unzip tasks — jetty-home from local repository and WAR from reactor build output — to prevent MDEP-98 errors in all reactor build contexts and ensure mvn clean package works from repo root. Hardened file permissions: general files at 644, keystore.p12 at 600 to protect private key material, all owned by root:root to prevent privilege escalation. Made all Debian control scripts idempotent with proper error handling, correct shebangs, tolerant optional steps (cacerts), purge-gated destructive cleanup, and managed-symlink-only cacerts removal in prerm to preserve admin custom truststores. Service account uses /usr/sbin/nologin shell and control file suggests openjdk-21-jre-headless to minimize attack surface. Added staging directory cleanup to ensure incremental builds produce correct output.
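The idempotency patterns this description attributes to the maintainer scripts (grep/sed property update, managed-symlink-only cacerts removal, purge-gated cleanup), written out as an added example rather than the PR's own preinst/postinst/prerm/postrm. It runs against a scratch directory created with mktemp instead of /opt/cia, and the function names set_property, remove_managed_link, postrm_cleanup and run_demo are this example's own:

```shell
#!/bin/sh
# Added example (not the project's own maintainer scripts): the idempotency
# patterns the PR relies on, exercised against a scratch directory instead of
# /opt/cia so it runs anywhere. Every path under $root is constructed.

# re_escape STRING -> STRING with regex metacharacters backslash-escaped,
# so a Java property key like a.b.c does not match axbxc in grep/sed.
re_escape() {
    printf '%s' "$1" | sed 's/[].[*^$\\]/\\&/g'
}

# set_property FILE KEY VALUE
# Replace an existing KEY=... line or append one; a second run changes nothing.
# Contrast with 'echo KEY=VALUE >> FILE', which adds a duplicate per upgrade.
set_property() {
    file=$1; key=$2; value=$3
    # Do not create the file: a missing WEB-INF means the WAR was never
    # staged, and an empty properties file would only hide that.
    [ -f "$file" ] || { echo "set_property: $file missing" >&2; return 1; }
    esc=$(re_escape "$key")
    if grep -q "^${esc}=" "$file"; then
        # Portable in-place edit (sed -i differs between GNU and BSD sed).
        sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# remove_managed_link LINK TARGET
# prerm pattern: delete LINK only if it is the symlink postinst created
# (resolving to TARGET). An admin-placed file or a link elsewhere is kept.
remove_managed_link() {
    link=$1; target=$2
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
        rm -f "$link"
    elif [ -e "$link" ]; then
        echo "keeping $link: not the managed symlink" >&2
    fi
}

# postrm_cleanup ACTION BASE
# postrm pattern: destructive cleanup only when dpkg passes "purge";
# "remove" and "upgrade" leave logs and javamelody data in place.
postrm_cleanup() {
    case "$1" in
        purge) rm -rf "$2/logs" "$2/javamelody" ;;
        *) ;;
    esac
}

# count_key FILE KEY -> number of lines defining KEY (0 when none).
count_key() {
    grep -c "^$(re_escape "$2")=" "$1" || true
}

# run_demo: build a scratch tree, run each pattern twice, verify the outcome.
# Returns 0 when every expectation holds, 1 otherwise.
run_demo() {
    root=$(mktemp -d); base="$root/cia-base"; rc=0
    mkdir -p "$base/webapps/cia/WEB-INF" "$base/etc" "$base/logs" \
             "$base/javamelody" "$root/etc/ssl/certs/java"
    props="$base/webapps/cia/WEB-INF/database.properties"
    printf 'database.url=jdbc:postgresql://localhost/cia\n' > "$props"
    : > "$root/etc/ssl/certs/java/cacerts"

    # 1. Property update is idempotent: two runs, exactly one line.
    set_property "$props" database.search.index.location "$base/lucene-prod/indexes"
    set_property "$props" database.search.index.location "$base/lucene-prod/indexes"
    [ "$(count_key "$props" database.search.index.location)" = 1 ] || rc=1

    # 2. The managed symlink is removed; an admin-placed truststore is not.
    ln -sf "$root/etc/ssl/certs/java/cacerts" "$base/etc/cacerts"
    remove_managed_link "$base/etc/cacerts" "$root/etc/ssl/certs/java/cacerts"
    [ ! -e "$base/etc/cacerts" ] || rc=1
    : > "$base/etc/cacerts"    # custom truststore: a regular file, not a link
    remove_managed_link "$base/etc/cacerts" "$root/etc/ssl/certs/java/cacerts" 2>/dev/null
    [ -f "$base/etc/cacerts" ] || rc=1

    # 3. Runtime data survives remove/upgrade and goes away only on purge.
    postrm_cleanup remove "$base";  [ -d "$base/logs" ] || rc=1
    postrm_cleanup upgrade "$base"; [ -d "$base/javamelody" ] || rc=1
    postrm_cleanup purge "$base";   [ ! -d "$base/logs" ] || rc=1

    rm -rf "$root"
    [ "$rc" -eq 0 ] && echo "all maintainer-script checks passed"
    return "$rc"
}

run_demo
```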



@github-actions

github-actions bot commented Mar 23, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA bbec475.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

cia-dist-deb/pom.xml

Package | Version | License | Issue Type
org.apache.maven.plugins:maven-antrun-plugin |  | Null | Unknown License

OpenSSF Scorecard

Package | Version | Score
maven/org.apache.maven.plugins:maven-antrun-plugin | Unknown | Unknown
maven/org.vafer:jdeb | 1.14 | 🟢 3.8

Details for maven/org.vafer:jdeb 1.14 (🟢 3.8):

Check | Score | Reason
Maintained | 🟢 10 | 13 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review | ⚠️ 0 | Found 0/15 approved changesets -- score normalized to 0
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Security-Policy | ⚠️ 0 | security policy file not detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Packaging | ⚠️ -1 | packaging workflow not detected
License | 🟢 10 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • cia-dist-deb/pom.xml
  • parent-pom/pom.xml

Replace the unmaintained com.stratio.mojo.unix:unix-maven-plugin with
org.vafer:jdeb v1.14 for Debian package creation. This removes the
dependency on Maven 3.9.9 and enables upgrading to Maven 3.9.14.

- Change packaging from 'deb' to 'pom' (jdeb attaches .deb artifact)
- Use maven-dependency-plugin to unpack jetty-home and WAR
- Use maven-antrun-plugin to prepare staging directory
- Use jdeb to assemble the .deb package
- Create src/deb/control/ with control file and maintainer scripts
- Remove unix-maven-plugin from parent-pom plugin management
- Update Maven version from 3.9.9 to 3.9.14 across all workflows,
  devcontainer, and documentation

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/cfec7da8-214e-4e03-8dc5-beff1135cf9d
Update .deb filename to match release workflow naming convention.
Add explanatory comment for overwrite attribute on cia.xml copy.
Update release-drafter.yml Maven version reference to 3.9.14.

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/cfec7da8-214e-4e03-8dc5-beff1135cf9d
Copilot AI changed the title from "[WIP] Remove maven unix plugin and update to latest maven version" to "chore: replace unmaintained unix-maven-plugin with jdeb, upgrade Maven to 3.9.14" on Mar 23, 2026
Copilot AI requested a review from pethers March 23, 2026 09:31
@pethers
Member

pethers commented Mar 23, 2026

@copilot analyse failures in Generate Javadoc / Generate Javadoc Documentation (pull_request)
Generate Javadoc / Generate Javadoc Documentation (pull_request): Failing after 5m

…vadoc:aggregate

The unpack executions at compile phase caused MDEP-98 error during
javadoc:aggregate because the WAR reactor artifact wasn't packaged yet.
Moving to process-classes prevents this since javadoc:aggregate only
forks lifecycle up to compile, while still running before the antrun
staging at prepare-package phase.

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/9a4ef88b-e273-4e4c-8fd1-06b9eaa27784
Contributor Author

Copilot AI commented Mar 23, 2026

@copilot analyse failures in Generate Javadoc / Generate Javadoc Documentation (pull_request)
Genera...

The Javadoc workflow failed with MDEP-98: Artifact has not been packaged yet on cia-dist-deb. Root cause: maven-dependency-plugin:unpack was bound to compile phase, which javadoc:aggregate forks into during its reactor lifecycle. The WAR artifact from citizen-intelligence-agency wasn't packaged yet at that point.

Fixed in 5d0e4e2 by moving the unpack executions to process-classes phase. This phase runs after compile but is NOT reached by javadoc:aggregate (which only forks up to compile), while still executing before the antrun staging at prepare-package and jdeb at package.

@github-actions

📚 Javadoc Generated

The Javadoc documentation has been generated for this PR. Download the javadoc artifact from the workflow run to view the complete API documentation with UML diagrams.

@pethers pethers marked this pull request as ready for review March 23, 2026 10:04
@pethers pethers requested a review from Copilot March 23, 2026 10:04
Contributor

Copilot AI left a comment


Pull request overview

Updates the project’s Debian packaging pipeline by replacing the unmaintained unix-maven-plugin with org.vafer:jdeb, and aligns CI/dev tooling documentation to use Maven 3.9.14.

Changes:

  • Replace unix-maven-plugin with jdeb (pluginManagement + cia-dist-deb packaging pipeline).
  • Introduce src/deb/control templates/scripts for jdeb and stage Debian filesystem contents under target/deb-staging/.
  • Upgrade Maven version references to 3.9.14 across GitHub Actions, devcontainer, and documentation.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 5 comments.

File Description
parent-pom/pom.xml Switch pluginManagement from unix-maven-plugin to jdeb.
cia-dist-deb/pom.xml Rework Debian build to stage artifacts/config and assemble .deb via jdeb.
cia-dist-deb/src/deb/control/control New jdeb control template (package metadata).
cia-dist-deb/src/deb/control/preinst New maintainer script copied to jdeb control dir.
cia-dist-deb/src/deb/control/postinst New maintainer script copied to jdeb control dir.
cia-dist-deb/src/deb/control/prerm New maintainer script copied to jdeb control dir.
cia-dist-deb/src/deb/control/postrm New maintainer script copied to jdeb control dir.
WORKFLOWS.md Update documented Maven runtime version to 3.9.14.
README.md Update prerequisites Maven version to 3.9.14+.
PRIORITY1_INDEXES_IMPLEMENTATION.md Update prerequisites Maven version to 3.9.14+.
PATTERN_RECOGNITION_OPTIMIZATION_IMPLEMENTATION.md Update prerequisites Maven version to 3.9.14+.
E2ETestPlan.md Update build tool Maven version to 3.9.14+.
.github/workflows/site-generation.yml Bump Maven setup + cache keys to 3.9.14.
.github/workflows/release.yml Bump Maven setup + cache keys to 3.9.14.
.github/workflows/javadoc-generation.yml Bump Maven setup + cache keys to 3.9.14.
.github/workflows/copilot-setup-steps.yml Bump Maven setup + cache keys to 3.9.14.
.github/workflows/codeql-analysis.yml Bump Maven setup + cache keys to 3.9.14.
.github/release-drafter.yml Update Maven version string in release notes template.
.github/copilot-instructions.md Update prerequisites Maven version to 3.9.14+.
.github/WORKFLOWS.md Update workflow environment Maven version to 3.9.14.
.github/MAVEN_CACHING_STRATEGY.md Update documented cache keys/restore keys to 3.9.14.
.devcontainer/devcontainer.json Update devcontainer Maven version to 3.9.14.
.devcontainer/Dockerfile Update Docker build arg default Maven version to 3.9.14.

Comment on lines +14 to +15
echo 'database.search.index.location=/opt/cia/cia-base/lucene-prod/indexes' >> /opt/cia/cia-base/webapps/cia/WEB-INF/database.properties


Copilot AI Mar 23, 2026


Appending to database.properties with >> will add duplicate database.search.index.location entries every time postinst runs (upgrade/reinstall). Consider making this idempotent by replacing an existing key/value if present or only appending when the key is missing.

Suggested change
echo 'database.search.index.location=/opt/cia/cia-base/lucene-prod/indexes' >> /opt/cia/cia-base/webapps/cia/WEB-INF/database.properties
PROPERTIES_FILE="/opt/cia/cia-base/webapps/cia/WEB-INF/database.properties"
PROPERTY_KEY="database.search.index.location"
PROPERTY_VALUE="/opt/cia/cia-base/lucene-prod/indexes"
# Ensure properties file exists and update property idempotently
touch "${PROPERTIES_FILE}"
if grep -q "^${PROPERTY_KEY}=" "${PROPERTIES_FILE}"; then
sed -i "s|^${PROPERTY_KEY}=.*|${PROPERTY_KEY}=${PROPERTY_VALUE}|" "${PROPERTIES_FILE}"
else
echo "${PROPERTY_KEY}=${PROPERTY_VALUE}" >> "${PROPERTIES_FILE}"
fi
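Review bot: touch "${PROPERTIES_FILE}" creates an empty database.properties when the WAR's WEB-INF directory was never staged, which turns a broken install into a silent one; test that the file exists first and set setup_ok=0 (or exit non-zero) when it does not. Minor: the dots in "^${PROPERTY_KEY}=" are regex metacharacters in both the grep and the sed pattern, so the match is looser than intended; escape them or use a fixed-string check.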

Comment on lines +6 to +20
mkdir -p /opt/cia/cia-base
mkdir -p /opt/cia/cia-base/logs
mkdir -p /opt/cia/cia-base/temp
chown -R cia:cia /opt/cia
mv /opt/cia/bin/jetty.sh /opt/cia/bin/cia.sh
chmod a+x /opt/cia/bin/*.sh
ln -s /opt/cia/bin/cia.sh /etc/init.d/cia

echo 'database.search.index.location=/opt/cia/cia-base/lucene-prod/indexes' >> /opt/cia/cia-base/webapps/cia/WEB-INF/database.properties

ln -s /etc/ssl/certs/java/cacerts /opt/cia/cia-base/etc/cacerts

/etc/init.d/cia start

exit 0

Copilot AI Mar 23, 2026


mv/ln -s here can fail or create broken state on upgrade/reinstall (e.g., symlink already exists, jetty.sh missing), and the script still exits 0. Consider making these steps idempotent (use existence checks and ln -sf where appropriate) and only start the service if setup succeeded.

Suggested change
mkdir -p /opt/cia/cia-base
mkdir -p /opt/cia/cia-base/logs
mkdir -p /opt/cia/cia-base/temp
chown -R cia:cia /opt/cia
mv /opt/cia/bin/jetty.sh /opt/cia/bin/cia.sh
chmod a+x /opt/cia/bin/*.sh
ln -s /opt/cia/bin/cia.sh /etc/init.d/cia
echo 'database.search.index.location=/opt/cia/cia-base/lucene-prod/indexes' >> /opt/cia/cia-base/webapps/cia/WEB-INF/database.properties
ln -s /etc/ssl/certs/java/cacerts /opt/cia/cia-base/etc/cacerts
/etc/init.d/cia start
exit 0
# Track whether critical setup steps succeed
setup_ok=1
mkdir -p /opt/cia/cia-base
mkdir -p /opt/cia/cia-base/logs
mkdir -p /opt/cia/cia-base/temp
mkdir -p /opt/cia/cia-base/etc
chown -R cia:cia /opt/cia
# Ensure cia.sh exists, moving from jetty.sh if necessary
if [ ! -f /opt/cia/bin/cia.sh ]; then
if [ -f /opt/cia/bin/jetty.sh ]; then
if ! mv /opt/cia/bin/jetty.sh /opt/cia/bin/cia.sh; then
echo "postinst: failed to move /opt/cia/bin/jetty.sh to /opt/cia/bin/cia.sh" >&2
setup_ok=0
fi
else
echo "postinst: neither /opt/cia/bin/jetty.sh nor /opt/cia/bin/cia.sh exists" >&2
setup_ok=0
fi
fi
chmod a+x /opt/cia/bin/*.sh 2>/dev/null || true
# Create/update init.d symlink idempotently
if [ -f /opt/cia/bin/cia.sh ]; then
if ! ln -sf /opt/cia/bin/cia.sh /etc/init.d/cia; then
echo "postinst: failed to create symlink /etc/init.d/cia -> /opt/cia/bin/cia.sh" >&2
setup_ok=0
fi
else
echo "postinst: /opt/cia/bin/cia.sh missing, cannot create /etc/init.d/cia symlink" >&2
setup_ok=0
fi
# Ensure database search index location is configured
if ! echo 'database.search.index.location=/opt/cia/cia-base/lucene-prod/indexes' >> /opt/cia/cia-base/webapps/cia/WEB-INF/database.properties; then
echo "postinst: failed to update database.properties" >&2
setup_ok=0
fi
# Create/update cacerts symlink idempotently
if [ -f /etc/ssl/certs/java/cacerts ]; then
if ! ln -sf /etc/ssl/certs/java/cacerts /opt/cia/cia-base/etc/cacerts; then
echo "postinst: failed to create symlink /opt/cia/cia-base/etc/cacerts" >&2
setup_ok=0
fi
else
echo "postinst: /etc/ssl/certs/java/cacerts not found, skipping cacerts symlink" >&2
setup_ok=0
fi
# Only start the service if setup completed successfully
if [ "$setup_ok" -eq 1 ]; then
if ! /etc/init.d/cia start; then
echo "postinst: failed to start cia service" >&2
exit 1
fi
exit 0
else
echo "postinst: setup errors detected, not starting cia service" >&2
exit 1
fi
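Review bot: the suggested postinst still writes the property with if ! echo 'database.search.index.location=...' >> .../database.properties, which appends a duplicate line on every upgrade or reinstall, the exact problem the comment on lines +14 to +15 raises; use that comment's grep-then-sed-or-append pattern here so the two suggestions agree. Also, chmod a+x /opt/cia/bin/*.sh 2>/dev/null || true hides a failure on the very script /etc/init.d/cia will run; let it set setup_ok=0 like the other steps.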

Comment on lines +860 to +862
<groupId>org.vafer</groupId>
<artifactId>jdeb</artifactId>
<version>1.14</version>

Copilot AI Mar 23, 2026


The PR updates CI/docs to Maven 3.9.14, but the repo’s Maven-enforcer minimum is still driven by cia.project.versions.maven in this same POM (currently 3.8.4). This creates a mismatch between enforced/advertised Maven versions; consider updating the property to 3.9.14 (or adjusting docs/PR description if 3.8.4 is still intended).


echo preinst

adduser --system --shell /bin/sh --gecos 'CIA' --group --disabled-password --home /opt/cia cia

Copilot AI Mar 23, 2026


This adduser is not idempotent and the script always exits 0, so failures to create the service user (or missing adduser) won’t fail the install. Consider checking whether the cia user already exists (e.g., getent passwd cia) before creating it, and propagate a non-zero exit code on real failures.

Suggested change
adduser --system --shell /bin/sh --gecos 'CIA' --group --disabled-password --home /opt/cia cia
# Ensure the 'cia' system user exists
if ! getent passwd cia > /dev/null 2>&1; then
if command -v adduser > /dev/null 2>&1; then
if ! adduser --system --shell /bin/sh --gecos 'CIA' --group --disabled-password --home /opt/cia cia; then
echo "Failed to create system user 'cia'." >&2
exit 1
fi
else
echo "'adduser' command not found; cannot create system user 'cia'." >&2
exit 1
fi
fi
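Review bot: the adduser line in this suggestion keeps --shell /bin/sh for the cia service account; a system account that never logs in should get --shell /usr/sbin/nologin (the later comment on the same line makes this point), so the idempotency fix and the shell change are best landed together. The getent passwd cia guard is correct, and exiting non-zero on a failed adduser is the right call, since postinst's chown -R cia:cia depends on the user existing.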

Comment on lines +3 to +7
/etc/init.d/cia stop

mv /opt/cia/bin/cia.sh /opt/cia/bin/jetty.sh
rm /etc/init.d/cia
rm /opt/cia/cia-base/etc/cacerts

Copilot AI Mar 23, 2026


This mv/rm sequence isn’t safe on upgrades/removals where files/symlinks may already be missing; failures are also masked by the unconditional exit 0. Consider making these operations idempotent (e.g., test existence and use rm -f, mv -f as appropriate) and only stopping/removing /etc/init.d/cia if it exists.

Suggested change
/etc/init.d/cia stop
mv /opt/cia/bin/cia.sh /opt/cia/bin/jetty.sh
rm /etc/init.d/cia
rm /opt/cia/cia-base/etc/cacerts
if [ -x /etc/init.d/cia ]; then
/etc/init.d/cia stop || true
fi
if [ -e /opt/cia/bin/cia.sh ]; then
mv -f /opt/cia/bin/cia.sh /opt/cia/bin/jetty.sh
fi
rm -f /etc/init.d/cia
rm -f /opt/cia/cia-base/etc/cacerts
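Review bot: rm -f /opt/cia/cia-base/etc/cacerts removes whatever is at that path, including a custom truststore an administrator put there in place of the symlink; guard it with a check that the path is a symlink whose readlink is /etc/ssl/certs/java/cacerts and leave anything else alone, which is what the prerm as merged does. The rest of the block is sound: testing -x before calling /etc/init.d/cia stop and using -f on mv and rm makes a repeated prerm run safe.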

@pethers
Member

pethers commented Mar 23, 2026

@copilot apply changes based on the comments in this thread and CodeQL / Analyze (java) (pull_request)
CodeQL / Analyze (java) (pull_request): Failing after 12m

…in mvn test

- Make preinst idempotent: check if cia user exists before creating
- Make postinst idempotent: use ln -sf, check file existence, track
  setup_ok for all operations, idempotent properties update
- Make prerm idempotent: use -f flags, check existence before stop
- Replace maven-dependency-plugin unpack with Ant unzip tasks to fix
  MDEP-98 during both javadoc:aggregate AND mvn test reactor builds
  (process-classes phase was still reached by mvn test)

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/19ad2014-94dc-48ba-befc-353f23b94af8
@pethers
Member

pethers commented Mar 23, 2026

@copilot apply changes based on the comments in this thread

Copilot AI and others added 2 commits March 23, 2026 11:56
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/bc588156-5dfa-401f-acdb-bb07c1116e16
- postinst: Missing cacerts is now tolerant (warns but doesn't fail
  setup_ok), allowing installs on systems without ca-certificates-java
- pom.xml: WAR now referenced from reactor build output
  (../citizen-intelligence-agency/target/) instead of local repository,
  so 'mvn clean package' from repo root works without prior 'install'

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/bc588156-5dfa-401f-acdb-bb07c1116e16
Contributor Author

Copilot AI commented Mar 23, 2026

@copilot apply changes based on the comments in this thread

Applied both review comments in 16b4c96:

  • postinst: Missing /etc/ssl/certs/java/cacerts now warns but doesn't set setup_ok=0 — installs proceed on systems without ca-certificates-java
  • pom.xml: WAR path changed from ${settings.localRepository} to ${basedir}/../citizen-intelligence-agency/target/, so mvn clean package from repo root works without prior install

Verified: .deb produces identical 1263-entry structure with correct control scripts.

@github-actions

📚 Javadoc Generated

The Javadoc documentation has been generated for this PR. Download the javadoc artifact from the workflow run to view the complete API documentation with UML diagrams.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 4 comments.

| **Java JDK** | 26 (Temurin) | Runtime environment | [Setup Java](https://adoptium.net/) |
| **Java Source** | 21 | Source compatibility | Maven compiler configuration |
| **Maven** | 3.9.9+ | Build automation | [Maven Install](https://maven.apache.org/install.html) |
| **Maven** | 3.9.14+ | Build automation | [Maven Install](https://maven.apache.org/install.html) |

Copilot AI Mar 23, 2026


PR description says Maven was upgraded to 3.9.14 across docs, but there are still repo docs referencing 3.9.9 (e.g., .github/agents/*.md, custom-instructions/repo/.github/copilot-instructions.md). Either update those remaining references or adjust the PR description/scope so the stated upgrade is accurate.

Comment on lines +188 to +189
<user>cia</user>
<group>cia</group>

Copilot AI Mar 23, 2026


The jdeb perm mapper sets all packaged files/directories to user/group cia with mode 755. That includes /opt/cia/bin/*.sh which is later executed as root via /etc/init.d/cia in postinst; having the service user own those scripts is a privilege-escalation risk (service user can modify code run as root). Consider mapping root:root (and non-writable modes) for init/start scripts and system config under /etc, while keeping only runtime-writable paths (e.g., logs/temp) owned by cia.

Suggested change
<user>cia</user>
<group>cia</group>
<user>root</user>
<group>root</group>
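Review bot: changing the mapper to root:root closes the ownership hole, but the same mapper still applies filemode 755 to every file (visible in the lines +185 to +193 excerpt further down), so keystore.p12 stays world-readable; a 644 default with a separate 600 mapping for the keystore belongs in the same change.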

# Ensure the 'cia' system user exists
if ! getent passwd cia > /dev/null 2>&1; then
if command -v adduser > /dev/null 2>&1; then
if ! adduser --system --shell /bin/sh --gecos 'CIA' --group --disabled-password --home /opt/cia cia; then

Copilot AI Mar 23, 2026


adduser --system --shell /bin/sh ... creates a system account with an interactive shell. Even with --disabled-password, this increases the risk of unintended interactive use; for service accounts it’s safer to use a non-login shell (e.g., /usr/sbin/nologin) unless interactive access is required.

Suggested change
if ! adduser --system --shell /bin/sh --gecos 'CIA' --group --disabled-password --home /opt/cia cia; then
if ! adduser --system --shell /usr/sbin/nologin --gecos 'CIA' --group --disabled-password --home /opt/cia cia; then

Priority: optional
Architecture: all
Pre-Depends: ca-certificates-java
Suggests: postgresql, openjdk-21-jdk-headless, ca-certificates-java

Copilot AI Mar 23, 2026


The control file suggests openjdk-21-jdk-headless. Since this package is a runtime deployment artifact, it likely only needs a JRE; suggesting the full JDK can unnecessarily increase install size and attack surface. Consider suggesting openjdk-21-jre-headless (or an appropriate runtime package) unless build-time tooling is required on the target host.

Suggested change
Suggests: postgresql, openjdk-21-jdk-headless, ca-certificates-java
Suggests: postgresql, openjdk-21-jre-headless, ca-certificates-java

@pethers
Member

pethers commented Mar 23, 2026

@copilot apply changes based on the comments in this thread

…suggest

- jdeb perm mapper: cia:cia → root:root to prevent privilege escalation
  (postinst still sets cia:cia on runtime dirs via chown)
- preinst: use /usr/sbin/nologin instead of /bin/sh for service account
- control: suggest openjdk-21-jre-headless instead of jdk-headless

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/14b48673-6d83-470f-87ee-950f9069e0c9
Contributor Author

Copilot AI commented Mar 23, 2026

@copilot apply changes based on the comments in this thread

Applied all 4 review comments in 63fee9f:

  • pom.xml: jdeb perm mapper changed to root:root — eliminates privilege-escalation risk; postinst still sets cia:cia on runtime dirs via chown -R
  • preinst: Service account shell changed to /usr/sbin/nologin
  • control: Suggests openjdk-21-jre-headless instead of jdk-headless
  • Maven 3.9.9 references: The remaining occurrences are all in .github/agents/ files which are outside the scope of this PR

@github-actions

📚 Javadoc Generated

The Javadoc documentation has been generated for this PR. Download the javadoc artifact from the workflow run to view the complete API documentation with UML diagrams.

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.

Comment on lines +185 to +193
<mapper>
<type>perm</type>
<prefix>/</prefix>
<user>root</user>
<group>root</group>
<filemode>755</filemode>
<dirmode>755</dirmode>
</mapper>
</data>

Copilot AI Mar 23, 2026

The perm mapper applies filemode=755 to every file in the package, including the generated keystore.p12. That makes the keystore world-readable (and executable), which is a security risk for a private key container. Consider using a default file mode like 644 for general files, and set stricter permissions/ownership for sensitive files (e.g., keystore) via an explicit <data> entry or a more specific mapper.

Suggested change
<mapper>
<type>perm</type>
<prefix>/</prefix>
<user>root</user>
<group>root</group>
<filemode>755</filemode>
<dirmode>755</dirmode>
</mapper>
</data>
<excludes>**/keystore.p12</excludes>
<mapper>
<type>perm</type>
<prefix>/</prefix>
<user>root</user>
<group>root</group>
<filemode>644</filemode>
<dirmode>755</dirmode>
</mapper>
</data>
<data>
<type>directory</type>
<src>${project.build.directory}/deb-staging</src>
<includes>**/keystore.p12</includes>
<mapper>
<type>perm</type>
<prefix>/</prefix>
<user>root</user>
<group>root</group>
<filemode>600</filemode>
<dirmode>755</dirmode>
</mapper>
</data>

Comment on lines +11 to +12
rm -f /opt/cia/cia-base/etc/cacerts


Copilot AI Mar 23, 2026

prerm unconditionally removes /opt/cia/cia-base/etc/cacerts. If an admin replaces the symlink with a real file (custom truststore), this will delete it during upgrade/removal. Consider only removing it when it is a symlink you manage (e.g., check -L and/or that it points to /etc/ssl/certs/java/cacerts).

Suggested change
rm -f /opt/cia/cia-base/etc/cacerts
# Only remove cacerts if it is the symlink managed by this package
if [ -L /opt/cia/cia-base/etc/cacerts ]; then
cacerts_target="$(readlink -f /opt/cia/cia-base/etc/cacerts 2>/dev/null || true)"
if [ "$cacerts_target" = "/etc/ssl/certs/java/cacerts" ]; then
rm -f /opt/cia/cia-base/etc/cacerts
fi
fi
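Review bot: the guard compares `readlink -f` output against the literal `/etc/ssl/certs/java/cacerts`, so it matches only when that path is the final resolved target; if the system cacerts is itself a symlink on the target host, or (with a non-GNU readlink) the target is missing, `cacerts_target` differs from the literal and the managed link is left behind on purge. Comparing the immediate link target with plain `readlink "$link"` (or accepting either the raw or the resolved form) keeps the intent of preserving admin-placed truststores while still cleaning up the package's own link.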

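The managed-symlink guard discussed in the comment above, as an added shell example that is not the PR's own prerm script. `remove_managed_link` and `demo_managed_link_cleanup` are names chosen here, and the scratch directory the demo builds is constructed for illustration. The function compares the immediate link target with `readlink` rather than `readlink -f`, so the check does not depend on the expected target existing or on whether it is itself a symlink.

```shell
#!/bin/sh
# Added example (not part of the PR): remove a package-managed symlink only
# when it still points at the target the package created. A regular file or a
# symlink to another target (an admin-placed custom truststore) is preserved.

# remove_managed_link LINK EXPECTED_TARGET
#   returns 0 when LINK was the managed symlink and has been removed,
#   1 when LINK was left in place (regular file, foreign symlink, or absent).
remove_managed_link() {
    link="$1"
    expected="$2"

    # -L is true only for a symlink, whether or not its target exists, so a
    # dangling managed link is still cleaned up; a real file never passes.
    if [ ! -L "$link" ]; then
        return 1
    fi

    # Compare the immediate link target rather than readlink -f's fully
    # resolved path, so the check still matches when EXPECTED_TARGET is itself
    # a symlink, lives under a symlinked directory, or is currently missing.
    actual="$(readlink "$link" 2>/dev/null || true)"
    if [ "$actual" = "$expected" ]; then
        rm -f "$link"
        return 0
    fi
    return 1
}

# demo_managed_link_cleanup exercises the three cases in a scratch directory
# (constructed here for illustration) and returns 0 only if each behaves as
# the prerm guard intends. A prerm would instead call, for example:
#   remove_managed_link /opt/cia/cia-base/etc/cacerts /etc/ssl/certs/java/cacerts || true
demo_managed_link_cleanup() {
    scratch="$(mktemp -d)" || return 1
    target="$scratch/system-cacerts"
    : > "$target"
    ok=0

    # Case 1: the symlink the package created -> removed
    ln -s "$target" "$scratch/managed"
    if remove_managed_link "$scratch/managed" "$target" && [ ! -e "$scratch/managed" ]; then
        ok=$((ok + 1))
    fi

    # Case 2: admin replaced the link with a real file -> preserved
    : > "$scratch/custom"
    if ! remove_managed_link "$scratch/custom" "$target" && [ -f "$scratch/custom" ]; then
        ok=$((ok + 1))
    fi

    # Case 3: symlink to a different truststore -> preserved
    : > "$scratch/other-store"
    ln -s "$scratch/other-store" "$scratch/foreign"
    if ! remove_managed_link "$scratch/foreign" "$target" && [ -L "$scratch/foreign" ]; then
        ok=$((ok + 1))
    fi

    rm -rf "$scratch"
    [ "$ok" -eq 3 ]
}
```

The `|| true` in the suggested prerm call matters under `set -e`: leaving a foreign file in place is the intended outcome, not a failure that should abort package removal.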
Member

pethers commented Mar 23, 2026

@copilot apply changes based on the comments in this thread

Copilot AI and others added 2 commits March 23, 2026 12:57
…emove managed cacerts symlink in prerm

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/a4f86eb6-c74c-40a6-a9f1-025e0b8b38b4
Contributor Author

Copilot AI commented Mar 23, 2026

@copilot apply changes based on the comments in this thread

Applied both review comments in c241c86 and bbec475:

  • pom.xml: Split jdeb dataSet into two entries — general files at filemode=644, keystore.p12 at filemode=600 (was 755 for all). Verified: keystore shows -rw------- and regular files show -rw-r--r-- in dpkg-deb --contents
  • prerm: Cacerts removal now guarded by -L (is symlink) + readlink check against /etc/ssl/certs/java/cacerts — admin-placed custom truststores are preserved
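To verify the ownership and mode split summarised here (and the root:root requirement settled earlier in the thread) without opening the package by hand, the following added shell check, which is not part of the PR, reads a `dpkg-deb --contents` listing from stdin. `audit_deb_listing`, `count_sample_findings` and the sample listing are constructed for this example; the column layout assumed is the `tar -tv` form that `dpkg-deb --contents` prints.

```shell
#!/bin/sh
# Added example (not the PR's own code): audit a `dpkg-deb --contents` listing.
# Each line has the tar -tv layout:
#   MODE OWNER/GROUP SIZE DATE TIME PATH [-> LINK_TARGET]

# audit_deb_listing reads the listing on stdin, prints one finding per line
# and returns 0 only when there are no findings. Checks:
#   1. every entry is owned by root/root (the service user must not own
#      files the package installs)
#   2. no regular file or directory is group- or world-writable
#   3. key containers (*.p12, *.jks, *.pem, *.key) are exactly mode 0600
audit_deb_listing() {
    findings=0
    while read -r mode owner _size _date _time path _rest; do
        # Only process ls-style entries (10-character mode string)
        case "$mode" in
            [-dl]?????????) ;;
            *) continue ;;
        esac

        if [ "$owner" != "root/root" ]; then
            echo "owner $owner (expected root/root): $path"
            findings=$((findings + 1))
        fi

        # A symlink's own mode bits are meaningless; its target is checked
        # under its own entry if it is in the package.
        case "$mode" in l*) continue ;; esac

        # Positions 6 and 9 of the mode string are the group and other write bits
        gw="$(printf '%s' "$mode" | cut -c6)"
        ow="$(printf '%s' "$mode" | cut -c9)"
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "group/world writable ($mode): $path"
            findings=$((findings + 1))
        fi

        case "$path" in
            *.p12|*.jks|*.pem|*.key)
                if [ "$mode" != "-rw-------" ]; then
                    echo "key material not mode 0600 ($mode): $path"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample listing (not from a real build) showing the state the
# review objected to: keystore at 0644 and a script owned by the service user.
SAMPLE_LISTING='drwxr-xr-x root/root         0 2026-03-23 12:57 ./opt/cia/cia-base/etc/
-rw-r--r-- root/root      1210 2026-03-23 12:57 ./opt/cia/cia-base/etc/cia.properties
-rw-r--r-- root/root      2345 2026-03-23 12:57 ./opt/cia/cia-base/etc/keystore.p12
-rwxrwxr-x cia/cia        9876 2026-03-23 12:57 ./opt/cia/cia-base/bin/start.sh
lrwxrwxrwx root/root         0 2026-03-23 12:57 ./opt/cia/cia-base/etc/cacerts -> /etc/ssl/certs/java/cacerts'

# count_sample_findings echoes how many findings the sample produces: 3
# (keystore not 0600, start.sh owned by cia/cia, start.sh group-writable).
count_sample_findings() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_deb_listing | wc -l | tr -d ' '
}
```

Against a built package the call is `dpkg-deb --contents target/*.deb | audit_deb_listing`, which makes the check usable as a CI gate: a non-zero exit fails the job and the printed findings name the offending paths.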

@github-actions

📚 Javadoc Generated

The Javadoc documentation has been generated for this PR. Download the javadoc artifact from the workflow run to view the complete API documentation with UML diagrams.


@pethers pethers merged commit ac870db into master Mar 23, 2026
11 checks passed
@pethers pethers deleted the copilot/remove-maven-unix-plugin branch March 23, 2026 13:04