Verification loop for Spring Boot projects: build, static analysis, tests with coverage, security scans, and diff review before release or PR.
在提交 PR 前、重大变更后以及部署前运行。
mvn -T 4 clean verify -DskipTests
# or
./gradlew clean assemble -x test
如果构建失败,停止并修复。
Maven(常用插件):
mvn -T 4 spotbugs:check pmd:check checkstyle:check
Gradle(如果已配置):
./gradlew checkstyleMain pmdMain spotbugsMain
mvn -T 4 test
mvn jacoco:report # verify 80%+ coverage
# or
./gradlew test jacocoTestReport
报告:
使用模拟的依赖项来隔离测试服务逻辑:
@ExtendWith(MockitoExtension.class)
class UserServiceTest {
@Mock private UserRepository userRepository;
@InjectMocks private UserService userService;
@Test
void createUser_validInput_returnsUser() {
var dto = new CreateUserDto("Alice", "alice@example.com");
var expected = new User(1L, "Alice", "alice@example.com");
when(userRepository.save(any(User.class))).thenReturn(expected);
var result = userService.create(dto);
assertThat(result.name()).isEqualTo("Alice");
verify(userRepository).save(any(User.class));
}
@Test
void createUser_duplicateEmail_throwsException() {
var dto = new CreateUserDto("Alice", "existing@example.com");
when(userRepository.existsByEmail(dto.email())).thenReturn(true);
assertThatThrownBy(() -> userService.create(dto))
.isInstanceOf(DuplicateEmailException.class);
}
}
针对真实数据库(而非 H2)进行测试:
@SpringBootTest
@Testcontainers
class UserRepositoryIntegrationTest {
@Container
static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:16-alpine")
.withDatabaseName("testdb");
@DynamicPropertySource
static void configureProperties(DynamicPropertyRegistry registry) {
registry.add("spring.datasource.url", postgres::getJdbcUrl);
registry.add("spring.datasource.username", postgres::getUsername);
registry.add("spring.datasource.password", postgres::getPassword);
}
@Autowired private UserRepository userRepository;
@Test
void findByEmail_existingUser_returnsUser() {
userRepository.save(new User("Alice", "alice@example.com"));
var found = userRepository.findByEmail("alice@example.com");
assertThat(found).isPresent();
assertThat(found.get().getName()).isEqualTo("Alice");
}
}
在完整的 Spring 上下文中测试控制器层:
@WebMvcTest(UserController.class)
class UserControllerTest {
@Autowired private MockMvc mockMvc;
@MockBean private UserService userService;
@Test
void createUser_validInput_returns201() throws Exception {
var user = new UserDto(1L, "Alice", "alice@example.com");
when(userService.create(any())).thenReturn(user);
mockMvc.perform(post("/api/users")
.contentType(MediaType.APPLICATION_JSON)
.content("""
{"name": "Alice", "email": "alice@example.com"}
"""))
.andExpect(status().isCreated())
.andExpect(jsonPath("$.name").value("Alice"));
}
@Test
void createUser_invalidEmail_returns400() throws Exception {
mockMvc.perform(post("/api/users")
.contentType(MediaType.APPLICATION_JSON)
.content("""
{"name": "Alice", "email": "not-an-email"}
"""))
.andExpect(status().isBadRequest());
}
}
# Dependency CVEs
mvn org.owasp:dependency-check-maven:check
# or
./gradlew dependencyCheckAnalyze
# Secrets in source
grep -rn "password\s*=\s*\"" src/ --include="*.java" --include="*.yml" --include="*.properties"
grep -rn "sk-\|api_key\|secret" src/ --include="*.java" --include="*.yml"
# Secrets (git history)
git secrets --scan # if configured
# 检查 System.out.println(应使用日志记录器)
grep -rn "System\.out\.print" src/main/ --include="*.java"
# 检查响应中的原始异常消息
grep -rn "e\.getMessage()" src/main/ --include="*.java"
# 检查通配符 CORS 配置
grep -rn "allowedOrigins.*\*" src/main/ --include="*.java"
mvn spotless:apply # if using Spotless plugin
./gradlew spotlessApply
git diff --stat
git diff
检查清单:
System.out、log.debug 没有防护)验证报告
===================
构建: [通过/失败]
静态分析: [通过/失败] (spotbugs/pmd/checkstyle)
测试: [通过/失败] (X/Y 通过, Z% 覆盖率)
安全性: [通过/失败] (CVE 发现数: N)
差异: [X 个文件变更]
总体: [就绪 / 未就绪]
待修复问题:
1. ...
2. ...
mvn -T 4 test + spotbugs 以获取快速反馈记住:快速反馈胜过意外惊喜。保持关卡严格——将警告视为生产系统中的缺陷。
