Product Engineering Standard v1
Strict, enterprise-grade standards for build determinism, static analysis, security, and release discipline. These gates are wired into the parent Maven POM so every module inherits the same expectations.
Java 25
Spring Boot 4
Maven multi-module
Fail fast CI
SBOM + SCA
Non-negotiable quality gates
- Enforcer: JVM/Maven version, dependency convergence, no SNAPSHOT deps in CI.
- Formatting: Spotless runs at `validate`; commits fail if dirty.
- Style: Checkstyle executes at `verify` with repo-provided rules.
- Static analysis: PMD + SpotBugs at `verify`; zero warning budget.
- Testing: Unit + Integration via Surefire/Failsafe.
- Coverage: JaCoCo gate at 80% line coverage by default.
- Security: OWASP Dependency-Check blocks CVSS ≥ 7; CycloneDX SBOM per build.
CI command
Run all gates (the `ci` profile is not defined in the snippet below, so it must already exist in the parent POM):
CI=true mvn -Pci clean verify
Repo layout expectations
config/
  checkstyle/checkstyle.xml
  checkstyle/suppressions.xml
  pmd/pmd.xml
  spotbugs/spotbugs-exclude.xml
Maven enforcement hooks (parent POM snippet)
Copy into the parent pom.xml and adjust thresholds over time.
<!-- Add to parent pom.xml -->
<properties>
  <!-- Toolchain floor; both values feed the Enforcer version ranges. -->
  <java.version>25</java.version>
  <maven.min.version>3.9.6</maven.min.version>

  <!-- Plugin versions, pinned in one place so every module resolves the same tooling. -->
  <maven.enforcer.version>3.6.2</maven.enforcer.version>
  <maven.checkstyle.version>3.6.0</maven.checkstyle.version>
  <maven.pmd.version>3.28.0</maven.pmd.version>
  <spotless.version>3.1.0</spotless.version>
  <spotbugs.maven.version>4.9.8.2</spotbugs.maven.version>
  <jacoco.version>0.8.14</jacoco.version>
  <!-- Used for both maven-surefire-plugin and maven-failsafe-plugin. -->
  <surefire.version>3.5.4</surefire.version>
  <owasp.dc.version>12.1.9</owasp.dc.version>
  <cyclonedx.version>2.9.1</cyclonedx.version>

  <!-- Coverage threshold as a ratio: 0.80 means 80% of lines. -->
  <jacoco.line.coverage.minimum>0.80</jacoco.line.coverage.minimum>
</properties>
<build>
<pluginManagement>
<plugins>
<!-- Enforcer: build-environment and dependency-hygiene rules, evaluated at validate. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>${maven.enforcer.version}</version>
  <executions>
    <execution>
      <id>enforce</id>
      <phase>validate</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <!-- Open-ended ranges: the configured minimum or anything newer. -->
          <requireMavenVersion>
            <version>[${maven.min.version},)</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>[${java.version},)</version>
          </requireJavaVersion>
          <!-- Transitive dependencies must agree on a single version. -->
          <dependencyConvergence/>
          <banDuplicatePomDependencyVersions/>
          <!--
            SNAPSHOT dependencies are mutable, so the same commit can resolve to
            different artifacts over time; this rule rejects them.
            NOTE(review): the rule is unconditional here, not limited to CI. With
            its default settings it also checks the parent, so a reactor whose own
            version is a SNAPSHOT may fail. Confirm, and see the rule's
            onlyWhenRelease / failWhenParentIsSnapshot / excludes options.
          -->
          <requireReleaseDeps/>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
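<!-- Spotless: formatting gate, evaluated at validate. -->
<plugin>
  <groupId>com.diffplug.spotless</groupId>
  <artifactId>spotless-maven-plugin</artifactId>
  <version>${spotless.version}</version>
  <executions>
    <execution>
      <id>spotless</id>
      <phase>validate</phase>
      <!--
        check, not apply: apply rewrites sources in place and never fails the
        build, so CI would compile and analyse code that differs from the commit.
        check leaves files untouched and fails when formatting is off. Developers
        fix findings locally with "mvn spotless:apply".
      -->
      <goals>
        <goal>check</goal>
      </goals>
      <configuration>
        <java>
          <palantirJavaFormat/>
        </java>
      </configuration>
    </execution>
  </executions>
</plugin>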
<!-- Checkstyle: style gate, evaluated at verify against the repo-provided rules. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-checkstyle-plugin</artifactId>
  <version>${maven.checkstyle.version}</version>
  <executions>
    <execution>
      <id>checkstyle</id>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
      <configuration>
        <!--
          NOTE(review): both paths are relative. In a multi-module reactor,
          confirm they resolve to the repo-level config/ directory when the
          plugin runs inside a child module.
        -->
        <configLocation>config/checkstyle/checkstyle.xml</configLocation>
        <!-- Entries in the suppressions file switch rules off; review changes to it like code. -->
        <suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
      </configuration>
    </execution>
  </executions>
</plugin>
<!-- PMD: static-analysis gate, evaluated at verify with the repo ruleset. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-pmd-plugin</artifactId>
  <version>${maven.pmd.version}</version>
  <executions>
    <execution>
      <id>pmd</id>
      <phase>verify</phase>
      <goals>
        <!-- check fails the build when the ruleset reports violations. -->
        <goal>check</goal>
      </goals>
      <configuration>
        <rulesets>
          <!-- NOTE(review): relative path; confirm it resolves from child modules. -->
          <ruleset>config/pmd/pmd.xml</ruleset>
        </rulesets>
      </configuration>
    </execution>
  </executions>
</plugin>
<!-- SpotBugs: bytecode bug-pattern gate, evaluated at verify. -->
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>${spotbugs.maven.version}</version>
  <executions>
    <execution>
      <id>spotbugs</id>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
      <configuration>
        <!--
          Findings matched by this filter are dropped before the gate decides,
          so every new entry relaxes the check; keep entries narrow and reviewed.
          NOTE(review): relative path; confirm it resolves from child modules.
        -->
        <excludeFilterFile>config/spotbugs/spotbugs-exclude.xml</excludeFilterFile>
      </configuration>
    </execution>
  </executions>
</plugin>
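<!-- JaCoCo: coverage agent, report, and the line-coverage gate. -->
<plugin>
  <groupId>org.jacoco</groupId>
  <artifactId>jacoco-maven-plugin</artifactId>
  <version>${jacoco.version}</version>
  <executions>
    <!-- Attaches the coverage agent to the test JVM. -->
    <execution>
      <id>prepare-agent</id>
      <goals>
        <goal>prepare-agent</goal>
      </goals>
    </execution>
    <!-- Renders the coverage report; this goal does not evaluate rules. -->
    <execution>
      <id>report</id>
      <phase>verify</phase>
      <goals>
        <goal>report</goal>
      </goals>
    </execution>
    <!--
      The gate itself. Coverage rules are read by the check goal only; when
      they were configured on the report execution the build could not fail on
      low coverage. BUNDLE applies the limit to each module as a whole.
    -->
    <execution>
      <id>check</id>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
      <configuration>
        <rules>
          <rule>
            <element>BUNDLE</element>
            <limits>
              <limit>
                <counter>LINE</counter>
                <value>COVEREDRATIO</value>
                <minimum>${jacoco.line.coverage.minimum}</minimum>
              </limit>
            </limits>
          </rule>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>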
<!-- OWASP Dependency-Check: known-vulnerability (SCA) gate, evaluated at verify. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>${owasp.dc.version}</version>
  <configuration>
    <!-- The build fails when a dependency has a finding scored CVSS 7 or higher. -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!--
      NOTE(review): no NVD API key is configured here. If one is used
      (nvdApiKey), supply it from a CI secret or settings.xml and never commit
      it to the POM. The gate only reflects advisories known at scan time, so
      released versions need periodic re-scans as well.
    -->
  </configuration>
  <executions>
    <execution>
      <id>nvd</id>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
<!-- CycloneDX: SBOM generation at verify. -->
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>${cyclonedx.version}</version>
  <executions>
    <execution>
      <id>sbom</id>
      <phase>verify</phase>
      <goals>
        <!--
          Aggregate bill of materials for the multi-module build. Keep the
          generated BOM with the release artifacts so later advisories can be
          matched against what actually shipped.
        -->
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
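<!-- Surefire / Failsafe: unit and integration test runners, on one shared version. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-surefire-plugin</artifactId>
  <version>${surefire.version}</version>
</plugin>
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-failsafe-plugin</artifactId>
  <version>${surefire.version}</version>
  <!--
    Failsafe has no default lifecycle binding, so a version pin alone never
    runs integration tests. integration-test executes them; verify fails the
    build on their results. The execution id is left at its default so it
    merges with an execution inherited from a parent rather than running the
    tests twice.
  -->
  <executions>
    <execution>
      <goals>
        <goal>integration-test</goal>
        <goal>verify</goal>
      </goals>
    </execution>
  </executions>
</plugin>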
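</plugins>
</pluginManagement>
<!--
  pluginManagement only pins versions and configuration; a plugin executes in
  a module only when it is also declared under build/plugins (here or in a
  child). Without the declarations below none of the gates would run, apart
  from Surefire, which the default lifecycle already binds. Move this list
  into a profile if the gates should be limited to CI.
-->
<plugins>
  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-enforcer-plugin</artifactId>
  </plugin>
  <plugin>
    <groupId>com.diffplug.spotless</groupId>
    <artifactId>spotless-maven-plugin</artifactId>
  </plugin>
  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-checkstyle-plugin</artifactId>
  </plugin>
  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-pmd-plugin</artifactId>
  </plugin>
  <plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
  </plugin>
  <plugin>
    <groupId>org.jacoco</groupId>
    <artifactId>jacoco-maven-plugin</artifactId>
  </plugin>
  <plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
  </plugin>
  <plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
  </plugin>
  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-failsafe-plugin</artifactId>
  </plugin>
</plugins>
</build>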