diff options
| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-10 15:01:14 +0100 |
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-10 15:01:14 +0100 |
| commit | 6cebc7aa1aecb1bc8f87443887a90fe851893954 (patch) | |
| tree | 90f9b8b0187a4bb4d033ccd57cc15e72b27791ae | |
| parent | a126c249b8ed83dce4386331a49d04a42b53e448 (diff) | |
| parent | 360df2054cdc5a8bc194f7701b2bfa5a9c39dd0d (diff) | |
| download | EAAF-Components-6cebc7aa1aecb1bc8f87443887a90fe851893954.tar.gz EAAF-Components-6cebc7aa1aecb1bc8f87443887a90fe851893954.tar.bz2 EAAF-Components-6cebc7aa1aecb1bc8f87443887a90fe851893954.zip | |
Merge branch 'feature/someSmallUpdates' into 'nightlyBuild'
Feature/some small updates
See merge request egiz/eaaf_components!6
19 files changed, 557 insertions, 237 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 37ca635e..9ec05060 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -13,12 +13,12 @@ variables: include: - template: Dependency-Scanning.gitlab-ci.yml - - template: Security/SAST.gitlab-ci.yml - template: Secret-Detection.gitlab-ci.yml - template: Code-Quality.gitlab-ci.yml stages: - assemble + - visualize - test - package - release @@ -37,7 +37,27 @@ assemble: when: always reports: junit: "**/target/surefire-reports/TEST-*.xml" - + paths: + - build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml + +coverage: + stage: visualize + image: haynes/jacoco2cobertura:1.0.4 + script: + - mkdir -p target/site + # convert report from jacoco to cobertura + - 'python /opt/cover2cover.py build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml eaaf_core_api/src/main/java eaaf_core_utils/src/main/java eaaf_core/src/main/java eaaf_modules/eaaf_module_auth_sl20/src/main/java eaaf_modules/eaaf_module_moa-sig/src/main/java eaaf_modules/eaaf_module_pvp2_core/src/main/java eaaf_modules/eaaf_module_pvp2_idp/src/main/java eaaf_modules/eaaf_module_pvp2_sp/src/main/java > target/site/cobertura.xml' + # read the <source></source> tag and prepend the path to every filename attribute + #- 'python /opt/source2filename.py target/site/cobertura.xml' + needs: + - job: assemble + dependencies: + - assemble + artifacts: + reports: + cobertura: target/site/cobertura.xml + + publishToGitlab: stage: package except: diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml new file mode 100644 index 00000000..5300ff74 --- /dev/null +++ b/build_reporting/pom.xml @@ -0,0 +1,78 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>at.gv.egiz</groupId> + <artifactId>eaaf</artifactId> + <version>1.1.11-SNAPSHOT</version> + </parent> + <artifactId>build_reporting</artifactId> + <packaging>pom</packaging> + <name>Reporting Module</name> + + <dependencies> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_api</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_utils</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf-core</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_auth_sl20</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_moa-sig</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_core</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_idp</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_sp</artifactId> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.jacoco</groupId> + <artifactId>jacoco-maven-plugin</artifactId> + <version>${jacoco-maven-plugin.version}</version> + <executions> + <!-- aggregated unit test coverage report --> + <execution> + <id>aggregate-reports-ut</id> + <phase>test</phase> + <goals> + <goal>report-aggregate</goal> + </goals> + <configuration> + <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title> + <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory> + <dataFileExcludes> + <!-- exclude coverage data of integration tests --> + <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude> + </dataFileExcludes> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> + +</project>
\ No newline at end of file diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..aa11a955 --- /dev/null +++ b/eaaf_core/checks/spotbugs-exclude.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- bPK requires SHA1 from specification --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" /> + <OR> + <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" /> + </OR> + </Match> + <Match> + <!-- only redirects to internal addresses --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/> + <Method name="performRedirectToItself" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> + <Match> + <!-- only redirects to internal addresses --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/> + <Method name="forwardToErrorHandler" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> + <Match> + <!-- the ErrorToken is only single-used as same as a CSRF token --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> + <Method name="errorHandling" /> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> + <Match> + <!-- Only used to evaluate expressions from pre-compiled process-flows --> + <OR> + <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/> + </OR> + <Bug pattern="SPEL_INJECTION" /> + </Match> + <Match> + <!-- URL will be only generated from configuration path--> + <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </Match> + <Match> + <!-- Logging of request parameters is allowed for this classes --> + <OR> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/> + </OR> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> +</FindBugsFilter> diff --git a/eaaf_core/pom.xml b/eaaf_core/pom.xml index a1eee06e..178b53a3 100644 --- a/eaaf_core/pom.xml +++ b/eaaf_core/pom.xml @@ -1,108 +1,112 @@ <?xml version="1.0" encoding="UTF-8"?> -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <parent> - <groupId>at.gv.egiz</groupId> - <artifactId>eaaf</artifactId> - <version>1.1.11-SNAPSHOT</version> + <groupId>at.gv.egiz</groupId> + <artifactId>eaaf</artifactId> + <version>1.1.11-SNAPSHOT</version> </parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf-core</artifactId> <name>EAAF core components</name> <description>Core components for identity managment implementations</description> - + <dependencies> - <dependency> - <groupId>at.gv.egiz.eaaf</groupId> - <artifactId>eaaf_core_api</artifactId> - </dependency> - <dependency> - <groupId>at.gv.egiz.eaaf</groupId> - <artifactId>eaaf_core_utils</artifactId> - </dependency> - - <dependency> - <groupId>at.gv.egiz.components</groupId> - <artifactId>eventlog-api</artifactId> - </dependency> - <dependency> - <groupId>at.gv.egiz.components</groupId> - <artifactId>egiz-spring-api</artifactId> - </dependency> - <dependency> - <groupId>javax.annotation</groupId> - <artifactId>javax.annotation-api</artifactId> - </dependency> - <dependency> - <groupId>org.springframework</groupId> - <artifactId>spring-webmvc</artifactId> - <scope>provided</scope> - </dependency> - <dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-api</artifactId> - </dependency> - <!-- dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-log4j12</artifactId> - </dependency--> - <dependency> - <groupId>commons-codec</groupId> - <artifactId>commons-codec</artifactId> - </dependency> - <dependency> - <groupId>org.apache.commons</groupId> - <artifactId>commons-lang3</artifactId> - </dependency> - <dependency> - <groupId>org.apache.commons</groupId> - <artifactId>commons-collections4</artifactId> - </dependency> - <dependency> - <groupId>org.apache.commons</groupId> - <artifactId>commons-text</artifactId> - </dependency> - <dependency> - <groupId>commons-fileupload</groupId> - <artifactId>commons-fileupload</artifactId> - </dependency> - <dependency> - <groupId>javax.servlet</groupId> - <artifactId>javax.servlet-api</artifactId> - </dependency> - <dependency> - <groupId>org.apache.velocity</groupId> - <artifactId>velocity</artifactId> - </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_api</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_utils</artifactId> + </dependency> + + <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>eventlog-api</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>egiz-spring-api</artifactId> + </dependency> + <dependency> + <groupId>javax.annotation</groupId> + <artifactId>javax.annotation-api</artifactId> + </dependency> + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-webmvc</artifactId> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-api</artifactId> + </dependency> + <!-- dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> + </dependency --> + <dependency> + <groupId>commons-codec</groupId> + <artifactId>commons-codec</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-lang3</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-collections4</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-text</artifactId> + </dependency> + <dependency> + <groupId>commons-fileupload</groupId> + <artifactId>commons-fileupload</artifactId> + </dependency> + <dependency> + <groupId>javax.servlet</groupId> + <artifactId>javax.servlet-api</artifactId> + </dependency> + <dependency> + <groupId>org.apache.velocity</groupId> + <artifactId>velocity</artifactId> + </dependency> <dependency> <groupId>commons-collections</groupId> - <artifactId>commons-collections</artifactId> - </dependency> - <dependency> - <groupId>jaxen</groupId> - <artifactId>jaxen</artifactId> - </dependency> - <dependency> - <groupId>xerces</groupId> - <artifactId>xercesImpl</artifactId> - </dependency> - <dependency> - <groupId>xalan</groupId> - <artifactId>xalan</artifactId> - </dependency> - + <artifactId>commons-collections</artifactId> + </dependency> + <dependency> + <groupId>org.owasp.encoder</groupId> + <artifactId>encoder</artifactId> + </dependency> + <dependency> + <groupId>jaxen</groupId> + <artifactId>jaxen</artifactId> + </dependency> + <dependency> + <groupId>xerces</groupId> + <artifactId>xercesImpl</artifactId> + </dependency> + <dependency> + <groupId>xalan</groupId> + <artifactId>xalan</artifactId> + </dependency> + <!-- For testing --> - <dependency> - <groupId>junit</groupId> - <artifactId>junit</artifactId> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.springframework</groupId> - <artifactId>spring-test</artifactId> - <scope>test</scope> - </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-test</artifactId> + <scope>test</scope> + </dependency> <dependency> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_core_utils</artifactId> @@ -110,10 +114,10 @@ <type>test-jar</type> </dependency> </dependencies> - - <build> + + <build> <finalName>eaaf_core</finalName> - + <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> @@ -124,44 +128,54 @@ <target>1.8</target> </configuration> <executions> - <execution> - <goals> - <goal>compile</goal> - <goal>testCompile</goal> - </goals> - </execution> + <execution> + <goals> + <goal>compile</goal> + <goal>testCompile</goal> + </goals> + </execution> </executions> </plugin> <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-jar-plugin</artifactId> - <version>3.1.0</version> - <executions> - <execution> - <goals> - <goal>test-jar</goal> - </goals> - </execution> - </executions> - </plugin> - + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-jar-plugin</artifactId> + <version>3.1.0</version> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> + <!-- enable co-existence of testng and junit --> - <plugin> - <artifactId>maven-surefire-plugin</artifactId> - <version>${surefire.version}</version> - <configuration> - <threadCount>1</threadCount> - </configuration> - <dependencies> - <dependency> - <groupId>org.apache.maven.surefire</groupId> - <artifactId>surefire-junit47</artifactId> - <version>${surefire.version}</version> - </dependency> - </dependencies> - </plugin> - + <plugin> + <artifactId>maven-surefire-plugin</artifactId> + <version>${surefire.version}</version> + <configuration> + <threadCount>1</threadCount> + </configuration> + <dependencies> + <dependency> + <groupId>org.apache.maven.surefire</groupId> + <artifactId>surefire-junit47</artifactId> + <version>${surefire.version}</version> + </dependency> + </dependencies> + </plugin> + + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> - + </project> diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java index 50bf76db..4410267e 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java @@ -20,8 +20,6 @@ package at.gv.egiz.eaaf.core.impl.idp.auth.services; import java.io.IOException; -import java.io.PrintWriter; -import java.io.StringWriter; import java.util.HashSet; import javax.annotation.PostConstruct; @@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.lang3.StringUtils; import org.apache.commons.text.StringEscapeUtils; +import org.owasp.encoder.Encode; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer // write generic message for general exceptions final String msg = statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null); - writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable); + writeHtmlErrorResponse(req, resp, msg, "9199", null); } @@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq, @NonNull final HttpServletResponse httpResp, @NonNull final String msg, - @NonNull final String errorCode, @Nullable final Object[] params, - @NonNull final Exception error) throws EaafException { + @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException { try { final IGuiBuilderConfiguration config = @@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS, ArrayUtils.toString(errorCodeParams)); - // add stacktrace if debug is enabled - if (log.isTraceEnabled()) { - ((ModifyableGuiBuilderConfiguration) config).putCustomParameter( - AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE, - getStacktraceFromException(error)); - - } - } else { log.info( "Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable "); @@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer } - private String getStacktraceFromException(final Exception ex) { - final StringWriter errors = new StringWriter(); - ex.printStackTrace(new PrintWriter(errors)); - return errors.toString(); - - } - private void internalMoaidExceptionHandler(final HttpServletRequest req, final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog) throws IOException, EaafException { if (e instanceof ProtocolNotActiveException) { - resp.getWriter().write(e.getMessage()); + resp.getWriter().write(Encode.forHtml(e.getMessage())); resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8); resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage()))); @@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer // write error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } else if (e instanceof InvalidProtocolRequestException) { // send error response writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } else if (e instanceof ConfigurationException) { // send HTML formated error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } else if (e instanceof EaafException) { // send HTML formated error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - ((EaafException) e).getParams(), e); + ((EaafException) e).getParams()); } else if (e instanceof ProcessExecutionException) { // send HTML formated error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java index 14537d44..edca0fba 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java @@ -101,6 +101,7 @@ public class ProcessDefinitionParser { // Standard implementation of XMLInputFactory seems not to be thread-safe final XMLInputFactory inputFactory = XMLInputFactory.newInstance(); + inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); reader = inputFactory.createXMLEventReader(processDefinitionInputStream); final List<StartElement> transitionElements = new ArrayList<>(); diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java index e8d5c294..4b8a7a04 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java @@ -33,6 +33,7 @@ import java.util.Map.Entry; import java.util.Set; import java.util.Vector; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory; import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; -import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; - import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.StringUtils; import org.apache.xerces.parsers.DOMParser; @@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler; import org.xml.sax.InputSource; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; + /** * Various utility functions for handling XML DOM trees. * @@ -785,6 +786,7 @@ public class DomUtils { throws TransformerException, IOException { final TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Transformer transformer = transformerFactory.newTransformer(); final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384); @@ -1211,6 +1213,7 @@ public class DomUtils { // StringWriter stringWriter = new StringWriter(); final Result result = new StreamResult(out); final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Transformer transformer = factory.newTransformer(); transformer.transform(source, result); return out.toByteArray(); diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java index b20efe3d..3343a089 100644 --- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java +++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java @@ -19,9 +19,6 @@ package at.gv.egiz.eaaf.core.exceptions; -import java.io.PrintStream; -import java.io.PrintWriter; - /** * An exception occurred evaluating an XPath. * @@ -56,32 +53,4 @@ public class XPathException extends RuntimeException { return wrapped; } - /** - * Print error message. - * - * @see java.lang.Throwable#printStackTrace(java.io.PrintStream) - */ - @Override - public void printStackTrace(final PrintStream s) { - super.printStackTrace(s); - if (getWrapped() != null) { - s.print("Caused by: "); - getWrapped().printStackTrace(s); - } - } - - /** - * Print error message. - * - * @see java.lang.Throwable#printStackTrace(java.io.PrintWriter) - */ - @Override - public void printStackTrace(final PrintWriter s) { - super.printStackTrace(s); - if (getWrapped() != null) { - s.print("Caused by: "); - getWrapped().printStackTrace(s); - } - } - } diff --git a/eaaf_core_utils/checks/spotbugs-exclude.xml b/eaaf_core_utils/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..b42f34c2 --- /dev/null +++ b/eaaf_core_utils/checks/spotbugs-exclude.xml @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <Class name="at.gv.egiz.eaaf.core.impl.utils.EaafSerializationUtils" /> + <OR> + <Bug pattern="OBJECT_DESERIALIZATION" /> + </OR> + </Match> + <Match> + <!-- Paths and URLs only loaded from configuration --> + <Class name="at.gv.egiz.eaaf.core.impl.utils.FileUtils" /> + <OR> + <Bug pattern="URLCONNECTION_SSRF_FD" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </OR> + </Match> + <Match> + <!-- Paths and URLs only loaded from configuration --> + <Class name="at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils" /> + <OR> + <Bug pattern="URLCONNECTION_SSRF_FD" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </OR> + </Match> +</FindBugsFilter>
\ No newline at end of file diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml index 947faf4b..c7cefa8d 100644 --- a/eaaf_core_utils/pom.xml +++ b/eaaf_core_utils/pom.xml @@ -181,6 +181,16 @@ </dependencies> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java index 8ec5f3a8..cfb4ed88 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java @@ -2,8 +2,8 @@ package at.gv.egiz.eaaf.core.impl.utils; import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; +import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.util.Arrays; import java.util.Base64; import javax.annotation.PostConstruct; @@ -109,7 +109,8 @@ public class SecurePendingRequestIdGenerationStrategy log.trace("Checking HMAC from externalPendingReqId ... "); final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]); final byte[] refDigist = calculateHmac(buildInternalToken(internalPendingReqId, timeStamp)); - if (!Arrays.equals(tokenDigest, refDigist)) { + + if (!MessageDigest.isEqual(refDigist,tokenDigest)) { log.warn("Digest of Token does NOT match"); log.debug("Token: {} | Ref: {}", tokenDigest, refDigist); throw new PendingReqIdValidationException(null, "internal.pendingreqid.04"); diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java index 6550b026..cfa8868e 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java @@ -150,7 +150,32 @@ public abstract class AbstractJsonSecurityUtilsTest { final String encData = jwe.getCompactSerialization(); Assert.assertNotNull("JWE", encData); + + /* + //decrypt it again + final JsonWebEncryption jweDecrypt = new JsonWebEncryption(); + jweDecrypt.setCompactSerialization(encData); + jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(key.getFirst())); + + + // set special provider if required + if (rsaEncKeyStore.getSecond() != null) { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName()); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jweDecrypt.setProviderContext(providerCtx); + } else { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jweDecrypt.setProviderContext(providerCtx); + + } + + String decPayload = jweDecrypt.getPayload(); + Assert.assertNotNull("decrypted Payload", decPayload); + Assert.assertEquals("Decrypted message not match", payLoad, decPayload); + */ } @@ -171,8 +196,7 @@ public abstract class AbstractJsonSecurityUtilsTest { // set special provider if required if (rsaEncKeyStore.getSecond() != null) { final ProviderContext providerCtx = new ProviderContext(); - providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( - rsaEncKeyStore.getSecond().getName()); + providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName()); providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); jwe.setProviderContext(providerCtx); @@ -188,6 +212,30 @@ public abstract class AbstractJsonSecurityUtilsTest { Assert.assertNotNull("JWE", encData); + //decrypt it again + final JsonWebEncryption jweDecrypt = new JsonWebEncryption(); + jweDecrypt.setCompactSerialization(encData); + jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(key.getFirst())); + + + // set special provider if required + if (rsaEncKeyStore.getSecond() != null) { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName()); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jweDecrypt.setProviderContext(providerCtx); + + } else { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jweDecrypt.setProviderContext(providerCtx); + + } + + String decPayload = jweDecrypt.getPayload(); + Assert.assertNotNull("decrypted Payload", decPayload); + Assert.assertEquals("Decrypted message not match", payLoad, decPayload); + } diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java index 4f8b2a23..b01330d2 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java @@ -3,21 +3,24 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; import java.security.KeyStore; import java.security.Provider; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; -import at.gv.egiz.eaaf.core.impl.data.Pair; - import org.apache.commons.lang3.StringUtils; import org.junit.Before; import org.junit.runner.RunWith; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; + @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml") public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest { + /** + * Initialize jUnit test. + */ @Before public void initialize() { config.putConfigValue("modules.sl20.security.sigalg.rsa", "RS256"); diff --git a/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..b1d216dc --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- allow logging of SAML2 message on trace level --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder"/> + <Method name="getBase64DecodedMessage" /> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> + <Match> + <!-- allow logging of SAML2 relaystate on debug level --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder"/> + <Method name="doDecode" /> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> +</FindBugsFilter> diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml index 86a66f4e..45819787 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml @@ -55,6 +55,10 @@ <artifactId>xmlsec</artifactId> </dependency> <dependency> + <groupId>org.cryptacular</groupId> + <artifactId>cryptacular</artifactId> + </dependency> + <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15to18</artifactId> </dependency> @@ -168,6 +172,16 @@ </dependencies> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> </project> diff --git a/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..855f39bd --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml @@ -0,0 +1,14 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- allow SHA-1, because transient SubjectNameIDs should have the same pattern as bPKs --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.Pvp2AssertionBuilder"/> + <Method name="buildAssertion" /> + <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" /> + </Match> + <Match> + <!-- allow logging of SAML2 request parameters --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AbstractPvp2XProtocol"/> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> +</FindBugsFilter> diff --git a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml index 3840c8d9..b92d0f56 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml @@ -91,6 +91,16 @@ </dependencies> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> </project> diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java index b7b18f0f..d2ed2c11 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java @@ -26,26 +26,6 @@ import java.util.List; import javax.naming.ConfigurationException; -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; -import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; -import at.gv.egiz.eaaf.core.impl.utils.Random; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException; -import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException; -import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.saml.common.xml.SAMLConstants; @@ -79,6 +59,26 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.springframework.util.Base64Utils; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException; +import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; + @Service("PVP2AssertionBuilder") public class Pvp2AssertionBuilder implements PvpConstants { @@ -11,7 +11,7 @@ <name>EGIZ EAAF components</name> - <properties> + <properties> <!-- General project properties --> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <java.version>1.8</java.version> @@ -50,6 +50,7 @@ <org.springframework.version>5.2.8.RELEASE</org.springframework.version> <org.opensaml.version>3.4.5</org.opensaml.version> <org.apache.santuario.xmlsec.version>2.2.0</org.apache.santuario.xmlsec.version> + <org.cryptacular.version>1.2.4</org.cryptacular.version> <org.bouncycastle.bcprov-jdk15to18.version>1.67</org.bouncycastle.bcprov-jdk15to18.version> <org.bouncycastle.bctls-jdk15to18.version>1.67</org.bouncycastle.bctls-jdk15to18.version> @@ -67,6 +68,7 @@ <joda-time.version>2.10.8</joda-time.version> <jsr305.version>3.0.2</jsr305.version> <com.google.guava.version>30.0-jre</com.google.guava.version> + <org.owasp.encoder.version>1.2.3</org.owasp.encoder.version> <httpclient.version>4.5.13</httpclient.version> <httpcore.version>4.4.14</httpcore.version> @@ -80,7 +82,7 @@ <!-- jUnit testing --> <surefire.version>2.22.1</surefire.version> - <junit.version>4.12</junit.version> + <junit.version>4.13.1</junit.version> <com.squareup.okhttp3.version>4.4.1</com.squareup.okhttp3.version> <!-- Code helper plug-ins --> @@ -91,6 +93,7 @@ <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version> <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version> <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version> + <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version> <dependency-check-maven.version>6.0.3</dependency-check-maven.version> <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory> @@ -106,7 +109,7 @@ <repository> <id>gitlab-localbuild</id> <url>https://gitlab.iaik.tugraz.at/api/v4/groups/119/-/packages/maven</url> - </repository> + </repository> <repository> <id>egiz-commons</id> <url>https://apps.egiz.gv.at/maven/</url> @@ -196,7 +199,7 @@ </plugin> </plugins> </build> - </profile> + </profile> </profiles> <modules> @@ -204,6 +207,7 @@ <module>eaaf_core_utils</module> <module>eaaf_core</module> <module>eaaf_modules</module> + <module>build_reporting</module> </modules> <dependencyManagement> @@ -217,7 +221,38 @@ <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_core_utils</artifactId> <version>${egiz.eaaf.version}</version> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf-core</artifactId> + <version>${egiz.eaaf.version}</version> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_auth_sl20</artifactId> + <version>${egiz.eaaf.version}</version> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_moa-sig</artifactId> + <version>${egiz.eaaf.version}</version> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_core</artifactId> + <version>${egiz.eaaf.version}</version> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_idp</artifactId> + <version>${egiz.eaaf.version}</version> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_sp</artifactId> + <version>${egiz.eaaf.version}</version> </dependency> + <dependency> <groupId>at.gv.egiz.components</groupId> <artifactId>eventlog-api</artifactId> @@ -355,7 +390,7 @@ <groupId>javax.annotation</groupId> <artifactId>javax.annotation-api</artifactId> <version>${javax.annotation-api}</version> - </dependency> + </dependency> <dependency> <groupId>commons-collections</groupId> <artifactId>commons-collections</artifactId> @@ -432,6 +467,13 @@ <version>${org.apache.santuario.xmlsec.version}</version> </dependency> <dependency> + <!-- Set newer version, because 1.1.3 from openSAML dependency has + an CVE-2020-7226 --> + <groupId>org.cryptacular</groupId> + <artifactId>cryptacular</artifactId> + <version>${org.cryptacular.version}</version> + </dependency> + <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15to18</artifactId> <version>${org.bouncycastle.bcprov-jdk15to18.version}</version> @@ -439,7 +481,7 @@ <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bctls-jdk15to18</artifactId> - <version>${org.bouncycastle.bctls-jdk15to18.version}</version> + <version>${org.bouncycastle.bctls-jdk15to18.version}</version> </dependency> <dependency> @@ -481,6 +523,12 @@ </dependency> <dependency> + <groupId>org.owasp.encoder</groupId> + <artifactId>encoder</artifactId> + <version>${org.owasp.encoder.version}</version> + </dependency> + + <dependency> <groupId>joda-time</groupId> <artifactId>joda-time</artifactId> <version>${joda-time.version}</version> @@ -527,7 +575,7 @@ <artifactId>okhttp-tls</artifactId> <version>${com.squareup.okhttp3.version}</version> <scope>test</scope> - </dependency> + </dependency> <dependency> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_core_utils</artifactId> @@ -581,6 +629,8 @@ <version>${surefire.version}</version> <configuration> <threadCount>1</threadCount> + <!-- Sets the VM argument line used when unit tests are run. --> + <argLine>${surefireArgLine}</argLine> </configuration> <dependencies> <dependency> @@ -633,6 +683,9 @@ <goals> <goal>prepare-agent</goal> </goals> + <configuration> + <propertyName>surefireArgLine</propertyName> + </configuration> </execution> <execution> <id>post-unit-report</id> @@ -643,7 +696,7 @@ <configuration> <outputDirectory>target/jacoco-report</outputDirectory> </configuration> - </execution> + </execution> <execution> <id>post-unit-check</id> <phase>test</phase> @@ -670,7 +723,7 @@ </rule> </rules> </configuration> - </execution> + </execution> </executions> </plugin> @@ -716,6 +769,13 @@ </executions> <configuration> <failOnError>true</failOnError> + <plugins> + <plugin> + <groupId>com.h3xstream.findsecbugs</groupId> + <artifactId>findsecbugs-plugin</artifactId> + <version>${findsecbugs-plugin.version}</version> + </plugin> + </plugins> </configuration> </plugin> @@ -724,18 +784,20 @@ </build> <reporting> - <plugins> + <plugins> <plugin> <groupId>org.jacoco</groupId> - <artifactId>jacoco-maven-plugin</artifactId> - <reportSets> - <reportSet> - <reports> - <report>report</report> - </reports> - </reportSet> - </reportSets> + <artifactId>jacoco-maven-plugin</artifactId> + <configuration> + <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title> + <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory> + <dataFileExcludes> + <!-- exclude coverage data of integration tests --> + <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude> + </dataFileExcludes> + </configuration> </plugin> + <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-pmd-plugin</artifactId> |