diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-09 18:20:56 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-09 18:20:56 +0100 |
commit | c4f117e74b8ade8b420f0443955ec6b94f88cee4 (patch) | |
tree | 5d8aabd71d2df048bf2a1897a97a7cf13061b29c /eaaf_core/checks/spotbugs-exclude.xml | |
parent | 9e7812cb52bfe64e72855eecbd28a756718ce1e1 (diff) | |
download | EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.gz EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.bz2 EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.zip |
add findSecBugs extension into spotbugs plug-in
Diffstat (limited to 'eaaf_core/checks/spotbugs-exclude.xml')
-rw-r--r-- | eaaf_core/checks/spotbugs-exclude.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..aa11a955 --- /dev/null +++ b/eaaf_core/checks/spotbugs-exclude.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- bPK requires SHA1 from specification --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" /> + <OR> + <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" /> + </OR> + </Match> + <Match> + <!-- only redirects to internal addresses --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/> + <Method name="performRedirectToItself" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> + <Match> + <!-- only redirects to internal addresses --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/> + <Method name="forwardToErrorHandler" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> + <Match> + <!-- the ErrorToken is only single-used as same as a CSRF token --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> + <Method name="errorHandling" /> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> + <Match> + <!-- Only used to evaluate expressions from pre-compiled process-flows --> + <OR> + <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/> + </OR> + <Bug pattern="SPEL_INJECTION" /> + </Match> + <Match> + <!-- URL will be only generated from configuration path--> + <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </Match> + <Match> + <!-- Logging of request parameters is allowed for this classes --> + <OR> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/> + </OR> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> +</FindBugsFilter> |