add findSecBugs extension into spotbugs plug-in

author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-12-09 18:20:56 +0100
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-12-09 18:20:56 +0100
commit: c4f117e74b8ade8b420f0443955ec6b94f88cee4 (patch)
tree: 5d8aabd71d2df048bf2a1897a97a7cf13061b29c /eaaf_core/checks
parent: 9e7812cb52bfe64e72855eecbd28a756718ce1e1 (diff)
download: EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.gz
EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.bz2
EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.zip
1 files changed, 50 insertions, 0 deletions
diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..aa11a955
--- /dev/null
+++ b/eaaf_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- bPK requires SHA1 from specification -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" />
+      <OR>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/>
+      <Method name="performRedirectToItself" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/>
+      <Method name="forwardToErrorHandler" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- the ErrorToken is only single-used as same as a CSRF token -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+      <Method name="errorHandling" />
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+    </Match>
+    <Match>
+      <!-- Only used to evaluate expressions from pre-compiled process-flows -->
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/>
+      </OR>
+      <Bug pattern="SPEL_INJECTION" />
+    </Match>
+    <Match>
+      <!-- URL will be only generated from configuration path-->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/>
+      <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+      <!-- Logging of request parameters is allowed for this classes -->   
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/>
+      </OR>
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-12-09 18:20:56 +0100
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-12-09 18:20:56 +0100
commit	c4f117e74b8ade8b420f0443955ec6b94f88cee4 (patch)
tree	5d8aabd71d2df048bf2a1897a97a7cf13061b29c /eaaf_core/checks
parent	9e7812cb52bfe64e72855eecbd28a756718ce1e1 (diff)
download	EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.gz EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.bz2 EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.zip