From 39f94caf86e054b2485beeae09c4947d75b017c1 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 9 Dec 2020 15:36:45 +0100
Subject: update third-party lib org.cryptacular to v 1.2.4 because openSAML
 3.4.5 includes v1.1.3 with CVE-2020-7226

---
 eaaf_modules/eaaf_module_pvp2_core/pom.xml | 4 ++++
 pom.xml                                    | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index 86a66f4e..a0eee0e6 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -54,6 +54,10 @@
       <groupId>org.apache.santuario</groupId>
       <artifactId>xmlsec</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.cryptacular</groupId>
+      <artifactId>cryptacular</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
diff --git a/pom.xml b/pom.xml
index c9f7309a..33588b5d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,6 +50,7 @@
     <org.springframework.version>5.2.8.RELEASE</org.springframework.version>
     <org.opensaml.version>3.4.5</org.opensaml.version>
     <org.apache.santuario.xmlsec.version>2.2.0</org.apache.santuario.xmlsec.version>
+    <org.cryptacular.version>1.2.4</org.cryptacular.version>
     <org.bouncycastle.bcprov-jdk15to18.version>1.67</org.bouncycastle.bcprov-jdk15to18.version>
     <org.bouncycastle.bctls-jdk15to18.version>1.67</org.bouncycastle.bctls-jdk15to18.version>
 
@@ -431,6 +432,12 @@
         <artifactId>xmlsec</artifactId>
         <version>${org.apache.santuario.xmlsec.version}</version>
       </dependency>
+      <dependency>
+        <!-- Set newer version, because 1.1.3 from openSAML dependency has an CVE-2020-7226 -->
+        <groupId>org.cryptacular</groupId>
+        <artifactId>cryptacular</artifactId>
+        <version>${org.cryptacular.version}</version>
+      </dependency>      
       <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bcprov-jdk15to18</artifactId>
-- 
cgit v1.2.3


From 9e7812cb52bfe64e72855eecbd28a756718ce1e1 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 9 Dec 2020 15:37:09 +0100
Subject: update jUnit for JWE encryption by using HSM-Facade

---
 .../sl20/utils/AbstractJsonSecurityUtilsTest.java  | 52 +++++++++++++++++++++-
 .../sl20/utils/JsonSecurityUtilsHsmKeyTest.java    | 13 +++---
 2 files changed, 58 insertions(+), 7 deletions(-)

diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
index 6550b026..cfa8868e 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
@@ -150,7 +150,32 @@ public abstract class AbstractJsonSecurityUtilsTest {
 
     final String encData = jwe.getCompactSerialization();
     Assert.assertNotNull("JWE", encData);
+    
+    /*
+    //decrypt it again
+    final JsonWebEncryption jweDecrypt = new JsonWebEncryption();
+    jweDecrypt.setCompactSerialization(encData);
+    jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(key.getFirst()));
+    
+    
+    // set special provider if required
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
+      providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+      jweDecrypt.setProviderContext(providerCtx);
 
+    } else {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+      jweDecrypt.setProviderContext(providerCtx);
+      
+    }
+    
+    String decPayload = jweDecrypt.getPayload();
+    Assert.assertNotNull("decrypted Payload", decPayload);
+    Assert.assertEquals("Decrypted message not match", payLoad, decPayload);
+    */
 
   }
 
@@ -171,8 +196,7 @@ public abstract class AbstractJsonSecurityUtilsTest {
     // set special provider if required
     if (rsaEncKeyStore.getSecond() != null) {
       final ProviderContext providerCtx = new ProviderContext();
-      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
-          rsaEncKeyStore.getSecond().getName());
+      providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
       providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
       jwe.setProviderContext(providerCtx);
 
@@ -188,6 +212,30 @@ public abstract class AbstractJsonSecurityUtilsTest {
     Assert.assertNotNull("JWE", encData);
 
 
+    //decrypt it again
+    final JsonWebEncryption jweDecrypt = new JsonWebEncryption();
+    jweDecrypt.setCompactSerialization(encData);
+    jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(key.getFirst()));
+    
+    
+    // set special provider if required
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
+      providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+      jweDecrypt.setProviderContext(providerCtx);
+
+    } else {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+      jweDecrypt.setProviderContext(providerCtx);
+      
+    }
+    
+    String decPayload = jweDecrypt.getPayload();
+    Assert.assertNotNull("decrypted Payload", decPayload);
+    Assert.assertEquals("Decrypted message not match", payLoad, decPayload);
+
   }
 
 
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
index 4f8b2a23..b01330d2 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
@@ -3,21 +3,24 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils;
 import java.security.KeyStore;
 import java.security.Provider;
 
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-
 import org.apache.commons.lang3.StringUtils;
 import org.junit.Before;
 import org.junit.runner.RunWith;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
 public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest {
 
+  /**
+   * Initialize jUnit test.
+   */
   @Before
   public void initialize() {
     config.putConfigValue("modules.sl20.security.sigalg.rsa", "RS256");
-- 
cgit v1.2.3


From c4f117e74b8ade8b420f0443955ec6b94f88cee4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 9 Dec 2020 18:20:56 +0100
Subject: add findSecBugs extension into spotbugs plug-in

---
 .gitlab-ci.yml                                     |   1 -
 eaaf_core/checks/spotbugs-exclude.xml              |  50 ++++
 eaaf_core/pom.xml                                  | 272 +++++++++++----------
 .../services/ProtocolAuthenticationService.java    |  35 +--
 .../impl/idp/process/ProcessDefinitionParser.java  |   1 +
 .../at/gv/egiz/eaaf/core/impl/utils/DomUtils.java  |   7 +-
 .../egiz/eaaf/core/exceptions/XPathException.java  |  31 ---
 eaaf_core_utils/checks/spotbugs-exclude.xml        |  25 ++
 eaaf_core_utils/pom.xml                            |  10 +
 .../SecurePendingRequestIdGenerationStrategy.java  |   5 +-
 .../checks/spotbugs-exclude.xml                    |  15 ++
 eaaf_modules/eaaf_module_pvp2_core/pom.xml         |  10 +
 .../checks/spotbugs-exclude.xml                    |  14 ++
 eaaf_modules/eaaf_module_pvp2_idp/pom.xml          |  10 +
 .../idp/impl/builder/Pvp2AssertionBuilder.java     |  40 +--
 pom.xml                                            |  32 ++-
 16 files changed, 339 insertions(+), 219 deletions(-)
 create mode 100644 eaaf_core/checks/spotbugs-exclude.xml
 create mode 100644 eaaf_core_utils/checks/spotbugs-exclude.xml
 create mode 100644 eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
 create mode 100644 eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 37ca635e..ef026155 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,7 +13,6 @@ variables:
 
 include:
   - template: Dependency-Scanning.gitlab-ci.yml
-  - template: Security/SAST.gitlab-ci.yml
   - template: Secret-Detection.gitlab-ci.yml
   - template: Code-Quality.gitlab-ci.yml
 
diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..aa11a955
--- /dev/null
+++ b/eaaf_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- bPK requires SHA1 from specification -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" />
+      <OR>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/>
+      <Method name="performRedirectToItself" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/>
+      <Method name="forwardToErrorHandler" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- the ErrorToken is only single-used as same as a CSRF token -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+      <Method name="errorHandling" />
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+    </Match>
+    <Match>
+      <!-- Only used to evaluate expressions from pre-compiled process-flows -->
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/>
+      </OR>
+      <Bug pattern="SPEL_INJECTION" />
+    </Match>
+    <Match>
+      <!-- URL will be only generated from configuration path-->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/>
+      <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+      <!-- Logging of request parameters is allowed for this classes -->   
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/>
+      </OR>
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_core/pom.xml b/eaaf_core/pom.xml
index a1eee06e..178b53a3 100644
--- a/eaaf_core/pom.xml
+++ b/eaaf_core/pom.xml
@@ -1,108 +1,112 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <parent>
-	<groupId>at.gv.egiz</groupId>
-	<artifactId>eaaf</artifactId>
-	<version>1.1.11-SNAPSHOT</version>
+    <groupId>at.gv.egiz</groupId>
+    <artifactId>eaaf</artifactId>
+    <version>1.1.11-SNAPSHOT</version>
   </parent>
 
   <groupId>at.gv.egiz.eaaf</groupId>
   <artifactId>eaaf-core</artifactId>
   <name>EAAF core components</name>
   <description>Core components for identity managment implementations</description>
-     
+
   <dependencies>
-  	<dependency>
-  		<groupId>at.gv.egiz.eaaf</groupId>
-  		<artifactId>eaaf_core_api</artifactId>
-  	</dependency>
-  	<dependency>
-		<groupId>at.gv.egiz.eaaf</groupId>
-  		<artifactId>eaaf_core_utils</artifactId>
-  	</dependency>
-  
-  	<dependency>
-  		<groupId>at.gv.egiz.components</groupId>
-    	<artifactId>eventlog-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>at.gv.egiz.components</groupId>
-    	<artifactId>egiz-spring-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>javax.annotation</groupId>
-    	<artifactId>javax.annotation-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>org.springframework</groupId>
-		<artifactId>spring-webmvc</artifactId>
-        <scope>provided</scope>
-  	</dependency>
-  	<dependency>
-    	<groupId>org.slf4j</groupId>
-    	<artifactId>slf4j-api</artifactId>
-	</dependency>
-	<!-- dependency>
-    	<groupId>org.slf4j</groupId>
-    	<artifactId>slf4j-log4j12</artifactId>
-	</dependency-->
-	<dependency>
-		<groupId>commons-codec</groupId>
-    	<artifactId>commons-codec</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-lang3</artifactId>
-	</dependency>	
-    <dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-collections4</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-text</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>commons-fileupload</groupId>
-    	<artifactId>commons-fileupload</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>javax.servlet</groupId>
-		<artifactId>javax.servlet-api</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.velocity</groupId>
-		<artifactId>velocity</artifactId>
-	</dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_utils</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>at.gv.egiz.components</groupId>
+      <artifactId>eventlog-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.components</groupId>
+      <artifactId>egiz-spring-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.annotation</groupId>
+      <artifactId>javax.annotation-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-webmvc</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <!-- dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> 
+      </dependency -->
+    <dependency>
+      <groupId>commons-codec</groupId>
+      <artifactId>commons-codec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-collections4</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-fileupload</groupId>
+      <artifactId>commons-fileupload</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.velocity</groupId>
+      <artifactId>velocity</artifactId>
+    </dependency>
     <dependency>
       <groupId>commons-collections</groupId>
-      <artifactId>commons-collections</artifactId>
-    </dependency>
- 	<dependency>
-		<groupId>jaxen</groupId>
-    	<artifactId>jaxen</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>xerces</groupId>
-    	<artifactId>xercesImpl</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>xalan</groupId>
-	    <artifactId>xalan</artifactId>
-	</dependency>
-		
+      <artifactId>commons-collections</artifactId>      
+    </dependency>
+    <dependency>
+      <groupId>org.owasp.encoder</groupId>
+      <artifactId>encoder</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jaxen</groupId>
+      <artifactId>jaxen</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>xerces</groupId>
+      <artifactId>xercesImpl</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>xalan</groupId>
+      <artifactId>xalan</artifactId>
+    </dependency>
+
     <!-- For testing -->
-	<dependency>
-		<groupId>junit</groupId>
-      	<artifactId>junit</artifactId>
-      	<scope>test</scope>
-	</dependency>
-	<dependency>
-		<groupId>org.springframework</groupId>
-		<artifactId>spring-test</artifactId>
-		<scope>test</scope>
-	</dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>at.gv.egiz.eaaf</groupId>
       <artifactId>eaaf_core_utils</artifactId>
@@ -110,10 +114,10 @@
       <type>test-jar</type>
     </dependency>
   </dependencies>
-  
-   <build>
+
+  <build>
     <finalName>eaaf_core</finalName>
-    
+
     <plugins>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
@@ -124,44 +128,54 @@
           <target>1.8</target>
         </configuration>
         <executions>
-        	<execution>
-        		<goals>
-        			<goal>compile</goal>
-        			<goal>testCompile</goal>
-        		</goals>
-        	</execution>
+          <execution>
+            <goals>
+              <goal>compile</goal>
+              <goal>testCompile</goal>
+            </goals>
+          </execution>
         </executions>
       </plugin>
       <plugin>
-    	<groupId>org.apache.maven.plugins</groupId>
-    	<artifactId>maven-jar-plugin</artifactId>
-    	<version>3.1.0</version>
-    	<executions>
-        	<execution>
-            	<goals>
-                	<goal>test-jar</goal>
-            	</goals>
-        	</execution>
-    	</executions>
-	  </plugin>
-      
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>3.1.0</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
       <!-- enable co-existence of testng and junit -->
-			<plugin>
-				<artifactId>maven-surefire-plugin</artifactId>
-				<version>${surefire.version}</version>
-				<configuration>
-					<threadCount>1</threadCount>
-				</configuration>
-				<dependencies>
-					<dependency>
-						<groupId>org.apache.maven.surefire</groupId>
-						<artifactId>surefire-junit47</artifactId>
-						<version>${surefire.version}</version>
-					</dependency>
-				</dependencies>
-			</plugin>
-      
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>${surefire.version}</version>
+        <configuration>
+          <threadCount>1</threadCount>
+        </configuration>
+        <dependencies>
+          <dependency>
+            <groupId>org.apache.maven.surefire</groupId>
+            <artifactId>surefire-junit47</artifactId>
+            <version>${surefire.version}</version>
+          </dependency>
+        </dependencies>
+      </plugin>
+
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
-  
+
 </project>
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index 50bf76db..4410267e 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -20,8 +20,6 @@
 package at.gv.egiz.eaaf.core.impl.idp.auth.services;
 
 import java.io.IOException;
-import java.io.PrintWriter;
-import java.io.StringWriter;
 import java.util.HashSet;
 
 import javax.annotation.PostConstruct;
@@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
       // write generic message for general exceptions
       final String msg =
           statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null);
-      writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable);
+      writeHtmlErrorResponse(req, resp, msg, "9199", null);
 
     }
 
@@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq,
       @NonNull final HttpServletResponse httpResp, @NonNull final String msg,
-      @NonNull final String errorCode, @Nullable final Object[] params,
-      @NonNull final Exception error) throws EaafException {
+      @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException {
 
     try {
       final IGuiBuilderConfiguration config =
@@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
             AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS,
             ArrayUtils.toString(errorCodeParams));
 
-        // add stacktrace if debug is enabled
-        if (log.isTraceEnabled()) {
-          ((ModifyableGuiBuilderConfiguration) config).putCustomParameter(
-              AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE,
-              getStacktraceFromException(error));
-
-        }
-
       } else {
         log.info(
             "Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable ");
@@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   }
 
-  private String getStacktraceFromException(final Exception ex) {
-    final StringWriter errors = new StringWriter();
-    ex.printStackTrace(new PrintWriter(errors));
-    return errors.toString();
-
-  }
-
   private void internalMoaidExceptionHandler(final HttpServletRequest req,
       final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog)
       throws IOException, EaafException {
     if (e instanceof ProtocolNotActiveException) {
-      resp.getWriter().write(e.getMessage());
+      resp.getWriter().write(Encode.forHtml(e.getMessage()));
       resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8);
       resp.sendError(HttpServletResponse.SC_FORBIDDEN,
           StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage())));
@@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
       // write error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof InvalidProtocolRequestException) {
       // send error response
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof ConfigurationException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof EaafException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          ((EaafException) e).getParams(), e);
+          ((EaafException) e).getParams());
 
     } else if (e instanceof ProcessExecutionException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     }
 
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
index 14537d44..edca0fba 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
@@ -101,6 +101,7 @@ public class ProcessDefinitionParser {
 
       // Standard implementation of XMLInputFactory seems not to be thread-safe
       final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+      inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
       reader = inputFactory.createXMLEventReader(processDefinitionInputStream);
 
       final List<StartElement> transitionElements = new ArrayList<>();
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
index e8d5c294..4b8a7a04 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
@@ -33,6 +33,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.Vector;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
-import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
-
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.xerces.parsers.DOMParser;
@@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
+
 /**
  * Various utility functions for handling XML DOM trees.
  *
@@ -785,6 +786,7 @@ public class DomUtils {
       throws TransformerException, IOException {
 
     final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = transformerFactory.newTransformer();
     final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384);
 
@@ -1211,6 +1213,7 @@ public class DomUtils {
     // StringWriter stringWriter = new StringWriter();
     final Result result = new StreamResult(out);
     final TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = factory.newTransformer();
     transformer.transform(source, result);
     return out.toByteArray();
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
index b20efe3d..3343a089 100644
--- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
@@ -19,9 +19,6 @@
 
 package at.gv.egiz.eaaf.core.exceptions;
 
-import java.io.PrintStream;
-import java.io.PrintWriter;
-
 /**
  * An exception occurred evaluating an XPath.
  *
@@ -56,32 +53,4 @@ public class XPathException extends RuntimeException {
     return wrapped;
   }
 
-  /**
-   * Print error message.
-   *
-   * @see java.lang.Throwable#printStackTrace(java.io.PrintStream)
-   */
-  @Override
-  public void printStackTrace(final PrintStream s) {
-    super.printStackTrace(s);
-    if (getWrapped() != null) {
-      s.print("Caused by: ");
-      getWrapped().printStackTrace(s);
-    }
-  }
-
-  /**
-   * Print error message.
-   *
-   * @see java.lang.Throwable#printStackTrace(java.io.PrintWriter)
-   */
-  @Override
-  public void printStackTrace(final PrintWriter s) {
-    super.printStackTrace(s);
-    if (getWrapped() != null) {
-      s.print("Caused by: ");
-      getWrapped().printStackTrace(s);
-    }
-  }
-
 }
diff --git a/eaaf_core_utils/checks/spotbugs-exclude.xml b/eaaf_core_utils/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..b42f34c2
--- /dev/null
+++ b/eaaf_core_utils/checks/spotbugs-exclude.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <Class name="at.gv.egiz.eaaf.core.impl.utils.EaafSerializationUtils" />
+      <OR>
+        <Bug pattern="OBJECT_DESERIALIZATION" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- Paths and URLs only loaded from configuration -->
+      <Class name="at.gv.egiz.eaaf.core.impl.utils.FileUtils" />
+      <OR>
+        <Bug pattern="URLCONNECTION_SSRF_FD" />    
+        <Bug pattern="PATH_TRAVERSAL_IN" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- Paths and URLs only loaded from configuration -->
+      <Class name="at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils" />
+      <OR>
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />        
+      </OR>        
+    </Match>    
+</FindBugsFilter>
\ No newline at end of file
diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml
index 947faf4b..c7cefa8d 100644
--- a/eaaf_core_utils/pom.xml
+++ b/eaaf_core_utils/pom.xml
@@ -181,6 +181,16 @@
         </dependencies>
       </plugin>
 
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+           <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
index 8ec5f3a8..cfb4ed88 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
@@ -2,8 +2,8 @@ package at.gv.egiz.eaaf.core.impl.utils;
 
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
 import java.util.Base64;
 
 import javax.annotation.PostConstruct;
@@ -109,7 +109,8 @@ public class SecurePendingRequestIdGenerationStrategy
       log.trace("Checking HMAC from externalPendingReqId ... ");
       final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]);
       final byte[] refDigist = calculateHmac(buildInternalToken(internalPendingReqId, timeStamp));
-      if (!Arrays.equals(tokenDigest, refDigist)) {
+            
+      if (!MessageDigest.isEqual(refDigist,tokenDigest)) {
         log.warn("Digest of Token does NOT match");
         log.debug("Token: {} | Ref: {}", tokenDigest, refDigist);
         throw new PendingReqIdValidationException(null, "internal.pendingreqid.04");
diff --git a/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..b1d216dc
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- allow logging of SAML2 message on trace level -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder"/>
+      <Method name="getBase64DecodedMessage" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+    <Match>
+      <!-- allow logging of SAML2 relaystate on debug level -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder"/>
+      <Method name="doDecode" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index a0eee0e6..45819787 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -172,6 +172,16 @@
         </dependencies>
       </plugin>
 
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 </project>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..855f39bd
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- allow SHA-1, because transient SubjectNameIDs should have the same pattern as bPKs -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.Pvp2AssertionBuilder"/>
+      <Method name="buildAssertion" />
+      <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />
+    </Match>
+    <Match>
+      <!-- allow logging of SAML2 request parameters -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AbstractPvp2XProtocol"/>
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
index 3840c8d9..b92d0f56 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
@@ -91,6 +91,16 @@
         </dependencies>
       </plugin>
       
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+      
     </plugins>
   </build>
 </project>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
index b7b18f0f..d2ed2c11 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
@@ -26,26 +26,6 @@ import java.util.List;
 
 import javax.naming.ConfigurationException;
 
-import at.gv.egiz.eaaf.core.api.data.EaafConstants;
-import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
-import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
-import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
-import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
-import at.gv.egiz.eaaf.core.impl.utils.Random;
-import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
-import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
-
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 import org.opensaml.saml.common.xml.SAMLConstants;
@@ -79,6 +59,26 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.util.Base64Utils;
 
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+
 @Service("PVP2AssertionBuilder")
 public class Pvp2AssertionBuilder implements PvpConstants {
 
diff --git a/pom.xml b/pom.xml
index 33588b5d..ae131914 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
 
   <name>EGIZ EAAF components</name>
 
-  <properties> 
+  <properties>
     <!-- General project properties -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <java.version>1.8</java.version>
@@ -68,6 +68,7 @@
     <joda-time.version>2.10.8</joda-time.version>
     <jsr305.version>3.0.2</jsr305.version>
     <com.google.guava.version>30.0-jre</com.google.guava.version>
+    <org.owasp.encoder.version>1.2.3</org.owasp.encoder.version>
 
     <httpclient.version>4.5.13</httpclient.version>
     <httpcore.version>4.4.14</httpcore.version>
@@ -92,6 +93,7 @@
     <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
     <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version>
     <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version>
+    <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version>
     <dependency-check-maven.version>6.0.3</dependency-check-maven.version>
 
     <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory>
@@ -107,7 +109,7 @@
     <repository>
       <id>gitlab-localbuild</id>
       <url>https://gitlab.iaik.tugraz.at/api/v4/groups/119/-/packages/maven</url>
-    </repository>    
+    </repository>
     <repository>
       <id>egiz-commons</id>
       <url>https://apps.egiz.gv.at/maven/</url>
@@ -197,7 +199,7 @@
           </plugin>
         </plugins>
       </build>
-    </profile>    
+    </profile>
   </profiles>
 
   <modules>
@@ -356,7 +358,7 @@
         <groupId>javax.annotation</groupId>
         <artifactId>javax.annotation-api</artifactId>
         <version>${javax.annotation-api}</version>
-      </dependency>      
+      </dependency>
       <dependency>
         <groupId>commons-collections</groupId>
         <artifactId>commons-collections</artifactId>
@@ -433,11 +435,12 @@
         <version>${org.apache.santuario.xmlsec.version}</version>
       </dependency>
       <dependency>
-        <!-- Set newer version, because 1.1.3 from openSAML dependency has an CVE-2020-7226 -->
+        <!-- Set newer version, because 1.1.3 from openSAML dependency has 
+          an CVE-2020-7226 -->
         <groupId>org.cryptacular</groupId>
         <artifactId>cryptacular</artifactId>
         <version>${org.cryptacular.version}</version>
-      </dependency>      
+      </dependency>
       <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bcprov-jdk15to18</artifactId>
@@ -446,7 +449,7 @@
       <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bctls-jdk15to18</artifactId>
-        <version>${org.bouncycastle.bctls-jdk15to18.version}</version>      
+        <version>${org.bouncycastle.bctls-jdk15to18.version}</version>
       </dependency>
 
       <dependency>
@@ -487,6 +490,12 @@
         <version>${httpcore.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.owasp.encoder</groupId>
+        <artifactId>encoder</artifactId>
+        <version>${org.owasp.encoder.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>joda-time</groupId>
         <artifactId>joda-time</artifactId>
@@ -534,7 +543,7 @@
         <artifactId>okhttp-tls</artifactId>
         <version>${com.squareup.okhttp3.version}</version>
         <scope>test</scope>
-      </dependency>      
+      </dependency>
       <dependency>
         <groupId>at.gv.egiz.eaaf</groupId>
         <artifactId>eaaf_core_utils</artifactId>
@@ -723,6 +732,13 @@
         </executions>
         <configuration>
           <failOnError>true</failOnError>
+          <plugins>
+            <plugin>
+              <groupId>com.h3xstream.findsecbugs</groupId>
+              <artifactId>findsecbugs-plugin</artifactId>
+              <version>${findsecbugs-plugin.version}</version>
+            </plugin>
+          </plugins>
         </configuration>
       </plugin>
 
-- 
cgit v1.2.3


From ba4489b7666e4ee669a1c91bfe36ae4ac90b1d93 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 10 Dec 2020 09:34:37 +0100
Subject: update jUnit version

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index ae131914..40920657 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,7 +82,7 @@
 
     <!-- jUnit testing -->
     <surefire.version>2.22.1</surefire.version>
-    <junit.version>4.12</junit.version>
+    <junit.version>4.13.1</junit.version>
     <com.squareup.okhttp3.version>4.4.1</com.squareup.okhttp3.version>
 
     <!-- Code helper plug-ins -->
-- 
cgit v1.2.3


From 360df2054cdc5a8bc194f7701b2bfa5a9c39dd0d Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 10 Dec 2020 09:35:01 +0100
Subject: first test with code-coverage in CI pipe

---
 .gitlab-ci.yml          | 23 ++++++++++++++-
 build_reporting/pom.xml | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
 pom.xml                 | 61 +++++++++++++++++++++++++++++++-------
 3 files changed, 150 insertions(+), 12 deletions(-)
 create mode 100644 build_reporting/pom.xml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ef026155..9ec05060 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,6 +18,7 @@ include:
 
 stages:
   - assemble
+  - visualize
   - test
   - package
   - release
@@ -36,7 +37,27 @@ assemble:
     when: always
     reports:
       junit: "**/target/surefire-reports/TEST-*.xml"
-
+    paths:
+      - build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml
+      
+coverage:
+  stage: visualize
+  image: haynes/jacoco2cobertura:1.0.4
+  script:
+    - mkdir -p target/site
+    # convert report from jacoco to cobertura
+    - 'python /opt/cover2cover.py build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml eaaf_core_api/src/main/java eaaf_core_utils/src/main/java eaaf_core/src/main/java eaaf_modules/eaaf_module_auth_sl20/src/main/java eaaf_modules/eaaf_module_moa-sig/src/main/java eaaf_modules/eaaf_module_pvp2_core/src/main/java eaaf_modules/eaaf_module_pvp2_idp/src/main/java eaaf_modules/eaaf_module_pvp2_sp/src/main/java > target/site/cobertura.xml'
+    # read the <source></source> tag and prepend the path to every filename attribute
+    #- 'python /opt/source2filename.py target/site/cobertura.xml'
+  needs: 
+    - job: assemble
+  dependencies:
+    - assemble
+  artifacts:
+    reports:
+      cobertura: target/site/cobertura.xml
+      
+      
 publishToGitlab:
   stage: package
   except:
diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml
new file mode 100644
index 00000000..5300ff74
--- /dev/null
+++ b/build_reporting/pom.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>at.gv.egiz</groupId>
+    <artifactId>eaaf</artifactId>
+    <version>1.1.11-SNAPSHOT</version>
+  </parent>
+  <artifactId>build_reporting</artifactId>
+  <packaging>pom</packaging>
+  <name>Reporting Module</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_utils</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_module_auth_sl20</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_module_moa-sig</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_module_pvp2_core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_module_pvp2_idp</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_module_pvp2_sp</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+        <version>${jacoco-maven-plugin.version}</version>
+        <executions>
+          <!-- aggregated unit test coverage report -->
+          <execution>
+            <id>aggregate-reports-ut</id>
+            <phase>test</phase>
+            <goals>
+              <goal>report-aggregate</goal>
+            </goals>
+            <configuration>
+              <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>
+              <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory>
+              <dataFileExcludes>
+                <!-- exclude coverage data of integration tests -->
+                <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude>
+              </dataFileExcludes>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 40920657..585310ce 100644
--- a/pom.xml
+++ b/pom.xml
@@ -207,6 +207,7 @@
     <module>eaaf_core_utils</module>
     <module>eaaf_core</module>
     <module>eaaf_modules</module>
+    <module>build_reporting</module>
   </modules>
 
   <dependencyManagement>
@@ -220,7 +221,38 @@
         <groupId>at.gv.egiz.eaaf</groupId>
         <artifactId>eaaf_core_utils</artifactId>
         <version>${egiz.eaaf.version}</version>
+      </dependency>      
+      <dependency>
+        <groupId>at.gv.egiz.eaaf</groupId>
+        <artifactId>eaaf-core</artifactId>
+        <version>${egiz.eaaf.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>at.gv.egiz.eaaf</groupId>
+        <artifactId>eaaf_module_auth_sl20</artifactId>
+        <version>${egiz.eaaf.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>at.gv.egiz.eaaf</groupId>
+        <artifactId>eaaf_module_moa-sig</artifactId>
+        <version>${egiz.eaaf.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>at.gv.egiz.eaaf</groupId>
+        <artifactId>eaaf_module_pvp2_core</artifactId>
+        <version>${egiz.eaaf.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>at.gv.egiz.eaaf</groupId>
+        <artifactId>eaaf_module_pvp2_idp</artifactId>
+        <version>${egiz.eaaf.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>at.gv.egiz.eaaf</groupId>
+        <artifactId>eaaf_module_pvp2_sp</artifactId>
+        <version>${egiz.eaaf.version}</version>
       </dependency>
+      
       <dependency>
         <groupId>at.gv.egiz.components</groupId>
         <artifactId>eventlog-api</artifactId>
@@ -597,6 +629,8 @@
         <version>${surefire.version}</version>
         <configuration>
           <threadCount>1</threadCount>
+          <!-- Sets the VM argument line used when unit tests are run. -->
+          <argLine>${surefireArgLine}</argLine>
         </configuration>
         <dependencies>
           <dependency>
@@ -649,6 +683,9 @@
             <goals>
               <goal>prepare-agent</goal>
             </goals>
+            <configuration>
+              <propertyName>surefireArgLine</propertyName>
+            </configuration>
           </execution>
           <execution>
             <id>post-unit-report</id>
@@ -659,7 +696,7 @@
             <configuration>
               <outputDirectory>target/jacoco-report</outputDirectory>
             </configuration>
-          </execution>
+          </execution>          
           <execution>
             <id>post-unit-check</id>
             <phase>test</phase>
@@ -686,7 +723,7 @@
                 </rule>
               </rules>
             </configuration>
-          </execution>
+          </execution>          
         </executions>
       </plugin>
 
@@ -747,18 +784,20 @@
   </build>
 
   <reporting>
-    <plugins>
+    <plugins>  
       <plugin>
         <groupId>org.jacoco</groupId>
-        <artifactId>jacoco-maven-plugin</artifactId>
-        <reportSets>
-          <reportSet>
-            <reports>
-              <report>report</report>
-            </reports>
-          </reportSet>
-        </reportSets>
+        <artifactId>jacoco-maven-plugin</artifactId>        
+          <configuration>
+            <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>
+            <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory>
+            <dataFileExcludes>
+              <!-- exclude coverage data of integration tests --> 
+              <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude>
+            </dataFileExcludes>
+          </configuration>
       </plugin>
+
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-pmd-plugin</artifactId>
-- 
cgit v1.2.3