From c4f117e74b8ade8b420f0443955ec6b94f88cee4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 9 Dec 2020 18:20:56 +0100
Subject: add findSecBugs extension into spotbugs plug-in

---
 .gitlab-ci.yml                                     |   1 -
 eaaf_core/checks/spotbugs-exclude.xml              |  50 ++++
 eaaf_core/pom.xml                                  | 272 +++++++++++----------
 .../services/ProtocolAuthenticationService.java    |  35 +--
 .../impl/idp/process/ProcessDefinitionParser.java  |   1 +
 .../at/gv/egiz/eaaf/core/impl/utils/DomUtils.java  |   7 +-
 .../egiz/eaaf/core/exceptions/XPathException.java  |  31 ---
 eaaf_core_utils/checks/spotbugs-exclude.xml        |  25 ++
 eaaf_core_utils/pom.xml                            |  10 +
 .../SecurePendingRequestIdGenerationStrategy.java  |   5 +-
 .../checks/spotbugs-exclude.xml                    |  15 ++
 eaaf_modules/eaaf_module_pvp2_core/pom.xml         |  10 +
 .../checks/spotbugs-exclude.xml                    |  14 ++
 eaaf_modules/eaaf_module_pvp2_idp/pom.xml          |  10 +
 .../idp/impl/builder/Pvp2AssertionBuilder.java     |  40 +--
 pom.xml                                            |  32 ++-
 16 files changed, 339 insertions(+), 219 deletions(-)
 create mode 100644 eaaf_core/checks/spotbugs-exclude.xml
 create mode 100644 eaaf_core_utils/checks/spotbugs-exclude.xml
 create mode 100644 eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
 create mode 100644 eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 37ca635e..ef026155 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,7 +13,6 @@ variables:
 
 include:
   - template: Dependency-Scanning.gitlab-ci.yml
-  - template: Security/SAST.gitlab-ci.yml
   - template: Secret-Detection.gitlab-ci.yml
   - template: Code-Quality.gitlab-ci.yml
 
diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..aa11a955
--- /dev/null
+++ b/eaaf_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- bPK requires SHA1 from specification -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" />
+      <OR>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/>
+      <Method name="performRedirectToItself" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/>
+      <Method name="forwardToErrorHandler" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- the ErrorToken is only single-used as same as a CSRF token -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+      <Method name="errorHandling" />
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+    </Match>
+    <Match>
+      <!-- Only used to evaluate expressions from pre-compiled process-flows -->
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/>
+      </OR>
+      <Bug pattern="SPEL_INJECTION" />
+    </Match>
+    <Match>
+      <!-- URL will be only generated from configuration path-->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/>
+      <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+      <!-- Logging of request parameters is allowed for this classes -->   
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/>
+      </OR>
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_core/pom.xml b/eaaf_core/pom.xml
index a1eee06e..178b53a3 100644
--- a/eaaf_core/pom.xml
+++ b/eaaf_core/pom.xml
@@ -1,108 +1,112 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <parent>
-	<groupId>at.gv.egiz</groupId>
-	<artifactId>eaaf</artifactId>
-	<version>1.1.11-SNAPSHOT</version>
+    <groupId>at.gv.egiz</groupId>
+    <artifactId>eaaf</artifactId>
+    <version>1.1.11-SNAPSHOT</version>
   </parent>
 
   <groupId>at.gv.egiz.eaaf</groupId>
   <artifactId>eaaf-core</artifactId>
   <name>EAAF core components</name>
   <description>Core components for identity managment implementations</description>
-     
+
   <dependencies>
-  	<dependency>
-  		<groupId>at.gv.egiz.eaaf</groupId>
-  		<artifactId>eaaf_core_api</artifactId>
-  	</dependency>
-  	<dependency>
-		<groupId>at.gv.egiz.eaaf</groupId>
-  		<artifactId>eaaf_core_utils</artifactId>
-  	</dependency>
-  
-  	<dependency>
-  		<groupId>at.gv.egiz.components</groupId>
-    	<artifactId>eventlog-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>at.gv.egiz.components</groupId>
-    	<artifactId>egiz-spring-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>javax.annotation</groupId>
-    	<artifactId>javax.annotation-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>org.springframework</groupId>
-		<artifactId>spring-webmvc</artifactId>
-        <scope>provided</scope>
-  	</dependency>
-  	<dependency>
-    	<groupId>org.slf4j</groupId>
-    	<artifactId>slf4j-api</artifactId>
-	</dependency>
-	<!-- dependency>
-    	<groupId>org.slf4j</groupId>
-    	<artifactId>slf4j-log4j12</artifactId>
-	</dependency-->
-	<dependency>
-		<groupId>commons-codec</groupId>
-    	<artifactId>commons-codec</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-lang3</artifactId>
-	</dependency>	
-    <dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-collections4</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-text</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>commons-fileupload</groupId>
-    	<artifactId>commons-fileupload</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>javax.servlet</groupId>
-		<artifactId>javax.servlet-api</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.velocity</groupId>
-		<artifactId>velocity</artifactId>
-	</dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_utils</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>at.gv.egiz.components</groupId>
+      <artifactId>eventlog-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.components</groupId>
+      <artifactId>egiz-spring-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.annotation</groupId>
+      <artifactId>javax.annotation-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-webmvc</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <!-- dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> 
+      </dependency -->
+    <dependency>
+      <groupId>commons-codec</groupId>
+      <artifactId>commons-codec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-collections4</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-fileupload</groupId>
+      <artifactId>commons-fileupload</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.velocity</groupId>
+      <artifactId>velocity</artifactId>
+    </dependency>
     <dependency>
       <groupId>commons-collections</groupId>
-      <artifactId>commons-collections</artifactId>
-    </dependency>
- 	<dependency>
-		<groupId>jaxen</groupId>
-    	<artifactId>jaxen</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>xerces</groupId>
-    	<artifactId>xercesImpl</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>xalan</groupId>
-	    <artifactId>xalan</artifactId>
-	</dependency>
-		
+      <artifactId>commons-collections</artifactId>      
+    </dependency>
+    <dependency>
+      <groupId>org.owasp.encoder</groupId>
+      <artifactId>encoder</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jaxen</groupId>
+      <artifactId>jaxen</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>xerces</groupId>
+      <artifactId>xercesImpl</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>xalan</groupId>
+      <artifactId>xalan</artifactId>
+    </dependency>
+
     <!-- For testing -->
-	<dependency>
-		<groupId>junit</groupId>
-      	<artifactId>junit</artifactId>
-      	<scope>test</scope>
-	</dependency>
-	<dependency>
-		<groupId>org.springframework</groupId>
-		<artifactId>spring-test</artifactId>
-		<scope>test</scope>
-	</dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>at.gv.egiz.eaaf</groupId>
       <artifactId>eaaf_core_utils</artifactId>
@@ -110,10 +114,10 @@
       <type>test-jar</type>
     </dependency>
   </dependencies>
-  
-   <build>
+
+  <build>
     <finalName>eaaf_core</finalName>
-    
+
     <plugins>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
@@ -124,44 +128,54 @@
           <target>1.8</target>
         </configuration>
         <executions>
-        	<execution>
-        		<goals>
-        			<goal>compile</goal>
-        			<goal>testCompile</goal>
-        		</goals>
-        	</execution>
+          <execution>
+            <goals>
+              <goal>compile</goal>
+              <goal>testCompile</goal>
+            </goals>
+          </execution>
         </executions>
       </plugin>
       <plugin>
-    	<groupId>org.apache.maven.plugins</groupId>
-    	<artifactId>maven-jar-plugin</artifactId>
-    	<version>3.1.0</version>
-    	<executions>
-        	<execution>
-            	<goals>
-                	<goal>test-jar</goal>
-            	</goals>
-        	</execution>
-    	</executions>
-	  </plugin>
-      
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>3.1.0</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
       <!-- enable co-existence of testng and junit -->
-			<plugin>
-				<artifactId>maven-surefire-plugin</artifactId>
-				<version>${surefire.version}</version>
-				<configuration>
-					<threadCount>1</threadCount>
-				</configuration>
-				<dependencies>
-					<dependency>
-						<groupId>org.apache.maven.surefire</groupId>
-						<artifactId>surefire-junit47</artifactId>
-						<version>${surefire.version}</version>
-					</dependency>
-				</dependencies>
-			</plugin>
-      
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>${surefire.version}</version>
+        <configuration>
+          <threadCount>1</threadCount>
+        </configuration>
+        <dependencies>
+          <dependency>
+            <groupId>org.apache.maven.surefire</groupId>
+            <artifactId>surefire-junit47</artifactId>
+            <version>${surefire.version}</version>
+          </dependency>
+        </dependencies>
+      </plugin>
+
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
-  
+
 </project>
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index 50bf76db..4410267e 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -20,8 +20,6 @@
 package at.gv.egiz.eaaf.core.impl.idp.auth.services;
 
 import java.io.IOException;
-import java.io.PrintWriter;
-import java.io.StringWriter;
 import java.util.HashSet;
 
 import javax.annotation.PostConstruct;
@@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
       // write generic message for general exceptions
       final String msg =
           statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null);
-      writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable);
+      writeHtmlErrorResponse(req, resp, msg, "9199", null);
 
     }
 
@@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq,
       @NonNull final HttpServletResponse httpResp, @NonNull final String msg,
-      @NonNull final String errorCode, @Nullable final Object[] params,
-      @NonNull final Exception error) throws EaafException {
+      @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException {
 
     try {
       final IGuiBuilderConfiguration config =
@@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
             AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS,
             ArrayUtils.toString(errorCodeParams));
 
-        // add stacktrace if debug is enabled
-        if (log.isTraceEnabled()) {
-          ((ModifyableGuiBuilderConfiguration) config).putCustomParameter(
-              AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE,
-              getStacktraceFromException(error));
-
-        }
-
       } else {
         log.info(
             "Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable ");
@@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   }
 
-  private String getStacktraceFromException(final Exception ex) {
-    final StringWriter errors = new StringWriter();
-    ex.printStackTrace(new PrintWriter(errors));
-    return errors.toString();
-
-  }
-
   private void internalMoaidExceptionHandler(final HttpServletRequest req,
       final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog)
       throws IOException, EaafException {
     if (e instanceof ProtocolNotActiveException) {
-      resp.getWriter().write(e.getMessage());
+      resp.getWriter().write(Encode.forHtml(e.getMessage()));
       resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8);
       resp.sendError(HttpServletResponse.SC_FORBIDDEN,
           StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage())));
@@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
       // write error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof InvalidProtocolRequestException) {
       // send error response
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof ConfigurationException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof EaafException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          ((EaafException) e).getParams(), e);
+          ((EaafException) e).getParams());
 
     } else if (e instanceof ProcessExecutionException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     }
 
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
index 14537d44..edca0fba 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
@@ -101,6 +101,7 @@ public class ProcessDefinitionParser {
 
       // Standard implementation of XMLInputFactory seems not to be thread-safe
       final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+      inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
       reader = inputFactory.createXMLEventReader(processDefinitionInputStream);
 
       final List<StartElement> transitionElements = new ArrayList<>();
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
index e8d5c294..4b8a7a04 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
@@ -33,6 +33,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.Vector;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
-import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
-
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.xerces.parsers.DOMParser;
@@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
+
 /**
  * Various utility functions for handling XML DOM trees.
  *
@@ -785,6 +786,7 @@ public class DomUtils {
       throws TransformerException, IOException {
 
     final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = transformerFactory.newTransformer();
     final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384);
 
@@ -1211,6 +1213,7 @@ public class DomUtils {
     // StringWriter stringWriter = new StringWriter();
     final Result result = new StreamResult(out);
     final TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = factory.newTransformer();
     transformer.transform(source, result);
     return out.toByteArray();
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
index b20efe3d..3343a089 100644
--- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
@@ -19,9 +19,6 @@
 
 package at.gv.egiz.eaaf.core.exceptions;
 
-import java.io.PrintStream;
-import java.io.PrintWriter;
-
 /**
  * An exception occurred evaluating an XPath.
  *
@@ -56,32 +53,4 @@ public class XPathException extends RuntimeException {
     return wrapped;
   }
 
-  /**
-   * Print error message.
-   *
-   * @see java.lang.Throwable#printStackTrace(java.io.PrintStream)
-   */
-  @Override
-  public void printStackTrace(final PrintStream s) {
-    super.printStackTrace(s);
-    if (getWrapped() != null) {
-      s.print("Caused by: ");
-      getWrapped().printStackTrace(s);
-    }
-  }
-
-  /**
-   * Print error message.
-   *
-   * @see java.lang.Throwable#printStackTrace(java.io.PrintWriter)
-   */
-  @Override
-  public void printStackTrace(final PrintWriter s) {
-    super.printStackTrace(s);
-    if (getWrapped() != null) {
-      s.print("Caused by: ");
-      getWrapped().printStackTrace(s);
-    }
-  }
-
 }
diff --git a/eaaf_core_utils/checks/spotbugs-exclude.xml b/eaaf_core_utils/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..b42f34c2
--- /dev/null
+++ b/eaaf_core_utils/checks/spotbugs-exclude.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <Class name="at.gv.egiz.eaaf.core.impl.utils.EaafSerializationUtils" />
+      <OR>
+        <Bug pattern="OBJECT_DESERIALIZATION" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- Paths and URLs only loaded from configuration -->
+      <Class name="at.gv.egiz.eaaf.core.impl.utils.FileUtils" />
+      <OR>
+        <Bug pattern="URLCONNECTION_SSRF_FD" />    
+        <Bug pattern="PATH_TRAVERSAL_IN" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- Paths and URLs only loaded from configuration -->
+      <Class name="at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils" />
+      <OR>
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />        
+      </OR>        
+    </Match>    
+</FindBugsFilter>
\ No newline at end of file
diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml
index 947faf4b..c7cefa8d 100644
--- a/eaaf_core_utils/pom.xml
+++ b/eaaf_core_utils/pom.xml
@@ -181,6 +181,16 @@
         </dependencies>
       </plugin>
 
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+           <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
index 8ec5f3a8..cfb4ed88 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
@@ -2,8 +2,8 @@ package at.gv.egiz.eaaf.core.impl.utils;
 
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
 import java.util.Base64;
 
 import javax.annotation.PostConstruct;
@@ -109,7 +109,8 @@ public class SecurePendingRequestIdGenerationStrategy
       log.trace("Checking HMAC from externalPendingReqId ... ");
       final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]);
       final byte[] refDigist = calculateHmac(buildInternalToken(internalPendingReqId, timeStamp));
-      if (!Arrays.equals(tokenDigest, refDigist)) {
+            
+      if (!MessageDigest.isEqual(refDigist,tokenDigest)) {
         log.warn("Digest of Token does NOT match");
         log.debug("Token: {} | Ref: {}", tokenDigest, refDigist);
         throw new PendingReqIdValidationException(null, "internal.pendingreqid.04");
diff --git a/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..b1d216dc
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- allow logging of SAML2 message on trace level -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder"/>
+      <Method name="getBase64DecodedMessage" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+    <Match>
+      <!-- allow logging of SAML2 relaystate on debug level -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder"/>
+      <Method name="doDecode" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index a0eee0e6..45819787 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -172,6 +172,16 @@
         </dependencies>
       </plugin>
 
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 </project>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..855f39bd
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- allow SHA-1, because transient SubjectNameIDs should have the same pattern as bPKs -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.Pvp2AssertionBuilder"/>
+      <Method name="buildAssertion" />
+      <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />
+    </Match>
+    <Match>
+      <!-- allow logging of SAML2 request parameters -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AbstractPvp2XProtocol"/>
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
index 3840c8d9..b92d0f56 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
@@ -91,6 +91,16 @@
         </dependencies>
       </plugin>
       
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+      
     </plugins>
   </build>
 </project>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
index b7b18f0f..d2ed2c11 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
@@ -26,26 +26,6 @@ import java.util.List;
 
 import javax.naming.ConfigurationException;
 
-import at.gv.egiz.eaaf.core.api.data.EaafConstants;
-import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
-import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
-import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
-import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
-import at.gv.egiz.eaaf.core.impl.utils.Random;
-import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
-import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
-
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 import org.opensaml.saml.common.xml.SAMLConstants;
@@ -79,6 +59,26 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.util.Base64Utils;
 
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+
 @Service("PVP2AssertionBuilder")
 public class Pvp2AssertionBuilder implements PvpConstants {
 
diff --git a/pom.xml b/pom.xml
index 33588b5d..ae131914 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
 
   <name>EGIZ EAAF components</name>
 
-  <properties> 
+  <properties>
     <!-- General project properties -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <java.version>1.8</java.version>
@@ -68,6 +68,7 @@
     <joda-time.version>2.10.8</joda-time.version>
     <jsr305.version>3.0.2</jsr305.version>
     <com.google.guava.version>30.0-jre</com.google.guava.version>
+    <org.owasp.encoder.version>1.2.3</org.owasp.encoder.version>
 
     <httpclient.version>4.5.13</httpclient.version>
     <httpcore.version>4.4.14</httpcore.version>
@@ -92,6 +93,7 @@
     <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
     <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version>
     <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version>
+    <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version>
     <dependency-check-maven.version>6.0.3</dependency-check-maven.version>
 
     <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory>
@@ -107,7 +109,7 @@
     <repository>
       <id>gitlab-localbuild</id>
       <url>https://gitlab.iaik.tugraz.at/api/v4/groups/119/-/packages/maven</url>
-    </repository>    
+    </repository>
     <repository>
       <id>egiz-commons</id>
       <url>https://apps.egiz.gv.at/maven/</url>
@@ -197,7 +199,7 @@
           </plugin>
         </plugins>
       </build>
-    </profile>    
+    </profile>
   </profiles>
 
   <modules>
@@ -356,7 +358,7 @@
         <groupId>javax.annotation</groupId>
         <artifactId>javax.annotation-api</artifactId>
         <version>${javax.annotation-api}</version>
-      </dependency>      
+      </dependency>
       <dependency>
         <groupId>commons-collections</groupId>
         <artifactId>commons-collections</artifactId>
@@ -433,11 +435,12 @@
         <version>${org.apache.santuario.xmlsec.version}</version>
       </dependency>
       <dependency>
-        <!-- Set newer version, because 1.1.3 from openSAML dependency has an CVE-2020-7226 -->
+        <!-- Set newer version, because 1.1.3 from openSAML dependency has 
+          an CVE-2020-7226 -->
         <groupId>org.cryptacular</groupId>
         <artifactId>cryptacular</artifactId>
         <version>${org.cryptacular.version}</version>
-      </dependency>      
+      </dependency>
       <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bcprov-jdk15to18</artifactId>
@@ -446,7 +449,7 @@
       <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bctls-jdk15to18</artifactId>
-        <version>${org.bouncycastle.bctls-jdk15to18.version}</version>      
+        <version>${org.bouncycastle.bctls-jdk15to18.version}</version>
       </dependency>
 
       <dependency>
@@ -487,6 +490,12 @@
         <version>${httpcore.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.owasp.encoder</groupId>
+        <artifactId>encoder</artifactId>
+        <version>${org.owasp.encoder.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>joda-time</groupId>
         <artifactId>joda-time</artifactId>
@@ -534,7 +543,7 @@
         <artifactId>okhttp-tls</artifactId>
         <version>${com.squareup.okhttp3.version}</version>
         <scope>test</scope>
-      </dependency>      
+      </dependency>
       <dependency>
         <groupId>at.gv.egiz.eaaf</groupId>
         <artifactId>eaaf_core_utils</artifactId>
@@ -723,6 +732,13 @@
         </executions>
         <configuration>
           <failOnError>true</failOnError>
+          <plugins>
+            <plugin>
+              <groupId>com.h3xstream.findsecbugs</groupId>
+              <artifactId>findsecbugs-plugin</artifactId>
+              <version>${findsecbugs-plugin.version}</version>
+            </plugin>
+          </plugins>
         </configuration>
       </plugin>
 
-- 
cgit v1.2.3