From 39f94caf86e054b2485beeae09c4947d75b017c1 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 9 Dec 2020 15:36:45 +0100
Subject: update third-party lib org.cryptacular to v 1.2.4 because openSAML
 3.4.5 includes v1.1.3 with CVE-2020-7226

---
 eaaf_modules/eaaf_module_pvp2_core/pom.xml | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'eaaf_modules/eaaf_module_pvp2_core')

diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index 86a66f4e..a0eee0e6 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -54,6 +54,10 @@
       <groupId>org.apache.santuario</groupId>
       <artifactId>xmlsec</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.cryptacular</groupId>
+      <artifactId>cryptacular</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-- 
cgit v1.2.3


From c4f117e74b8ade8b420f0443955ec6b94f88cee4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 9 Dec 2020 18:20:56 +0100
Subject: add findSecBugs extension into spotbugs plug-in

---
 .../eaaf_module_pvp2_core/checks/spotbugs-exclude.xml     | 15 +++++++++++++++
 eaaf_modules/eaaf_module_pvp2_core/pom.xml                | 10 ++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml

(limited to 'eaaf_modules/eaaf_module_pvp2_core')

diff --git a/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..b1d216dc
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- allow logging of SAML2 message on trace level -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder"/>
+      <Method name="getBase64DecodedMessage" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+    <Match>
+      <!-- allow logging of SAML2 relaystate on debug level -->
+      <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder"/>
+      <Method name="doDecode" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index a0eee0e6..45819787 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -172,6 +172,16 @@
         </dependencies>
       </plugin>
 
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 </project>
-- 
cgit v1.2.3