aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-12-11 16:33:00 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-12-11 16:33:00 +0100
commit26e422ff90f2a4fb9d2d25c0b2328b365fe5f0d7 (patch)
tree2bf10a997dd1c5239d70fae4a77f4d56b9bd7e44
parent230e6c3890c7e63b286e9a08001e5ffd63743d2c (diff)
downloadNational_eIDAS_Gateway-26e422ff90f2a4fb9d2d25c0b2328b365fe5f0d7.tar.gz
National_eIDAS_Gateway-26e422ff90f2a4fb9d2d25c0b2328b365fe5f0d7.tar.bz2
National_eIDAS_Gateway-26e422ff90f2a4fb9d2d25c0b2328b365fe5f0d7.zip
add 'findSecBugs' plug-in into 'spotBugs' module and solve bugs or exclude false-positive
update gitlab-ci configuration to display jUnit test-coverage
-rw-r--r--.gitlab-ci.yml41
-rw-r--r--build_reporting/pom.xml75
-rw-r--r--connector/checks/spotbugs-exclude.xml22
-rw-r--r--connector/pom.xml9
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java7
-rw-r--r--connector_lib/checks/spotbugs-exclude.xml9
-rw-r--r--connector_lib/pom.xml9
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml31
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/pom.xml13
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml6
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java7
-rw-r--r--pom.xml57
12 files changed, 253 insertions, 33 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 81a4a4dd..3d865418 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,6 +9,7 @@ variables:
MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${CI_PROJECT_DIR}/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
GIT_DEPTH: "2"
SECURE_LOG_LEVEL: "debug"
+ JACOCO_CSV_LOCATION: '${CI_PROJECT_DIR}/build_reporting/target/site/jacoco-aggregate-ut/jacoco.csv'
include:
- template: Dependency-Scanning.gitlab-ci.yml
@@ -31,7 +32,47 @@ assemble:
- tags
script: |
mvn $MAVEN_CLI_OPTS generate-sources compile test
+ after_script:
+ - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print 100*covered/instructions, "% covered" }' $JACOCO_CSV_LOCATION
artifacts:
when: always
reports:
junit: "**/target/surefire-reports/TEST-*.xml"
+ paths:
+ - target/jacoco-report/jacoco.xml
+
+
+buildDistributionPackage:
+ stage: package
+ except:
+ - tags
+ script: |
+ export VERSION=$(mvn -B help:evaluate -Dexpression=project.version -B | grep -v "\[INFO\]" | grep -Po "\d+\.\d+\.\d+((-\w*)+)?")
+ echo "Build full package of version $VERSION
+ mvn $MAVEN_CLI_OPTS verify -s .cisettings.xml -DskipTests
+ echo "VERSION=$VERSION" >> variables.env
+ artifacts:
+ when: always
+ reports:
+ dotenv: variables.env
+ name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
+ paths:
+ - target/*.-dist.zip
+
+release:
+ stage: release
+ image: registry.gitlab.com/gitlab-org/release-cli:latest
+ needs:
+ - job: buildDistributionPackage
+ artifacts: true
+ when: manual
+ only:
+ - master
+ script: |
+ echo "Releasing version $VERSION of $LIB_NAME"
+ echo "Publishing version $VERSION to public EGIZ maven"
+ mvn $MAVEN_CLI_OPTS deploy -s .cisettings.xml
+ artifacts:
+ name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME-EGIZ"
+ paths:
+ - target/*.-dist.zip
diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml
new file mode 100644
index 00000000..eca57a03
--- /dev/null
+++ b/build_reporting/pom.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>at.asitplus.eidas</groupId>
+ <artifactId>ms_specific</artifactId>
+ <version>1.1.1-SNAPSHOT</version>
+ </parent>
+ <artifactId>build_reporting</artifactId>
+ <packaging>pom</packaging>
+ <name>Reporting Module</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>at.asitplus.eidas.ms_specific</groupId>
+ <artifactId>connector_lib</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.asitplus.eidas.ms_specific.modules</groupId>
+ <artifactId>authmodule-eIDAS-v2</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.asitplus.eidas.ms_specific</groupId>
+ <artifactId>ms_specific_connector</artifactId>
+ <type>war</type>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.jacoco</groupId>
+ <artifactId>jacoco-maven-plugin</artifactId>
+ <executions>
+ <!-- aggregated unit test coverage report -->
+ <execution>
+ <id>aggregate-reports-ut</id>
+ <phase>test</phase>
+ <goals>
+ <goal>report-aggregate</goal>
+ </goals>
+ <configuration>
+ <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>
+ <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory>
+ <dataFileExcludes>
+ <!-- exclude coverage data of integration tests -->
+ <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude>
+ </dataFileExcludes>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <failBuildOnCVSS>11</failBuildOnCVSS>
+ <failOnError>false</failOnError>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+
+ </plugins>
+ </build>
+
+</project>
diff --git a/connector/checks/spotbugs-exclude.xml b/connector/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..5d4fd515
--- /dev/null
+++ b/connector/checks/spotbugs-exclude.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <!-- Write only application status into response. Should be removed if we switch to Spring Actuator -->
+ <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" />
+ <Method name="startSingleTests" />
+ <Bug pattern="XSS_SERVLET" />
+ </Match>
+ <Match>
+ <!-- CSFR protection is implemented by pendingRequestId that is an one-time token
+ Endpoint for Metadata generation can be unrestrected by design -->
+ <OR>
+ <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" />
+ <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" />
+ </OR>
+ <OR>
+ <Method name="performGenericAuthenticationProcess" />
+ <Method name="pvpMetadataRequest" />
+ </OR>
+ <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+ </Match>
+</FindBugsFilter>
diff --git a/connector/pom.xml b/connector/pom.xml
index 6621fb0f..3c2ddf07 100644
--- a/connector/pom.xml
+++ b/connector/pom.xml
@@ -156,6 +156,15 @@
</executions>
</plugin>
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>${spotbugs-maven-plugin.version}</version>
+ <configuration>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+ </configuration>
+ </plugin>
+
</plugins>
</build>
</project>
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
index aa45c836..f2d9fc8c 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
@@ -34,6 +34,7 @@ import org.apache.commons.text.StringEscapeUtils;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -250,9 +251,9 @@ public class MonitoringController {
}
// create HTTP client
- // TODO: update if we switch to openSAML3
- CloseableHttpClient httpClient = httpClientFactory.getHttpClient();
- HttpUriRequest request = new HttpGet(urlString);
+ CloseableHttpClient httpClient = httpClientFactory.getHttpClient();
+ URIBuilder uriBuilder = new URIBuilder(urlString);
+ HttpUriRequest request = new HttpGet(uriBuilder.build());
final CloseableHttpResponse respCode = httpClient.execute(request);
if (respCode.getStatusLine().getStatusCode() != 200) {
diff --git a/connector_lib/checks/spotbugs-exclude.xml b/connector_lib/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..90ca96f2
--- /dev/null
+++ b/connector_lib/checks/spotbugs-exclude.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <!-- View parameters are hard-coded values -->
+ <Class name="at.asitplus.eidas.specific.connector.gui.SpringMvcGuiFormBuilderImpl" />
+ <Method name="build" />
+ <Bug pattern="SPRING_FILE_DISCLOSURE" />
+ </Match>
+</FindBugsFilter>
diff --git a/connector_lib/pom.xml b/connector_lib/pom.xml
index 795096f9..9a187f7f 100644
--- a/connector_lib/pom.xml
+++ b/connector_lib/pom.xml
@@ -68,6 +68,15 @@
</dependency>
</dependencies>
</plugin>
+
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>${spotbugs-maven-plugin.version}</version>
+ <configuration>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+ </configuration>
+ </plugin>
</plugins>
</build>
diff --git a/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..375f73f4
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <!-- Do not check code generated by Apache CXF framework -->
+ <Class name="~szrservices.SZRException"/>
+ </Match>
+ <Match>
+ <!-- Logging of SAML2 responses in case of errors or for debugging is allowed -->
+ <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" />
+ <Method name="getPendingRequestId" />
+ <Bug pattern="CRLF_INJECTION_LOGS" />
+ </Match>
+ <Match>
+ <!-- CSFR protection is implemented by pendingRequestId that is an one-time token -->
+ <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" />
+ <Method name="restoreEidasAuthProcess" />
+ <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+ </Match>
+ <Match>
+ <!-- File path is only loaded from configuration -->
+ <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry" />
+ <Method name="initialize" />
+ <Bug pattern="PATH_TRAVERSAL_IN" />
+ </Match>
+ <Match>
+ <!-- Redirect URL is only loaded from configuration -->
+ <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAuthnRequestTask" />
+ <Method name="execute" />
+ <Bug pattern="UNVALIDATED_REDIRECT" />
+ </Match>
+</FindBugsFilter>
diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml
index b2e841fb..ddd2723c 100644
--- a/eidas_modules/authmodule-eIDAS-v2/pom.xml
+++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml
@@ -251,18 +251,9 @@
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>spotbugs_validate</id>
- <phase>test</phase>
- <goals>
- <goal>check</goal>
- </goals>
- </execution>
- </executions>
+ <version>${spotbugs-maven-plugin.version}</version>
<configuration>
- <failOnError>true</failOnError>
- <excludeFilterFile>spotbugs_exclude.xml</excludeFilterFile>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
</configuration>
</plugin>
diff --git a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml b/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml
deleted file mode 100644
index 90d418ff..00000000
--- a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FindBugsFilter>
- <Match>
- <Class name="~szrservices.SZRException"/>
- </Match>
-</FindBugsFilter> \ No newline at end of file
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index 69b993a4..067825d8 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -45,6 +45,7 @@ import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Marshaller;
import javax.xml.namespace.QName;
@@ -58,8 +59,6 @@ import javax.xml.ws.BindingProvider;
import javax.xml.ws.Dispatch;
import javax.xml.ws.handler.Handler;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
@@ -75,6 +74,9 @@ import org.springframework.stereotype.Service;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler;
@@ -488,6 +490,7 @@ public class SzrClient {
private byte[] sourceToByteArray(Source result) throws TransformerException {
final TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
final Transformer transformer = factory.newTransformer();
transformer.setOutputProperty("omit-xml-declaration", "yes");
transformer.setOutputProperty("method", "xml");
diff --git a/pom.xml b/pom.xml
index 2c8cb1e7..c360f910 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,29 +20,32 @@
<egiz-spring-api>0.3</egiz-spring-api>
<egiz-eventlog-slf4jBackend>0.4</egiz-eventlog-slf4jBackend>
<eaaf-core.version>1.1.10</eaaf-core.version>
- <org.springframework.version>5.2.9.RELEASE</org.springframework.version>
+ <org.springframework.version>5.2.12.RELEASE</org.springframework.version>
<org.thymeleaf-spring5.version>3.0.11.RELEASE</org.thymeleaf-spring5.version>
- <cxf.version>3.4.0</cxf.version>
+ <cxf.version>3.4.1</cxf.version>
<org.apache.commons-lang3.version>3.11</org.apache.commons-lang3.version>
<org.apache.commons-text.version>1.9</org.apache.commons-text.version>
<commons-collections4.version>4.4</commons-collections4.version>
- <com.google.guava.version>29.0-jre</com.google.guava.version>
- <joda-time.version>2.10.6</joda-time.version>
+ <com.google.guava.version>30.0-jre</com.google.guava.version>
+ <joda-time.version>2.10.8</joda-time.version>
<org.slf4j.version>1.7.30</org.slf4j.version>
- <jackson-datatype-jsr310.version>2.11.3</jackson-datatype-jsr310.version>
-
-
+ <jackson-datatype-jsr310.version>2.12.0</jackson-datatype-jsr310.version>
+
+
<!-- testing -->
- <junit.version>4.13</junit.version>
+ <junit.version>4.13.1</junit.version>
<surefire.version>2.22.2</surefire.version>
<mockito-soap-cxf.version>1.0.5</mockito-soap-cxf.version>
<!-- Code quality checks -->
<jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version>
<maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
- <maven-pmd-plugin.version>3.13.0</maven-pmd-plugin.version>
- <spotbugs-maven-plugin.version>4.0.4</spotbugs-maven-plugin.version>
+ <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version>
+ <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version>
+ <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version>
+
+ <dependency-check-maven.version>6.0.3</dependency-check-maven.version>
<license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory>
<pmw_rules_location>https://apps.egiz.gv.at/checkstyle/egiz_pmd_checks.xml</pmw_rules_location>
@@ -95,6 +98,7 @@
<module>connector_lib</module>
<module>connector</module>
<module>eidas_modules</module>
+ <module>build_reporting</module>
</modules>
<dependencyManagement>
@@ -121,6 +125,12 @@
<version>${eaaf-core.version}</version>
</dependency>
<dependency>
+ <groupId>at.asitplus.eidas.ms_specific</groupId>
+ <artifactId>ms_specific_connector</artifactId>
+ <type>war</type>
+ <version>${egiz.eidas.version}</version>
+ </dependency>
+ <dependency>
<groupId>at.asitplus.eidas.ms_specific.modules</groupId>
<artifactId>authmodule-eIDAS-v2</artifactId>
<version>${egiz.eidas.version}</version>
@@ -303,6 +313,24 @@
<version>${maven-assembly-plugin.version}</version>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <configuration>
+ <failBuildOnCVSS>11</failBuildOnCVSS>
+ <failOnError>false</failOnError>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+
+
</plugins>
</pluginManagement>
<plugins>
@@ -453,6 +481,13 @@
</executions>
<configuration>
<failOnError>true</failOnError>
+ <plugins>
+ <plugin>
+ <groupId>com.h3xstream.findsecbugs</groupId>
+ <artifactId>findsecbugs-plugin</artifactId>
+ <version>${findsecbugs-plugin.version}</version>
+ </plugin>
+ </plugins>
</configuration>
</plugin>
</plugins>
@@ -479,4 +514,4 @@
</plugin>
</plugins>
</reporting>
-</project> \ No newline at end of file
+</project>