diff options
-rw-r--r-- | .gitlab-ci.yml | 41 | ||||
-rw-r--r-- | build_reporting/pom.xml | 75 | ||||
-rw-r--r-- | connector/checks/spotbugs-exclude.xml | 22 | ||||
-rw-r--r-- | connector/pom.xml | 9 | ||||
-rw-r--r-- | connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java | 7 | ||||
-rw-r--r-- | connector_lib/checks/spotbugs-exclude.xml | 9 | ||||
-rw-r--r-- | connector_lib/pom.xml | 9 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml | 31 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/pom.xml | 13 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml | 6 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java | 7 | ||||
-rw-r--r-- | pom.xml | 57 |
12 files changed, 253 insertions, 33 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 81a4a4dd..3d865418 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -9,6 +9,7 @@ variables: MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${CI_PROJECT_DIR}/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true" GIT_DEPTH: "2" SECURE_LOG_LEVEL: "debug" + JACOCO_CSV_LOCATION: '${CI_PROJECT_DIR}/build_reporting/target/site/jacoco-aggregate-ut/jacoco.csv' include: - template: Dependency-Scanning.gitlab-ci.yml @@ -31,7 +32,47 @@ assemble: - tags script: | mvn $MAVEN_CLI_OPTS generate-sources compile test + after_script: + - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print 100*covered/instructions, "% covered" }' $JACOCO_CSV_LOCATION artifacts: when: always reports: junit: "**/target/surefire-reports/TEST-*.xml" + paths: + - target/jacoco-report/jacoco.xml + + +buildDistributionPackage: + stage: package + except: + - tags + script: | + export VERSION=$(mvn -B help:evaluate -Dexpression=project.version -B | grep -v "\[INFO\]" | grep -Po "\d+\.\d+\.\d+((-\w*)+)?") + echo "Build full package of version $VERSION + mvn $MAVEN_CLI_OPTS verify -s .cisettings.xml -DskipTests + echo "VERSION=$VERSION" >> variables.env + artifacts: + when: always + reports: + dotenv: variables.env + name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME" + paths: + - target/*.-dist.zip + +release: + stage: release + image: registry.gitlab.com/gitlab-org/release-cli:latest + needs: + - job: buildDistributionPackage + artifacts: true + when: manual + only: + - master + script: | + echo "Releasing version $VERSION of $LIB_NAME" + echo "Publishing version $VERSION to public EGIZ maven" + mvn $MAVEN_CLI_OPTS deploy -s .cisettings.xml + artifacts: + name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME-EGIZ" + paths: + - target/*.-dist.zip diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml new file mode 100644 index 00000000..eca57a03 --- /dev/null +++ b/build_reporting/pom.xml @@ -0,0 +1,75 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>at.asitplus.eidas</groupId> + <artifactId>ms_specific</artifactId> + <version>1.1.1-SNAPSHOT</version> + </parent> + <artifactId>build_reporting</artifactId> + <packaging>pom</packaging> + <name>Reporting Module</name> + + <dependencies> + <dependency> + <groupId>at.asitplus.eidas.ms_specific</groupId> + <artifactId>connector_lib</artifactId> + </dependency> + <dependency> + <groupId>at.asitplus.eidas.ms_specific.modules</groupId> + <artifactId>authmodule-eIDAS-v2</artifactId> + </dependency> + <dependency> + <groupId>at.asitplus.eidas.ms_specific</groupId> + <artifactId>ms_specific_connector</artifactId> + <type>war</type> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.jacoco</groupId> + <artifactId>jacoco-maven-plugin</artifactId> + <executions> + <!-- aggregated unit test coverage report --> + <execution> + <id>aggregate-reports-ut</id> + <phase>test</phase> + <goals> + <goal>report-aggregate</goal> + </goals> + <configuration> + <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title> + <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory> + <dataFileExcludes> + <!-- exclude coverage data of integration tests --> + <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude> + </dataFileExcludes> + </configuration> + </execution> + </executions> + </plugin> + + <plugin> + <groupId>org.owasp</groupId> + <artifactId>dependency-check-maven</artifactId> + <configuration> + <failBuildOnCVSS>11</failBuildOnCVSS> + <failOnError>false</failOnError> + </configuration> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + </execution> + </executions> + </plugin> + + </plugins> + </build> + +</project> diff --git a/connector/checks/spotbugs-exclude.xml b/connector/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..5d4fd515 --- /dev/null +++ b/connector/checks/spotbugs-exclude.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- Write only application status into response. Should be removed if we switch to Spring Actuator --> + <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" /> + <Method name="startSingleTests" /> + <Bug pattern="XSS_SERVLET" /> + </Match> + <Match> + <!-- CSFR protection is implemented by pendingRequestId that is an one-time token + Endpoint for Metadata generation can be unrestrected by design --> + <OR> + <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" /> + <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" /> + </OR> + <OR> + <Method name="performGenericAuthenticationProcess" /> + <Method name="pvpMetadataRequest" /> + </OR> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> +</FindBugsFilter> diff --git a/connector/pom.xml b/connector/pom.xml index 6621fb0f..3c2ddf07 100644 --- a/connector/pom.xml +++ b/connector/pom.xml @@ -156,6 +156,15 @@ </executions> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> </project> diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java index aa45c836..f2d9fc8c 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java @@ -34,6 +34,7 @@ import org.apache.commons.text.StringEscapeUtils; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.client.utils.URIBuilder; import org.apache.http.impl.client.CloseableHttpClient; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -250,9 +251,9 @@ public class MonitoringController { } // create HTTP client - // TODO: update if we switch to openSAML3 - CloseableHttpClient httpClient = httpClientFactory.getHttpClient(); - HttpUriRequest request = new HttpGet(urlString); + CloseableHttpClient httpClient = httpClientFactory.getHttpClient(); + URIBuilder uriBuilder = new URIBuilder(urlString); + HttpUriRequest request = new HttpGet(uriBuilder.build()); final CloseableHttpResponse respCode = httpClient.execute(request); if (respCode.getStatusLine().getStatusCode() != 200) { diff --git a/connector_lib/checks/spotbugs-exclude.xml b/connector_lib/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..90ca96f2 --- /dev/null +++ b/connector_lib/checks/spotbugs-exclude.xml @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- View parameters are hard-coded values --> + <Class name="at.asitplus.eidas.specific.connector.gui.SpringMvcGuiFormBuilderImpl" /> + <Method name="build" /> + <Bug pattern="SPRING_FILE_DISCLOSURE" /> + </Match> +</FindBugsFilter> diff --git a/connector_lib/pom.xml b/connector_lib/pom.xml index 795096f9..9a187f7f 100644 --- a/connector_lib/pom.xml +++ b/connector_lib/pom.xml @@ -68,6 +68,15 @@ </dependency> </dependencies> </plugin> + + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> </plugins> </build> diff --git a/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..375f73f4 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml @@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- Do not check code generated by Apache CXF framework --> + <Class name="~szrservices.SZRException"/> + </Match> + <Match> + <!-- Logging of SAML2 responses in case of errors or for debugging is allowed --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" /> + <Method name="getPendingRequestId" /> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> + <Match> + <!-- CSFR protection is implemented by pendingRequestId that is an one-time token --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" /> + <Method name="restoreEidasAuthProcess" /> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> + <Match> + <!-- File path is only loaded from configuration --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry" /> + <Method name="initialize" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </Match> + <Match> + <!-- Redirect URL is only loaded from configuration --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAuthnRequestTask" /> + <Method name="execute" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> +</FindBugsFilter> diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml index b2e841fb..ddd2723c 100644 --- a/eidas_modules/authmodule-eIDAS-v2/pom.xml +++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml @@ -251,18 +251,9 @@ <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> - <executions> - <execution> - <id>spotbugs_validate</id> - <phase>test</phase> - <goals> - <goal>check</goal> - </goals> - </execution> - </executions> + <version>${spotbugs-maven-plugin.version}</version> <configuration> - <failOnError>true</failOnError> - <excludeFilterFile>spotbugs_exclude.xml</excludeFilterFile> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> </configuration> </plugin> diff --git a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml b/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml deleted file mode 100644 index 90d418ff..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml +++ /dev/null @@ -1,6 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<FindBugsFilter> - <Match> - <Class name="~szrservices.SZRException"/> - </Match> -</FindBugsFilter>
\ No newline at end of file diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index 69b993a4..067825d8 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -45,6 +45,7 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.xml.XMLConstants; import javax.xml.bind.JAXBContext; import javax.xml.bind.Marshaller; import javax.xml.namespace.QName; @@ -58,8 +59,6 @@ import javax.xml.ws.BindingProvider; import javax.xml.ws.Dispatch; import javax.xml.ws.handler.Handler; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.lang3.StringUtils; import org.apache.cxf.configuration.jsse.TLSClientParameters; import org.apache.cxf.endpoint.Client; @@ -75,6 +74,9 @@ import org.springframework.stereotype.Service; import org.w3c.dom.Document; import org.w3c.dom.Element; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; + import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler; @@ -488,6 +490,7 @@ public class SzrClient { private byte[] sourceToByteArray(Source result) throws TransformerException { final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Transformer transformer = factory.newTransformer(); transformer.setOutputProperty("omit-xml-declaration", "yes"); transformer.setOutputProperty("method", "xml"); @@ -20,29 +20,32 @@ <egiz-spring-api>0.3</egiz-spring-api> <egiz-eventlog-slf4jBackend>0.4</egiz-eventlog-slf4jBackend> <eaaf-core.version>1.1.10</eaaf-core.version> - <org.springframework.version>5.2.9.RELEASE</org.springframework.version> + <org.springframework.version>5.2.12.RELEASE</org.springframework.version> <org.thymeleaf-spring5.version>3.0.11.RELEASE</org.thymeleaf-spring5.version> - <cxf.version>3.4.0</cxf.version> + <cxf.version>3.4.1</cxf.version> <org.apache.commons-lang3.version>3.11</org.apache.commons-lang3.version> <org.apache.commons-text.version>1.9</org.apache.commons-text.version> <commons-collections4.version>4.4</commons-collections4.version> - <com.google.guava.version>29.0-jre</com.google.guava.version> - <joda-time.version>2.10.6</joda-time.version> + <com.google.guava.version>30.0-jre</com.google.guava.version> + <joda-time.version>2.10.8</joda-time.version> <org.slf4j.version>1.7.30</org.slf4j.version> - <jackson-datatype-jsr310.version>2.11.3</jackson-datatype-jsr310.version> - - + <jackson-datatype-jsr310.version>2.12.0</jackson-datatype-jsr310.version> + + <!-- testing --> - <junit.version>4.13</junit.version> + <junit.version>4.13.1</junit.version> <surefire.version>2.22.2</surefire.version> <mockito-soap-cxf.version>1.0.5</mockito-soap-cxf.version> <!-- Code quality checks --> <jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version> <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version> - <maven-pmd-plugin.version>3.13.0</maven-pmd-plugin.version> - <spotbugs-maven-plugin.version>4.0.4</spotbugs-maven-plugin.version> + <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version> + <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version> + <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version> + + <dependency-check-maven.version>6.0.3</dependency-check-maven.version> <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory> <pmw_rules_location>https://apps.egiz.gv.at/checkstyle/egiz_pmd_checks.xml</pmw_rules_location> @@ -95,6 +98,7 @@ <module>connector_lib</module> <module>connector</module> <module>eidas_modules</module> + <module>build_reporting</module> </modules> <dependencyManagement> @@ -121,6 +125,12 @@ <version>${eaaf-core.version}</version> </dependency> <dependency> + <groupId>at.asitplus.eidas.ms_specific</groupId> + <artifactId>ms_specific_connector</artifactId> + <type>war</type> + <version>${egiz.eidas.version}</version> + </dependency> + <dependency> <groupId>at.asitplus.eidas.ms_specific.modules</groupId> <artifactId>authmodule-eIDAS-v2</artifactId> <version>${egiz.eidas.version}</version> @@ -303,6 +313,24 @@ <version>${maven-assembly-plugin.version}</version> </plugin> + <plugin> + <groupId>org.owasp</groupId> + <artifactId>dependency-check-maven</artifactId> + <version>${dependency-check-maven.version}</version> + <configuration> + <failBuildOnCVSS>11</failBuildOnCVSS> + <failOnError>false</failOnError> + </configuration> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + </execution> + </executions> + </plugin> + + </plugins> </pluginManagement> <plugins> @@ -453,6 +481,13 @@ </executions> <configuration> <failOnError>true</failOnError> + <plugins> + <plugin> + <groupId>com.h3xstream.findsecbugs</groupId> + <artifactId>findsecbugs-plugin</artifactId> + <version>${findsecbugs-plugin.version}</version> + </plugin> + </plugins> </configuration> </plugin> </plugins> @@ -479,4 +514,4 @@ </plugin> </plugins> </reporting> -</project>
\ No newline at end of file +</project> |