1 files changed, 36 insertions, 0 deletions

diff --git a/ms_specific_connector/checks/spotbugs-exclude.xml b/ms_specific_connector/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..bb41eb27
--- /dev/null
+++ b/ms_specific_connector/checks/spotbugs-exclude.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- Write only application status into response. Should be removed if we switch to Spring Actuator -->
+      <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" />
+      <Method name="startSingleTests" />
+      <Bug pattern="XSS_SERVLET" />               
+    </Match>
+    <Match>
+      <!-- CSFR protection is implemented by pendingRequestId that is an one-time token 
+           Endpoint for Metadata generation can be unrestrected by design -->
+      <OR>
+        <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" />
+        <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" />
+      </OR>
+      <OR>
+        <Method name="performGenericAuthenticationProcess" />
+        <Method name="pvpMetadataRequest" />
+      </OR>
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />               
+    </Match>
+    <Match>
+      <!-- Path to application configuration is trusted -->
+      <Class name="at.asitplus.eidas.specific.connector.MsSpecificSpringBootApplicationContextInitializer" />
+      <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+  <Match>
+    <!-- Builder pattern does not expose date elements -->
+    <OR>
+      <Class name="at.asitplus.eidas.specific.connector.health.IgniteClusterHealthIndicator" />
+    </OR>
+    <OR>
+      <Bug pattern="EI_EXPOSE_REP2" />
+    </OR>
+  </Match>      
+</FindBugsFilter>