From 26e422ff90f2a4fb9d2d25c0b2328b365fe5f0d7 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 11 Dec 2020 16:33:00 +0100
Subject: add 'findSecBugs' plug-in into 'spotBugs' module and solve bugs or
 exclude false-positive update gitlab-ci configuration to display jUnit
 test-coverage

---
 .gitlab-ci.yml                                     | 41 ++++++++++++
 build_reporting/pom.xml                            | 75 ++++++++++++++++++++++
 connector/checks/spotbugs-exclude.xml              | 22 +++++++
 connector/pom.xml                                  |  9 +++
 .../connector/controller/MonitoringController.java |  7 +-
 connector_lib/checks/spotbugs-exclude.xml          |  9 +++
 connector_lib/pom.xml                              |  9 +++
 .../checks/spotbugs-exclude.xml                    | 31 +++++++++
 eidas_modules/authmodule-eIDAS-v2/pom.xml          | 13 +---
 .../authmodule-eIDAS-v2/spotbugs_exclude.xml       |  6 --
 .../modules/auth/eidas/v2/szr/SzrClient.java       |  7 +-
 pom.xml                                            | 57 ++++++++++++----
 12 files changed, 253 insertions(+), 33 deletions(-)
 create mode 100644 build_reporting/pom.xml
 create mode 100644 connector/checks/spotbugs-exclude.xml
 create mode 100644 connector_lib/checks/spotbugs-exclude.xml
 create mode 100644 eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml
 delete mode 100644 eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 81a4a4dd..3d865418 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,6 +9,7 @@ variables:
   MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${CI_PROJECT_DIR}/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
   GIT_DEPTH: "2"
   SECURE_LOG_LEVEL: "debug"
+  JACOCO_CSV_LOCATION: '${CI_PROJECT_DIR}/build_reporting/target/site/jacoco-aggregate-ut/jacoco.csv'
 
 include:
   - template: Dependency-Scanning.gitlab-ci.yml
@@ -31,7 +32,47 @@ assemble:
     - tags
   script: |
     mvn $MAVEN_CLI_OPTS generate-sources compile test
+  after_script:
+    - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print 100*covered/instructions, "% covered" }' $JACOCO_CSV_LOCATION    
   artifacts:
     when: always
     reports:
       junit: "**/target/surefire-reports/TEST-*.xml"
+      paths:
+        - target/jacoco-report/jacoco.xml
+
+
+buildDistributionPackage:
+  stage: package
+  except:
+    - tags
+  script: |
+    export VERSION=$(mvn -B help:evaluate -Dexpression=project.version -B | grep -v "\[INFO\]" | grep -Po "\d+\.\d+\.\d+((-\w*)+)?")
+    echo "Build full package of version $VERSION
+    mvn $MAVEN_CLI_OPTS verify -s .cisettings.xml -DskipTests
+    echo "VERSION=$VERSION" >> variables.env
+  artifacts:
+    when: always
+    reports:
+      dotenv: variables.env
+    name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
+    paths:
+      - target/*.-dist.zip  
+
+release:
+  stage: release
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  needs:
+    - job: buildDistributionPackage
+      artifacts: true
+  when: manual
+  only:
+    - master
+  script: |
+    echo "Releasing version $VERSION of $LIB_NAME"
+    echo "Publishing version $VERSION to public EGIZ maven"
+    mvn $MAVEN_CLI_OPTS deploy -s .cisettings.xml
+  artifacts:
+    name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME-EGIZ"
+    paths:
+      - target/*.-dist.zip          
diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml
new file mode 100644
index 00000000..eca57a03
--- /dev/null
+++ b/build_reporting/pom.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>at.asitplus.eidas</groupId>
+    <artifactId>ms_specific</artifactId>
+    <version>1.1.1-SNAPSHOT</version>
+  </parent>
+  <artifactId>build_reporting</artifactId>
+  <packaging>pom</packaging>
+  <name>Reporting Module</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>at.asitplus.eidas.ms_specific</groupId>
+      <artifactId>connector_lib</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.asitplus.eidas.ms_specific.modules</groupId>
+      <artifactId>authmodule-eIDAS-v2</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.asitplus.eidas.ms_specific</groupId>
+      <artifactId>ms_specific_connector</artifactId>
+      <type>war</type>
+    </dependency>      
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+        <executions>
+          <!-- aggregated unit test coverage report -->
+          <execution>
+            <id>aggregate-reports-ut</id>
+            <phase>test</phase>
+            <goals>
+              <goal>report-aggregate</goal>
+            </goals>
+            <configuration>
+              <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>
+              <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory>
+              <dataFileExcludes>
+                <!-- exclude coverage data of integration tests -->
+                <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude>
+              </dataFileExcludes>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <configuration>
+          <failBuildOnCVSS>11</failBuildOnCVSS>
+          <failOnError>false</failOnError>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      
+    </plugins>
+  </build>
+
+</project>
diff --git a/connector/checks/spotbugs-exclude.xml b/connector/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..5d4fd515
--- /dev/null
+++ b/connector/checks/spotbugs-exclude.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- Write only application status into response. Should be removed if we switch to Spring Actuator -->
+      <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" />
+      <Method name="startSingleTests" />
+      <Bug pattern="XSS_SERVLET" />               
+    </Match>
+    <Match>
+      <!-- CSFR protection is implemented by pendingRequestId that is an one-time token 
+           Endpoint for Metadata generation can be unrestrected by design -->
+      <OR>
+        <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" />
+        <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" />
+      </OR>
+      <OR>
+        <Method name="performGenericAuthenticationProcess" />
+        <Method name="pvpMetadataRequest" />
+      </OR>
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />               
+    </Match>
+</FindBugsFilter>
diff --git a/connector/pom.xml b/connector/pom.xml
index 6621fb0f..3c2ddf07 100644
--- a/connector/pom.xml
+++ b/connector/pom.xml
@@ -156,6 +156,15 @@
         </executions>
       </plugin>
 
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 </project>
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
index aa45c836..f2d9fc8c 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
@@ -34,6 +34,7 @@ import org.apache.commons.text.StringEscapeUtils;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -250,9 +251,9 @@ public class MonitoringController {
       }
 
       // create HTTP client
-      // TODO: update if we switch to openSAML3
-      CloseableHttpClient httpClient = httpClientFactory.getHttpClient();
-      HttpUriRequest request = new HttpGet(urlString);
+      CloseableHttpClient httpClient = httpClientFactory.getHttpClient();      
+      URIBuilder uriBuilder = new URIBuilder(urlString);      
+      HttpUriRequest request = new HttpGet(uriBuilder.build());
 
       final CloseableHttpResponse respCode = httpClient.execute(request);
       if (respCode.getStatusLine().getStatusCode() != 200) {
diff --git a/connector_lib/checks/spotbugs-exclude.xml b/connector_lib/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..90ca96f2
--- /dev/null
+++ b/connector_lib/checks/spotbugs-exclude.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- View parameters are hard-coded values -->
+      <Class name="at.asitplus.eidas.specific.connector.gui.SpringMvcGuiFormBuilderImpl" />
+      <Method name="build" />
+      <Bug pattern="SPRING_FILE_DISCLOSURE" />               
+    </Match>  
+</FindBugsFilter>
diff --git a/connector_lib/pom.xml b/connector_lib/pom.xml
index 795096f9..9a187f7f 100644
--- a/connector_lib/pom.xml
+++ b/connector_lib/pom.xml
@@ -68,6 +68,15 @@
           </dependency>
         </dependencies>
       </plugin>
+      
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
 
     </plugins>
   </build>
diff --git a/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..375f73f4
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- Do not check code generated by Apache CXF framework -->
+      <Class name="~szrservices.SZRException"/>
+    </Match>
+    <Match>
+      <!-- Logging of SAML2 responses in case of errors or for debugging is allowed -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" />
+      <Method name="getPendingRequestId" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />               
+    </Match>
+    <Match>
+      <!-- CSFR protection is implemented by pendingRequestId that is an one-time token -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" />
+      <Method name="restoreEidasAuthProcess" />
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />               
+    </Match>
+    <Match>
+      <!-- File path is only loaded from configuration -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry" />
+      <Method name="initialize" />
+      <Bug pattern="PATH_TRAVERSAL_IN" />               
+    </Match>
+    <Match>
+      <!-- Redirect URL is only loaded from configuration -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAuthnRequestTask" />
+      <Method name="execute" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />               
+    </Match>  
+</FindBugsFilter>
diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml
index b2e841fb..ddd2723c 100644
--- a/eidas_modules/authmodule-eIDAS-v2/pom.xml
+++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml
@@ -251,18 +251,9 @@
       <plugin>
         <groupId>com.github.spotbugs</groupId>
         <artifactId>spotbugs-maven-plugin</artifactId>
-        <executions>
-          <execution>
-            <id>spotbugs_validate</id>
-            <phase>test</phase>
-            <goals>
-              <goal>check</goal>
-            </goals>
-          </execution>
-        </executions>
+        <version>${spotbugs-maven-plugin.version}</version>
         <configuration>
-          <failOnError>true</failOnError>
-          <excludeFilterFile>spotbugs_exclude.xml</excludeFilterFile>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
         </configuration>
       </plugin>
 
diff --git a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml b/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml
deleted file mode 100644
index 90d418ff..00000000
--- a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FindBugsFilter>
-    <Match>
-        <Class name="~szrservices.SZRException"/>
-    </Match>
-</FindBugsFilter>
\ No newline at end of file
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index 69b993a4..067825d8 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -45,6 +45,7 @@ import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Marshaller;
 import javax.xml.namespace.QName;
@@ -58,8 +59,6 @@ import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Dispatch;
 import javax.xml.ws.handler.Handler;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
@@ -75,6 +74,9 @@ import org.springframework.stereotype.Service;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler;
@@ -488,6 +490,7 @@ public class SzrClient {
 
   private byte[] sourceToByteArray(Source result) throws TransformerException {
     final TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = factory.newTransformer();
     transformer.setOutputProperty("omit-xml-declaration", "yes");
     transformer.setOutputProperty("method", "xml");
diff --git a/pom.xml b/pom.xml
index 2c8cb1e7..c360f910 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,29 +20,32 @@
     <egiz-spring-api>0.3</egiz-spring-api>
     <egiz-eventlog-slf4jBackend>0.4</egiz-eventlog-slf4jBackend>
     <eaaf-core.version>1.1.10</eaaf-core.version>
-    <org.springframework.version>5.2.9.RELEASE</org.springframework.version>
+    <org.springframework.version>5.2.12.RELEASE</org.springframework.version>
     <org.thymeleaf-spring5.version>3.0.11.RELEASE</org.thymeleaf-spring5.version>
-    <cxf.version>3.4.0</cxf.version>
+    <cxf.version>3.4.1</cxf.version>
 
     <org.apache.commons-lang3.version>3.11</org.apache.commons-lang3.version>
     <org.apache.commons-text.version>1.9</org.apache.commons-text.version>
     <commons-collections4.version>4.4</commons-collections4.version>
-    <com.google.guava.version>29.0-jre</com.google.guava.version>
-    <joda-time.version>2.10.6</joda-time.version>
+    <com.google.guava.version>30.0-jre</com.google.guava.version>
+    <joda-time.version>2.10.8</joda-time.version>
     <org.slf4j.version>1.7.30</org.slf4j.version>
-    <jackson-datatype-jsr310.version>2.11.3</jackson-datatype-jsr310.version>
-    
-        
+    <jackson-datatype-jsr310.version>2.12.0</jackson-datatype-jsr310.version>
+
+
     <!-- testing -->
-    <junit.version>4.13</junit.version>
+    <junit.version>4.13.1</junit.version>
     <surefire.version>2.22.2</surefire.version>
     <mockito-soap-cxf.version>1.0.5</mockito-soap-cxf.version>
 
     <!-- Code quality checks -->
     <jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version>
     <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
-    <maven-pmd-plugin.version>3.13.0</maven-pmd-plugin.version>
-    <spotbugs-maven-plugin.version>4.0.4</spotbugs-maven-plugin.version>
+    <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version>
+    <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version>
+    <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version>
+
+    <dependency-check-maven.version>6.0.3</dependency-check-maven.version>
 
     <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory>
     <pmw_rules_location>https://apps.egiz.gv.at/checkstyle/egiz_pmd_checks.xml</pmw_rules_location>
@@ -95,6 +98,7 @@
     <module>connector_lib</module>
     <module>connector</module>
     <module>eidas_modules</module>
+    <module>build_reporting</module>
   </modules>
 
   <dependencyManagement>
@@ -120,6 +124,12 @@
         <artifactId>eaaf_module_pvp2_idp</artifactId>
         <version>${eaaf-core.version}</version>
       </dependency>
+      <dependency>
+        <groupId>at.asitplus.eidas.ms_specific</groupId>
+        <artifactId>ms_specific_connector</artifactId>
+        <type>war</type>
+        <version>${egiz.eidas.version}</version>
+      </dependency>
       <dependency>
         <groupId>at.asitplus.eidas.ms_specific.modules</groupId>
         <artifactId>authmodule-eIDAS-v2</artifactId>
@@ -303,6 +313,24 @@
           <version>${maven-assembly-plugin.version}</version>
         </plugin>
 
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>${dependency-check-maven.version}</version>
+          <configuration>
+            <failBuildOnCVSS>11</failBuildOnCVSS>
+            <failOnError>false</failOnError>
+          </configuration>
+          <executions>
+            <execution>
+              <goals>
+                <goal>check</goal>
+              </goals>
+            </execution>
+          </executions>
+        </plugin>
+
+
       </plugins>
     </pluginManagement>
     <plugins>
@@ -453,6 +481,13 @@
         </executions>
         <configuration>
           <failOnError>true</failOnError>
+          <plugins>
+            <plugin>
+              <groupId>com.h3xstream.findsecbugs</groupId>
+              <artifactId>findsecbugs-plugin</artifactId>
+              <version>${findsecbugs-plugin.version}</version>
+            </plugin>
+          </plugins>
         </configuration>
       </plugin>
     </plugins>
@@ -479,4 +514,4 @@
       </plugin>
     </plugins>
   </reporting>
-</project>
\ No newline at end of file
+</project>
-- 
cgit v1.2.3