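<?xml version="1.0" encoding="UTF-8"?>
<!--
  SpotBugs / FindBugs exclusion filter for classes in
  at.asitplus.eidas.specific.connector.

  Every entry silences a security-relevant finding, so each one records why
  the finding is considered a false positive and when it has to be revisited.
  The child elements of a single Match are combined with AND. Each entry
  therefore names one class (plus one method where known) and one bug
  pattern, which keeps a suppression from covering code it was never
  reviewed for.
-->
<FindBugsFilter>

  <Match>
    <!--
      XSS_SERVLET: the handler writes only application status into the
      response. Re-check this entry if request-derived data is ever added to
      that output. Should be removed if we switch to Spring Actuator.
    -->
    <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" />
    <Method name="startSingleTests" />
    <Bug pattern="XSS_SERVLET" />
  </Match>

  <Match>
    <!--
      SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING: CSRF protection is implemented
      by pendingRequestId, which is a one-time token.
      NOTE(review): this entry was split out of a combined class-OR / method-OR
      rule that also matched class and method combinations nobody had
      reviewed. The class/method pairing follows the order of the original
      lists; confirm against the controller.
    -->
    <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" />
    <Method name="performGenericAuthenticationProcess" />
    <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
  </Match>

  <Match>
    <!--
      SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING: the endpoint for metadata
      generation can be unrestricted by design.
      NOTE(review): split out of the same combined rule as the entry for
      ProcessEngineSignalController; confirm that pvpMetadataRequest is the
      metadata handler of this class and that it changes no state.
    -->
    <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" />
    <Method name="pvpMetadataRequest" />
    <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
  </Match>

  <Match>
    <!--
      PATH_TRAVERSAL_IN: the path to the application configuration is trusted.
      The entry is class-wide, so it also hides any future file access added
      to this class. It holds only while the path comes from deployment
      configuration and never from request input.
      NOTE(review): consider adding a Method element to limit the scope.
    -->
    <Class name="at.asitplus.eidas.specific.connector.MsSpecificSpringBootApplicationContextInitializer" />
    <Bug pattern="PATH_TRAVERSAL_IN" />
  </Match>

  <Match>
    <!--
      EI_EXPOSE_REP2 (a reference to an externally mutable object is stored
      in a field): builder pattern does not expose date elements.
      The single-child OR wrappers of the original entry were dropped; with
      one child each they matched exactly what the bare elements match.
    -->
    <Class name="at.asitplus.eidas.specific.connector.health.IgniteClusterHealthIndicator" />
    <Bug pattern="EI_EXPOSE_REP2" />
  </Match>

</FindBugsFilter>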