Add plugin to spotbugs-maven-plugin (helidon-io#2878)

* Add findsecbugs-plugin to spotbugs-maven-plugin

common/configurable/etc/spotbugs/exclude.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <!-- These paths/URLs come from code or config, not open user input -->
+    <Match>
+        <Class name="io.helidon.common.configurable.ResourceUtil" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+        <Class name="io.helidon.common.configurable.ResourceUtil" />
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+    </Match>
+    <Match>
+        <!-- Used to grow data structure -->
+        <Cass name="io.helidon.common.configurable.ThreadPool"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+</FindBugsFilter>

common/configurable/pom.xml

@@ -29,6 +29,10 @@
     <name>Helidon Common Configurable</name>
     <artifactId>helidon-common-configurable</artifactId>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.common</groupId>

config/config-mp/etc/spotbugs/exclude.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <!-- Paths from config or code -->
+    <Match>
+        <Class name="io.helidon.config.mp.MpConfigBuilder" />
+        <Method name="toFile" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+        <Class name="io.helidon.config.mp.MpConfigBuilder" />
+        <Method name="toPath" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+        <Class name="io.helidon.config.mp.MpConfigSources" />
+        <Method name="create" />
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+    </Match>
+
+</FindBugsFilter>

config/config-mp/pom.xml

@@ -29,6 +29,10 @@
     <name>Helidon Config MP</name>
     <description>Core of the implementation of MicroProfile Config specification</description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>jakarta.annotation</groupId>

config/config/etc/spotbugs/exclude.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2019, 2020 Oracle and/or its affiliates.
+    Copyright (c) 2019, 2021 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -22,6 +22,56 @@
         xmlns="https://github.com/spotbugs/filter/3.0.0"
         xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
 
+    <Match>
+        <!-- Hash is used only to see if a file has changed -->
+        <Class name="io.helidon.config.FileSourceHelper"/>
+        <Bug pattern="UNSAFE_HASH_EQUALS"/>
+    </Match>
+    <Match>
+        <!-- Hash is used only to see if a file has changed -->
+        <Class name="io.helidon.config.FileSourceHelper"/>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_MD5"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ConfigMappers"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ConfigSources"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.OverrideSources"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ClasspathConfigSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ClasspathOverrideSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.UrlConfigSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.UrlHelper"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.UrlOverrideSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
     <Match>
         <!-- False positive. See https://github.com/spotbugs/spotbugs/issues/756 -->
         <Class name="io.helidon.config.PropertiesConfigParser"/>

config/encryption/etc/spotbugs/exclude.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+         <!-- Legacy support. This cipher is no longer used -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="cipherLegacy"/>
+        <Bug pattern="PADDING_ORACLE"/>
+    </Match>
+    <Match>
+        <!-- Legacy support. This cipher is no longer used -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="cipherLegacy"/>
+        <Bug pattern="CIPHER_INTEGRITY"/>
+    </Match>
+    <Match>
+        <!-- Legacy support. This cipher is no longer used -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="cipherLegacy"/>
+        <Bug pattern="STATIC_IV"/>
+    </Match>
+    <Match>
+        <!-- Path from config or code -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="lambda$resolvePrivateKey$2"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config or code -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="lambda$resolvePrivateKey$4"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Class run from command line. Path passed on command line -->
+        <Class name="io.helidon.config.encryption.Main$EncryptionCliProcessor" />
+        <Method name="parseRsa"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+</FindBugsFilter>

config/encryption/pom.xml

@@ -34,6 +34,10 @@
         store them in config files.
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.config</groupId>

config/yaml/etc/spotbugs/exclude.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Paths come from config/code -->
+        <Class name="io.helidon.config.yaml.YamlMpConfigSource"/>
+        <Method name="create"/>
+        <Bug pattern=" URLCONNECTION_SSRF_FD"/>
+    </Match>
+
+</FindBugsFilter>

config/yaml/pom.xml

@@ -33,6 +33,10 @@
         YAML Parser implementation.
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.config</groupId>

dbclient/jdbc/etc/spotbugs/exclude.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  Copyright (c) 2019, 2020 Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2019, 2021 Oracle and/or its affiliates. All rights reserved.
 
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -30,4 +30,33 @@
         <Class name="io.helidon.dbclient.jdbc.JdbcStatementQuery$RowPublisher"/>
         <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE"/>
     </Match>
+
+    <Match>
+        <!-- Random used for balancing load, not for cryptology -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcQueryExecutor"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+
+    <Match>
+        <!-- Doesn't construct SQL string. It converts string to statement -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcStatement"/>
+        <Method name="prepareStatement"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+
+    <Match>
+        <!-- Doesn't construct SQL string. It converts string to statement -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcStatement"/>
+        <Method name="prepareNamedStatement"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+
+    <Match>
+        <!-- Doesn't construct SQL string. It converts string to statement -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcStatement"/>
+        <Method name="prepareIndexedStatement"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+
+
 </FindBugsFilter>

fault-tolerance/etc/spotbugs/exclude.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Random is used for retry Jitter, not cryptology -->
+        <Class name="io.helidon.faulttolerance.Retry$JitterRetryPolicy"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+
+</FindBugsFilter>

fault-tolerance/pom.xml

@@ -29,6 +29,10 @@
     <artifactId>helidon-fault-tolerance</artifactId>
     <name>Helidon Fault Tolerance</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.config</groupId>