From e68c2b05e1ef6fbc2206b089a637334569852cd1 Mon Sep 17 00:00:00 2001
From: Joe DiPol <joe.dipol@oracle.com>
Date: Tue, 30 Mar 2021 16:13:59 -0700
Subject: [PATCH] Add plugin to spotbugs-maven-plugin (#2878)

* Add findsecbugs-plugin to spotbugs-maven-plugin
---
 common/configurable/etc/spotbugs/exclude.xml  | 39 ++++++++++++
 common/configurable/pom.xml                   |  4 ++
 config/config-mp/etc/spotbugs/exclude.xml     | 42 +++++++++++++
 config/config-mp/pom.xml                      |  4 ++
 config/config/etc/spotbugs/exclude.xml        | 52 +++++++++++++++-
 config/encryption/etc/spotbugs/exclude.xml    | 61 +++++++++++++++++++
 config/encryption/pom.xml                     |  4 ++
 config/yaml/etc/spotbugs/exclude.xml          | 32 ++++++++++
 config/yaml/pom.xml                           |  4 ++
 dbclient/jdbc/etc/spotbugs/exclude.xml        | 31 +++++++++-
 fault-tolerance/etc/spotbugs/exclude.xml      | 31 ++++++++++
 fault-tolerance/pom.xml                       |  4 ++
 grpc/core/etc/spotbugs/exclude.xml            | 32 ++++++++++
 grpc/core/pom.xml                             |  4 ++
 grpc/server/etc/spotbugs/exclude.xml          | 31 ++++++++++
 grpc/server/pom.xml                           |  4 ++
 health/health-checks/etc/spotbugs/exclude.xml | 32 ++++++++++
 health/health-checks/pom.xml                  |  4 ++
 .../cdi/jpa-cdi/etc/spotbugs/exclude.xml      | 28 ++++++++-
 .../etc/spotbugs/exclude.xml                  | 32 ++++++++++
 .../cdi/oci-objectstorage-cdi/pom.xml         |  1 +
 logging/jul/etc/spotbugs/exclude.xml          | 32 ++++++++++
 logging/jul/pom.xml                           |  4 ++
 media/common/etc/spotbugs/exclude.xml         | 32 ++++++++++
 media/common/pom.xml                          |  4 ++
 metrics/metrics/etc/spotbugs/exclude.xml      | 11 +++-
 .../graphql/server/etc/spotbugs/exclude.xml   | 44 +++++++++++++
 microprofile/graphql/server/pom.xml           |  5 ++
 .../jwt-auth/etc/spotbugs/exclude.xml         | 22 ++++++-
 openapi/etc/spotbugs/exclude.xml              | 38 ++++++++++++
 openapi/pom.xml                               |  1 +
 pom.xml                                       |  8 +++
 .../abac/policy-el/etc/spotbugs/exclude.xml   | 32 ++++++++++
 security/abac/policy-el/pom.xml               |  4 ++
 .../http-auth/etc/spotbugs/exclude.xml        | 39 ++++++++++++
 security/providers/http-auth/pom.xml          |  4 ++
 webclient/webclient/etc/spotbugs/exclude.xml  | 31 ++++++++++
 webclient/webclient/pom.xml                   |  4 ++
 .../static-content/etc/spotbugs/exclude.xml   | 50 +++++++++++++++
 webserver/static-content/pom.xml              |  4 ++
 .../test-support/etc/spotbugs/exclude.xml     | 38 ++++++++++++
 webserver/test-support/pom.xml                |  4 ++
 webserver/webserver/etc/spotbugs/exclude.xml  | 34 ++++++++++-
 43 files changed, 914 insertions(+), 7 deletions(-)
 create mode 100644 common/configurable/etc/spotbugs/exclude.xml
 create mode 100644 config/config-mp/etc/spotbugs/exclude.xml
 create mode 100644 config/encryption/etc/spotbugs/exclude.xml
 create mode 100644 config/yaml/etc/spotbugs/exclude.xml
 create mode 100644 fault-tolerance/etc/spotbugs/exclude.xml
 create mode 100644 grpc/core/etc/spotbugs/exclude.xml
 create mode 100644 grpc/server/etc/spotbugs/exclude.xml
 create mode 100644 health/health-checks/etc/spotbugs/exclude.xml
 create mode 100644 integrations/cdi/oci-objectstorage-cdi/etc/spotbugs/exclude.xml
 create mode 100644 logging/jul/etc/spotbugs/exclude.xml
 create mode 100644 media/common/etc/spotbugs/exclude.xml
 create mode 100644 microprofile/graphql/server/etc/spotbugs/exclude.xml
 create mode 100644 openapi/etc/spotbugs/exclude.xml
 create mode 100644 security/abac/policy-el/etc/spotbugs/exclude.xml
 create mode 100644 security/providers/http-auth/etc/spotbugs/exclude.xml
 create mode 100644 webclient/webclient/etc/spotbugs/exclude.xml
 create mode 100644 webserver/static-content/etc/spotbugs/exclude.xml
 create mode 100644 webserver/test-support/etc/spotbugs/exclude.xml

diff --git a/common/configurable/etc/spotbugs/exclude.xml b/common/configurable/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..b65246ca15b
--- /dev/null
+++ b/common/configurable/etc/spotbugs/exclude.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <!-- These paths/URLs come from code or config, not open user input -->
+    <Match>
+        <Class name="io.helidon.common.configurable.ResourceUtil" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+        <Class name="io.helidon.common.configurable.ResourceUtil" />
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+    </Match>
+    <Match>
+        <!-- Used to grow data structure -->
+        <Cass name="io.helidon.common.configurable.ThreadPool"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+</FindBugsFilter>
diff --git a/common/configurable/pom.xml b/common/configurable/pom.xml
index 463429baab4..a9077b03d08 100644
--- a/common/configurable/pom.xml
+++ b/common/configurable/pom.xml
@@ -29,6 +29,10 @@
     <name>Helidon Common Configurable</name>
     <artifactId>helidon-common-configurable</artifactId>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.common</groupId>
diff --git a/config/config-mp/etc/spotbugs/exclude.xml b/config/config-mp/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..d1a3085bfe7
--- /dev/null
+++ b/config/config-mp/etc/spotbugs/exclude.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <!-- Paths from config or code -->
+    <Match>
+        <Class name="io.helidon.config.mp.MpConfigBuilder" />
+        <Method name="toFile" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+        <Class name="io.helidon.config.mp.MpConfigBuilder" />
+        <Method name="toPath" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+        <Class name="io.helidon.config.mp.MpConfigSources" />
+        <Method name="create" />
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+    </Match>
+
+</FindBugsFilter>
diff --git a/config/config-mp/pom.xml b/config/config-mp/pom.xml
index 4753ebb07aa..8ee12c2371c 100644
--- a/config/config-mp/pom.xml
+++ b/config/config-mp/pom.xml
@@ -29,6 +29,10 @@
     <name>Helidon Config MP</name>
     <description>Core of the implementation of MicroProfile Config specification</description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>jakarta.annotation</groupId>
diff --git a/config/config/etc/spotbugs/exclude.xml b/config/config/etc/spotbugs/exclude.xml
index efc3b31bd1c..c2b40fe9698 100644
--- a/config/config/etc/spotbugs/exclude.xml
+++ b/config/config/etc/spotbugs/exclude.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2019, 2020 Oracle and/or its affiliates.
+    Copyright (c) 2019, 2021 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -22,6 +22,56 @@
         xmlns="https://github.com/spotbugs/filter/3.0.0"
         xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
 
+    <Match>
+        <!-- Hash is used only to see if a file has changed -->
+        <Class name="io.helidon.config.FileSourceHelper"/>
+        <Bug pattern="UNSAFE_HASH_EQUALS"/>
+    </Match>
+    <Match>
+        <!-- Hash is used only to see if a file has changed -->
+        <Class name="io.helidon.config.FileSourceHelper"/>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_MD5"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ConfigMappers"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ConfigSources"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.OverrideSources"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ClasspathConfigSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.ClasspathOverrideSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.UrlConfigSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.UrlHelper"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Path from config/code, not openly from user -->
+        <Class name="io.helidon.config.UrlOverrideSource"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
     <Match>
         <!-- False positive. See https://github.com/spotbugs/spotbugs/issues/756 -->
         <Class name="io.helidon.config.PropertiesConfigParser"/>
diff --git a/config/encryption/etc/spotbugs/exclude.xml b/config/encryption/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..39e636290be
--- /dev/null
+++ b/config/encryption/etc/spotbugs/exclude.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+         <!-- Legacy support. This cipher is no longer used -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="cipherLegacy"/>
+        <Bug pattern="PADDING_ORACLE"/>
+    </Match>
+    <Match>
+        <!-- Legacy support. This cipher is no longer used -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="cipherLegacy"/>
+        <Bug pattern="CIPHER_INTEGRITY"/>
+    </Match>
+    <Match>
+        <!-- Legacy support. This cipher is no longer used -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="cipherLegacy"/>
+        <Bug pattern="STATIC_IV"/>
+    </Match>
+    <Match>
+        <!-- Path from config or code -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="lambda$resolvePrivateKey$2"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path from config or code -->
+        <Class name="io.helidon.config.encryption.EncryptionUtil" />
+        <Method name="lambda$resolvePrivateKey$4"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Class run from command line. Path passed on command line -->
+        <Class name="io.helidon.config.encryption.Main$EncryptionCliProcessor" />
+        <Method name="parseRsa"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+</FindBugsFilter>
diff --git a/config/encryption/pom.xml b/config/encryption/pom.xml
index 5c77b1abf21..735faccf2fe 100644
--- a/config/encryption/pom.xml
+++ b/config/encryption/pom.xml
@@ -34,6 +34,10 @@
         store them in config files.
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.config</groupId>
diff --git a/config/yaml/etc/spotbugs/exclude.xml b/config/yaml/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..9ec9c5b0882
--- /dev/null
+++ b/config/yaml/etc/spotbugs/exclude.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Paths come from config/code -->
+        <Class name="io.helidon.config.yaml.YamlMpConfigSource"/>
+        <Method name="create"/>
+        <Bug pattern=" URLCONNECTION_SSRF_FD"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/config/yaml/pom.xml b/config/yaml/pom.xml
index 443e85c6360..50cd94ffcb9 100644
--- a/config/yaml/pom.xml
+++ b/config/yaml/pom.xml
@@ -33,6 +33,10 @@
         YAML Parser implementation.
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.config</groupId>
diff --git a/dbclient/jdbc/etc/spotbugs/exclude.xml b/dbclient/jdbc/etc/spotbugs/exclude.xml
index 0e0f5ff8e62..905b9d4f39f 100644
--- a/dbclient/jdbc/etc/spotbugs/exclude.xml
+++ b/dbclient/jdbc/etc/spotbugs/exclude.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  Copyright (c) 2019, 2020 Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2019, 2021 Oracle and/or its affiliates. All rights reserved.
 
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -30,4 +30,33 @@
         <Class name="io.helidon.dbclient.jdbc.JdbcStatementQuery$RowPublisher"/>
         <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE"/>
     </Match>
+
+    <Match>
+        <!-- Random used for balancing load, not for cryptology -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcQueryExecutor"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+
+    <Match>
+        <!-- Doesn't construct SQL string. It converts string to statement -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcStatement"/>
+        <Method name="prepareStatement"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+
+    <Match>
+        <!-- Doesn't construct SQL string. It converts string to statement -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcStatement"/>
+        <Method name="prepareNamedStatement"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+
+    <Match>
+        <!-- Doesn't construct SQL string. It converts string to statement -->
+        <Class name="io.helidon.dbclient.jdbc.JdbcStatement"/>
+        <Method name="prepareIndexedStatement"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+
+
 </FindBugsFilter>
diff --git a/fault-tolerance/etc/spotbugs/exclude.xml b/fault-tolerance/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..c939014cd3b
--- /dev/null
+++ b/fault-tolerance/etc/spotbugs/exclude.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Random is used for retry Jitter, not cryptology -->
+        <Class name="io.helidon.faulttolerance.Retry$JitterRetryPolicy"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/fault-tolerance/pom.xml b/fault-tolerance/pom.xml
index ca34d53f4ac..3362e8ac586 100644
--- a/fault-tolerance/pom.xml
+++ b/fault-tolerance/pom.xml
@@ -29,6 +29,10 @@
     <artifactId>helidon-fault-tolerance</artifactId>
     <name>Helidon Fault Tolerance</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.config</groupId>
diff --git a/grpc/core/etc/spotbugs/exclude.xml b/grpc/core/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..e2aa16c7760
--- /dev/null
+++ b/grpc/core/etc/spotbugs/exclude.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- TODO: need to evaluate this for object filtering -->
+        <Class name="io.helidon.grpc.core.JavaMarshaller"/>
+        <Method name="parse"/>
+        <Bug pattern="OBJECT_DESERIALIZATION"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/grpc/core/pom.xml b/grpc/core/pom.xml
index 00697891d9e..f751a9669f8 100644
--- a/grpc/core/pom.xml
+++ b/grpc/core/pom.xml
@@ -31,6 +31,10 @@
     <artifactId>helidon-grpc-core</artifactId>
     <name>Helidon gRPC Core</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.common</groupId>
diff --git a/grpc/server/etc/spotbugs/exclude.xml b/grpc/server/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..37b720d88de
--- /dev/null
+++ b/grpc/server/etc/spotbugs/exclude.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Used for temporary store that is not exposed  -->
+        <Class name="io.helidon.grpc.server.SSLContextBuilder"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/grpc/server/pom.xml b/grpc/server/pom.xml
index 7dcfa2d7ca8..bd6ce2a2093 100644
--- a/grpc/server/pom.xml
+++ b/grpc/server/pom.xml
@@ -31,6 +31,10 @@
     <artifactId>helidon-grpc-server</artifactId>
     <name>Helidon gRPC Server</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.grpc</groupId>
diff --git a/health/health-checks/etc/spotbugs/exclude.xml b/health/health-checks/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..69f134201f8
--- /dev/null
+++ b/health/health-checks/etc/spotbugs/exclude.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Path comes from code or config -->
+        <Class name="io.helidon.health.checks.DiskSpaceHealthCheck$Builder"/>
+        <Method name="path"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/health/health-checks/pom.xml b/health/health-checks/pom.xml
index b60ce5dc533..ed8600dd602 100644
--- a/health/health-checks/pom.xml
+++ b/health/health-checks/pom.xml
@@ -32,6 +32,10 @@
         Microprofile Health implementation - health checks supported OOTB
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.health</groupId>
diff --git a/integrations/cdi/jpa-cdi/etc/spotbugs/exclude.xml b/integrations/cdi/jpa-cdi/etc/spotbugs/exclude.xml
index 19dfeefbd2e..e6dc73b7fb3 100644
--- a/integrations/cdi/jpa-cdi/etc/spotbugs/exclude.xml
+++ b/integrations/cdi/jpa-cdi/etc/spotbugs/exclude.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  Copyright (c) 2019, 2020 Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2019, 2021 Oracle and/or its affiliates.
 
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -31,4 +31,30 @@
         <Class name="io.helidon.integrations.cdi.jpa.DelegatingTypedQuery"/>
         <Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT"/>
     </Match>
+
+    <!-- These are delegating classes. User input validation would need to occur upstream -->
+    <Match>
+        <Class name="io.helidon.integrations.cdi.jpa.DelegatingConnection"/>
+        <Bug pattern="EXTERNAL_CONFIG_CONTROL"/>
+    </Match>
+    <Match>
+        <Class name="io.helidon.integrations.cdi.jpa.DelegatingConnection"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+    <Match>
+        <Class name="io.helidon.integrations.cdi.jpa.DelegatingEntityManager"/>
+        <Bug pattern="SQL_INJECTION_JDBC"/>
+    </Match>
+    <Match>
+        <Class name="io.helidon.integrations.cdi.jpa.JpaTransactionScopedEntityManager"/>
+        <Bug pattern="SQL_INJECTION_JPA"/>
+    </Match>
+    <Match>
+        <Class name="io.helidon.integrations.cdi.jpa.NonTransactionalEntityManager"/>
+        <Bug pattern="SQL_INJECTION_JPA"/>
+    </Match>
+    <Match>
+        <Class name="io.helidon.integrations.cdi.jpa.DelegatingEntityManager"/>
+        <Bug pattern="SQL_INJECTION_JPA"/>
+    </Match>
 </FindBugsFilter>
diff --git a/integrations/cdi/oci-objectstorage-cdi/etc/spotbugs/exclude.xml b/integrations/cdi/oci-objectstorage-cdi/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..4b53e801a5e
--- /dev/null
+++ b/integrations/cdi/oci-objectstorage-cdi/etc/spotbugs/exclude.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Path is from configuration -->
+        <Class name="io.helidon.integrations.cdi.oci.objectstorage.MicroProfileConfigAuthenticationDetailsProvider"/>
+        <Method name="getPrivateKey"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/integrations/cdi/oci-objectstorage-cdi/pom.xml b/integrations/cdi/oci-objectstorage-cdi/pom.xml
index a2f7a2b08f0..bdc516f2767 100644
--- a/integrations/cdi/oci-objectstorage-cdi/pom.xml
+++ b/integrations/cdi/oci-objectstorage-cdi/pom.xml
@@ -34,6 +34,7 @@
         <oci.objectstorage.compartmentId/>
         <oci.objectstorage.namespaceName/>
         <oci.objectstorage.region/>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
     </properties>
 
     <build>
diff --git a/logging/jul/etc/spotbugs/exclude.xml b/logging/jul/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..369f312280c
--- /dev/null
+++ b/logging/jul/etc/spotbugs/exclude.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Stack trace is written to log file -->
+        <Class name="io.helidon.logging.jul.HelidonFormatter"/>
+        <Method name="formatRow"/>
+        <Bug pattern="INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/logging/jul/pom.xml b/logging/jul/pom.xml
index 9f995f803ca..247e3c2ccd5 100644
--- a/logging/jul/pom.xml
+++ b/logging/jul/pom.xml
@@ -27,6 +27,10 @@
     <artifactId>helidon-logging-jul</artifactId>
     <name>Helidon Java Util Logging Integration</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.common</groupId>
diff --git a/media/common/etc/spotbugs/exclude.xml b/media/common/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..30eb4b58d8d
--- /dev/null
+++ b/media/common/etc/spotbugs/exclude.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Utility method to get stack trace as a single -->
+        <Class name="io.helidon.media.common.ContentWriters"/>
+        <Method name="writeStackTrace"/>
+        <Bug pattern="INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/media/common/pom.xml b/media/common/pom.xml
index 92a836efd60..ab055d67aca 100644
--- a/media/common/pom.xml
+++ b/media/common/pom.xml
@@ -28,6 +28,10 @@
     <artifactId>helidon-media-common</artifactId>
     <name>Helidon Media Common</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.common</groupId>
diff --git a/metrics/metrics/etc/spotbugs/exclude.xml b/metrics/metrics/etc/spotbugs/exclude.xml
index 872fbd95709..a537726cb85 100644
--- a/metrics/metrics/etc/spotbugs/exclude.xml
+++ b/metrics/metrics/etc/spotbugs/exclude.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2019, 2020 Oracle and/or its affiliates. All rights reserved.
+    Copyright (c) 2019, 2021 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -52,5 +52,12 @@
         <Method name="jsonData" />
         <Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT" />
     </Match>
-    
+
+    <Match>
+        <!-- Used to distribute data, not cryptology -->
+        <Class name="io.helidon.metrics.ExponentiallyDecayingReservoir" />
+        <Method name="update" />
+        <Bug pattern="PREDICTABLE_RANDOM" />
+    </Match>
+
 </FindBugsFilter>
diff --git a/microprofile/graphql/server/etc/spotbugs/exclude.xml b/microprofile/graphql/server/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..39893eda894
--- /dev/null
+++ b/microprofile/graphql/server/etc/spotbugs/exclude.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Stack trace written to log file -->
+        <Class name="io.helidon.microprofile.graphql.server.SchemaGeneratorHelper"/>
+        <Method name="getStackTrace"/>
+        <Bug pattern="INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE"/>
+    </Match>
+
+    <!-- Used to find a jandex index by absolute path or by name on classpath -->
+    <Match>
+        <Class name="io.helidon.microprofile.graphql.server.JandexUtils"/>
+        <Method name="findIndexFiles"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <!-- Used to find a jandex index by name on classpath -->
+    <Match>
+        <Class name="io.helidon.microprofile.graphql.server.JandexUtils"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/microprofile/graphql/server/pom.xml b/microprofile/graphql/server/pom.xml
index a534e7cd428..0e787ff0f7e 100644
--- a/microprofile/graphql/server/pom.xml
+++ b/microprofile/graphql/server/pom.xml
@@ -28,6 +28,11 @@
     <name>Helidon Microprofile GraphQL Server</name>
     <description>The Microprofile GraphQL Server implementation</description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
+
     <dependencies>
         <dependency>
             <groupId>org.eclipse.microprofile.graphql</groupId>
diff --git a/microprofile/jwt-auth/etc/spotbugs/exclude.xml b/microprofile/jwt-auth/etc/spotbugs/exclude.xml
index c4b8b3c5f81..99e23b09f56 100644
--- a/microprofile/jwt-auth/etc/spotbugs/exclude.xml
+++ b/microprofile/jwt-auth/etc/spotbugs/exclude.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2019, 2020 Oracle and/or its affiliates. All rights reserved.
+    Copyright (c) 2019, 2021 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -29,4 +29,24 @@
          -->
         <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
     </Match>
+
+    <Match>
+        <!-- Path comes from code/config -->
+        <Class name="io.helidon.microprofile.jwt.auth.JwtAuthProvider$Builder" />
+        <Method name="loadJwkKeysFromLocation" />
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+    </Match>
+    <Match>
+        <!-- Path comes from code/config -->
+        <Class name="io.helidon.microprofile.jwt.auth.JwtAuthProvider$Builder" />
+        <Method name="locateStream" />
+        <Bug pattern="URLCONNECTION_SSRF_FD" />
+    </Match>
+    <Match>
+        <!-- Path comes from code/config -->
+        <Class name="io.helidon.microprofile.jwt.auth.JwtAuthProvider$Builder" />
+        <Method name="locatePath" />
+        <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+
 </FindBugsFilter>
diff --git a/openapi/etc/spotbugs/exclude.xml b/openapi/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..3fc7ea74d76
--- /dev/null
+++ b/openapi/etc/spotbugs/exclude.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Path comes from config or code -->
+        <Class name="io.helidon.openapi.OpenAPISupport$Builder"/>
+        <Method name="getExplicitStaticFile"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path comes from config or code -->
+        <Class name="io.helidon.openapi.OpenAPISupport$Builder"/>
+        <Method name="getDefaultStaticFile"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/openapi/pom.xml b/openapi/pom.xml
index d3cf5ffeca1..abad181a4bc 100644
--- a/openapi/pom.xml
+++ b/openapi/pom.xml
@@ -38,6 +38,7 @@
     <properties>
         <openapi-interfaces-dir>${project.build.directory}/extracted-sources/openapi-interfaces</openapi-interfaces-dir>
         <openapi-impls-dir>${project.build.directory}/extracted-sources/openapi-impls</openapi-impls-dir>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
     </properties>
 
     <build>
diff --git a/pom.xml b/pom.xml
index cb190964cfa..ead7510d53e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -115,6 +115,7 @@
         <version.plugin.shade>3.0.0</version.plugin.shade>
         <version.plugin.source>3.0.1</version.plugin.source>
         <version.plugin.spotbugs>4.2.0</version.plugin.spotbugs>
+        <version.plugin.findsecbugs>1.11.0</version.plugin.findsecbugs>
         <version.plugin.dependency-check>6.0.2</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0-M5</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
@@ -495,6 +496,13 @@
                         <!--suppress UnresolvedMavenProperty -->
                         <excludeFilterFile>${spotbugs.exclude}</excludeFilterFile>
                         <xmlOutput>true</xmlOutput>
+                        <plugins>
+                            <plugin>
+                                <groupId>com.h3xstream.findsecbugs</groupId>
+                                <artifactId>findsecbugs-plugin</artifactId>
+                                <version>${version.plugin.findsecbugs}</version>
+                            </plugin>
+                        </plugins>
                     </configuration>
                 </plugin>
                 <plugin>
diff --git a/security/abac/policy-el/etc/spotbugs/exclude.xml b/security/abac/policy-el/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..dd18476f79a
--- /dev/null
+++ b/security/abac/policy-el/etc/spotbugs/exclude.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- EL policy statement comes from config or code -->
+        <Class name="io.helidon.security.abac.policy.el.JavaxElPolicyExecutor"/>
+        <Method name="executePolicy"/>
+        <Bug pattern="EL_INJECTION"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/security/abac/policy-el/pom.xml b/security/abac/policy-el/pom.xml
index 73ec891a22b..dfacbc07838 100644
--- a/security/abac/policy-el/pom.xml
+++ b/security/abac/policy-el/pom.xml
@@ -33,6 +33,10 @@
         Expression executor support for Expression Language.
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.security.abac</groupId>
diff --git a/security/providers/http-auth/etc/spotbugs/exclude.xml b/security/providers/http-auth/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..81f1d7e86e7
--- /dev/null
+++ b/security/providers/http-auth/etc/spotbugs/exclude.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Utility method for getting MD5 needed for basic http-auth -->
+        <Class name="io.helidon.security.providers.httpauth.DigestToken"/>
+        <Method name="md5"/>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_MD5"/>
+    </Match>
+
+    <Match>
+        <!-- Server nonce is SecureRandom -->
+        <Class name="io.helidon.security.providers.httpauth.HttpDigestAuthProvider$Builder"/>
+        <Method name="randomSecret"/>
+        <Bug pattern="PREDICTABLE_RANDOM"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/security/providers/http-auth/pom.xml b/security/providers/http-auth/pom.xml
index 90f9dc54a87..8da4e53707a 100644
--- a/security/providers/http-auth/pom.xml
+++ b/security/providers/http-auth/pom.xml
@@ -33,6 +33,10 @@
         HTTP basic and digest authentication provider
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.security.providers</groupId>
diff --git a/webclient/webclient/etc/spotbugs/exclude.xml b/webclient/webclient/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..e35fb60a2b1
--- /dev/null
+++ b/webclient/webclient/etc/spotbugs/exclude.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Performance issue but not a DOS risk. Created issue https://github.com/oracle/helidon/issues/2870 -->
+        <Class name="io.helidon.webclient.Proxy"/>
+        <Bug pattern="REDOS"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/webclient/webclient/pom.xml b/webclient/webclient/pom.xml
index d30ea52cb7a..4da3c8f7f8c 100644
--- a/webclient/webclient/pom.xml
+++ b/webclient/webclient/pom.xml
@@ -30,6 +30,10 @@
     <artifactId>helidon-webclient</artifactId>
     <name>Helidon WebClient</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.common</groupId>
diff --git a/webserver/static-content/etc/spotbugs/exclude.xml b/webserver/static-content/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..21f1df67521
--- /dev/null
+++ b/webserver/static-content/etc/spotbugs/exclude.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- input for temp file creation -->
+        <Class name="io.helidon.webserver.staticcontent.ClassPathContentHandler"/>
+        <Method name="lambda$new$0"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- input for temp file creation -->
+        <Class name="io.helidon.webserver.staticcontent.ClassPathContentHandler"/>
+        <Method name="lambda$new$1"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- extracting from classpath -->
+        <Class name="io.helidon.webserver.staticcontent.ClassPathContentHandler"/>
+        <Method name="getLastModified"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- extracting from classpath -->
+        <Class name="io.helidon.webserver.staticcontent.ClassPathContentHandler"/>
+        <Method name="extractJarEntry"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/webserver/static-content/pom.xml b/webserver/static-content/pom.xml
index 60ca62b6779..009f8ad88d5 100644
--- a/webserver/static-content/pom.xml
+++ b/webserver/static-content/pom.xml
@@ -32,6 +32,10 @@
         Static content support for Helidon WebServer
     </description>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.common</groupId>
diff --git a/webserver/test-support/etc/spotbugs/exclude.xml b/webserver/test-support/etc/spotbugs/exclude.xml
new file mode 100644
index 00000000000..d2c3538385a
--- /dev/null
+++ b/webserver/test-support/etc/spotbugs/exclude.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Path comes from code/config  -->
+        <Class name="io.helidon.webserver.testsupport.TemporaryFolder"/>
+        <Method name="newFile"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Path comes from code/config  -->
+        <Class name="io.helidon.webserver.testsupport.TemporaryFolder"/>
+        <Method name="newFolder"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/webserver/test-support/pom.xml b/webserver/test-support/pom.xml
index 15e3aaa03ed..2cece5f2201 100644
--- a/webserver/test-support/pom.xml
+++ b/webserver/test-support/pom.xml
@@ -29,6 +29,10 @@
     <artifactId>helidon-webserver-test-support</artifactId>
     <name>Helidon WebServer Test Support</name>
 
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>io.helidon.webserver</groupId>
diff --git a/webserver/webserver/etc/spotbugs/exclude.xml b/webserver/webserver/etc/spotbugs/exclude.xml
index 835d8047965..d760058cd83 100644
--- a/webserver/webserver/etc/spotbugs/exclude.xml
+++ b/webserver/webserver/etc/spotbugs/exclude.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+    Copyright (c) 2021 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -35,4 +35,36 @@
         <Bug pattern="DM_EXIT"/>
     </Match>
 
+    <Match>
+        <!-- Deprecated Class -->
+        <!-- Path is validated to ensure it does not break out of root directory -->
+        <Class name="io.helidon.webserver.FileSystemContentHandler"/>
+        <Method name="doHandle"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+
+    <Match>
+        <!-- Deprecated Class -->
+        <!-- From classpath -->
+        <Class name="io.helidon.webserver.ClassPathContentHandler"/>
+        <Method name="extractJarEntry"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+    <Match>
+        <!-- Deprecated Class -->
+        <!-- From classpath -->
+        <Class name="io.helidon.webserver.ClassPathContentHandler"/>
+        <Method name="extractJarEntry"/>
+        <Bug pattern="URLCONNECTION_SSRF_FD"/>
+    </Match>
+    <Match>
+        <!-- Deprecated Class -->
+        <!-- From classpath -->
+        <Class name="io.helidon.webserver.ClassPathContentHandler"/>
+        <Method name="getLastModified"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
+
+
+
 </FindBugsFilter>