spotbugs-exclude.xml
<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter
xmlns="https://github.com/spotbugs/filter/3.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/4.2.2/spotbugs/etc/findbugsfilter.xsd">
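<!--
See https://spotbugs.readthedocs.io/en/latest/filter.html for documentation of the filter syntax.
Every <Match> below hides findings from the report; keep each one as narrow as possible and state the reason next to it.
-->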
<Match>
<!-- Global suppressions: this Match has no Class/Package/Method restriction, so the patterns below are ignored in every analysed class. -->
<Or>
<!-- Suggests '%n' rather than '\n' in format strings; this did not work properly in manual tests. -->
<Bug pattern="VA_FORMAT_STRING_USES_NEWLINE"/>
<!-- Excludes 'serialVersionUID' warnings; rationale: https://github.com/projectlombok/lombok/wiki/WHY-NOT:-serialVersionUID -->
<Bug pattern="SE_NO_SERIALVERSIONID"/>
<!--
Prevents false positives for 'nullcheck of nonnull' in try-catch clauses.
Can be removed when #600 is merged: https://github.com/spotbugs/spotbugs/pull/1575/files
-->
<Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
</Or>
</Match>
<Match>
<!--
Disables some known risks and minor warnings in example apps.
The Package regex limits the suppression to org.tbk packages containing '.example', so the same
findings are still reported for library code. The suppression only hides the report entry;
the example code itself keeps the behaviour that was flagged.
-->
<Package name="~org\.tbk\..*\.example\.?.*" />
<Or>
<!-- Disables the 'Persistent objects should never be returned by APIs.' warning in example apps. -->
<Bug pattern="ENTITY_LEAK"/>
<!-- Disables the 'Spring CSRF protection disabled' warning in example apps. -->
<Bug pattern="SPRING_CSRF_PROTECTION_DISABLED"/>
<!-- Disables the minor 'include CRLF characters into log messages' warning in example apps. -->
<Bug pattern="CRLF_INJECTION_LOGS"/>
<!-- Warning about constructors that throw exceptions. NOTE(review): no rationale is recorded for this exclusion; confirm and document it. -->
<Bug pattern="CT_CONSTRUCTOR_THROW"/>
</Or>
</Match>
<Match>
<!--
Disables some known risks and minor warnings in DTO classes of example apps.
The first Or selects the classes (names ending in 'Dto', 'DtoImpl' or the matching '...Builder'),
the second Or selects the patterns; both groups must match for a finding to be hidden.
-->
<Or>
<Class name="~org\.tbk\..*\.example\..*Dto(Impl)?"/>
<Class name="~org\.tbk\..*\.example\..*Dto(Impl)?Builder"/>
</Or>
<Or>
<!-- EI_EXPOSE_REP / EI_EXPOSE_REP2: a reference to a mutable object is returned from, or stored into, the class. -->
<Bug pattern="EI_EXPOSE_REP"/>
<Bug pattern="EI_EXPOSE_REP2"/>
</Or>
</Match>
<Match>
<!--
Disables some known risks and minor warnings in test classes.
Classes are selected purely by name (anything ending in 'Test'), not by source set, so a
production class with such a name would be excluded as well.
-->
<Class name="~.*Test"/>
<!-- Disables the minor 'include CRLF characters into log messages' warning in test classes. -->
<Bug pattern="CRLF_INJECTION_LOGS"/>
</Match>
<Match>
<!--
Prevents jMolecules class name pattern errors,
e.g. 'The class name$jMolecules$oTL6KGeP doesn't start with an upper case letter'.
Only classes whose name contains '$jMolecules$' are affected.
-->
<Class name="~.*\$jMolecules\$.*"/>
<Bug pattern="NM_CLASS_NAMING_CONVENTION"/>
</Match>
<Match>
<!--
Prevents protobuf false positives, e.g. 'Useless control flow' in generated builder classes.
Scope: the method 'maybeForceBuilderInitialization' of any nested class named 'Builder'.
-->
<Class name="~.*\$Builder"/>
<Method name="maybeForceBuilderInitialization"/>
<Bug pattern="UCF_USELESS_CONTROL_FLOW"/>
</Match>
<!--
Prevents protobuf false positives in the fee module.
The class patterns select the '.proto.' packages of the fee tool and the fee example app
(presumably protoc-generated sources; confirm against the build). All eight patterns are hidden
for every class in those packages, so hand-written code should not be placed there.
-->
<Match>
<Or>
<Class name="~org\.tbk\.bitcoin\.tool\.fee\.proto\..*"/>
<Class name="~org\.tbk\.bitcoin\.tool\.fee\..*\.proto\..*"/>
<Class name="~org\.tbk\.bitcoin\.fee\.example\..*\.proto\..*"/>
</Or>
<Or>
<Bug pattern="DLS_DEAD_LOCAL_STORE"/>
<Bug pattern="EI_EXPOSE_REP"/>
<Bug pattern="EI_EXPOSE_REP2"/>
<Bug pattern="MS_EXPOSE_REP"/>
<Bug pattern="PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS_CLASS_NAMES"/>
<Bug pattern="SE_BAD_FIELD"/>
<Bug pattern="UC_USELESS_VOID_METHOD"/>
<Bug pattern="UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR"/>
</Or>
</Match>
<Match>
<!-- Hides MS_EXPOSE_REP for fee-module classes named '...Protos' and for their nested classes ('...Protos$...'). -->
<Class name="~org\.tbk\.bitcoin\.tool\.fee\..*Protos(\$.*)?"/>
<Bug pattern="MS_EXPOSE_REP"/>
</Match>
<!-- END - prevents protobuf false positives in fee module - END -->
<Match>
<!--
Prevents false positives in flyway migration scripts.
Scope: the 'migrate' method of any class whose name contains 'V<digits>__'. The match is by
naming convention only, not by package, and it switches off both SQL injection detectors for
those methods. Migrations should therefore build their SQL from constants only and be reviewed
by hand, because the scanner no longer checks them.
-->
<Class name="~.*V\d+__.*"/>
<Method name="migrate"/>
<Or>
<!-- e.g. 'A prepared statement is generated from a nonconstant String in [..].V1__init.migrate(Context)' -->
<Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING"/>
<!-- e.g. 'prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection (with JDBC)' -->
<Bug pattern="SQL_INJECTION_JDBC"/>
</Or>
</Match>
<Match>
<!--
Prevents false positives in Spring Boot:
HealthContributorAutoConfigs cannot be inner static classes, because Spring would not pick them up correctly.
Scope: any class whose name ends in 'HealthContributorAutoConfiguration'.
-->
<Class name="~.*HealthContributorAutoConfiguration"/>
<Bug pattern="SIC_INNER_SHOULD_BE_STATIC"/>
</Match>
<Match>
<!--
The first Or selects the classes, the second Or the patterns; both groups must match.
SPRING_ENDPOINT marks request handlers for review, so hiding it means these classes are absent
from the report, and their input handling and authorization have to be reviewed by other means.
NOTE(review): no rationale is recorded for EI_EXPOSE_REP2 here; confirm and document it.
-->
<Or>
<!-- All classes named '*Api' or '*Ctrl' are known to be Spring endpoints and should not be reported. -->
<Class name="~.*Api"/>
<Class name="~.*Ctrl"/>
</Or>
<Or>
<Bug pattern="SPRING_ENDPOINT"/>
<Bug pattern="EI_EXPOSE_REP2"/>
</Or>
</Match>
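<Match>
<!--
Prevents false positives in constructors of domain classes extending
org.springframework.data.domain.AbstractAggregateRoot.
NOTE(review): this Match has no Class restriction, so RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT is
hidden in the constructors of all analysed classes, not only in aggregate roots.
The constructor name is written with entity references because a literal '<' is not allowed
inside an XML attribute value and would make the whole filter file unparseable.
-->
<Method name="&lt;init&gt;"/>
<Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT"/>
</Match>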
</FindBugsFilter>