Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Demonstrate adding findsecbugs to spotbugs. #432
Demonstrate adding findsecbugs to spotbugs. This commit is a demonstration and is not intended to be merged as-is.
Findsecbugs reports several findings for this plugin, but all of them can be safely suppressed. There are a few that could be a concern, but examination shows that as currently used they do not introduce a vulnerability. While the MD5 usage here is used for tracking and not security, this serves a reminder that it would be better to migrate to a better algorithm. See JENKINS-60563.
This also uses the exclude file for a couple of finding types that are fairly common in Jenkins but not considered a concern.
My plan is to add findsecbugs at the plugin pom after sufficient testing and communication. At that point, it would make sense to add the suppressions, but not the pom file changes from this PR.