-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathspotbugs-exclude.xml
84 lines (77 loc) · 3.7 KB
/
spotbugs-exclude.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter
xmlns="https://github.com/spotbugs/filter/3.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/4.2.2/spotbugs/etc/findbugsfilter.xsd">
<!--
see https://spotbugs.readthedocs.io/en/latest/filter.html for documentation
-->
<Match>
<Or>
<!-- suggests using '%n rather than \n' in string formats… did not work properly in manual tests -->
<Bug pattern="VA_FORMAT_STRING_USES_NEWLINE"/>
<!-- exclude 'serialVersionUID' warnings: https://github.com/projectlombok/lombok/wiki/WHY-NOT:-serialVersionUID -->
<Bug pattern="SE_NO_SERIALVERSIONID"/>
<!--
prevents false positives for 'nullcheck of nonnull' in try-catch clauses
can be removed when #600 is merged: https://github.com/spotbugs/spotbugs/pull/1575/files
-->
<Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
</Or>
</Match>
<Match>
<!-- disable some known risks or minor warnings in example apps -->
<Package name="~org\.tbk\..*\.example\.?.*" />
<Or>
<!-- disable 'Persistent objects should never be returned by APIs.' warning in example apps -->
<Bug pattern="ENTITY_LEAK"/>
<!-- disable 'Spring CSRF protection disabled' warning in example apps -->
<Bug pattern="SPRING_CSRF_PROTECTION_DISABLED"/>
<!-- disable minor 'include CRLF characters into log messages' warning in example apps -->
<Bug pattern="CRLF_INJECTION_LOGS"/>
</Or>
</Match>
<Match>
<!-- disable some known risks or minor warnings in test classes -->
<Class name="~.*Test"/>
<Or>
<!-- disable minor 'include CRLF characters into log messages' warning in test classes -->
<Bug pattern="CRLF_INJECTION_LOGS"/>
</Or>
</Match>
<Match>
<!-- prevents jMolecules class name pattern errors, e.g. 'The class name$jMolecules$oTL6KGeP doesn't start with an upper case letter' -->
<Class name="~.*\$jMolecules\$.*"/>
<Bug pattern="NM_CLASS_NAMING_CONVENTION"/>
</Match>
<Match>
<!-- prevents protobuf false positives, e.g. 'Useless control flow' in generated builder classes -->
<Class name="~.*\$Builder"/>
<Method name="maybeForceBuilderInitialization"/>
<Bug pattern="UCF_USELESS_CONTROL_FLOW"/>
</Match>
<Match>
<!-- prevents false positives in flyway migration scripts -->
<Class name="~.*V\d+__.*"/>
<Method name="migrate"/>
<Or>
<!-- e.g. 'A prepared statement is generated from a nonconstant String in [..].V1__init.migrate(Context) -->
<Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING"/>
<!-- e.g. 'prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection (with JDBC) -->
<Bug pattern="SQL_INJECTION_JDBC"/>
</Or>
</Match>
<Match>
<Or>
<!-- all classes named '*Api' or '*Ctrl' are known to be Spring endpoints and should not be reported -->
<Class name="~.*Api"/>
<Class name="~.*Ctrl"/>
</Or>
<Bug pattern="SPRING_ENDPOINT"/>
</Match>
<Match>
<!-- prevents false positives in constructors of domain classes extending org.springframework.data.domain.AbstractAggregateRoot -->
<Method name="<init>"/>
<Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT"/>
</Match>
</FindBugsFilter>