Demonstrate adding findsecbugs to spotbugs.

pom.xml

@@ -426,6 +426,13 @@ THE SOFTWARE.
                 <groupId>com.github.spotbugs</groupId>
                 <artifactId>spotbugs-maven-plugin</artifactId>
                 <configuration>
+                    <plugins>
+                        <plugin>
+                            <groupId>com.h3xstream.findsecbugs</groupId>
+                            <artifactId>findsecbugs-plugin</artifactId>
+                            <version>1.10.1</version>
+                        </plugin>
+                    </plugins>
                     <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
                 </configuration>
             </plugin>

spotbugs-exclude.xml

@@ -6,4 +6,15 @@
       <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE"/>
     </Or>
   </Match>
+
+  <Match>
+    <!--We don't care about this behavior.-->
+    <Bug pattern="CRLF_INJECTION_LOGS"/>
+  </Match>
+
+  <Match>
+    <!--We don't care about this behavior.-->
+    <Bug pattern="INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE"/>
+  </Match>
+
 </FindBugsFilter>

src/main/java/hudson/os/WindowsUtil.java

@@ -88,35 +88,4 @@ public class WindowsUtil {
         return CMD_METACHARS.matcher(quoteArgument(argument)).replaceAll("^$0");
     }
 
-    /**
-     * Executes a command and arguments using {@code cmd.exe /C ...}.
-     */
-    public static @Nonnull Process execCmd(String... argv) throws IOException {
-        String command = Arrays.stream(argv).map(WindowsUtil::quoteArgumentForCmd).collect(Collectors.joining(" "));
-        return Runtime.getRuntime().exec(new String[]{"cmd.exe", "/C", command});
-    }
-
-    /**
-     * Creates an NTFS junction point if supported. Similar to symbolic links, NTFS provides junction points which
-     * provide different features than symbolic links.
-     * @param junction NTFS junction point to create
-     * @param target target directory to junction
-     * @return the newly created junction point
-     * @throws IOException if the call to mklink exits with a non-zero status code
-     * @throws InterruptedException if the call to mklink is interrupted before completing
-     * @throws UnsupportedOperationException if this method is called on a non-Windows platform
-     */
-    public static @Nonnull File createJunction(@Nonnull File junction, @Nonnull File target) throws IOException, InterruptedException {
-        if(Functions.isWindows() == false) {
-            throw new UnsupportedOperationException("Can only be called on windows platform");
-        }
-        Process mklink = execCmd("mklink", "/J", junction.getAbsolutePath(), target.getAbsolutePath());
-        int result = mklink.waitFor();
-        if (result != 0) {
-            String stderr = IOUtils.toString(mklink.getErrorStream());
-            String stdout = IOUtils.toString(mklink.getInputStream());
-            throw new IOException("Process exited with " + result + "\nStandard Output:\n" + stdout + "\nError Output:\n" + stderr);
-        }
-        return junction;
-    }
 }

src/main/java/hudson/plugins/ec2/ssh/HostKeyVerifierImpl.java

@@ -26,6 +26,8 @@
 import java.util.logging.Logger;
 
 import com.trilead.ssh2.ServerHostKeyVerifier;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import java.security.MessageDigest;
 
 public class HostKeyVerifierImpl implements ServerHostKeyVerifier {
@@ -37,6 +39,7 @@ public HostKeyVerifierImpl(String console) {
         this.console = console;
     }
 
+    @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_MD5", justification = "Used for tracking, not security.")
     private String getFingerprint(byte[] serverHostKey) throws Exception {
         MessageDigest md5 = MessageDigest.getInstance("MD5");
 

src/main/java/hudson/plugins/ec2/win/WinConnection.java

@@ -1,5 +1,6 @@
 package hudson.plugins.ec2.win;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.plugins.ec2.win.winrm.WinRM;
 import hudson.plugins.ec2.win.winrm.WindowsProcess;
 
@@ -101,6 +102,7 @@ private static String toFilePath(String path) {
         return path.substring(3);
     }
 
+    @SuppressFBWarnings(value = "UNENCRYPTED_SOCKET", justification = "Socket is opened and closed to check connection without sending any data.")
     public boolean ping() {
         log.log(Level.FINE, "checking SMB connection to " + host);
         try {