Add sec-bugs plugin. Closes #618 (#628)
* Created build profile for sec-bugs
* Replaced Math.Random with SecureRandom
* Sanitize user input in log messages to prevent potential CRLF injection
* Use SHA-256 instead of MD5 or SHA-1
* Remove unused method in CryptoUtils
* Replace vulnerable regex in Monitor param validation
diff --git a/src/main/spotbugs/exclude-filter.xml b/src/main/spotbugs/exclude-filter.xml
new file mode 100644
index 0000000..e4122bb
--- /dev/null
+++ b/src/main/spotbugs/exclude-filter.xml
@@ -0,0 +1,29 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<FindBugsFilter>
+ <Match>
+ <!-- new file on user input can be dangerous but OK here -->
+ <Class name="org.apache.accumulo.maven.plugin.StartMojo"/>
+ <Bug code="PATH" pattern="PATH_TRAVERSAL_IN"/>
+ </Match>
+ <Match>
+ <!-- dangerous on untrusted files but OK here -->
+ <Class name="org.apache.accumulo.maven.plugin.HelpMojo"/>
+ <Method name="build" params="" returns="org.w3c.dom.Document"/>
+ <Bug code="XXE" pattern="XXE_DOCUMENT"/>
+ </Match>
+</FindBugsFilter>
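Review bot: The first Match suppresses PATH_TRAVERSAL_IN for the whole of StartMojo with no `<Method>` element, so any file-path handling added to that class later is silently excluded from the check too; the second Match shows the tighter form, so scope the first the same way, e.g. `<Method name="METHOD_NAME_PLACEHOLDER"/>` naming the method that builds the File from the configured value. The comment "new file on user input can be dangerous but OK here" does not let a later maintainer re-evaluate the suppression; it should say where the path value comes from (presumably the plugin's pom configuration rather than runtime input — confirm) and why traversal is acceptable there, e.g. `<!-- path comes from plugin configuration; traversal outside the configured directory is accepted -->`. For the XXE_DOCUMENT exclusion, if HelpMojo is a generated class the suppression is the pragmatic choice, but if it is hand-maintained, disabling DTDs on the DocumentBuilderFactory would remove the finding instead of hiding it; either way a one-line comment stating which case applies would help. Adding `<?xml version="1.0" encoding="UTF-8"?>` as the first line would also match the usual form of these filter files.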