test sonar duplicates

build.gradle

@@ -54,6 +54,10 @@ allprojects {
 
 subprojects {
     apply(plugin: "java")
+    java {
+        sourceCompatibility = JavaVersion.VERSION_17
+        targetCompatibility = JavaVersion.VERSION_17
+    }
 
     configurations.all {
         exclude(group: "org.hamcrest", module: "hamcrest-all")
@@ -64,6 +68,24 @@ subprojects {
         exclude(group: "org.apache.directory.server", module: "apacheds-protocol-ldap")
         exclude(group: "org.skyscreamer", module: "jsonassert")
         exclude(group: "com.vaadin.external.google", module: "android-json")
+        exclude(group: "com.unboundid.components", module: "json")
+
+        // Exclude opensaml-security-api and non-FIPS bouncycastle libs, and use Shadow library for FIPS compliance
+        exclude(group: "org.bouncycastle", module: "bcpkix-jdk15on")
+        exclude(group: "org.bouncycastle", module: "bcprov-jdk15on")
+        exclude(group: "org.bouncycastle", module: "bcutil-jdk15on")
+        exclude(group: "org.bouncycastle", module: "bcprov-jdk18on")
+        exclude(group: "org.bouncycastle", module: "bcpkix-jdk18on")
+        exclude(group: "org.bouncycastle", module: "bcutil-jdk18on")
+
+        resolutionStrategy {
+            resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+                if (details.requested.group == 'org.opensaml' && details.requested.name.startsWith("opensaml-")) {
+                    details.useVersion "${versions.opensaml}"
+                    details.because 'Spring Security 5.8.x allows OpenSAML 3 or 4. OpenSAML 3 has reached its end-of-life. Spring Security 6 drops support for 3, using 4.'
+                }
+            }
+        }
     }
 
     dependencies {
@@ -81,9 +103,6 @@ subprojects {
 
     [compileJava, compileTestJava]*.options*.compilerArgs = ["-Xlint:none", "-nowarn"]
 
-    java.sourceCompatibility = JavaVersion.VERSION_17
-    java.targetCompatibility = JavaVersion.VERSION_17
-
     test {
         maxParallelForks = 1
         // when failFast = true AND retry is on, there is a serious issue:

dependencies.gradle

@@ -6,7 +6,9 @@ ext {
 // Versions shared between multiple dependencies
 versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM27"
-versions.bouncyCastleVersion = "2.0.0"
+versions.bouncyCastleFipsVersion = "2.0.0"
+versions.bouncyCastlePkixFipsVersion = "2.0.7"
+versions.bouncyCastleTlsFipsVersion = "2.0.19"
 versions.hamcrestVersion = "3.0"
 versions.springBootVersion = "2.7.18"
 versions.springFrameworkVersion = "5.3.39"
@@ -18,6 +20,8 @@ versions.seleniumVersion = "4.26.0"
 versions.braveVersion = "6.0.3"
 versions.jacksonVersion = "2.18.1"
 versions.jsonPathVersion = "2.9.0"
+versions.awaitilityVersion = "4.2.2"
+versions.opensaml = "4.0.1" // Spring Security 5.8.x allows OpenSAML 3 or 4. OpenSAML 3 has reached its end-of-life. Spring Security 6 drops support for 3, using 4.
 
 // Versions we're overriding from the Spring Boot Bom (Dependabot does not issue PRs to bump these versions, so we need to manually bump them)
 ext["mariadb.version"] = "2.7.12" // Bumping to v3 breaks some pipeline jobs (and compatibility with Amazon Aurora MySQL), so pinning to v2 for now. v2 (current version) is stable and will be supported until about September 2025 (https://mariadb.com/kb/en/about-mariadb-connector-j/).
@@ -43,8 +47,10 @@ libraries.apacheDsProtocolLdap = "org.apache.directory.server:apacheds-protocol-
 libraries.apacheLdapApi = "org.apache.directory.api:api-ldap-model:2.1.7"
 libraries.aspectJRt = "org.aspectj:aspectjrt"
 libraries.aspectJWeaver = "org.aspectj:aspectjweaver"
-libraries.bouncyCastlePkix = "org.bouncycastle:bcpkix-fips:2.0.7"
-libraries.bouncyCastleProv = "org.bouncycastle:bc-fips:${versions.bouncyCastleVersion}"
+libraries.awaitility = "org.awaitility:awaitility:${versions.awaitilityVersion}"
+libraries.bouncyCastlePkixFips = "org.bouncycastle:bcpkix-fips:${versions.bouncyCastlePkixFipsVersion}"
+libraries.bouncyCastleFipsProv = "org.bouncycastle:bc-fips:${versions.bouncyCastleFipsVersion}"
+libraries.bouncyCastleTlsFips = "org.bouncycastle:bctls-fips:${versions.bouncyCastleTlsFipsVersion}"
 libraries.braveInstrumentationSpringWebmvc = "io.zipkin.brave:brave-instrumentation-spring-webmvc:${versions.braveVersion}"
 libraries.braveContextSlf4j = "io.zipkin.brave:brave-context-slf4j:${versions.braveVersion}"
 libraries.commonsCodec = "commons-codec:commons-codec:1.17.1"
@@ -78,6 +84,7 @@ libraries.lombok = "org.projectlombok:lombok"
 libraries.mariaJdbcDriver = "org.mariadb.jdbc:mariadb-java-client"
 libraries.mockito = "org.mockito:mockito-core"
 libraries.mockitoJunit5 = "org.mockito:mockito-junit-jupiter"
+libraries.openSamlApi = "org.opensaml:opensaml-saml-api:${versions.opensaml}"
 libraries.passay = "org.passay:passay:1.6.6"
 libraries.postgresql = "org.postgresql:postgresql:42.7.4"
 libraries.selenium = "org.seleniumhq.selenium:selenium-java:${versions.seleniumVersion}"
@@ -103,7 +110,7 @@ libraries.springRetry = "org.springframework.retry:spring-retry"
 libraries.springSecurityConfig = "org.springframework.security:spring-security-config:${versions.springSecurityVersion}"
 libraries.springSecurityCore = "org.springframework.security:spring-security-core:${versions.springSecurityVersion}"
 libraries.springSecurityLdap = "org.springframework.security:spring-security-ldap:${versions.springSecurityVersion}"
-libraries.springSecuritySaml = "org.springframework.security.extensions:spring-security-saml2-core:${versions.springSecuritySamlVersion}"
+libraries.springSecuritySamlServiceProvider = "org.springframework.security:spring-security-saml2-service-provider:${versions.springSecurityVersion}"
 libraries.springSecurityTaglibs = "org.springframework.security:spring-security-taglibs:${versions.springSecurityVersion}"
 libraries.springSecurityTest = "org.springframework.security:spring-security-test:${versions.springSecurityVersion}"
 libraries.springSecurityWeb = "org.springframework.security:spring-security-web:${versions.springSecurityVersion}"
@@ -127,6 +134,7 @@ libraries.velocity = "org.apache.velocity:velocity-engine-core:2.4.1"
 libraries.xerces = "xerces:xercesImpl:2.12.2"
 libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt:9.41.2"
 libraries.xmlSecurity = "org.apache.santuario:xmlsec:4.0.3"
+libraries.xmlUnit = "org.xmlunit:xmlunit-assertj:2.10.0"
 libraries.orgJson = "org.json:json:20240303"
 libraries.owaspEsapi = "org.owasp.esapi:esapi:2.5.5.0"
 libraries.jodaTime = "joda-time:joda-time:2.13.0"
@@ -138,4 +146,4 @@ libraries.cargoGradlePlugin = "com.bmuschko:gradle-cargo-plugin:2.9.0"
 libraries.springBootGradlePlugin = "org.springframework.boot:spring-boot-gradle-plugin:${versions.springBootVersion}"
 libraries.springDependencyMangementGradlePlugin = "io.spring.gradle:dependency-management-plugin"
 libraries.gradleJcocoPlugin = "org.barfuin.gradle.jacocolog:gradle-jacoco-log:3.1.0"
-libraries.sonarqubePlugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:5.1.0.4882"
+libraries.sonarqubePlugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:5.1.0.4882"

lombok.config

@@ -0,0 +1 @@
+lombok.addLombokGeneratedAnnotation = true

metrics-data/src/main/java/org/cloudfoundry/identity/uaa/util/JsonUtils.java

@@ -26,7 +26,7 @@
 import java.util.Map;
 
 public class JsonUtils {
-    private static ObjectMapper objectMapper = new ObjectMapper();
+    private static final ObjectMapper objectMapper = new ObjectMapper();
 
     public static String writeValueAsString(Object object) throws JsonUtilException {
         try {
@@ -67,7 +67,7 @@ public static Map<String, Object> readValueAsMap(final String input) {
 
     public static <T> T readValue(byte[] data, Class<T> clazz) throws JsonUtilException {
         try {
-            if (data!=null && data.length>0) {
+            if (data != null && data.length > 0) {
                 return objectMapper.readValue(data, clazz);
             } else {
                 return null;
@@ -91,7 +91,7 @@ public static <T> T readValue(String s, TypeReference<T> typeReference) {
 
     public static <T> T readValue(byte[] data, TypeReference<T> typeReference) {
         try {
-            if (data!=null && data.length>0) {
+            if (data != null && data.length > 0) {
                 return objectMapper.readValue(data, typeReference);
             } else {
                 return null;
@@ -134,20 +134,18 @@ public static JsonNode readTree(String s) {
     }
 
     public static class JsonUtilException extends RuntimeException {
-
         private static final long serialVersionUID = -4804245225960963421L;
 
         public JsonUtilException(Throwable cause) {
             super(cause);
         }
-
     }
 
     public static String serializeExcludingProperties(Object object, String... propertiesToExclude) {
         String serialized = JsonUtils.writeValueAsString(object);
-        Map<String, Object> properties = JsonUtils.readValue(serialized, new TypeReference<Map<String, Object>>() {});
-        for(String property : propertiesToExclude) {
-            if(property.contains(".")) {
+        Map<String, Object> properties = JsonUtils.readValue(serialized, new TypeReference<>() {});
+        for (String property : propertiesToExclude) {
+            if (property.contains(".")) {
                 String[] split = property.split("\\.", 2);
                 if (properties != null && properties.containsKey(split[0])) {
                     Object inner = properties.get(split[0]);
@@ -180,19 +178,19 @@ public static boolean getNodeAsBoolean(JsonNode node, String fieldName, boolean
     public static Date getNodeAsDate(JsonNode node, String fieldName) {
         JsonNode typeNode = node.get(fieldName);
         long date = typeNode == null ? -1 : typeNode.asLong(-1);
-        if (date==-1) {
+        if (date == -1) {
             return null;
         } else {
             return new Date(date);
         }
     }
 
-    public static Map<String,Object> getNodeAsMap(JsonNode node) {
+    public static Map<String, Object> getNodeAsMap(JsonNode node) {
         return objectMapper.convertValue(node, Map.class);
     }
 
     public static boolean hasLength(CharSequence str) {
-        return !(str == null || str.length()==0);
+        return !(str == null || str.length() == 0);
     }
 
     public static boolean hasText(CharSequence str) {