wso2 · imesh94 · Dec 20, 2025 · Dec 20, 2025 · Dec 20, 2025 · Dec 20, 2025
diff --git a/...tity/extensions/auth/extensions/request/validator/FSRequestObjectValidationExtension.java b/...tity/extensions/auth/extensions/request/validator/FSRequestObjectValidationExtension.java
@@ -18,6 +18,7 @@
 
 package org.wso2.financial.services.accelerator.identity.extensions.auth.extensions.request.validator;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -44,6 +45,8 @@
  * The extension of RequestObjectValidatorImpl to enforce Financial services specific validations of the
  * request object.
  */
+@SuppressFBWarnings(value = {"CRLF_INJECTION_LOGS", "REPLACE_STR_LINE_TERMINATORS"},
+        justification = "Log messages are sanitized for CRLF injection.")
 public class FSRequestObjectValidationExtension extends RequestObjectValidatorImpl {
 
     private static final Log log = LogFactory.getLog(FSRequestObjectValidationExtension.class);

diff --git a/...ntity/extensions/auth/extensions/response/handler/FSCodeResponseTypeHandlerExtension.java b/...ntity/extensions/auth/extensions/response/handler/FSCodeResponseTypeHandlerExtension.java
@@ -19,6 +19,7 @@
 package org.wso2.financial.services.accelerator.identity.extensions.auth.extensions.response.handler;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
@@ -34,6 +35,8 @@
 /**
  * Extension to append scope with FS_ prefix at the end of auth flow, before offering auth code.
  */
+@SuppressFBWarnings(value = {"CRLF_INJECTION_LOGS", "REPLACE_STR_LINE_TERMINATORS"},
+        justification = "Log messages are sanitized for CRLF injection.")
 public class FSCodeResponseTypeHandlerExtension extends CodeResponseTypeHandler {
 
     private static final Log log = LogFactory.getLog(FSCodeResponseTypeHandlerExtension.class);

diff --git a/...ity/extensions/auth/extensions/response/handler/FSHybridResponseTypeHandlerExtension.java b/...ity/extensions/auth/extensions/response/handler/FSHybridResponseTypeHandlerExtension.java
@@ -19,6 +19,7 @@
 package org.wso2.financial.services.accelerator.identity.extensions.auth.extensions.response.handler;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
@@ -34,6 +35,8 @@
 /**
  * Extension to append scope with FS_ prefix at the end of auth flow, before offering auth code.
  */
+@SuppressFBWarnings(value = {"CRLF_INJECTION_LOGS", "REPLACE_STR_LINE_TERMINATORS"},
+        justification = "Log messages are sanitized for CRLF injection.")
 public class FSHybridResponseTypeHandlerExtension extends HybridResponseTypeHandler {
 
     private static final Log log = LogFactory.getLog(FSHybridResponseTypeHandlerExtension.class);

diff --git a/...l/services/accelerator/identity/extensions/claims/FSDefaultOIDCClaimsCallbackHandler.java b/...l/services/accelerator/identity/extensions/claims/FSDefaultOIDCClaimsCallbackHandler.java
@@ -19,6 +19,7 @@
 package org.wso2.financial.services.accelerator.identity.extensions.claims;
 
 import com.nimbusds.jwt.JWTClaimsSet;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -37,6 +38,8 @@
 /**
  * This call back handler adds FS specific additional claims to the self-contained JWT access token.
  */
+@SuppressFBWarnings(value = {"CRLF_INJECTION_LOGS", "REPLACE_STR_LINE_TERMINATORS"},
+        justification = "Log messages are sanitized for CRLF injection.")
 public class FSDefaultOIDCClaimsCallbackHandler extends DefaultOIDCClaimsCallbackHandler {
 
     private static Log log = LogFactory.getLog(FSDefaultOIDCClaimsCallbackHandler.class);

diff --git a/.../accelerator/identity/extensions/grant/type/handlers/FSAuthorizationCodeGrantHandler.java b/.../accelerator/identity/extensions/grant/type/handlers/FSAuthorizationCodeGrantHandler.java
@@ -18,6 +18,7 @@
 
 package org.wso2.financial.services.accelerator.identity.extensions.grant.type.handlers;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
@@ -37,6 +38,8 @@
  * FS specific authorization code grant handler.
  * main usage of extending is to handle the refresh token issuance and setting the refresh token validity period.
  */
+@SuppressFBWarnings(value = {"CRLF_INJECTION_LOGS", "REPLACE_STR_LINE_TERMINATORS"},
+        justification = "Log messages are sanitized for CRLF injection.")
 public class FSAuthorizationCodeGrantHandler extends AuthorizationCodeGrantHandler {
 
     private static final Log log = LogFactory.getLog(FSAuthorizationCodeGrantHandler.class);

diff --git a/...l/services/accelerator/identity/extensions/grant/type/handlers/FSRefreshGrantHandler.java b/...l/services/accelerator/identity/extensions/grant/type/handlers/FSRefreshGrantHandler.java
@@ -18,6 +18,7 @@
 
 package org.wso2.financial.services.accelerator.identity.extensions.grant.type.handlers;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -40,6 +41,8 @@
 /**
  * FS specific refresh grant handler.
  */
+@SuppressFBWarnings(value = {"CRLF_INJECTION_LOGS", "REPLACE_STR_LINE_TERMINATORS"},
+        justification = "Log messages are sanitized for CRLF injection.")
 public class FSRefreshGrantHandler extends RefreshGrantHandler {
 
     private static final Log log = LogFactory.getLog(FSRefreshGrantHandler.class);

diff --git a/...org/wso2/financial/services/accelerator/identity/extensions/util/IdentityCommonUtils.java b/...org/wso2/financial/services/accelerator/identity/extensions/util/IdentityCommonUtils.java
@@ -59,6 +59,8 @@
 /**
  * Common utility class for Identity Extensions.
  */
+@SuppressFBWarnings(value = {"CRLF_INJECTION_LOGS", "REPLACE_STR_LINE_TERMINATORS"},
+        justification = "Log messages are sanitized for CRLF injection.")
 public class IdentityCommonUtils {
 
     private static final Log log = LogFactory.getLog(IdentityCommonUtils.class);
@@ -378,10 +380,6 @@ public static boolean isRegulatoryApp(String clientId) throws FinancialServicesE
                 identityCache.addToCache(identityCacheKey, regulatoryProperty);
                 return Boolean.parseBoolean(regulatoryProperty.toString());
             } else {
-                if (log.isDebugEnabled()) {
-                    log.debug("Regulatory property not found in service provider metadata for clientId: "
-                            + clientId + ". Hence treating it as a non-regulatory application.");
-                }
                 return false;
             }
         } else {