diff --git a/cli/src/main/java/hudson/cli/CLI.java b/cli/src/main/java/hudson/cli/CLI.java
index 1b9b4856ad7e8f03d51a8b8662c2151ec13f7143..9c33baa358414584f74f40817aa10c1615519bef 100644
--- a/cli/src/main/java/hudson/cli/CLI.java
+++ b/cli/src/main/java/hudson/cli/CLI.java
@@ -23,6 +23,7 @@
  */
 package hudson.cli;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.cli.client.Messages;
 import java.io.DataInputStream;
 import javax.net.ssl.HostnameVerifier;
@@ -175,6 +176,7 @@ public class CLI {
                 HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
                 // bypass host name check, too.
                 HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
+                    @SuppressFBWarnings(value = "WEAK_HOSTNAME_VERIFIER", justification = "User set parameter to skip verifier.")
                     public boolean verify(String s, SSLSession sslSession) {
                         return true;
                     }
@@ -188,7 +190,7 @@ public class CLI {
             	continue;
             }
             if(head.equals("-i") && args.size()>=2) {
-                File f = new File(args.get(1));
+                File f = getFileFromArguments(args);
                 if (!f.exists()) {
                     printUsage(Messages.CLI_NoSuchFileExists(f));
                     return -1;
@@ -290,7 +292,7 @@ public class CLI {
         if (userInfo != null) {
             factory = factory.basicAuth(userInfo);
         } else if (auth != null) {
-            factory = factory.basicAuth(auth.startsWith("@") ? FileUtils.readFileToString(new File(auth.substring(1)), Charset.defaultCharset()).trim() : auth);
+            factory = factory.basicAuth(auth.startsWith("@") ? readAuthFromFile(auth).trim() : auth);
         }
 
         if (mode == Mode.HTTP) {
@@ -304,6 +306,16 @@ public class CLI {
         throw new AssertionError();
     }
 
+    @SuppressFBWarnings(value = {"PATH_TRAVERSAL_IN", "URLCONNECTION_SSRF_FD"}, justification = "User provided values for running the program.")
+    private static String readAuthFromFile(String auth) throws IOException {
+        return FileUtils.readFileToString(new File(auth.substring(1)), Charset.defaultCharset());
+    }
+
+    @SuppressFBWarnings(value = {"PATH_TRAVERSAL_IN", "URLCONNECTION_SSRF_FD"}, justification = "User provided values for running the program.")
+    private static File getFileFromArguments(List<String> args) {
+        return new File(args.get(1));
+    }
+
     private static int webSocketConnection(String url, List<String> args, CLIConnectionFactory factory) throws Exception {
         LOGGER.fine(() -> "Trying to connect to " + url + " via plain protocol over WebSocket");
         class CLIEndpoint extends Endpoint {
diff --git a/cli/src/main/java/hudson/cli/FullDuplexHttpStream.java b/cli/src/main/java/hudson/cli/FullDuplexHttpStream.java
index 723e97f16c26805a3550a0d9b8fcb17476396fee..fe8db4511691c96e00c4187fa5f6df936a5da32d 100644
--- a/cli/src/main/java/hudson/cli/FullDuplexHttpStream.java
+++ b/cli/src/main/java/hudson/cli/FullDuplexHttpStream.java
@@ -1,5 +1,7 @@
 package hudson.cli;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -60,7 +62,7 @@ public class FullDuplexHttpStream {
 
         // server->client
         LOGGER.fine("establishing download side");
-        HttpURLConnection con = (HttpURLConnection) target.openConnection();
+        HttpURLConnection con = openHttpConnection(target);
         con.setDoOutput(true); // request POST to avoid caching
         con.setRequestMethod("POST");
         con.addRequestProperty("Session", uuid.toString());
@@ -78,7 +80,7 @@ public class FullDuplexHttpStream {
 
         // client->server uses chunked encoded POST for unlimited capacity.
         LOGGER.fine("establishing upload side");
-        con = (HttpURLConnection) target.openConnection();
+        con = openHttpConnection(target);
         con.setDoOutput(true); // request POST
         con.setRequestMethod("POST");
         con.setChunkedStreamingMode(0);
@@ -92,10 +94,15 @@ public class FullDuplexHttpStream {
         LOGGER.fine("established upload side");
     }
 
-    // As this transport mode is using POST, it is necessary to resolve possible redirections using GET first.
+    @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD", justification = "Client-side code doesn't involve SSRF.")
+    private HttpURLConnection openHttpConnection(URL target) throws IOException {
+        return (HttpURLConnection) target.openConnection();
+    }
+
+    // As this transport mode is using POST, it is necessary to resolve possible redirections using GET first.    @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD", justification = "Client-side code doesn't involve SSRF.")
     private URL tryToResolveRedirects(URL base, String authorization) {
         try {
-            HttpURLConnection con = (HttpURLConnection) base.openConnection();
+            HttpURLConnection con = openHttpConnection(base);
             if (authorization != null) {
                 con.addRequestProperty("Authorization", authorization);
             }
diff --git a/cli/src/main/java/hudson/cli/NoCheckTrustManager.java b/cli/src/main/java/hudson/cli/NoCheckTrustManager.java
index c69b3330c21073ad54f34b7d4e527b2181f9e28d..cceacf2b21cb4b84d1ab1da4c798df9f19ee88c0 100644
--- a/cli/src/main/java/hudson/cli/NoCheckTrustManager.java
+++ b/cli/src/main/java/hudson/cli/NoCheckTrustManager.java
@@ -1,5 +1,7 @@
 package hudson.cli;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import javax.net.ssl.X509TrustManager;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -8,12 +10,15 @@ import java.security.cert.X509Certificate;
  * @author Kohsuke Kawaguchi
  */
 public class NoCheckTrustManager implements X509TrustManager {
+    @SuppressFBWarnings(value = "WEAK_TRUST_MANAGER", justification = "User set parameter to skip verifier.")
     public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
     }
 
+    @SuppressFBWarnings(value = "WEAK_TRUST_MANAGER", justification = "User set parameter to skip verifier.")
     public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
     }
 
+    @SuppressFBWarnings(value = "WEAK_TRUST_MANAGER", justification = "User set parameter to skip verifier.")
     public X509Certificate[] getAcceptedIssuers() {
         return new X509Certificate[0];
     }
diff --git a/cli/src/main/java/hudson/cli/SSHCLI.java b/cli/src/main/java/hudson/cli/SSHCLI.java
index 39dc9210a3e1615bac888932c689d97ad4dd1b4d..5321536c5c629c6ff6bcbfa81c52eb66ed496a6a 100644
--- a/cli/src/main/java/hudson/cli/SSHCLI.java
+++ b/cli/src/main/java/hudson/cli/SSHCLI.java
@@ -61,11 +61,10 @@ import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
  */
 class SSHCLI {
 
-    @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Due to whatever reason FindBugs reports it fot try-with-resources")
     static int sshConnection(String jenkinsUrl, String user, List<String> args, PrivateKeyProvider provider, final boolean strictHostKey) throws IOException {
         Logger.getLogger(SecurityUtils.class.getName()).setLevel(Level.WARNING); // suppress: BouncyCastle not registered, using the default JCE provider
         URL url = new URL(jenkinsUrl + "login");
-        URLConnection conn = url.openConnection();
+        URLConnection conn = openConnection(url);
         CLI.verifyJenkinsConnection(conn);
         String endpointDescription = conn.getHeaderField("X-SSH-Endpoint");
 
@@ -131,6 +130,11 @@ class SSHCLI {
         }
     }
 
+    @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD", justification = "Client-side code doesn't involve SSRF.")
+    private static URLConnection openConnection(URL url) throws IOException {
+        return url.openConnection();
+    }
+
     private SSHCLI() {}
 
 }
diff --git a/core/src/main/java/hudson/ClassicPluginStrategy.java b/core/src/main/java/hudson/ClassicPluginStrategy.java
index c5369614de87123480c526ddea82e5158c046b1d..e3af9fc07cc00603f0957aecada01aa03cad639d 100644
--- a/core/src/main/java/hudson/ClassicPluginStrategy.java
+++ b/core/src/main/java/hudson/ClassicPluginStrategy.java
@@ -431,6 +431,7 @@ public class ClassicPluginStrategy implements PluginStrategy {
         return null;
     }
 
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "Administrator action installing a plugin, which could do far worse.")
     private static File resolve(File base, String relative) {
         File rel = new File(relative);
         if(rel.isAbsolute())
diff --git a/core/src/main/java/hudson/Proc.java b/core/src/main/java/hudson/Proc.java
index 6acb1ceebaf5f6e9af1c3a858a732d4a5d614de6..f387d6abcc4843a5309820a3dc330bc330aae49b 100644
--- a/core/src/main/java/hudson/Proc.java
+++ b/core/src/main/java/hudson/Proc.java
@@ -23,6 +23,7 @@
  */
 package hudson;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Launcher.ProcStarter;
 import hudson.model.TaskListener;
 import hudson.remoting.Channel;
@@ -215,6 +216,7 @@ public abstract class Proc {
          * @param err
          *      null to redirect stderr to stdout.
          */
+        @SuppressFBWarnings(value = "COMMAND_INJECTION", justification = "Command injection is the point of this old, barely used class.")
         public LocalProc(String[] cmd,String[] env,InputStream in,OutputStream out,OutputStream err,File workDir) throws IOException {
             this( calcName(cmd),
                   stderr(environment(new ProcessBuilder(cmd),env).directory(workDir), err==null || err== SELFPUMP_OUTPUT),
diff --git a/core/src/main/java/hudson/Util.java b/core/src/main/java/hudson/Util.java
index 7775b4ca6afe4361266670c997ec4f7031f602f9..776fea2c416230a5d5237923d0e100fbc40876f8 100644
--- a/core/src/main/java/hudson/Util.java
+++ b/core/src/main/java/hudson/Util.java
@@ -589,6 +589,8 @@ public class Util {
     /**
      * Computes MD5 digest of the given input stream.
      *
+     * This method should only be used for non-security applications where the MD5 weakness is not a problem.
+     *
      * @param source
      *      The stream will be closed by this method at the end of this method.
      * @return
@@ -598,7 +600,7 @@ public class Util {
     @Nonnull
     public static String getDigestOf(@Nonnull InputStream source) throws IOException {
         try {
-            MessageDigest md5 = MessageDigest.getInstance("MD5");
+            MessageDigest md5 = getMd5();
             DigestInputStream in = new DigestInputStream(source, md5);
             // Note: IOUtils.copy() buffers the input internally, so there is no
             // need to use a BufferedInputStream.
@@ -618,6 +620,14 @@ public class Util {
         */
     }
 
+    // TODO JENKINS-60563 remove MD5 from all usages in Jenkins
+    @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_MD5", justification =
+            "This method should only be used for non-security applications where the MD5 weakness is not a problem.")
+    @Deprecated
+    private static MessageDigest getMd5() throws NoSuchAlgorithmException {
+        return MessageDigest.getInstance("MD5");
+    }
+
     @Nonnull
     public static String getDigestOf(@Nonnull String text) {
         try {
diff --git a/core/src/main/java/hudson/cli/Connection.java b/core/src/main/java/hudson/cli/Connection.java
index 1961447778d04ab829c9b550305ac016309bcd35..bdeb192fd3ee8fb2bd587354b23e4f0b4eb610f3 100644
--- a/core/src/main/java/hudson/cli/Connection.java
+++ b/core/src/main/java/hudson/cli/Connection.java
@@ -23,6 +23,7 @@
  */
 package hudson.cli;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.ClassFilter;
 import hudson.remoting.ObjectInputStreamEx;
 import hudson.remoting.SocketChannelStream;
@@ -113,6 +114,8 @@ public class Connection {
     /**
      * Receives an object sent by {@link #writeObject(Object)}
      */
+    // TODO JENKINS-60562 remove this class
+    @SuppressFBWarnings(value = "OBJECT_DESERIALIZATION", justification = "Not used. We should just remove it. Class is deprecated.")
     public <T> T readObject() throws IOException, ClassNotFoundException {
         ObjectInputStream ois = new ObjectInputStreamEx(in,
                 getClass().getClassLoader(), ClassFilter.DEFAULT);
@@ -194,16 +197,20 @@ public class Connection {
      */
     public Connection encryptConnection(SecretKey sessionKey, String algorithm) throws IOException, GeneralSecurityException {
         Cipher cout = Cipher.getInstance(algorithm);
-        cout.init(Cipher.ENCRYPT_MODE, sessionKey, new IvParameterSpec(sessionKey.getEncoded()));
+        cout.init(Cipher.ENCRYPT_MODE, sessionKey, createIv(sessionKey));
         CipherOutputStream o = new CipherOutputStream(out, cout);
 
         Cipher cin = Cipher.getInstance(algorithm);
-        cin.init(Cipher.DECRYPT_MODE, sessionKey, new IvParameterSpec(sessionKey.getEncoded()));
+        cin.init(Cipher.DECRYPT_MODE, sessionKey, createIv(sessionKey));
         CipherInputStream i = new CipherInputStream(in, cin);
 
         return new Connection(i,o);
     }
 
+    private IvParameterSpec createIv(SecretKey sessionKey) {
+        return new IvParameterSpec(sessionKey.getEncoded());
+    }
+
     /**
      * Given a byte array that contains arbitrary number of bytes, digests or expands those bits into the specified
      * number of bytes without loss of entropy.
diff --git a/core/src/main/java/hudson/console/AnnotatedLargeText.java b/core/src/main/java/hudson/console/AnnotatedLargeText.java
index c862d0c61b187ad53aa545b152064ed035e0fc56..36d2664e9208ba72d8cf890fb9986e2e2a3efe4b 100644
--- a/core/src/main/java/hudson/console/AnnotatedLargeText.java
+++ b/core/src/main/java/hudson/console/AnnotatedLargeText.java
@@ -25,6 +25,7 @@
  */
 package hudson.console;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import jenkins.model.Jenkins;
 import hudson.remoting.ObjectInputStreamEx;
 import java.util.concurrent.TimeUnit;
@@ -128,7 +129,7 @@ public class AnnotatedLargeText<T> extends LargeText {
                     long timestamp = ois.readLong();
                     if (TimeUnit.HOURS.toMillis(1) > abs(System.currentTimeMillis()-timestamp))
                         // don't deserialize something too old to prevent a replay attack
-                        return (ConsoleAnnotator) ois.readObject();
+                        return getConsoleAnnotator(ois);
                 } catch (RuntimeException ex) {
                     throw new IOException("Could not decode input", ex);
                 }
@@ -140,6 +141,11 @@ public class AnnotatedLargeText<T> extends LargeText {
         return ConsoleAnnotator.initial(context);
     }
 
+    @SuppressFBWarnings(value = "OBJECT_DESERIALIZATION", justification = "Deserialization is protected by logic.")
+    private ConsoleAnnotator getConsoleAnnotator(ObjectInputStream ois) throws IOException, ClassNotFoundException {
+        return (ConsoleAnnotator) ois.readObject();
+    }
+
     @CheckReturnValue
     @Override
     public long writeLogTo(long start, Writer w) throws IOException {
diff --git a/core/src/main/java/hudson/console/ConsoleNote.java b/core/src/main/java/hudson/console/ConsoleNote.java
index 4d2e2c2530cbba3d8d3e4ca7333f4acc522e53f4..e55f7c2629eb4f2aee213826c0f36fa512ea0695 100644
--- a/core/src/main/java/hudson/console/ConsoleNote.java
+++ b/core/src/main/java/hudson/console/ConsoleNote.java
@@ -23,6 +23,7 @@
  */
 package hudson.console;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.ExtensionPoint;
 import hudson.Functions;
 import hudson.MarkupText;
@@ -275,7 +276,7 @@ public abstract class ConsoleNote<T> implements Serializable, Describable<Consol
             try (ObjectInputStream ois = new ObjectInputStreamEx(new GZIPInputStream(new ByteArrayInputStream(buf)),
                     jenkins != null ? jenkins.pluginManager.uberClassLoader : ConsoleNote.class.getClassLoader(),
                     ClassFilter.DEFAULT)) {
-                return (ConsoleNote) ois.readObject();
+                return getConsoleNote(ois);
             }
         } catch (Error e) {
             // for example, bogus 'sz' can result in OutOfMemoryError.
@@ -284,6 +285,11 @@ public abstract class ConsoleNote<T> implements Serializable, Describable<Consol
         }
     }
 
+    @SuppressFBWarnings(value = "OBJECT_DESERIALIZATION", justification = "Deserialization is protected by logic.")
+    private static ConsoleNote getConsoleNote(ObjectInputStream ois) throws IOException, ClassNotFoundException {
+        return (ConsoleNote) ois.readObject();
+    }
+
     /**
      * Skips the encoded console note.
      */
diff --git a/core/src/main/java/hudson/scheduler/Hash.java b/core/src/main/java/hudson/scheduler/Hash.java
index 51592e6629dee17fefdf7dfa8aea98087449b095..833ee87e1c1989dd08ea6c8e3c2e79cad8967f66 100644
--- a/core/src/main/java/hudson/scheduler/Hash.java
+++ b/core/src/main/java/hudson/scheduler/Hash.java
@@ -23,6 +23,8 @@
  */
 package hudson.scheduler;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -51,10 +53,10 @@ public abstract class Hash {
      * Produces an integer in [0,n)
      */
     public abstract int next(int n);
-    
+
     public static Hash from(String seed) {
         try {
-            MessageDigest md5 = MessageDigest.getInstance("MD5");
+            MessageDigest md5 = getMd5();
             md5.update(seed.getBytes(StandardCharsets.UTF_8));
             byte[] digest = md5.digest();
 
@@ -77,6 +79,12 @@ public abstract class Hash {
         }
     }
 
+    // TODO JENKINS-60563 remove MD5 from all usages in Jenkins
+    @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_MD5", justification = "Should not be used for security.")
+    private static MessageDigest getMd5() throws NoSuchAlgorithmException {
+        return MessageDigest.getInstance("MD5");
+    }
+
     /**
      * Creates a hash that always return 0.
      */
diff --git a/core/src/main/java/hudson/security/BasicAuthenticationFilter.java b/core/src/main/java/hudson/security/BasicAuthenticationFilter.java
index 62df185d16102cd83030053068a62b2d268aae8e..2c1c379d7d6f7c2d964c15773310eb7b2957ab4f 100644
--- a/core/src/main/java/hudson/security/BasicAuthenticationFilter.java
+++ b/core/src/main/java/hudson/security/BasicAuthenticationFilter.java
@@ -23,6 +23,7 @@
  */
 package hudson.security;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.model.User;
 import jenkins.model.Jenkins;
 import hudson.util.Scrambler;
@@ -162,8 +163,7 @@ public class BasicAuthenticationFilter implements Filter {
             path += '?'+q;
 
         // prepare a redirect
-        rsp.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
-        rsp.setHeader("Location",path);
+        prepareRedirect(rsp, path);
 
         // ... but first let the container authenticate this request
         RequestDispatcher d = servletContext.getRequestDispatcher("/j_security_check?j_username="+
@@ -171,6 +171,12 @@ public class BasicAuthenticationFilter implements Filter {
         d.include(req,rsp);
     }
 
+    @SuppressFBWarnings(value = "UNVALIDATED_REDIRECT", justification = "Redirect is validated as processed.")
+    private void prepareRedirect(HttpServletResponse rsp, String path) {
+        rsp.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
+        rsp.setHeader("Location",path);
+    }
+
     //public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
     //    HttpServletRequest req = (HttpServletRequest) request;
     //    String authorization = req.getHeader("Authorization");
diff --git a/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java b/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
index 4b86333f62d22f51980b043f11dc53e021fee445..43798635ad74f0634013cecd6a7ea5f635c42be3 100644
--- a/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
+++ b/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
@@ -23,6 +23,7 @@
  */
 package hudson.security;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Functions;
 
 import com.google.common.base.Strings;
@@ -100,15 +101,7 @@ public class HudsonAuthenticationEntryPoint extends AuthenticationProcessingFilt
             } catch (IllegalStateException e) {
                 out = rsp.getWriter();
             }
-            out.printf(
-                "<html><head>" +
-                "<meta http-equiv='refresh' content='1;url=%1$s'/>" +
-                "<script>window.location.replace('%1$s');</script>" +
-                "</head>" +
-                "<body style='background-color:white; color:white;'>%n" +
-                "%n%n"+
-                "Authentication required%n"+
-                "<!--%n",loginForm);
+            printResponse(loginForm, out);
 
             if (cause!=null)
                 cause.report(out);
@@ -123,4 +116,17 @@ public class HudsonAuthenticationEntryPoint extends AuthenticationProcessingFilt
             out.close();
         }
     }
+
+    @SuppressFBWarnings(value = "XSS_SERVLET", justification = "Intermediate step for redirecting users to login page.")
+    private void printResponse(String loginForm, PrintWriter out) {
+        out.printf(
+            "<html><head>" +
+            "<meta http-equiv='refresh' content='1;url=%1$s'/>" +
+            "<script>window.location.replace('%1$s');</script>" +
+            "</head>" +
+            "<body style='background-color:white; color:white;'>%n" +
+            "%n%n"+
+            "Authentication required%n"+
+            "<!--%n",loginForm);
+    }
 }
diff --git a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
index 3a404a49e5e3ef3bd5f8ae78114708c14af4363f..bbfd617ae608cc2c92b5b9c973a25ffd5acfe873 100644
--- a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
+++ b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -490,7 +490,7 @@ public class HudsonPrivateSecurityRealm extends AbstractPasswordBasedSecurityRea
         }
     }
 
-    @Restricted(NoExternalUse.class)
+    @Restricted(NoExternalUse.class) // _entryForm.jelly and signup.jelly
     public boolean isMailerPluginPresent() {
         try {
             // mail support has moved to a separate plugin
diff --git a/core/src/main/java/hudson/util/ConsistentHash.java b/core/src/main/java/hudson/util/ConsistentHash.java
index 61ef48a94da7abc3e60cc373ad34d8ad8f1e0101..16e5f3c5ef74e62dd5aa31c3de2ce8bd8b8fc2b2 100644
--- a/core/src/main/java/hudson/util/ConsistentHash.java
+++ b/core/src/main/java/hudson/util/ConsistentHash.java
@@ -26,6 +26,7 @@ package hudson.util;
 import java.lang.RuntimeException;
 import java.security.GeneralSecurityException;
 import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
@@ -33,6 +34,7 @@ import java.util.Collection;
 import java.util.Iterator;
 import java.util.NoSuchElementException;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.util.Iterators.DuplicateFilterIterator;
 
 /**
@@ -290,7 +292,7 @@ public class ConsistentHash<T> {
      */
     private int md5(String s) {
         try {
-            MessageDigest md5 = MessageDigest.getInstance("MD5");
+            MessageDigest md5 = getMd5();
             md5.update(s.getBytes());
             byte[] digest = md5.digest();
 
@@ -303,6 +305,12 @@ public class ConsistentHash<T> {
         }
     }
 
+    // TODO JENKINS-60563 remove MD5 from all usages in Jenkins
+    @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_MD5", justification = "Not used for security.")
+    private MessageDigest getMd5() throws NoSuchAlgorithmException {
+        return MessageDigest.getInstance("MD5");
+    }
+
     /**
      * unsigned byte->int.
      */
diff --git a/core/src/main/java/hudson/util/DOSToUnixPathHelper.java b/core/src/main/java/hudson/util/DOSToUnixPathHelper.java
index afe949c8db1407670af0ee06e3b85cb9af8180bc..c1eb489efc4576a1009f24d328e142e7d661c54a 100644
--- a/core/src/main/java/hudson/util/DOSToUnixPathHelper.java
+++ b/core/src/main/java/hudson/util/DOSToUnixPathHelper.java
@@ -1,5 +1,6 @@
 package hudson.util;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.EnvVars;
 import hudson.Util;
 import org.kohsuke.accmod.Restricted;
@@ -17,19 +18,23 @@ class DOSToUnixPathHelper {
         void validate(File fexe);
     }
     static private boolean checkPrefix(String prefix, Helper helper) {
-        File f = new File(prefix);
+        File f = constructFile(prefix);
         if(f.exists()) {
             helper.checkExecutable(f);
             return true;
         }
 
-        File fexe = new File(prefix+".exe");
+        File fexe = constructFile(prefix+".exe");
         if(fexe.exists()) {
             helper.checkExecutable(fexe);
             return true;
         }
         return false;
     }
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "Limited use for locating shell executable by administrator.")
+    private static File constructFile(String prefix) {
+        return new File(prefix);
+    }
     static void iteratePath(String exe, Helper helper) {
         exe = fixEmpty(exe);
         if(exe==null) {
diff --git a/core/src/main/java/hudson/util/FormFieldValidator.java b/core/src/main/java/hudson/util/FormFieldValidator.java
index 292d5d114167549a3c74b451e699166643f492de..1de147efa2b90481ce5393b247a5902e5f4c5a2a 100644
--- a/core/src/main/java/hudson/util/FormFieldValidator.java
+++ b/core/src/main/java/hudson/util/FormFieldValidator.java
@@ -23,6 +23,7 @@
  */
 package hudson.util;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.FilePath;
 import hudson.ProxyConfiguration;
 import hudson.Util;
@@ -145,6 +146,7 @@ public abstract class FormFieldValidator {
     /**
      * Gets the parameter as a file.
      */
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "Not used.")
     protected final File getFileParameter(String paramName) {
         return new File(Util.fixNull(request.getParameter(paramName)));
     }
@@ -329,7 +331,7 @@ public abstract class FormFieldValidator {
 
             try {
                 URL url = new URL(value);
-                HttpURLConnection con = (HttpURLConnection)url.openConnection();
+                HttpURLConnection con = openConnection(url);
                 con.connect();
                 if(con.getResponseCode()!=200
                 || con.getHeaderField("X-Hudson")==null) {
@@ -342,6 +344,11 @@ public abstract class FormFieldValidator {
                 handleIOException(value,e);
             }
         }
+
+        @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD", justification = "Not used.")
+        private HttpURLConnection openConnection(URL url) throws IOException {
+            return (HttpURLConnection)url.openConnection();
+        }
     }
 
     /**
diff --git a/core/src/main/java/jenkins/InitReactorRunner.java b/core/src/main/java/jenkins/InitReactorRunner.java
index fd76f912146975453fb74ade5558d6275583af62..be183b47e17c7d0324671993859ce933b0ff9f35 100644
--- a/core/src/main/java/jenkins/InitReactorRunner.java
+++ b/core/src/main/java/jenkins/InitReactorRunner.java
@@ -4,10 +4,12 @@ import com.google.common.collect.Lists;
 import jenkins.util.SystemProperties;
 import hudson.init.InitMilestone;
 import hudson.init.InitReactorListener;
+import hudson.security.ACL;
 import hudson.util.DaemonThreadFactory;
 import hudson.util.NamingThreadFactory;
 import jenkins.model.Configuration;
 import jenkins.model.Jenkins;
+import jenkins.security.ImpersonatingExecutorService;
 import org.jvnet.hudson.reactor.Milestone;
 import org.jvnet.hudson.reactor.Reactor;
 import org.jvnet.hudson.reactor.ReactorException;
@@ -45,7 +47,7 @@ public class InitReactorRunner {
         else
             es = Executors.newSingleThreadExecutor(new NamingThreadFactory(new DaemonThreadFactory(), "InitReactorRunner"));
         try {
-            reactor.execute(es,buildReactorListener());
+            reactor.execute(new ImpersonatingExecutorService(es, ACL.SYSTEM), buildReactorListener());
         } finally {
             es.shutdownNow();   // upon a successful return the executor queue should be empty. Upon an exception, we want to cancel all pending tasks
         }
diff --git a/core/src/main/java/jenkins/model/RunIdMigrator.java b/core/src/main/java/jenkins/model/RunIdMigrator.java
index 4af582072ece46d23b70e0dfbbfc89984dfda29b..0f08bdfa268b5dd061947ab42a91dccc38143709 100644
--- a/core/src/main/java/jenkins/model/RunIdMigrator.java
+++ b/core/src/main/java/jenkins/model/RunIdMigrator.java
@@ -24,6 +24,7 @@
 
 package jenkins.model;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.Util;
 import hudson.model.Job;
@@ -313,13 +314,19 @@ public final class RunIdMigrator {
         if (args.length != 1) {
             throw new Exception("pass one parameter, $JENKINS_HOME");
         }
-        File root = new File(args[0]);
+        File root = constructFile(args[0]);
         File jobs = new File(root, "jobs");
         if (!jobs.isDirectory()) {
             throw new FileNotFoundException("no such $JENKINS_HOME " + root);
         }
         new RunIdMigrator().unmigrateJobsDir(jobs);
     }
+
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "Only invoked from the command line as a standalone utility")
+    private static File constructFile(String arg) {
+        return new File(arg);
+    }
+
     private void unmigrateJobsDir(File jobs) throws Exception {
         File[] jobDirs = jobs.listFiles();
         if (jobDirs == null) {
diff --git a/core/src/main/java/jenkins/model/identity/IdentityRootAction.java b/core/src/main/java/jenkins/model/identity/IdentityRootAction.java
index 1ea465ec07ee5c52960e4b6acc69e446efa1f61d..dbdb88199cf3411630500f5c16d9e2eae6c57216 100644
--- a/core/src/main/java/jenkins/model/identity/IdentityRootAction.java
+++ b/core/src/main/java/jenkins/model/identity/IdentityRootAction.java
@@ -1,5 +1,6 @@
 package jenkins.model.identity;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.model.UnprotectedRootAction;
 import java.security.MessageDigest;
@@ -61,6 +62,7 @@ public class IdentityRootAction implements UnprotectedRootAction {
      *
      * @return the fingerprint of the public key.
      */
+    @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_MD5", justification = "Not used for security. ")
     public String getFingerprint() {
         RSAPublicKey key = InstanceIdentityProvider.RSA.getPublicKey();
         if (key == null) {
@@ -68,7 +70,7 @@ public class IdentityRootAction implements UnprotectedRootAction {
         }
         // TODO replace with org.jenkinsci.remoting.util.KeyUtils once JENKINS-36871 changes are merged
         try {
-            MessageDigest digest = MessageDigest.getInstance("MD5");
+            MessageDigest digest = getMd5();
             digest.reset();
             byte[] bytes = digest.digest(key.getEncoded());
             StringBuilder result = new StringBuilder(Math.max(0, bytes.length * 3 - 1));
@@ -84,4 +86,10 @@ public class IdentityRootAction implements UnprotectedRootAction {
             throw new IllegalStateException("JLS mandates MD5 support");
         }
     }
+
+    // TODO JENKINS-60563 remove MD5 from all usages in Jenkins
+    @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_MD5", justification = "Not used for security. ")
+    private MessageDigest getMd5() throws NoSuchAlgorithmException {
+        return MessageDigest.getInstance("MD5");
+    }
 }
diff --git a/core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol4.java b/core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol4.java
index e1d85d782bdcabdfe63dad85b92bc559247b4dc1..fc6d134dc2b9dd46ee76a184a79cd8dbc78c6ccb 100644
--- a/core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol4.java
+++ b/core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol4.java
@@ -111,7 +111,7 @@ public class JnlpSlaveAgentProtocol4 extends AgentProtocol {
 
         // prepare our keyStore so we can provide our authentication
         keyStore = KeyStore.getInstance("JKS");
-        char[] password = "password".toCharArray();
+        char[] password = constructPassword();
         try {
             keyStore.load(null, password);
         } catch (IOException e) {
@@ -146,6 +146,10 @@ public class JnlpSlaveAgentProtocol4 extends AgentProtocol {
         sslContext.init(kmf.getKeyManagers(), trustManagers, null);
     }
 
+    private char[] constructPassword() {
+        return "password".toCharArray();
+    }
+
     /**
      * Inject the {@link IOHubProvider}
      *
@@ -182,7 +186,7 @@ public class JnlpSlaveAgentProtocol4 extends AgentProtocol {
                 LOGGER.log(Level.INFO, "Updating {0} TLS certificate to retain validity", getName());
                 X509Certificate identityCertificate = InstanceIdentityProvider.RSA.getCertificate();
                 RSAPrivateKey privateKey = InstanceIdentityProvider.RSA.getPrivateKey();
-                char[] password = "password".toCharArray();
+                char[] password = constructPassword();
                 keyStore.setKeyEntry("jenkins", privateKey, password, new X509Certificate[]{identityCertificate});
             }
         } catch (KeyStoreException e) {
diff --git a/core/src/main/resources/hudson/model/View/AsynchPeople/index.jelly b/core/src/main/resources/hudson/model/View/AsynchPeople/index.jelly
index ffdcd6d2f351a75f4e1fe6ecc9912259dbfe8ed6..f3da56cbcd5bc705868af7ea6222f52faa1381b1 100644
--- a/core/src/main/resources/hudson/model/View/AsynchPeople/index.jelly
+++ b/core/src/main/resources/hudson/model/View/AsynchPeople/index.jelly
@@ -100,7 +100,7 @@ THE SOFTWARE.
       <l:progressiveRendering handler="${it}" callback="display"/>
       <table class="sortable pane bigtable" id="people">
         <tr>
-          <th />
+          <th class="minimum-width" />
           <th>${%User ID}</th>
           <th>${%Name}</th>
           <th initialSortDir="up">${%Last Commit Activity}</th>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly
index 69509462d521b8c2825cb63e2d4ccc38fb8c6c31..3a0bd5627b1710d7a3328741d26c730058e2d3c5 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly
@@ -24,23 +24,41 @@ THE SOFTWARE.
 
 <!-- tag file used by both signup.jelly and addUser.jelly -->
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler">
+  <st:documentation>
+    <st:attribute name="it" use="required" type="hudson.security.HudsonPrivateSecurityRealm">
+      Context where the page is loaded.
+    </st:attribute>
+    <st:attribute name="title" use="required">
+      Title of the HTML page. Rendered in the page content inside a &lt;h1>.
+    </st:attribute>
+    <st:attribute name="action" use="required">
+      The method to call from within the HudsonPrivateSecurityRealm.
+    </st:attribute>
+    <st:attribute name="captcha" use="optional">
+      Determines if the tag will include the captcha.
+    </st:attribute>
+    <st:attribute name="data" use="optional" type="hudson.security.HudsonPrivateSecurityRealm.SignupInfo">
+      The wrapper for the data provided by the user and the error message(s) if any. Is null on first form display.
+    </st:attribute>
+  </st:documentation>
+
   <h1>${title}</h1>
-  <div style="margin: 2em;">
+  <div class="form-content">
     <j:if test="${data.errorMessage!=null}">
-      <div class="error" style="margin-bottom:1em">
+      <div class="error">
         ${data.errorMessage}
       </div>
     </j:if>
     <j:forEach var="error" items="${data.errors}">
-      <div class="error" style="margin-bottom:1em">
+      <div class="error">
         ${error.value}
       </div>
     </j:forEach>
       <table>
         <tr>
           <td>${%Username}:</td>
-          <td><input type="text" name="username" id="username" value="${data.username}" /></td>
+          <td><input type="text" name="username" id="username" value="${data.username}" autofocus="autofocus" /></td>
         </tr>
         <tr>
           <td>${%Password}:</td>
@@ -55,17 +73,17 @@ THE SOFTWARE.
           <td><input type="text" name="fullname" value="${data.fullname}" /></td>
         </tr>
         <j:if test="${it.mailerPluginPresent}">
-        <tr>
-          <td>${%E-mail address}:</td>
-          <td><input type="text" name="email" value="${data.email}" /></td>
-        </tr>
+          <tr>
+            <td>${%E-mail address}:</td>
+            <td><input type="text" name="email" value="${data.email}" /></td>
+          </tr>
         </j:if>
         <j:if test="${captcha}">
           <tr>
             <td>${%Enter text as shown}:</td>
             <td>
               <input type="text" name="captcha" autocomplete="off" /><br />
-              <img src="${rootURL}/securityRealm/captcha" alt="[${%captcha}]"/>
+              <img src="${rootURL}/securityRealm/captcha" alt="[${%captcha}]" />
             </td>
           </tr>
         </j:if>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly
index 8009ad6518ed8c94505bbb7bdc8f7e23aef4172b..cb30e27bdf831f9cb443c2862a071a44632b793d 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly
@@ -22,28 +22,36 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
 
-<!-- tag file used by both signup.jelly and addUser.jelly -->
+<!-- tag file used by signupWithFederatedIdentity.jelly, addUser.jelly and firstUser.jelly -->
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" xmlns:f="/lib/form" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm">
+  <st:documentation>
+    <st:attribute name="host" use="required" type="hudson.security.HudsonPrivateSecurityRealm">
+      Corresponds to the "it" of Jelly, meaning the context where the page is loaded.
+    </st:attribute>
+    <st:attribute name="title" use="required">
+      Title of the HTML page. 
+      Rendered into &lt;title> tag, in the page content inside a &lt;h1> and as the label of the submit button.
+    </st:attribute>
+    <st:attribute name="action" use="required">
+      The method to call from within the HudsonPrivateSecurityRealm.
+    </st:attribute>
+    <st:attribute name="captcha" use="optional" type="boolean">
+      Determines if the tag will include the captcha.
+    </st:attribute>
+    <st:attribute name="data" use="optional" type="hudson.security.HudsonPrivateSecurityRealm.SignupInfo">
+      The wrapper for the data provided by the user and the error message(s) if any. Is null on first form display.
+    </st:attribute>
+  </st:documentation>
   <l:layout norefresh="true" title="${title}">
-    <l:header>
-      <style>
-        <!-- match width with captcha image -->
-        INPUT {
-          width:200px;
-        }
-      </style>
-    </l:header>
+    <st:adjunct includes="hudson.security.HudsonPrivateSecurityRealm._entryFormPage.resources" />
     <l:hasPermission permission="${app.READ}" it="${host}">
       <st:include page="sidepanel.jelly" it="${host}" />
     </l:hasPermission>
     <l:main-panel>
-      <form action="${rootURL}/securityRealm/${action}" method="post" style="text-size:smaller">
-        <local:_entryForm title="${title}" action="${action}" captcha="${captcha}" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm" />
+      <form action="${rootURL}/securityRealm/${action}" method="post">
+        <local:_entryForm title="${title}" action="${action}" captcha="${captcha}" it="${host}" data="${data}" />
         <f:submit value="${title}" />
-        <script>
-          $('username').focus();
-        </script>
       </form>
     </l:main-panel>
   </l:layout>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage/resources.css b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage/resources.css
new file mode 100644
index 0000000000000000000000000000000000000000..18e07446425e6a75cdf769f7860ca3a15578a12a
--- /dev/null
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage/resources.css
@@ -0,0 +1,12 @@
+input {
+	/* match width with captcha image */
+	width:200px;
+}
+
+.form-content {
+	margin: 2em;
+}
+
+.form-content .error {
+	margin-bottom: 1em;
+}
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly
index daacc17bfc479390f379266536a1f3bbc3f79344..b9b3f246c73901c866e70696b5a62157d26d2d31 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly
@@ -26,6 +26,6 @@ THE SOFTWARE.
   Page for admin to create a new user
 -->
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <local:_entryFormPage host="${it}" title="${%Create User}" action="createAccountByAdmin" captcha="${false}" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm" />
-</j:jelly>
\ No newline at end of file
+<j:jelly xmlns:j="jelly:core" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm">
+  <local:_entryFormPage host="${it}" title="${%Create User}" action="createAccountByAdmin" captcha="${false}" data="${data}" />
+</j:jelly>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/config.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/config.jelly
index 97571521688d05e3fd98b7b38db9b84ed3557d26..a36f9c14f0af1b0188019a67c53bcaf5cb040c0f 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/config.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/config.jelly
@@ -23,8 +23,7 @@ THE SOFTWARE.
 -->
 
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson"
-  xmlns:f="/lib/form">
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:f="/lib/form">
   <f:entry field="allowsSignup">
     <f:checkbox default="false" title="${%Allow users to sign up}" />
   </f:entry>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly
index 6ebd369ae0a1f0d7c10eaf619b13c221343d716d..b3568d1a6e1b86a3a57ad5ac7fc179291800a1be 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly
@@ -26,6 +26,6 @@ THE SOFTWARE.
   This is used to create the first user.
 -->
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <local:_entryFormPage host="${it}" title="${%Create First Admin User}" action="createFirstAccount" captcha="${false}" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm" />
-</j:jelly>
\ No newline at end of file
+<j:jelly xmlns:j="jelly:core" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm">
+  <local:_entryFormPage host="${it}" title="${%Create First Admin User}" action="createFirstAccount" captcha="${false}" data="${data}"/>
+</j:jelly>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
index a7cad84726f1fda839af513793310c15b4aff4e3..29d3ffc4a2d7141f417e3f7d839dd728d2f405b6 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
@@ -23,7 +23,7 @@ THE SOFTWARE.
 -->
 
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout">
   <l:layout permission="${app.ADMINISTER}" title="${%Users}">
     <st:include page="sidepanel.jelly" />
     <l:main-panel>
@@ -32,20 +32,20 @@ THE SOFTWARE.
       
       <table class="sortable pane bigtable" id="people">
         <tr>
-          <th style="width:32px"/>
+          <th class="minimum-width" />
           <th>${%User ID}</th>
           <th>${%Name}</th>
-          <th style="width:32px"/>
+          <th class="minimum-width" />
         </tr>
         <j:forEach var="user" items="${it.allUsers}">
           <tr>
-            <td><a href="${user.url}/" class="model-link inside"><img src="${h.getUserAvatar(user,'32x32')}" alt="" height="32" width="32"/></a></td>
+            <td><a href="${user.url}/" class="model-link inside"><img src="${h.getUserAvatar(user,'32x32')}" alt="" height="32" width="32" /></a></td>
             <td><a href="${user.url}/">${user.id}</a></td>
             <td><a href="${user.url}/">${user}</a></td>
             <td>
-              <a href="${user.url}/configure"><l:icon class="icon-gear2 icon-lg"/></a>
+              <a href="${user.url}/configure"><l:icon class="icon-gear2 icon-lg" /></a>
               <j:if test="${user.canDelete()}">
-                <a href="${user.url}/delete"><l:icon class="icon-edit-delete icon-md"/></a>
+                <a href="${user.url}/delete"><l:icon class="icon-edit-delete icon-md" /></a>
               </j:if>
             </td>
           </tr>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/loginLink.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/loginLink.jelly
index c2ef8305fa4827837d80e7c70a3665304b228549..ba75e740a89e557d9669617b78442c0af70b82b6 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/loginLink.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/loginLink.jelly
@@ -23,10 +23,10 @@ THE SOFTWARE.
 -->
 
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout">
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler">
   <st:include page="/hudson/security/SecurityRealm/loginLink.jelly" />
   <j:if test="${it.allowsSignup()}">
     |
     <a href="${rootURL}/signup"><b>${%sign up}</b></a>
   </j:if>
-</j:jelly>
\ No newline at end of file
+</j:jelly>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/sidepanel.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/sidepanel.jelly
index 6cc9f4456925a6c37cf58ff93097e8c7e479d847..8e3c84edcc1d74f4a66b41d6cd7b92316dc8486f 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/sidepanel.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/sidepanel.jelly
@@ -23,13 +23,13 @@ THE SOFTWARE.
 -->
 
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:s="/lib/form">
+<j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout">
   <l:header />
   <l:side-panel>
     <l:tasks>
-      <l:task href="${rootURL}/" icon="icon-up icon-md" title="${%Back to Dashboard}"/>
-      <l:task href="${rootURL}/manage" icon="icon-gear2 icon-md" permission="${app.MANAGE}" title="${%Manage Jenkins}"/>
-      <l:task href="addUser" icon="icon-new-user icon-md" permission="${app.ADMINISTER}" title="${%Create User}"/>
+      <l:task href="${rootURL}/" icon="icon-up icon-md" title="${%Back to Dashboard}" />
+      <l:task href="${rootURL}/manage" icon="icon-gear2 icon-md" permission="${app.MANAGE}" title="${%Manage Jenkins}" />
+      <l:task href="addUser" icon="icon-new-user icon-md" permission="${app.ADMINISTER}" title="${%Create User}" />
     </l:tasks>
   </l:side-panel>
-</j:jelly>
\ No newline at end of file
+</j:jelly>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly
index 8daec8d38125220336aadd180767915648741af5..83f9eef9eccf084c0b7563a85eb976a8c9511d83 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly
@@ -26,6 +26,6 @@ THE SOFTWARE.
   User self sign up page.
 -->
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <local:_entryFormPage host="${app}" title="${%Sign up}" action="createAccountWithFederatedIdentity" captcha="${true}" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm" />
-</j:jelly>
\ No newline at end of file
+<j:jelly xmlns:j="jelly:core" xmlns:local="/hudson/security/HudsonPrivateSecurityRealm">
+  <local:_entryFormPage host="${app}" title="${%Sign up}" action="createAccountWithFederatedIdentity" captcha="${true}" data="${data}" />
+</j:jelly>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
index 59363c6d1cbd8ab070605305b08c8fbe96fe4253..a6f137e1a2aad75ae6b8a05da33d1ba048d37558 100644
--- a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
+++ b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
@@ -23,7 +23,7 @@ THE SOFTWARE.
 -->
 
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout">
   <l:layout norefresh="true">
     <l:hasPermission permission="${app.READ}" it="${app}">
       <st:include page="sidepanel.jelly" it="${app}" />
diff --git a/core/src/main/resources/hudson/security/SecurityRealm/signup.jelly b/core/src/main/resources/hudson/security/SecurityRealm/signup.jelly
index 9f054b876cfefab2dba382142585351494f3f8e8..3609d384055b227c3b3f794348a6adb2dc5d4dd8 100644
--- a/core/src/main/resources/hudson/security/SecurityRealm/signup.jelly
+++ b/core/src/main/resources/hudson/security/SecurityRealm/signup.jelly
@@ -22,7 +22,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout">
     <st:statusCode value="404" />
     <st:include page="sidepanel.jelly" from="${app}" it="${app}" />
     <l:layout title="${%Signup not supported}">
diff --git a/core/src/main/resources/lib/layout/hasPermission.jelly b/core/src/main/resources/lib/layout/hasPermission.jelly
index d42a5f96891822fca9e2a7440d0c4f87bc853ab8..6371acc38293bee570cb849b13e2fd710701b74c 100644
--- a/core/src/main/resources/lib/layout/hasPermission.jelly
+++ b/core/src/main/resources/lib/layout/hasPermission.jelly
@@ -26,7 +26,13 @@ THE SOFTWARE.
 <j:jelly xmlns:j="jelly:core" xmlns:d="jelly:define" xmlns:st="jelly:stapler">
   <st:documentation>
     Renders the body only if the current user has the specified permission
-    <st:attribute name="permission" use="required" type="Permission">
+    <st:attribute name="it" use="optional">
+      By default it will reuse the current context.
+      If the provided value does not inherit from hudson.security.AccessControlled, 
+      the tag will look for the first ancestor satisfying the condition.
+      The hasPermission will be performed against that value.
+    </st:attribute>
+    <st:attribute name="permission" use="required" type="hudson.security.Permission">
       permission object to check. If this is null, the body will be also rendered.
     </st:attribute>
   </st:documentation>
@@ -34,4 +40,4 @@ THE SOFTWARE.
   <j:if test="${h.hasPermission(it, permission)}">
     <d:invokeBody/>
   </j:if>
-</j:jelly>
\ No newline at end of file
+</j:jelly>
diff --git a/core/src/test/java/jenkins/util/xstream/XStreamDOMTest.java b/core/src/test/java/jenkins/util/xstream/XStreamDOMTest.java
index 3acf389a4249844334ffd5952128625c0f327ffb..a53dff38e295eb827184ef689f06818d4ff5a645 100644
--- a/core/src/test/java/jenkins/util/xstream/XStreamDOMTest.java
+++ b/core/src/test/java/jenkins/util/xstream/XStreamDOMTest.java
@@ -27,8 +27,11 @@ import hudson.util.XStream2;
 import org.apache.commons.io.IOUtils;
 import org.junit.Before;
 import org.junit.Test;
+import org.xmlunit.diff.DefaultNodeMatcher;
+import org.xmlunit.diff.ElementSelectors;
 
 import static org.junit.Assert.*;
+import static org.xmlunit.matchers.CompareMatcher.isSimilarTo;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -62,7 +65,8 @@ public class XStreamDOMTest {
         Foo foo = createSomeFoo();
         String xml = xs.toXML(foo);
         System.out.println(xml);
-        assertEquals(getTestData1().trim(), xml.trim());
+        assertThat(getTestData1().trim(), isSimilarTo(xml.trim()).ignoreWhitespace()
+                .withNodeMatcher(new DefaultNodeMatcher(ElementSelectors.byNameAndText)));
     }
 
     private String getTestData1() throws IOException {
@@ -100,7 +104,8 @@ public class XStreamDOMTest {
 
         String xml = xs.toXML(foo);
         System.out.println(xml);
-        assertEquals(getTestData1().trim(), xml.trim());
+        assertThat(getTestData1().trim(), isSimilarTo(xml.trim()).ignoreWhitespace()
+                .withNodeMatcher(new DefaultNodeMatcher(ElementSelectors.byNameAndText)));
     }
 
     @Test
diff --git a/pom.xml b/pom.xml
index ef8a27e010c9ce45d1e0ef91664d17e208a89762..4467f8b81f6239adde94d681d1376b4dd99e8979 100755
--- a/pom.xml
+++ b/pom.xml
@@ -407,6 +407,20 @@ THE SOFTWARE.
 	        <groupId>org.codehaus.mojo</groupId>
 	        <artifactId>animal-sniffer-maven-plugin</artifactId>
         </plugin>
+        <plugin>
+          <groupId>com.github.spotbugs</groupId>
+          <artifactId>spotbugs-maven-plugin</artifactId>
+          <configuration>
+            <plugins>
+              <plugin>
+                <groupId>com.h3xstream.findsecbugs</groupId>
+                <artifactId>findsecbugs-plugin</artifactId>
+                <version>1.10.1</version>
+              </plugin>
+            </plugins>
+            <maxHeap>768</maxHeap>
+          </configuration>
+        </plugin>
       </plugins>
     </pluginManagement>
 
diff --git a/src/findbugs/findbugs-excludes.xml b/src/findbugs/findbugs-excludes.xml
index 665871ffd14825e3722ccbb547db0e05171a6fe8..b7e091076a3205eeb8b3fcecc33b53aed34d11ac 100644
--- a/src/findbugs/findbugs-excludes.xml
+++ b/src/findbugs/findbugs-excludes.xml
@@ -13,4 +13,12 @@
       <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE"/>
     </Or>
   </Match>
+  <Match>
+    <!--We don't care about this behavior.-->
+    <Bug pattern="CRLF_INJECTION_LOGS"/>
+  </Match>
+  <Match>
+    <!--Jenkins handles this issue differently or doesn't care about it.-->
+    <Bug pattern="INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE"/>
+  </Match>
 </FindBugsFilter>
diff --git a/test/src/test/java/hudson/PluginManagerTest.java b/test/src/test/java/hudson/PluginManagerTest.java
index 57cd87d9f9753336c40b4eed7389c7b17013ff2f..bb9ce486b828ab27f85a6253ea1ab9060675533d 100644
--- a/test/src/test/java/hudson/PluginManagerTest.java
+++ b/test/src/test/java/hudson/PluginManagerTest.java
@@ -503,6 +503,18 @@ public class PluginManagerTest {
         }
     }
 
+    @Issue("JENKINS-61071")
+    @Test
+    public void requireSystemInInitializer() throws Exception {
+        r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
+        r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy());
+        String pluginShortName = "require-system-in-initializer";
+        dynamicLoad(pluginShortName + ".jpi");
+        try (ACLContext context = ACL.as(User.getById("underprivileged", true).impersonate())) {
+            r.jenkins.pluginManager.start(Collections.singletonList(r.jenkins.pluginManager.getPlugin(pluginShortName)));
+        }
+    }
+
     private void dynamicLoad(String plugin) throws IOException, InterruptedException, RestartRequiredException {
         PluginManagerUtil.dynamicLoad(plugin, r.jenkins);
     }
diff --git a/test/src/test/resources/plugins/require-system-in-initializer.jpi b/test/src/test/resources/plugins/require-system-in-initializer.jpi
new file mode 100644
index 0000000000000000000000000000000000000000..8c0aaf186cdf684b5279721818a996758e19ea76
Binary files /dev/null and b/test/src/test/resources/plugins/require-system-in-initializer.jpi differ
diff --git a/war/pom.xml b/war/pom.xml
index fa9d4986a7ba70f0a335582b8ec89d575f6565b4..1d33e2299e884221e8831c4310912f9bd718e8cc 100644
--- a/war/pom.xml
+++ b/war/pom.xml
@@ -360,7 +360,7 @@ THE SOFTWARE.
                 <artifactItem>
                   <groupId>org.jenkins-ci.plugins</groupId>
                   <artifactId>script-security</artifactId>
-                  <version>1.68</version>
+                  <version>1.70</version>
                   <type>hpi</type>
                 </artifactItem>
                 <artifactItem>
diff --git a/war/src/main/webapp/css/style.css b/war/src/main/webapp/css/style.css
index b57dfd5dc412c99a0f63ef37315e32a246270ecd..252c86423b144e28c5c0d17c02212624eea2517a 100644
--- a/war/src/main/webapp/css/style.css
+++ b/war/src/main/webapp/css/style.css
@@ -522,6 +522,10 @@ table.bigtable.pane > tbody > tr > td:last-child {
   white-space: nowrap;
 }
 
+.bigtable th.minimum-width {
+  width: 1px;
+}
+
 .bigtable td {
   vertical-align: middle;
   padding: 3px 4px 3px 4px;