On Sep 5, 2014, at 3:00 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
> H,
>
> We are not anywhere near perfect (or arguably good) but according to
> Coverity we are improving:
> <q>
> *3.17*
> Defect Density
> </q>
> However:
> <q>Defect changes since previous build dated Aug 29, 2014
> *8* Newly detected
> *0* Eliminated
> </q>
> and
> <q>Defects by status for current build
> *2,961* Total defects
> *1,395* Outstanding
> *75* Dismissed
> *1,491* Fixed
> </q>
> Let's keep it up, all.
> FWIW, there is a Coverity Scan Travis add-on …so technically we could run
> Coverity on every commit…if everyone is bored and does not know what to do
> next :)
>
>
> On Fri, Sep 5, 2014 at 2:07 PM, <scan-ad...@coverity.com> wrote:
>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to cloudstack
>> found with Coverity Scan.
>>
>> Defect(s) Reported-by: Coverity Scan
>> Showing 8 of 8 defect(s)
>>
>>
>> ** CID 1237195:  Dereference null return value  (NULL_RETURNS)
>> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO, java.util.List)()
>>
>> ** CID 1237196:  Dereference null return value  (NULL_RETURNS)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>>
>> ** CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>>
>> ** CID 1232335:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>>
>> ** CID 1232337:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>>
>> ** CID 1232336:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>>
>> ** CID 1232334:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>>
>> ** CID 1232333:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1237195:  Dereference null return value  (NULL_RETURNS)
>> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO, java.util.List)()
>> 299         SslCertResponse response = new SslCertResponse();
>> 300
>> 301         Account account = _accountDao.findByIdIncludingRemoved(cert.getAccountId());
>> 302         if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
>> 303             // find the project
>> 304             Project project = _projectMgr.findByProjectAccountIdIncludingRemoved(account.getId());
>> >>>     CID 1237195:  Dereference null return value  (NULL_RETURNS)
>> >>>     Calling a method on null object "project".
>> 305             response.setProjectId(project.getUuid());
>> 306             response.setProjectName(project.getName());
>> 307         } else {
>> 308             response.setAccountName(account.getAccountName());
>> 309         }
>> 310
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1237196:  Dereference null return value  (NULL_RETURNS)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>> 214     public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
>> 215             throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
>> 216         String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
>> 217         Signature signature = Signature.getInstance("SHA1withRSA");
>> 218         signature.initSign(signingKey);
>> 219         signature.update(url.getBytes());
>> >>>     CID 1237196:  Dereference null return value  (NULL_RETURNS)
>> >>>     Dereferencing a pointer that might be null "org.opensaml.xml.util.Base64.encodeBytes(signature.sign(), 8)" when calling "java.net.URLEncoder.encode(java.lang.String, java.lang.String)".
>> 220         return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
>> 221     }
>> 222
>> 223     public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
>> 224         Security.addProvider(new BouncyCastleProvider());
>> 225         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>> 214     public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
>> 215             throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
>> 216         String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
>> 217         Signature signature = Signature.getInstance("SHA1withRSA");
>> 218         signature.initSign(signingKey);
>> 219         signature.update(url.getBytes());
>> >>>     CID 1237196:  Dereference null return value  (NULL_RETURNS)
>> >>>     Dereferencing a pointer that might be null "org.opensaml.xml.util.Base64.encodeBytes(signature.sign(), 8)" when calling "java.net.URLEncoder.encode(java.lang.String, java.lang.String)".
>> 220         return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
>> 221     }
>> 222
>> 223     public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
>> 224         Security.addProvider(new BouncyCastleProvider());
>> 225         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>> 213
>> 214     public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
>> 215             throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
>> 216         String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
>> 217         Signature signature = Signature.getInstance("SHA1withRSA");
>> 218         signature.initSign(signingKey);
>> >>>     CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
>> >>>     Found reliance on default encoding: String.getBytes()
>> 219         signature.update(url.getBytes());
>> 220         return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
>> 221     }
>> 222
>> 223     public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
>> 224         Security.addProvider(new BouncyCastleProvider());
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1232335:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>> 445
>> 446     public static void endResponse(HttpServletResponse response, String content) {
>> 447         try {
>> 448             byte[] data = content.getBytes();
>> 449             response.setContentLength(data.length);
>> 450             OutputStream os = response.getOutputStream();
>> >>>     CID 1232335:  Cross-site scripting  (XSS)
>> >>>     Printing to HTML output.
>> 451             os.write(data);
>> 452             os.close();
>> 453         } catch (Throwable e) {
>> 454             logger.error("Unexpected exception " + e.getMessage(), e);
>> 455         }
>> 456     }
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>> 445
>> 446     public static void endResponse(HttpServletResponse response, String content) {
>> 447         try {
>> 448             byte[] data = content.getBytes();
>> 449             response.setContentLength(data.length);
>> 450             OutputStream os = response.getOutputStream();
>> >>>     CID 1232335:  Cross-site scripting  (XSS)
>> >>>     Printing to HTML output.
>> 451             os.write(data);
>> 452             os.close();
>> 453         } catch (Throwable e) {
>> 454             logger.error("Unexpected exception " + e.getMessage(), e);
>> 455         }
>> 456     }
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1232337:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>> 445
>> 446     public static void endResponse(HttpServletResponse response, String content) {
>> 447         try {
>> 448             byte[] data = content.getBytes();
>> 449             response.setContentLength(data.length);
>> 450             OutputStream os = response.getOutputStream();
>> >>>     CID 1232337:  Cross-site scripting  (XSS)
>> >>>     Printing to HTML output.
>> 451             os.write(data);
>> 452             os.close();
>> 453         } catch (Throwable e) {
>> 454             logger.error("Unexpected exception " + e.getMessage(), e);
>> 455         }
>> 456     }
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1232336:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>> 445
>> 446     public static void endResponse(HttpServletResponse response, String content) {
>> 447         try {
>> 448             byte[] data = content.getBytes();
>> 449             response.setContentLength(data.length);
>> 450             OutputStream os = response.getOutputStream();
>> >>>     CID 1232336:  Cross-site scripting  (XSS)
>> >>>     Printing to HTML output.
>> 451             os.write(data);
>> 452             os.close();
>> 453         } catch (Throwable e) {
>> 454             logger.error("Unexpected exception " + e.getMessage(), e);
>> 455         }
>> 456     }
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1232334:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>> 445
>> 446     public static void endResponse(HttpServletResponse response, String content) {
>> 447         try {
>> 448             byte[] data = content.getBytes();
>> 449             response.setContentLength(data.length);
>> 450             OutputStream os = response.getOutputStream();
>> >>>     CID 1232334:  Cross-site scripting  (XSS)
>> >>>     Printing to HTML output.
>> 451             os.write(data);
>> 452             os.close();
>> 453         } catch (Throwable e) {
>> 454             logger.error("Unexpected exception " + e.getMessage(), e);
>> 455         }
>> 456     }
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1232333:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>> 445
>> 446     public static void endResponse(HttpServletResponse response, String content) {
>> 447         try {
>> 448             byte[] data = content.getBytes();
>> 449             response.setContentLength(data.length);
>> 450             OutputStream os = response.getOutputStream();
>> >>>     CID 1232333:  Cross-site scripting  (XSS)
>> >>>     Printing to HTML output.
>> 451             os.write(data);
>> 452             os.close();
>> 453         } catch (Throwable e) {
>> 454             logger.error("Unexpected exception " + e.getMessage(), e);
>> 455         }
>> 456     }
>>
>>
>> ________________________________________________________________________________________________________
>> To view the defects in Coverity Scan visit,
>> http://scan.coverity.com/projects/943?tab=overview
>>
>> To unsubscribe from the email notification for new defects,
>> http://scan5.coverity.com/cgi-bin/unsubscribe.py
>>
>
>
> --
> Daan
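Editor's added example (not CloudStack code, and not part of the thread above): the three patterns the Coverity report flags, written the way a reviewer would ask for them to be fixed. `generateSAMLRequestSignature` keeps the report's `SHA1withRSA` and shape but signs an explicitly UTF-8-encoded string (the `FB.DM_DEFAULT_ENCODING` finding) and uses `java.util.Base64`, which cannot return null, in place of `org.opensaml.xml.util.Base64.encodeBytes`, which the report says may (the `NULL_RETURNS` finding); `requireFound` is the generic null check the `createCertResponse` snippet lacks after its project lookup; `endResponse` writes with an explicit charset and declares its content type so a browser cannot sniff the body as HTML, with `escapeXml` for any caller-supplied value placed in that body. Assumptions: the class and helper names are invented, `SIG_ALG_URI` stands in for the project's `SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1`, and the `application/xml` content type reflects S3-style REST bodies; the sample inputs in `main` are constructed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;
import javax.servlet.http.HttpServletResponse;

// Added example, not CloudStack code. Names below are invented for illustration.
public final class CoverityFindingsHardened {

    // Assumed stand-in for SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1 (the XML-DSig RSA-SHA1 URI).
    private static final String SIG_ALG_URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    /** CID 1237196 / 1237197: explicit charset for the signed bytes; encoder that never returns null. */
    public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
            throws GeneralSecurityException, UnsupportedEncodingException {
        String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SIG_ALG_URI, "UTF-8");
        Signature signature = Signature.getInstance("SHA1withRSA"); // kept as in the report
        signature.initSign(signingKey);
        // getBytes(charset), not getBytes(): the platform default could differ between
        // the signer and the IdP that verifies, silently breaking signature checks.
        signature.update(url.getBytes(StandardCharsets.UTF_8));
        byte[] sig = signature.sign();
        // java.util.Base64 (Java 8+) replaces org.opensaml.xml.util.Base64.encodeBytes here;
        // it cannot return null, so there is no unchecked dereference in the next call.
        String encoded = Base64.getEncoder().encodeToString(sig);
        return URLEncoder.encode(encoded, "UTF-8");
    }

    /** CID 1237195 pattern: a DAO lookup that can return null is checked before use,
     *  so a removed or inconsistent record fails loudly instead of as a later NPE. */
    public static <T> T requireFound(T entity, String what, long id) {
        if (entity == null) {
            throw new IllegalStateException(what + " " + id + " not found");
        }
        return entity;
    }

    /** CID 1232333-1232337: explicit charset, declared content type, no swallowed Throwable. */
    public static void endResponse(HttpServletResponse response, String content) throws IOException {
        byte[] data = content.getBytes(StandardCharsets.UTF_8);
        response.setContentType("application/xml; charset=UTF-8"); // assumed: S3-style XML body
        response.setHeader("X-Content-Type-Options", "nosniff");   // stop browsers re-typing it as HTML
        response.setContentLength(data.length);
        OutputStream os = response.getOutputStream();
        os.write(data);
        os.flush(); // let the container close the stream; an IOException propagates to the caller
    }

    /** Escape the five XML special characters so untrusted text (bucket names, keys,
     *  prefixes) cannot break out of the element it is written into. */
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key
        // Constructed sample query string; a real one carries a deflated, base64 SAMLRequest.
        String query = "SAMLRequest=" + URLEncoder.encode("example-request", "UTF-8") + "&RelayState=abc";
        System.out.println("Signature=" + generateSAMLRequestSignature(query, kp.getPrivate()));
        // Constructed sample bucket name with XML metacharacters.
        System.out.println("<Name>" + escapeXml("my<bucket>&name") + "</Name>");
        System.out.println(requireFound("project-row", "project", 42L));
    }
}
```

The `requireFound` call belongs right after `_projectMgr.findByProjectAccountIdIncludingRemoved(...)` in the flagged snippet; the alternative of falling back to the account name silently hides a data inconsistency that a 500 with a logged id would surface. For the XSS findings, the encoding fix alone does not satisfy Coverity: the sink it reports is the write, and the fix it expects is that every value reaching `content` has gone through `escapeXml` (or an equivalent serializer) at the point it is built.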