github-code-scanning[bot] commented on code in PR #2631:
URL: https://github.com/apache/drill/pull/2631#discussion_r962323314


##########
contrib/udfs/src/main/java/org/apache/drill/exec/udfs/CryptoFunctions.java:
##########
@@ -285,7 +285,7 @@
         keyByteArray = java.util.Arrays.copyOf(keyByteArray, 16);
         javax.crypto.spec.SecretKeySpec secretKey = new 
javax.crypto.spec.SecretKeySpec(keyByteArray, "AES");
 
-        javax.crypto.Cipher cipher = 
javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding"); // lgtm 
[java/weak-cryptographic-algorithm]
+        javax.crypto.Cipher cipher = 
javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");
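Review bot: Deleting the `// lgtm [java/weak-cryptographic-algorithm]` marker on the `-`/`+` pair does not resolve the finding; the `+` line still requests `AES/ECB/PKCS5Padding`, so the cipher keeps running in ECB mode, where equal plaintext blocks produce equal ciphertext blocks and nothing authenticates the data. Consider switching to an authenticated mode such as `AES/GCM/NoPadding` with a fresh random nonce per call (stored alongside the ciphertext and consumed by the matching decrypt path), and note that the context line `keyByteArray = java.util.Arrays.copyOf(keyByteArray, 16);` silently truncates or zero-pads whatever key bytes were supplied to 128 bits, which deserves either a comment documenting that behaviour or a proper key-derivation step.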

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/ECB/PKCS5Padding](1) is weak and should not be used.
   
   [Show more details](https://github.com/apache/drill/security/code-scanning/35)



##########
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/CredentialResources.java:
##########
@@ -269,7 +269,7 @@
   }
 
   private JsonResult message(String message, Object... args) {
-    return new JsonResult(String.format(message, args)); // lgtm 
[java/tainted-format-string]
+    return new JsonResult(String.format(message, args));
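Review bot: Removing the `// lgtm [java/tainted-format-string]` suppression leaves the underlying problem in place: in `return new JsonResult(String.format(message, args));` the `message` parameter is still used as the format template, so if a caller passes a value derived from request input, any `%` directives in it are interpreted by `String.format` and can throw (for example `java.util.MissingFormatArgumentException` when a `%s` has no matching argument) or change the rendered output. Either restrict `message(...)` to trusted literal templates and keep user-supplied pieces in `args`, or, for callers that only need to echo text, format it as an argument with `String.format("%s", message)` rather than as the template.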

Review Comment:
   ## Use of externally-controlled format string
   
   [User-provided value](1) flows to here and is used in a format string.
   [User-provided value](2) flows to here and is used in a format string.
   
   [Show more details](https://github.com/apache/drill/security/code-scanning/29)



##########
contrib/udfs/src/main/java/org/apache/drill/exec/udfs/CryptoFunctions.java:
##########
@@ -336,7 +336,7 @@
         keyByteArray = java.util.Arrays.copyOf(keyByteArray, 16);
         javax.crypto.spec.SecretKeySpec secretKey = new 
javax.crypto.spec.SecretKeySpec(keyByteArray, "AES");
 
-        javax.crypto.Cipher cipher = 
javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding"); // lgtm 
[java/weak-cryptographic-algorithm]
+        javax.crypto.Cipher cipher = 
javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");
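Review bot: Same concern as the hunk at line 285 of this file: only the `// lgtm [java/weak-cryptographic-algorithm]` comment is removed, while the `+` line still selects `AES/ECB/PKCS5Padding`, so the scanner finding remains valid. Whatever mode replaces ECB here must be changed in lockstep with the other `Cipher.getInstance` call in this file, otherwise data produced by one path will no longer be readable by the other; if both paths share the key-preparation code (`java.util.Arrays.copyOf(keyByteArray, 16)` appears in both contexts), extracting it into one helper would keep the two in sync.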

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/ECB/PKCS5Padding](1) is weak and should not be used.
   
   [Show more details](https://github.com/apache/drill/security/code-scanning/36)



##########
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/StorageResources.java:
##########
@@ -343,7 +343,7 @@
   }
 
   private JsonResult message(String message, Object... args) {
-    return new JsonResult(String.format(message, args));  // lgtm 
[java/tainted-format-string]
+    return new JsonResult(String.format(message, args));
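Review bot: This hunk has the same issue as the identical `message(String message, Object... args)` helper in `CredentialResources.java`: stripping the `// lgtm [java/tainted-format-string]` marker changes nothing about `String.format(message, args)` using a possibly user-derived `message` as the format template. Since the two helpers are byte-for-byte the same, fix them the same way (trusted literal templates only, with user-supplied text passed through `args` or via `String.format("%s", message)`), or move the helper into a shared utility so the fix cannot drift between the two REST resources.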

Review Comment:
   ## Use of externally-controlled format string
   
   [User-provided value](1) flows to here and is used in a format string.
   [User-provided value](2) flows to here and is used in a format string.
   
   [Show more details](https://github.com/apache/drill/security/code-scanning/23)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@drill.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org