Hi all,

As per the long discussion in the thread "[Mifos-developer] Application for GSOC 2017 (Static Analysis of Apache Fineract)", I have

* done the static analysis with SonarQube,
* generated the vulnerability reports: the SonarLint report [1] and the SonarQube report [2],
* summarized the types of vulnerabilities [3],
* checked each of those vulnerabilities to confirm that they are not false positives, and
* prepared the checklist of vulnerabilities with fixes [4].

All the reports generated using the different plugins and tools can be found here [5].

Now we can go ahead and make the necessary changes to fix the reported vulnerabilities in the codebase. I am looking forward to creating tickets for each type of issue reported in the summary. We need to verify the problems (vulnerabilities [4]) and the solutions that I have suggested in the summary [3].

According to the findings [4], I will create two tickets for co-related fixes for each topic (type of vulnerability), such as

* Mutable fields should not be "public static" && "enum" fields should not be publicly mutable && "public static" fields should be constant
* Generic exceptions should never be thrown && Throwable and Error should not be caught

I expect community ideas regarding this to validate the suggested solutions.
[1] https://drive.google.com/open?id=0B6WV3fK5Tak7Uy1uOWk0SW81Wm8
[2] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c
[3] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
[4] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
[5] https://drive.google.com/open?id=0B6WV3fK5Tak7ZVJkVGV3WVZ3OE0

Thanks & regards
--
T.T.C Philips (BSc.Eng (Undergrad))
Computer Science and Engineering, Sri Lanka Institute of Information Technology (SLIIT)
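The two ticket groups in the message above name five SonarQube rule categories. The following is an added illustration, not code from Apache Fineract or from the reports linked in the message: for each category it shows a "before" that the rule would flag beside the "after" that the proposed fix produces. All class, enum and method names (`Before`, `After`, `BeforeStatus`, `AfterStatus`, `parseAmountBefore`, `InvalidAmountException`, and so on) are hypothetical and exist only to make the patterns concrete.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration (not Fineract code). Names here are hypothetical.
// Each "before" is a pattern the listed SonarQube rules flag; each "after"
// is the shape the corresponding fix leaves behind.
public final class SonarFindingsExample {

    // --- Mutable fields should not be "public static" /
    //     "public static" fields should be constant ---

    // before: any class in the JVM can reassign the reference or mutate the set,
    // and the non-final int can be changed at runtime by unrelated code
    static class Before {
        public static Set<String> ALLOWED_TYPES = new HashSet<>();
        public static int retryLimit = 3;
    }

    // after: the reference is final, the contents are unmodifiable, and the
    // scalar is a genuine constant (final, upper-case, never reassigned)
    static class After {
        public static final Set<String> ALLOWED_TYPES =
                Collections.unmodifiableSet(new HashSet<>(List.of("loan", "savings")));
        public static final int RETRY_LIMIT = 3;
    }

    // --- "enum" fields should not be publicly mutable ---

    // before: enum constants are singletons, so a public mutable field is
    // effectively global mutable state shared by every caller
    enum BeforeStatus {
        ACTIVE, CLOSED;
        public String label;
    }

    // after: the field is private final and set once in the constructor
    enum AfterStatus {
        ACTIVE("Active"), CLOSED("Closed");
        private final String label;
        AfterStatus(String label) { this.label = label; }
        public String label() { return label; }
    }

    // --- Generic exceptions should never be thrown ---

    // before: throwing java.lang.Exception hides what actually went wrong and
    // forces every caller to catch Exception, which also swallows unrelated failures
    static long parseAmountBefore(String raw) throws Exception {
        if (raw == null || raw.isEmpty()) {
            throw new Exception("amount missing");
        }
        return Long.parseLong(raw);
    }

    // after: a specific, documented exception type for this failure mode
    static final class InvalidAmountException extends Exception {
        InvalidAmountException(String message) { super(message); }
        InvalidAmountException(String message, Throwable cause) { super(message, cause); }
    }

    static long parseAmountAfter(String raw) throws InvalidAmountException {
        if (raw == null || raw.isEmpty()) {
            throw new InvalidAmountException("amount missing");
        }
        try {
            return Long.parseLong(raw);
        } catch (NumberFormatException e) {
            throw new InvalidAmountException("not a number: " + raw, e);
        }
    }

    // --- Throwable and Error should not be caught ---

    // before: catch (Throwable) also catches OutOfMemoryError, StackOverflowError
    // and other Errors, so the process keeps running on a JVM that is already broken
    static long safeParseBefore(String raw) {
        try {
            return parseAmountBefore(raw);
        } catch (Throwable t) {
            return -1;
        }
    }

    // after: catch only the checked exception the callee is documented to throw;
    // Errors and unexpected RuntimeExceptions propagate as they should
    static long safeParseAfter(String raw) {
        try {
            return parseAmountAfter(raw);
        } catch (InvalidAmountException e) {
            return -1;
        }
    }

    public static void main(String[] args) {
        Before.ALLOWED_TYPES.add("anything");      // compiles and succeeds: the set is wide open
        // After.ALLOWED_TYPES.add("anything");    // would throw UnsupportedOperationException
        System.out.println(safeParseAfter("1500"));
        System.out.println(safeParseAfter("abc"));
    }
}
```

The ordering of the two ticket groups matters when applying fixes of this kind across a codebase: replacing `throw new Exception(...)` with specific types first lets the later `catch (Throwable)` / `catch (Exception)` sites be narrowed to exactly the types the callee now declares, rather than guessing.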
