Thisura created FINERACT-437:
--------------------------------
Summary: Fix security vulnerabilities of using generic exceptions
and catching throwable and errors
Key: FINERACT-437
URL: https://issues.apache.org/jira/browse/FINERACT-437
Project: Apache Fineract
Issue Type: Bug
Components: Accounting, Organization
Reporter: Thisura
Assignee: Markus Geiss
Priority: Minor
There are two types of vulnerabilities related to exceptions reported by Sonar:
1. Generic exceptions should never be thrown
[MITRE, CWE-397|http://cwe.mitre.org/data/definitions/397.html] - Declaration
of Throws for Generic Exception
2. Throwable and Error should not be caught
[MITRE, CWE-396|http://cwe.mitre.org/data/definitions/396.html] - Declaration
of Catch for Generic Exception
[CERT, ERR07-J|https://www.securecoding.cert.org/confluence/x/BoB3AQ] - Do not
throw RuntimeException, Exception, or Throwable
The rationale behind these vulnerabilities is explained in the above links. The
proposed solutions are as follows.
1. Generic exceptions should never be thrown => Define and throw a dedicated
exception instead of using a generic one.
2. Throwable and Error should not be caught => Catch Exception instead of
Throwable.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
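As an added illustration (not code from the Fineract tree; the class names are hypothetical), the two patterns Sonar flags here are shown beside the shape the proposed fixes lead to: a dedicated exception type instead of a generic `throws Exception`, and a `catch (Exception)` at the boundary instead of `catch (Throwable)`, so that JVM `Error`s are no longer swallowed.

```java
// Added example, not Fineract code. JournalEntryPoster* and
// InvalidJournalAmountException are hypothetical names.

// --- BEFORE: both Sonar findings in one class ---------------------------
class JournalEntryPosterBefore {
    // CWE-397: the generic Exception hides what can actually go wrong
    void post(long accountId, long amountInCents) throws Exception {
        if (amountInCents <= 0) {
            throw new Exception("amount must be positive");
        }
    }

    boolean tryPost(long accountId, long amountInCents) {
        try {
            post(accountId, amountInCents);
            return true;
        } catch (Throwable t) { // CWE-396: also swallows OutOfMemoryError etc.
            return false;
        }
    }
}

// --- AFTER: dedicated exception; only Exception (not Throwable) is caught --
class InvalidJournalAmountException extends RuntimeException {
    private final long amountInCents;

    InvalidJournalAmountException(long amountInCents) {
        super("journal amount must be positive, got " + amountInCents);
        this.amountInCents = amountInCents;
    }

    long getAmountInCents() { return amountInCents; }
}

class JournalEntryPosterAfter {
    // No generic throws clause: callers see the specific type in the Javadoc
    void post(long accountId, long amountInCents) {
        if (amountInCents <= 0) {
            throw new InvalidJournalAmountException(amountInCents);
        }
    }

    boolean tryPost(long accountId, long amountInCents) {
        try {
            post(accountId, amountInCents);
            return true;
        } catch (Exception e) { // Errors such as OutOfMemoryError now propagate
            return false;
        }
    }
}
```

A caller that needs to react to the domain failure can narrow the catch further to `InvalidJournalAmountException`, which the generic `throws Exception` declaration made impossible.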