Hi all,

I have created two tickets [1][2] to track the fixes for security vulnerabilities reported by Sonar.

Thanks & Regards.

[1] https://issues.apache.org/jira/browse/FINERACT-436
[2] https://issues.apache.org/jira/browse/FINERACT-437
On Fri, Apr 21, 2017 at 10:31 AM, Thisura Philips <[email protected]> wrote:
> Hi all,
>
> As per the long discussion in the thread "[Mifos-developer] Application for GSOC 2017( Static Analysis of Apache Fineract )", I have
>
> * done the static analysis with SonarQube
> * generated the vulnerability report - sonarlint report [1] <https://drive.google.com/open?id=0B6WV3fK5Tak7Uy1uOWk0SW81Wm8>, sonarqube report [2] <https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c>
> * summarized [3] <https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U> the types of vulnerabilities,
> * attended each of those vulnerabilities to check whether they are not false positives and
> * prepared the checklist [4] <https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4> of vulnerabilities with fixes
>
> All the reports which are generated using different plugins, tools can be found here [5] <https://drive.google.com/open?id=0B6WV3fK5Tak7ZVJkVGV3WVZ3OE0>.
>
> Now we can go ahead and do the necessary changes to fix the reported vulnerabilities in the codebase. I am looking forward to creating tickets for each type of issue reported in the summary.
>
> We need to verify the problems (vulnerabilities [4] <https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4>) and solutions that I have suggested in the summary [3] <https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U>.
>
> According to the findings [4] <https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4>, I will create two tickets for co-related fixes for each topic (type of vulnerability) such as
>
> * Mutable fields should not be "public static" && "enum" fields should not be publicly mutable && "public static" fields should be constant
> * Generic exceptions should never be thrown && Throwable and Error should not be caught
>
> Expect the community ideas regarding this to validate the suggested solutions.
>
> [1] https://drive.google.com/open?id=0B6WV3fK5Tak7Uy1uOWk0SW81Wm8
> [2] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c
> [3] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
> [4] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
> [5] https://drive.google.com/open?id=0B6WV3fK5Tak7ZVJkVGV3WVZ3OE0
>
> Thanks & regards
> --
> T.T.C Philips (BSc.Eng (Undergrad))
> Computer Science and Engineering,
> Sri Lanka Institute of Information Technology(SLIIT)

--
T.T.C Philips (BSc.Eng (Undergrad))
Computer Science and Engineering,
Sri Lanka Institute of Information Technology(SLIIT)
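The two rule families listed in the quoted mail (mutable "public static" / publicly mutable enum fields, and generic exceptions / catching Throwable) are easier to review with a before-and-after side by side. The following is a constructed illustration added here; it is not Apache Fineract code and does not reproduce any of the findings in the linked reports. All class, field and method names (SonarRuleExamples, AccountStatus, parseAmount, InvalidAmountException, and so on) are hypothetical.

```java
// Constructed illustration of the two SonarQube rule families named in the thread.
// Not Apache Fineract code; every identifier below is hypothetical.
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public final class SonarRuleExamples {

    // --- Rule family 1: mutable "public static" fields and publicly mutable enum fields ---

    // Flagged form: any class in the JVM can replace or edit the shared array/list,
    // so one component can silently change an authorisation decision made by another.
    static final class BeforeFields {
        public static String[] ALLOWED_ROLES = {"ADMIN", "USER"};
        public static List<String> SUPPORTED_CURRENCIES = Arrays.asList("USD", "EUR");
    }

    // Flagged form: the enum constant carries a public, non-final field, so
    // AccountStatusBefore.ACTIVE.label can be overwritten at runtime.
    enum AccountStatusBefore {
        ACTIVE, CLOSED;
        public String label = name().toLowerCase();
    }

    // Fixed form: private static final references to unmodifiable collections,
    // exposed through read-only accessors. A caller that tries to mutate the
    // returned list gets an UnsupportedOperationException instead of changing state.
    static final class AfterFields {
        private static final List<String> ALLOWED_ROLES =
                Collections.unmodifiableList(Arrays.asList("ADMIN", "USER"));
        private static final List<String> SUPPORTED_CURRENCIES =
                Collections.unmodifiableList(Arrays.asList("USD", "EUR"));

        static List<String> allowedRoles() { return ALLOWED_ROLES; }
        static List<String> supportedCurrencies() { return SUPPORTED_CURRENCIES; }
    }

    // Fixed form: the enum field is private and final, initialised once via the constructor.
    enum AccountStatus {
        ACTIVE("active"), CLOSED("closed");
        private final String label;
        AccountStatus(String label) { this.label = label; }
        String label() { return label; }
    }

    // --- Rule family 2: generic exceptions thrown, Throwable/Error caught ---

    // Flagged form: "throws Exception" tells callers nothing about what can fail, and
    // "catch (Throwable t)" also swallows Errors such as OutOfMemoryError, leaving the
    // process running in an unknown state with the real cause discarded.
    static final class BeforeExceptions {
        static int parseAmount(String raw) throws Exception {
            try {
                return Integer.parseInt(raw);
            } catch (Throwable t) {
                throw new Exception("bad amount");
            }
        }
    }

    // Fixed form: catch only the specific exception this code can handle and rethrow a
    // domain-specific exception that keeps the original cause for diagnostics.
    static final class AfterExceptions {
        static final class InvalidAmountException extends RuntimeException {
            InvalidAmountException(String message, Throwable cause) { super(message, cause); }
        }

        static int parseAmount(String raw) {
            try {
                return Integer.parseInt(raw);
            } catch (NumberFormatException e) {
                throw new InvalidAmountException("Amount is not a valid integer: " + raw, e);
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("roles: " + AfterFields.allowedRoles());
        try {
            AfterFields.allowedRoles().add("GUEST");   // rejected: the list is unmodifiable
        } catch (UnsupportedOperationException e) {
            System.out.println("mutation rejected: " + e.getClass().getSimpleName());
        }
        System.out.println("status label: " + AccountStatus.ACTIVE.label());
        System.out.println("parsed: " + AfterExceptions.parseAmount("42"));
        try {
            AfterExceptions.parseAmount("4x2");
        } catch (AfterExceptions.InvalidAmountException e) {
            System.out.println("rejected: " + e.getMessage() + " (cause: "
                    + e.getCause().getClass().getSimpleName() + ")");
        }
    }
}
```

When triaging the Sonar findings, the check that separates a real fix from a cosmetic one is whether the shared state is still reachable for mutation after the change: marking a field `final` alone does not help when the referenced array or list is itself mutable, which is why the fixed form wraps the collection and hides the field behind an accessor.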
