[ https://issues.apache.org/jira/browse/FINERACT-436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15990008#comment-15990008 ]

ASF GitHub Bot commented on FINERACT-436:
-----------------------------------------

GitHub user ThisuraThejith opened a pull request:

    https://github.com/apache/incubator-fineract/pull/343

    FINERACT-436 Fixed CWE582,CWE607 issues in account and infrastructure modules

    See the updated security analysis document at [1]
    
    [1] https://docs.google.com/spreadsheets/d/1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4/

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ThisuraThejith/incubator-fineract FINERACT-436

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-fineract/pull/343.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #343
    
----
commit 1b8e7d2ac15e3a11c8c41d26974d3cddf182fca7
Author: ThisuraThejith <[email protected]>
Date:   2017-04-29T18:42:13Z

    Fixed CWE582, CWE607 issues in account and infrastructure modules

----


> Fix security vulnerabilities related to using public mutable and nonconstant fields
> -----------------------------------------------------------------------------------
>
>                 Key: FINERACT-436
>                 URL: https://issues.apache.org/jira/browse/FINERACT-436
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Accounting, Organization
>            Reporter: Thisura
>            Assignee: Markus Geiss
>
> There are multiple security vulnerabilities found in fineract-provider as described in this report [1].
> There are four types of vulnerabilities related to using public mutable and nonconstant fields.
> 1. Mutable fields should not be "public static"
>      * MITRE, CWE-582 - Array Declared Public, Final, and Static
>      * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 2. "static final" arrays should be "private"
>      * MITRE, CWE-582 - Array Declared Public, Final, and Static
>      * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 3. "public static" fields should be constant
>      * MITRE, CWE-500 - Public Static Field Not Marked Final
>      * CERT OBJ10-J - Do not use public static nonfinal variable
> 4. "enum" fields should not be publicly mutable
> The reported incident of type 2 is considered to be a false positive. Types 1, 3 and 4 are present as described in the report [1].
> The proposed solutions [2] are as follows (solutions are respective to each vulnerability type above).
> 1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class, move them to a separate class and lower the visibility.
> 2. "static final" arrays should be "private" => Make the arrays private
> 3. "public static" fields should be constant => Make the respective field final
> 4. "enum" fields should not be publicly mutable => Lower the visibility of the setter. Remove it altogether.
> [1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
> [2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
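As an added illustration of the four patterns the issue lists (this is not code from Fineract or from this pull request; the class, field and enum names are hypothetical), the following Java shows each flagged declaration next to the form the proposed solutions describe, with a `main` that exercises both. The point it makes is that `final` on a `static` field only pins the reference: a public list, array or enum field behind it is still process-wide mutable state, and the remedies (private field plus accessor, unmodifiable view, `final` constant, no setter) are what remove the write path.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not Fineract code: each of the four field patterns named in
 * FINERACT-436, shown first as the flagged form and then as the fixed form the
 * issue proposes. All class, field and enum names here are hypothetical.
 */
public class PublicMutableFieldsExample {

    /** Flagged forms: any class on the classpath can change this shared state. */
    static class Flagged {
        // Type 1 / CWE-607: "final" pins the reference, not the contents of the list.
        public static final List<String> ALLOWED_CURRENCIES =
                new ArrayList<>(Arrays.asList("USD", "EUR"));
        // Type 2 / CWE-582: a public static final array is still writable element by element.
        public static final String[] SUPPORTED_LOCALES = {"en", "fr"};
        // Type 3 / CWE-500: public static but not final, so it is plain global mutable state.
        public static int maxRetries = 3;
    }

    /** Fixed forms: read access is preserved, write access is removed. */
    static class Fixed {
        // Unmodifiable view: add/remove throws UnsupportedOperationException.
        public static final List<String> ALLOWED_CURRENCIES =
                Collections.unmodifiableList(Arrays.asList("USD", "EUR"));
        // Private array with a defensive copy handed out on read.
        private static final String[] SUPPORTED_LOCALES = {"en", "fr"};
        public static String[] supportedLocales() {
            return SUPPORTED_LOCALES.clone();
        }
        // Constant made final; assignment is now a compile-time error.
        public static final int MAX_RETRIES = 3;
    }

    // Type 4: enum constants are singletons, so a public setter changes the value for every user.
    enum FlaggedStatus {
        ACTIVE(300);
        private int code;
        FlaggedStatus(int code) { this.code = code; }
        public int getCode() { return code; }
        public void setCode(int code) { this.code = code; }
    }

    // Fixed: final field and no setter at all.
    enum FixedStatus {
        ACTIVE(300);
        private final int code;
        FixedStatus(int code) { this.code = code; }
        public int getCode() { return code; }
    }

    public static void main(String[] args) {
        // Writes that succeed against the flagged forms and are visible to every other caller.
        Flagged.ALLOWED_CURRENCIES.add("XXX");
        Flagged.SUPPORTED_LOCALES[0] = "xx";
        Flagged.maxRetries = 0;
        FlaggedStatus.ACTIVE.setCode(0);
        System.out.println("flagged currencies:  " + Flagged.ALLOWED_CURRENCIES);
        System.out.println("flagged locales:     " + Arrays.toString(Flagged.SUPPORTED_LOCALES));
        System.out.println("flagged maxRetries:  " + Flagged.maxRetries);
        System.out.println("flagged ACTIVE code: " + FlaggedStatus.ACTIVE.getCode());

        // The same writes against the fixed forms either fail or only touch a private copy.
        try {
            Fixed.ALLOWED_CURRENCIES.add("XXX");
        } catch (UnsupportedOperationException e) {
            System.out.println("fixed currencies: add rejected, list is " + Fixed.ALLOWED_CURRENCIES);
        }
        String[] copy = Fixed.supportedLocales();
        copy[0] = "xx";
        System.out.println("fixed locales after editing the copy: "
                + Arrays.toString(Fixed.supportedLocales()));
        // Fixed.MAX_RETRIES = 0;          // does not compile: cannot assign a value to a final variable
        // FixedStatus.ACTIVE.setCode(0);  // does not compile: no such method
        System.out.println("fixed ACTIVE code: " + FixedStatus.ACTIVE.getCode());
    }
}
```

Two design notes on the fixed forms: `Collections.unmodifiableList` is a view over the backing list, so the backing list must not be reachable by any other reference or the view is only cosmetic (here it is created inline and never stored elsewhere); and for the array the example uses `private` plus a cloning accessor rather than `protected`, because `protected` still leaves the array writable by subclasses and by every class in the same package.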



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
