[https://issues.apache.org/jira/browse/JENA-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13475641#comment-13475641]
Andy Seaborne commented on JENA-243:
------------------------------------
Re: JENA-243.null-dereference.patch
Which version is the patch against? It didn't apply for me but I have applied
the moral equivalent by using:
Lib.equal(serializationType, WebContent.contentTypeTextPlain)
etc. each time. Lib.equal is a null-safe equals operation.
How does this situation arise? I tried to provoke it but could see how. If the
content type is not set, it defaults to XML results, and if it's junk it causes a
415. Looking at the code, I can't see how it can happen but I have also
reinforced the ConNeg code because code analysis alone may miss that null is
impossible (as far as I can see).
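An added illustration of the pattern the comment describes (not Jena's own code; Lib.equal is stood in for by a local null-safe helper, and the media-type strings, the result type and the method names are hypothetical): a comparison that dereferences a possibly-null serialization type, beside the null-safe form that falls back to XML when the type is unset and rejects unknown types with a 415.

```java
import java.util.Objects;

// Hypothetical result-format negotiation, written to show the null-dereference
// finding and its fix; it is not the Fuseki ConNeg code.
public final class ResultFormatNegotiation {
    static final String TEXT_PLAIN  = "text/plain";
    static final String SPARQL_XML  = "application/sparql-results+xml";
    static final String SPARQL_JSON = "application/sparql-results+json";
    static final int HTTP_UNSUPPORTED_MEDIA_TYPE = 415;

    /** Outcome of negotiation: either a chosen media type or an HTTP error status. */
    static final class Outcome {
        final String mediaType; final int status;
        Outcome(String mediaType, int status) { this.mediaType = mediaType; this.status = status; }
    }

    /** Stand-in for a null-safe equals: true if both null, false if only one is null. */
    static boolean equal(Object a, Object b) {
        return Objects.equals(a, b);
    }

    /** Before: calls .equals on the requested type, so a null type throws NullPointerException. */
    static Outcome chooseUnsafe(String serializationType) {
        if (serializationType.equals(TEXT_PLAIN))  return new Outcome(TEXT_PLAIN, 200);  // NPE if null
        if (serializationType.equals(SPARQL_JSON)) return new Outcome(SPARQL_JSON, 200);
        if (serializationType.equals(SPARQL_XML))  return new Outcome(SPARQL_XML, 200);
        return new Outcome(null, HTTP_UNSUPPORTED_MEDIA_TYPE);
    }

    /** After: null means "not set" and defaults to XML; junk is rejected with 415; no dereference. */
    static Outcome chooseSafe(String serializationType) {
        if (serializationType == null) return new Outcome(SPARQL_XML, 200);   // default: XML results
        if (equal(serializationType, TEXT_PLAIN))  return new Outcome(TEXT_PLAIN, 200);
        if (equal(serializationType, SPARQL_JSON)) return new Outcome(SPARQL_JSON, 200);
        if (equal(serializationType, SPARQL_XML))  return new Outcome(SPARQL_XML, 200);
        return new Outcome(null, HTTP_UNSUPPORTED_MEDIA_TYPE);                 // junk: 415
    }

    public static void main(String[] args) {
        // Constructed inputs: unset, valid, and junk content types.
        for (String requested : new String[] { null, "text/plain", "bogus/type" }) {
            Outcome o = chooseSafe(requested);
            System.out.println(requested + " -> " + o.mediaType + " (status " + o.status + ")");
        }
        try { chooseUnsafe(null); } catch (NullPointerException e) {
            System.out.println("chooseUnsafe(null) dereferenced null: " + e);
        }
    }
}
```

Static analysis flags chooseUnsafe because it cannot prove the argument is non-null at that call; chooseSafe keeps the same behaviour for valid and junk input while making the null case explicit.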
> Passing along HP Fortify findings to the community
> --------------------------------------------------
>
> Key: JENA-243
> URL: https://issues.apache.org/jira/browse/JENA-243
> Project: Apache Jena
> Issue Type: Question
> Components: Fuseki
> Affects Versions: Fuseki 0.2.1
> Reporter: Brian Harris
> Attachments: JENA-243.null-dereference.patch,
> JENA-243.suggested-xss-fixes.patch, JENA-243.unreleased-resource.patch
>
>
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd
> like to pass along these findings to the community so they can be reviewed
> and possibly addressed. I am unsure if I should submit a ticket for each
> individual finding, submit a ticket that lumps the findings into logical
> groups or submit one large ticket.
> In all - there are 123 findings that fall into the following categories:
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
>
> It's quite possible some of these are false positives.
> Any direction is greatly appreciated. Thanks!
--
This message is automatically generated by JIRA.