[
https://issues.apache.org/jira/browse/KNOX-1441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16626555#comment-16626555
]
Kevin Risden commented on KNOX-1441:
------------------------------------
Spotbugs is set to run during "verify". This is triggered during install as
well. Both regular and test code are checked for errors. Spotbugs looks for
static issues as described here
([https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html]). That page
has an English description of all the specific errors that can be detected.
Spotbugs is also configured to look for security bugs with
[https://find-sec-bugs.github.io/]. This
detects the following patterns (https://find-sec-bugs.github.io/bugs.htm).
An example of an error:
{noformat}
[ERROR] Hard coded password found
[org.apache.knox.gateway.services.security.impl.X509CertificateUtil] At
X509CertificateUtil.java:[line 292] HARD_CODE_PASSWORD
{noformat}
The error message stops the build and states:
# the class that caused the issue
# the line number of the problem
# the unique bug pattern id
The unique bug pattern id can be looked up in the bug descriptions or Googled.
In many cases the root cause can be fixed. In some cases, the error should be
suppressed due to the design being correct and no other work around.
There is a suppressions filter in src/spotbugs-filter.xml that allows you to
match certain patterns to ignore. The allowable filters are described here:
[https://spotbugs.readthedocs.io/en/stable/filter.html]
For the bug above (HARD_CODE_PASSWORD), it is correct to have the hardcoded
password for cacerts. Therefore the following was added to the
spotbugs-filter.xml.
{code:java}
<Match>
<Class
name="org.apache.knox.gateway.services.security.impl.X509CertificateUtil" />
<Method name="writeCertificateToJKS" />
<Bug pattern="HARD_CODE_PASSWORD" />
</Match>
{code}
This ensures that the class, method, and bug pattern are not triggered again
during the build. Other errors (if present) in the class would still be
identified.
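For readers wiring up the same setup, here is an added example (not code from the Knox project or from the comment above) of a spotbugs-maven-plugin entry that matches the description in this comment: the check runs in the verify phase, test classes are included, the Find Security Bugs detectors are loaded, and src/spotbugs-filter.xml is used as the suppressions file. The plugin version values are placeholders.

```xml
<!-- Illustrative pom.xml plugin entry; version values are placeholders -->
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>SPOTBUGS_PLUGIN_VERSION</version>
  <configuration>
    <!-- Scan test classes as well as main classes -->
    <includeTests>true</includeTests>
    <!-- Stop the build when any bug pattern is reported -->
    <failOnError>true</failOnError>
    <!-- Suppressions for findings reviewed and accepted by design -->
    <excludeFilterFile>${basedir}/src/spotbugs-filter.xml</excludeFilterFile>
    <plugins>
      <!-- Load the Find Security Bugs detectors into SpotBugs -->
      <plugin>
        <groupId>com.h3xstream.findsecbugs</groupId>
        <artifactId>findsecbugs-plugin</artifactId>
        <version>FINDSECBUGS_VERSION</version>
      </plugin>
    </plugins>
  </configuration>
  <executions>
    <execution>
      <id>spotbugs-check</id>
      <!-- Runs during verify, and therefore also during install -->
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

A suppression entry in the filter file should name the class, method, and bug pattern together, as in the comment's Match block, so that only the reviewed finding is silenced and other patterns in the same class still fail the build.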
> Enable spotbugs for static build checking
> -----------------------------------------
>
> Key: KNOX-1441
> URL: https://issues.apache.org/jira/browse/KNOX-1441
> Project: Apache Knox
> Issue Type: Improvement
> Components: Build
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Fix For: 1.2.0
>
> Attachments: KNOX-1441.patch, KNOX-1441.patch
>
>
> Split out from KNOX-1284 specifically for spotbugs.