[jira] [Commented] (OOZIE-3671) Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored

Fri, 11 Nov 2022 03:19:16 -0800 


    [ 
https://issues.apache.org/jira/browse/OOZIE-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632263#comment-17632263
 ] 

Dénes Bodó commented on OOZIE-3671:
-----------------------------------

 Hey [~jmakai] 

Thanks for trying to fix this issue. I agree with your approach because it 
would be better if we didn't have to manually override the Jenkins build 
results.

But disabling a security check is never the best idea. Because the issue is 
present for long I accept to turn off the validation. BUT: in that case please 
open another Jira to track fixing the JPA bug and turn the spotbugs check back 
on.

 

Do you agree?

> Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily 
> until it gets refactored
> ----------------------------------------------------------------------------------------------------
>
>                 Key: OOZIE-3671
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3671
>             Project: Oozie
>          Issue Type: Task
>          Components: core
>    Affects Versions: 5.2.1
>            Reporter: Janos Makai
>            Assignee: Janos Makai
>            Priority: Major
>         Attachments: OOZIE-3671-001.patch
>
>
> Currently the SpotBugs tool indicates the following issues for every new 
> patches:
> {code:java}
> {color:#FF0000}-1{color} There are [5] new bugs found below threshold in 
> [core] that must be fixed.
> . You can find the SpotBugs diff here (look for the red and orange ones): 
> core/findbugs-new.html
> . The most important SpotBugs errors are:
> . At BulkJPAExecutor.java:[line 206]: This use of 
> javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
>  can be vulnerable to SQL/JPQL injection
> . At BulkJPAExecutor.java:[line 176]: At BulkJPAExecutor.java:[line 175]
> . At BulkJPAExecutor.java:[line 205]: At BulkJPAExecutor.java:[line 199]
> . This use of 
> javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
>  can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 206]
> . At BulkJPAExecutor.java:[line 111]: At BulkJPAExecutor.java:[line 127]
> {code}
> The goal of this Jira is to exclude the JPA injection pattern 
> (SQL_INJECTION_JPA) from Oozie core until the corresponding code gets 
> refactored.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to