[ https://issues.apache.org/jira/browse/JENA-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268449#comment-13268449 ]
Andy Seaborne commented on JENA-243:
------------------------------------

Thank you for the report.

There seem to be a large number of false positives relating to coding style.

As to the XSS category (lines 2-8):

1/ Fuseki runs standalone - there is no other Java code to

2/ of those only line 7 refers to code which is not in the optional management interface or helper apps to validate formats and that's for JSONP triggered by the client request.

> Passing along HP Fortify findings to the community
> --------------------------------------------------
>
>                 Key: JENA-243
>                 URL: https://issues.apache.org/jira/browse/JENA-243
>             Project: Apache Jena
>          Issue Type: Question
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Brian Harris
>
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd like to pass along these findings to the community so they can be reviewed and possibly addressed. I am unsure if I should submit a ticket for each individual finding, submit a ticket that lumps the findings into logical groups or submit one large ticket.
>
> In all - there are 123 findings that fall into the following categories:
>
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
>
> Some of these are flagged as more important such as the XSS violation and must be corrected prior to moving into a production environment. And, it's quite possible some of these are false positives.
>
> Any direction is greatly appreciated. Thanks!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
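The reflected-XSS finding Andy's comment traces to JSONP comes down to one question: is a client-supplied callback name echoed into the response unchecked? The following is an added illustration of the defensive pattern, not code from Fuseki or from the Jena project; the class name `JsonpCallback`, the method names and the identifier pattern are all assumptions made for the example.

```java
import java.util.regex.Pattern;

// Added example (not Fuseki's own code): validate a JSONP callback name before
// it is reflected into the response body, so a request parameter cannot carry
// script into the page that consumes the result.
public final class JsonpCallback {

    // Accept only a dotted JavaScript identifier path such as "cb" or "app.handlers.cb".
    // Anything else (parentheses, quotes, tags, whitespace) is rejected outright.
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    // Upper bound chosen for the example; real callback names are short.
    private static final int MAX_LEN = 64;

    public static boolean isSafeCallback(String name) {
        return name != null
            && name.length() <= MAX_LEN
            && SAFE_CALLBACK.matcher(name).matches();
    }

    /** Wraps an already-serialised JSON document in the callback, or refuses. */
    public static String wrap(String callback, String json) {
        if (!isSafeCallback(callback)) {
            // Fail closed: never fall back to echoing the rejected value.
            throw new IllegalArgumentException("invalid JSONP callback name");
        }
        // The leading "/**/" is a common hardening step: it stops the response
        // being interpreted as a different content type by the client.
        return "/**/" + callback + "(" + json + ");";
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(wrap("cb", "{\"ok\":true}"));        // /**/cb({"ok":true});
        System.out.println(isSafeCallback("app.handlers.cb"));   // true
        System.out.println(isSafeCallback("cb(1)"));             // false
        System.out.println(isSafeCallback(""));                  // false
    }
}
```

Alongside the name check, serve the wrapped body as `application/javascript` rather than `text/html`, so a browser that loads the URL directly does not render it as a document.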