DonalEvans commented on pull request #7348: URL: https://github.com/apache/geode/pull/7348#issuecomment-1048046693
> > * 2 for Dereferenced variable may be null
>
> This is within a class we had to introduce from JBoss modules to process the module.xml files. Waiting on JBoss-modules 2.0.3-Final to be released, as it contains the changes/PR we had submitted to resolve this within the jboss-modules library. The GeodeModuleXmlParser.java class will be removed.
>
> > * 2 for Potential input resource leak
>
> There is nothing we can do about this. We are constrained by the API of the library. I've tried to resolve this failure, but it causes a failure in the library. I suspect to change/affect/resolve this issue, changes to the 3rd party library need to be made.
>
> > * 1 for Use of a broken or risky cryptographic algorithm
>
> This is actually existing within the current `develop` branch within the `DeployedJar` class. This can easily be replaced with 'SHA-256', which is possibly more "secure" but would also take up more compute time. Either way, the usage of the 'MD5' hash is used for simple file equality comparison and has no impact on any security concerns of the system. Tested it with `SHA-256` can be made without any impact

It's [possible to suppress](https://lgtm.com/help/lgtm/alert-suppression#java) spurious/unfixable LGTM warnings, which has been done in the past in the Geode codebase. Adding a comment along with the suppression to explain why it's being suppressed and when it should be un-suppressed could be an acceptable workaround here.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@geode.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
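The two options discussed in this comment for the MD5 alert, shown side by side as an added example; this is not code from the Geode pull request. The class and method names are hypothetical, and the suppression tag assumes the alert's LGTM query id is `java/weak-cryptographic-algorithm`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper for illustration; not Geode's DeployedJar.
public final class JarDigestExample {

  // Streams the file through the digest; try-with-resources closes it on every path.
  static byte[] digest(Path file, MessageDigest md) throws IOException {
    try (InputStream in = Files.newInputStream(file)) {
      byte[] buf = new byte[8192];
      for (int n; (n = in.read(buf)) != -1; ) {
        md.update(buf, 0, n);
      }
    }
    return md.digest();
  }

  // Option 1: switch the equality check to SHA-256, which clears the alert.
  static boolean sameContent(Path a, Path b) throws IOException, NoSuchAlgorithmException {
    if (Files.size(a) != Files.size(b)) {
      return false; // different lengths: skip hashing entirely
    }
    return MessageDigest.isEqual(
        digest(a, MessageDigest.getInstance("SHA-256")),
        digest(b, MessageDigest.getInstance("SHA-256")));
  }

  // Option 2: keep MD5 and suppress, recording why and when to un-suppress.
  static byte[] legacyDigest(Path file) throws IOException, NoSuchAlgorithmException {
    // MD5 only compares file contents here; no security decision depends on it.
    // Remove this suppression once the comparison moves to SHA-256.
    MessageDigest md5 = MessageDigest.getInstance("MD5"); // lgtm [java/weak-cryptographic-algorithm]
    return digest(file, md5);
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input: two temp files with identical bytes, one that differs.
    Path a = Files.write(Files.createTempFile("a", ".jar"), "same".getBytes(StandardCharsets.UTF_8));
    Path b = Files.write(Files.createTempFile("b", ".jar"), "same".getBytes(StandardCharsets.UTF_8));
    Path c = Files.write(Files.createTempFile("c", ".jar"), "diff".getBytes(StandardCharsets.UTF_8));
    System.out.println(sameContent(a, b));
    System.out.println(sameContent(a, c));
    System.out.println(legacyDigest(a).length);
  }
}
```

The suppression comment sits on the same line as the `getInstance("MD5")` call so that it covers the line the alert is reported on.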