Julian Leichert created OFBIZ-9772:
--------------------------------------

             Summary: [FB] Package org.apache.ofbiz.product.category
                 Key: OFBIZ-9772
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9772
             Project: OFBiz
          Issue Type: Sub-task
          Components: product
    Affects Versions: Trunk
            Reporter: Julian Leichert
            Priority: Minor


CatalogUrlFilter.java:57, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString 
should be package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

CatalogUrlFilter.java:58, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl should be 
package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

CatalogUrlFilter.java:69, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CatalogUrlFilter.java:70, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to 
javax.servlet.http.HttpServletResponse in 
org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CatalogUrlFilter.java:76, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString from 
instance method 
org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

CatalogUrlFilter.java:77, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl from instance 
method 
org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

CatalogUrlSeoFilter.java:40, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString 
should be package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

CatalogUrlSeoFilter.java:41, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl should 
be package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

CatalogUrlSeoFilter.java:47, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CatalogUrlSeoFilter.java:48, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to 
javax.servlet.http.HttpServletResponse in 
org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CatalogUrlSeoFilter.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString from 
instance method 
org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

CatalogUrlSeoFilter.java:61, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl from instance 
method 
org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

CatalogUrlServlet.java:47, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.CatalogUrlServlet is Serializable; 
consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a 
serialVersionUID field.  A change as simple as adding a reference to a .class 
object will add synthetic fields to the class, which will unfortunately change 
the implicit serialVersionUID (e.g., adding a reference to String.class will 
generate a static field class$java$lang$String). Also, different source code to 
bytecode compilers may use different naming conventions for synthetic variables 
generated for references to class objects or inner classes. To ensure 
interoperability of Serializable across versions, consider adding an explicit 
serialVersionUID.

CategoryContentWrapper.java:102, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
- RCN: Nullcheck of CategoryContentWrapper.categoryContentCache at line 114 of 
value previously dereferenced in 
org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(GenericValue, String, Locale, String, Delegator, LocalDispatcher, String)

A value is checked here to see whether it is null, but this value can't be null 
because it was previously dereferenced and if it were null a null pointer 
exception would have occurred at the earlier dereference. Essentially, this 
code and the previous dereference disagree as to whether this value is allowed 
to be null. Either the check is redundant or the previous dereference is 
erroneous.

CategoryContentWrapper.java:154, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
- RCN: Redundant nullcheck of sessionLocale, which is known to be non-null in 
org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(String, GenericValue, String, Locale, String, Delegator, LocalDispatcher, Writer, boolean)

This method contains a redundant check of a known non-null value against the 
constant null.

CategoryServices.java:240, DM_BOXED_PRIMITIVE_FOR_PARSING
- Bx: Boxing/unboxing to parse a primitive 
org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)

A boxed primitive is created from a String, just to extract the unboxed 
primitive value. It is more efficient to just call the static parseXXX method.

CategoryServices.java:245, DLS_DEAD_LOCAL_STORE
- DLS: Dead store to viewSize in 
org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)

This instruction assigns a value to a local variable, but the value is not read 
or used in any subsequent instruction. Often, this indicates an error, because 
the value computed is never used.

Note that Sun's javac compiler often generates dead stores for final local 
variables. Because FindBugs is a bytecode-based tool, there is no easy way to 
eliminate these false positives.

CategoryServices.java:411, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
- RCN: Redundant nullcheck of productCategoryMembers, which is known to be 
non-null in 
org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)

This method contains a redundant check of a known non-null value against the 
constant null.

CategoryWorker.java:61, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.CategoryWorker.getCatalogTopCategory(ServletRequest, String)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CategoryWorker.java:106, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.CategoryWorker.getRelatedCategories(ServletRequest, String, boolean)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CategoryWorker.java:228, UPM_UNCALLED_PRIVATE_METHOD
- UPM: Private method 
org.apache.ofbiz.product.category.CategoryWorker.buildCountCondition(String, 
String) is never called

This private method is never called. Although it is possible that the method 
will be invoked through reflection, it is more likely that the method is never 
used, and should be removed.

CategoryWorker.java:243, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, 
String)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CategoryWorker.java:315, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.CategoryWorker.getTrail(ServletRequest)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CategoryWorker.java:321, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, List)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

CategoryWorker.java:408, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
- RCN: Redundant nullcheck of subCat, which is known to be non-null in 
org.apache.ofbiz.product.category.CategoryWorker.getCategoryContentWrappers(Map, List, HttpServletRequest)

This method contains a redundant check of a known non-null value against the 
constant null.

ControlServlet.java:33, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.ControlServlet is Serializable; 
consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a 
serialVersionUID field.  A change as simple as adding a reference to a .class 
object will add synthetic fields to the class, which will unfortunately change 
the implicit serialVersionUID (e.g., adding a reference to String.class will 
generate a static field class$java$lang$String). Also, different source code to 
bytecode compilers may use different naming conventions for synthetic variables 
generated for references to class objects or inner classes. To ensure 
interoperability of Serializable across versions, consider adding an explicit 
serialVersionUID.

ControlServlet.java:33, NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
- Nm: The class name org.apache.ofbiz.product.category.ControlServlet shadows 
the simple name of the superclass org.apache.ofbiz.webapp.control.ControlServlet

This class has a simple name that is identical to that of its superclass, 
except that its superclass is in a different package (e.g., alpha.Foo extends 
beta.Foo). This can be exceptionally confusing, create lots of situations in 
which you have to look at import statements to resolve references and creates 
many opportunities to accidentally define methods that do not override methods 
in their superclasses.

ControlServlet.java:35, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.ControlServlet.defaultPage should be 
package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

ControlServlet.java:36, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.ControlServlet.pageNotFound should be 
package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

ControlServlet.java:37, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.ControlServlet.controlServlet should be 
package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

ControlServlet.java:51, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.ControlServlet.defaultPage from instance 
method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

ControlServlet.java:57, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.ControlServlet.pageNotFound from instance 
method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

ControlServlet.java:65, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.ControlServlet.controlServlet from instance 
method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

SeoCatalogUrlServlet.java:45, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.SeoCatalogUrlServlet is Serializable; 
consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a 
serialVersionUID field.  A change as simple as adding a reference to a .class 
object will add synthetic fields to the class, which will unfortunately change 
the implicit serialVersionUID (e.g., adding a reference to String.class will 
generate a static field class$java$lang$String). Also, different source code to 
bytecode compilers may use different naming conventions for synthetic variables 
generated for references to class objects or inner classes. To ensure 
interoperability of Serializable across versions, consider adding an explicit 
serialVersionUID.

SeoConfigUtil.java:510, DM_CONVERT_CASE
- Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
org.apache.ofbiz.product.category.SeoConfigUtil.addSpecialProductId(String)

A String is being converted to upper or lowercase, using the platform's default 
encoding. This may result in improper conversions when used with international 
characters. Use the

    String.toUpperCase( Locale l )
    String.toLowerCase( Locale l )

versions instead.

SeoContentUrlFilter.java:46, MS_SHOULD_BE_FINAL
- MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.defaultLocaleString 
isn't final but should be

This static field is public but not final, and could be changed by malicious 
code or by accident from another package. The field could be made final to 
avoid this vulnerability.

SeoContentUrlFilter.java:47, MS_SHOULD_BE_FINAL
- MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.redirectUrl isn't 
final but should be

This static field is public but not final, and could be changed by malicious 
code or by accident from another package. The field could be made final to 
avoid this vulnerability.

SeoContentUrlFilter.java:57, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

SeoContentUrlFilter.java:58, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to 
javax.servlet.http.HttpServletResponse in 
org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

SeoContextFilter.java:-1, NM_FIELD_NAMING_CONVENTION
- Nm: The field name 
org.apache.ofbiz.product.category.SeoContextFilter.WebServlets doesn't start 
with a lower case letter

Names of fields that are not final should be in mixed case with a lowercase 
first letter and the first letters of subsequent words capitalized.

SeoContextFilter.java:78, WMI_WRONG_MAP_ITERATOR
- WMI: org.apache.ofbiz.product.category.SeoContextFilter.init(FilterConfig) 
makes inefficient use of keySet iterator instead of entrySet iterator

This method accesses the value of a Map entry, using a key that was retrieved 
from a keySet iterator. It is more efficient to use an iterator on the entrySet 
of the map, to avoid the Map.get(key) lookup.

SeoContextFilter.java:94, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
javax.servlet.http.HttpServletRequest in 
org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

SeoContextFilter.java:95, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to 
javax.servlet.http.HttpServletResponse in 
org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

This cast is unchecked, and not all instances of the type being cast from can be 
cast to the type it is being cast to. Check that your program logic ensures 
that this cast will not fail.

SeoContextFilter.java:181, DM_CONVERT_CASE
- Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, 
ServletResponse, FilterChain)

A String is being converted to upper or lowercase, using the platform's default 
encoding. This may result in improper conversions when used with international 
characters. Use the

    String.toUpperCase( Locale l )
    String.toLowerCase( Locale l )

versions instead.

SeoControlServlet.java:41, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.SeoControlServlet is Serializable; 
consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a 
serialVersionUID field.  A change as simple as adding a reference to a .class 
object will add synthetic fields to the class, which will unfortunately change 
the implicit serialVersionUID (e.g., adding a reference to String.class will 
generate a static field class$java$lang$String). Also, different source code to 
bytecode compilers may use different naming conventions for synthetic variables 
generated for references to class objects or inner classes. To ensure 
interoperability of Serializable across versions, consider adding an explicit 
serialVersionUID.

SeoControlServlet.java:43, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.SeoControlServlet.defaultPage should be 
package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

SeoControlServlet.java:44, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.SeoControlServlet.controlServlet should 
be package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

SeoControlServlet.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.SeoControlServlet.defaultPage from instance 
method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

SeoControlServlet.java:68, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field 
org.apache.ofbiz.product.category.SeoControlServlet.controlServlet from 
instance method 
org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if 
multiple instances are being manipulated, and generally bad practice.

SeoControlServlet.java:77, DM_CONVERT_CASE
- Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
org.apache.ofbiz.product.category.SeoControlServlet.doGet(HttpServletRequest, 
HttpServletResponse)

A String is being converted to upper or lowercase, using the platform's default 
encoding. This may result in improper conversions when used with international 
characters. Use the

    String.toUpperCase( Locale l )
    String.toLowerCase( Locale l )

versions instead.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)