[
https://issues.apache.org/jira/browse/OFBIZ-9772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Julian Leichert updated OFBIZ-9772:
-----------------------------------
Attachment: OFBIZ-9772_org.apache.ofbiz.product.category_bugfixes.patch
> [FB] Package org.apache.ofbiz.product.category
> ----------------------------------------------
>
> Key: OFBIZ-9772
> URL: https://issues.apache.org/jira/browse/OFBIZ-9772
> Project: OFBiz
> Issue Type: Sub-task
> Components: product
> Affects Versions: Trunk
> Reporter: Julian Leichert
> Priority: Minor
> Attachments:
> OFBIZ-9772_org.apache.ofbiz.product.category_bugfixes.patch
>
>
> CatalogUrlFilter.java:57, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> CatalogUrlFilter.java:58, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl should
> be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> CatalogUrlFilter.java:69, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CatalogUrlFilter.java:70, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to
> javax.servlet.http.HttpServletResponse in
> org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CatalogUrlFilter.java:76, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString from
> instance method
> org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlFilter.java:77, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl from instance
> method
> org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlSeoFilter.java:40, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> CatalogUrlSeoFilter.java:41, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> CatalogUrlSeoFilter.java:47, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CatalogUrlSeoFilter.java:48, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to
> javax.servlet.http.HttpServletResponse in
> org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CatalogUrlSeoFilter.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString
> from instance method
> org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlSeoFilter.java:61, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl from
> instance method
> org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlServlet.java:47, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.CatalogUrlServlet is Serializable;
> consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a
> serialVersionUID field. A change as simple as adding a reference to a .class
> object will add synthetic fields to the class, which will unfortunately
> change the implicit serialVersionUID (e.g., adding a reference to
> String.class will generate a static field class$java$lang$String). Also,
> different source code to bytecode compilers may use different naming
> conventions for synthetic variables generated for references to class objects
> or inner classes. To ensure interoperability of Serializable across versions,
> consider adding an explicit serialVersionUID.
> CategoryContentWrapper.java:102, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> - RCN: Nullcheck of CategoryContentWrapper.categoryContentCache at line 114
> of value previously dereferenced in
> org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(GenericValue,
> String, Locale, String, Delegator, LocalDispatcher, String)
> A value is checked here to see whether it is null, but this value can't be
> null because it was previously dereferenced and if it were null a null
> pointer exception would have occurred at the earlier dereference.
> Essentially, this code and the previous dereference disagree as to whether
> this value is allowed to be null. Either the check is redundant or the
> previous dereference is erroneous.
> CategoryContentWrapper.java:154, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of sessionLocale, which is known to be non-null in
> org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(String,
> GenericValue, String, Locale, String, Delegator, LocalDispatcher, Writer,
> boolean)
> This method contains a redundant check of a known non-null value against the
> constant null.
> CategoryServices.java:240, DM_BOXED_PRIMITIVE_FOR_PARSING
> - Bx: Boxing/unboxing to parse a primitive
> org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext,
> Map)
> A boxed primitive is created from a String, just to extract the unboxed
> primitive value. It is more efficient to just call the static parseXXX method.
> CategoryServices.java:245, DLS_DEAD_LOCAL_STORE
> - DLS: Dead store to viewSize in
> org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> CategoryServices.java:411, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of productCategoryMembers, which is known to be
> non-null in
> org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext,
> Map)
> This method contains a redundant check of a known non-null value against the
> constant null.
> CategoryWorker.java:61, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.CategoryWorker.getCatalogTopCategory(ServletRequest,
> String)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CategoryWorker.java:106, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.CategoryWorker.getRelatedCategories(ServletRequest,
> String, boolean)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CategoryWorker.java:228, UPM_UNCALLED_PRIVATE_METHOD
> - UPM: Private method
> org.apache.ofbiz.product.category.CategoryWorker.buildCountCondition(String,
> String) is never called
> This private method is never called. Although it is possible that the method
> will be invoked through reflection, it is more likely that the method is
> never used, and should be removed.
> CategoryWorker.java:243, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest,
> String)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CategoryWorker.java:315, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.CategoryWorker.getTrail(ServletRequest)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CategoryWorker.java:321, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest,
> List)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> CategoryWorker.java:408, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of subCat, which is known to be non-null in
> org.apache.ofbiz.product.category.CategoryWorker.getCategoryContentWrappers(Map,
> List, HttpServletRequest)
> This method contains a redundant check of a known non-null value against the
> constant null.
> ControlServlet.java:33, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.ControlServlet is Serializable;
> consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a
> serialVersionUID field. A change as simple as adding a reference to a .class
> object will add synthetic fields to the class, which will unfortunately
> change the implicit serialVersionUID (e.g., adding a reference to
> String.class will generate a static field class$java$lang$String). Also,
> different source code to bytecode compilers may use different naming
> conventions for synthetic variables generated for references to class objects
> or inner classes. To ensure interoperability of Serializable across versions,
> consider adding an explicit serialVersionUID.
> ControlServlet.java:33, NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
> - Nm: The class name org.apache.ofbiz.product.category.ControlServlet shadows
> the simple name of the superclass
> org.apache.ofbiz.webapp.control.ControlServlet
> This class has a simple name that is identical to that of its superclass,
> except that its superclass is in a different package (e.g., alpha.Foo extends
> beta.Foo). This can be exceptionally confusing, create lots of situations in
> which you have to look at import statements to resolve references and creates
> many opportunities to accidentally define methods that do not override
> methods in their superclasses.
> ControlServlet.java:35, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.defaultPage should be
> package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> ControlServlet.java:36, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.pageNotFound should be
> package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> ControlServlet.java:37, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.controlServlet should
> be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> ControlServlet.java:51, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.ControlServlet.defaultPage from instance
> method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> ControlServlet.java:57, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.ControlServlet.pageNotFound from instance
> method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> ControlServlet.java:65, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.ControlServlet.controlServlet from instance
> method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> SeoCatalogUrlServlet.java:45, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoCatalogUrlServlet is
> Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a
> serialVersionUID field. A change as simple as adding a reference to a .class
> object will add synthetic fields to the class, which will unfortunately
> change the implicit serialVersionUID (e.g., adding a reference to
> String.class will generate a static field class$java$lang$String). Also,
> different source code to bytecode compilers may use different naming
> conventions for synthetic variables generated for references to class objects
> or inner classes. To ensure interoperability of Serializable across versions,
> consider adding an explicit serialVersionUID.
> SeoConfigUtil.java:510, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.product.category.SeoConfigUtil.addSpecialProductId(String)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> SeoContentUrlFilter.java:46, MS_SHOULD_BE_FINAL
> - MS:
> org.apache.ofbiz.product.category.SeoContentUrlFilter.defaultLocaleString
> isn't final but should be
> This static field is public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> SeoContentUrlFilter.java:47, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.redirectUrl isn't
> final but should be
> This static field is public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> SeoContentUrlFilter.java:57, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> SeoContentUrlFilter.java:58, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to
> javax.servlet.http.HttpServletResponse in
> org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> SeoContextFilter.java:-1, NM_FIELD_NAMING_CONVENTION
> - Nm: The field name
> org.apache.ofbiz.product.category.SeoContextFilter.WebServlets doesn't start
> with a lower case letter
> Names of fields that are not final should be in mixed case with a lowercase
> first letter and the first letters of subsequent words capitalized.
> SeoContextFilter.java:78, WMI_WRONG_MAP_ITERATOR
> - WMI: org.apache.ofbiz.product.category.SeoContextFilter.init(FilterConfig)
> makes inefficient use of keySet iterator instead of entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved
> from a keySet iterator. It is more efficient to use an iterator on the
> entrySet of the map, to avoid the Map.get(key) lookup.
> SeoContextFilter.java:94, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
> javax.servlet.http.HttpServletRequest in
> org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> SeoContextFilter.java:95, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to
> javax.servlet.http.HttpServletResponse in
> org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be
> cast to the type it is being cast to. Check that your program logic ensures
> that this cast will not fail.
> SeoContextFilter.java:181, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest,
> ServletResponse, FilterChain)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> SeoControlServlet.java:41, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoControlServlet is Serializable;
> consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a
> serialVersionUID field. A change as simple as adding a reference to a .class
> object will add synthetic fields to the class, which will unfortunately
> change the implicit serialVersionUID (e.g., adding a reference to
> String.class will generate a static field class$java$lang$String). Also,
> different source code to bytecode compilers may use different naming
> conventions for synthetic variables generated for references to class objects
> or inner classes. To ensure interoperability of Serializable across versions,
> consider adding an explicit serialVersionUID.
> SeoControlServlet.java:43, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.defaultPage should
> be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> SeoControlServlet.java:44, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.controlServlet
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> SeoControlServlet.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.SeoControlServlet.defaultPage from instance
> method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> SeoControlServlet.java:68, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field
> org.apache.ofbiz.product.category.SeoControlServlet.controlServlet from
> instance method
> org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct
> if multiple instances are being manipulated, and generally bad practice.
> SeoControlServlet.java:77, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.product.category.SeoControlServlet.doGet(HttpServletRequest,
> HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
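The MS_PKGPROTECT, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD and BC_UNCONFIRMED_CAST findings above all describe one filter/servlet shape: per-instance configuration (a redirect URL, a default locale) parked in a public mutable static that an instance method writes, plus a blind cast of ServletRequest to HttpServletRequest. The example below is an added illustration, not OFBiz code and not the attached patch; it shows that shape beside a hardened version and a main() that demonstrates why the static is a problem. It needs the javax.servlet API jar on the classpath; the class, field and init-param names are invented for the demo.

```java
// Added example (not OFBiz code): the filter shape behind MS_PKGPROTECT,
// ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD and BC_UNCONFIRMED_CAST, beside a hardened form.
// Needs the javax.servlet API on the classpath; names are invented for the demo.
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FilterStaticStateDemo {

    /** The flagged shape: per-instance configuration kept in a public mutable static. */
    public static class LeakyRedirectFilter implements Filter {
        // MS_PKGPROTECT: every class loaded by the same classloader can reassign this.
        public static String redirectUrl;

        @Override public void init(FilterConfig config) {
            // ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD: the last instance to init() wins for all of them.
            redirectUrl = config.getInitParameter("redirectUrl");
        }

        @Override public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
            // BC_UNCONFIRMED_CAST: a non-HTTP request here ends in ClassCastException, not a clean pass-through.
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpResp = (HttpServletResponse) resp;
            if (httpReq.getPathInfo() == null) {
                httpResp.sendRedirect(redirectUrl);
                return;
            }
            chain.doFilter(req, resp);
        }

        @Override public void destroy() { }
    }

    /** Hardened shape: private per-instance state fixed once in init(), and a guarded cast. */
    public static class SafeRedirectFilter implements Filter {
        private volatile String redirectUrl;   // one value per filter instance, published safely after init()

        @Override public void init(FilterConfig config) throws ServletException {
            String url = config.getInitParameter("redirectUrl");
            if (url == null || !url.startsWith("/")) {
                // Fail closed at deploy time instead of redirecting to a missing or absolute URL at runtime.
                throw new ServletException("redirectUrl must be a server-relative path");
            }
            redirectUrl = url;
        }

        @Override public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
            if (!(req instanceof HttpServletRequest) || !(resp instanceof HttpServletResponse)) {
                chain.doFilter(req, resp);   // not an HTTP exchange: nothing for this filter to do
                return;
            }
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpResp = (HttpServletResponse) resp;
            if (httpReq.getPathInfo() == null) {
                httpResp.sendRedirect(redirectUrl);
                return;
            }
            chain.doFilter(req, resp);
        }

        @Override public void destroy() { }
    }

    /** Minimal FilterConfig carrying one init-param, so the demo runs without a container. */
    static FilterConfig configWith(final String name, final String value) {
        return new FilterConfig() {
            public String getFilterName() { return "demo"; }
            public ServletContext getServletContext() { return null; }
            public String getInitParameter(String n) { return name.equals(n) ? value : null; }
            public Enumeration<String> getInitParameterNames() { return Collections.enumeration(Collections.singletonList(name)); }
        };
    }

    public static void main(String[] args) throws ServletException {
        // Two <filter> declarations of the same class with different init-params give two instances.
        LeakyRedirectFilter shop = new LeakyRedirectFilter();
        LeakyRedirectFilter admin = new LeakyRedirectFilter();
        shop.init(configWith("redirectUrl", "/shop/main"));
        admin.init(configWith("redirectUrl", "/admin/main"));
        System.out.println("leaky, after both inits: " + LeakyRedirectFilter.redirectUrl);
        LeakyRedirectFilter.redirectUrl = "https://attacker.example/";   // any code in the JVM can do this
        System.out.println("leaky, after external write: " + LeakyRedirectFilter.redirectUrl);

        SafeRedirectFilter safeShop = new SafeRedirectFilter();
        SafeRedirectFilter safeAdmin = new SafeRedirectFilter();
        safeShop.init(configWith("redirectUrl", "/shop/main"));
        safeAdmin.init(configWith("redirectUrl", "/admin/main"));
        System.out.println("safe: " + safeShop.redirectUrl + " / " + safeAdmin.redirectUrl);
    }
}
```

Compile with the servlet API jar on the classpath (javac -cp javax.servlet-api.jar FilterStaticStateDemo.java) and run it the same way. The first two lines show that the second init() silently replaced the first instance's redirect target and that a plain assignment from any other class replaces it again; the last line shows that the two hardened instances keep their own values. The instanceof guard is the practitioner's answer to BC_UNCONFIRMED_CAST: it costs nothing on the HTTP path and turns an unexpected request type into a pass-through instead of an exception.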
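The three DM_CONVERT_CASE findings (SeoConfigUtil.addSpecialProductId, SeoContextFilter.doFilter, SeoControlServlet.doGet) are about the default locale rather than an encoding: String.toUpperCase() and toLowerCase() without a Locale argument fold according to whatever Locale.getDefault() is on the host, so a product id or URL path normalised on one server can fail to match the same string normalised on another. The example below is an added illustration, not OFBiz code; it is plain JDK with no dependencies, and the path prefix and product id are invented for the demo.

```java
// Added example (not OFBiz code): what DM_CONVERT_CASE warns about. Case folding
// without an explicit Locale depends on the JVM's default locale, so identifier and
// path comparisons change meaning between hosts. Plain JDK; sample values are invented.
import java.util.Locale;

public class CaseFoldingDemo {

    /** Flagged form: relies on whatever Locale.getDefault() happens to be on this host. */
    static boolean isAdminPathDefaultLocale(String path) {
        return path.toLowerCase().startsWith("/admin");
    }

    /** Fixed form: fold with a fixed locale so the result is identical on every host. */
    static boolean isAdminPathFixedLocale(String path) {
        return path.toLowerCase(Locale.ROOT).startsWith("/admin");
    }

    /** Normalising an identifier for lookup has the same pitfall and the same fix. */
    static String normaliseIdDefaultLocale(String id) { return id.toUpperCase(); }
    static String normaliseIdFixedLocale(String id)   { return id.toUpperCase(Locale.ROOT); }

    public static void main(String[] args) {
        Locale saved = Locale.getDefault();
        try {
            // A server whose OS locale is Turkish: 'I' lower-cases to dotless 'ı' (U+0131) and
            // 'i' upper-cases to dotted 'İ' (U+0130), so ASCII prefix and id comparisons break.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            String path = "/ADMIN/users";
            System.out.printf("path %s folded by default locale: %s -> admin? %b%n",
                    path, path.toLowerCase(), isAdminPathDefaultLocale(path));
            System.out.printf("path %s folded by Locale.ROOT:    %s -> admin? %b%n",
                    path, path.toLowerCase(Locale.ROOT), isAdminPathFixedLocale(path));

            String storedId = "WIDGET-1";      // id as stored, already upper-case ASCII
            String submittedId = "widget-1";   // id as typed by a user
            System.out.println("id match, default locale: " + storedId.equals(normaliseIdDefaultLocale(submittedId)));
            System.out.println("id match, Locale.ROOT:    " + storedId.equals(normaliseIdFixedLocale(submittedId)));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```

Run with javac CaseFoldingDemo.java && java CaseFoldingDemo. Under the Turkish default the naive prefix test and the naive id comparison both report false while the Locale.ROOT versions report true. The rule of thumb the finding points at: use Locale.ROOT (or Locale.ENGLISH) for identifiers, paths, protocol tokens and anything compared against stored data, and the user's locale only for text that is displayed to that user.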