[
https://issues.apache.org/jira/browse/OFBIZ-9782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dennis Balkir updated OFBIZ-9782:
---------------------------------
Attachment: OFBIZ-9782_org.apache.ofbiz.entity.jdbc_bugfixes.patch
Diamond Operators fixed
class CursorResultSet:
- didn’t change anything, since this is all inside the entity-engine and there
won’t be sql injections
class CursorStatement:
- didn’t change anything, since this is all inside the entity-engine and there
won’t be sql injections
class DatabaseUtil:
- Line 116: removed the if phrase, because {{getDriver()}} cannot produce null
as a result
- Line 261: removed the if phrase, because since the last time {{colInfo}} is
checked nothing is done with it, furthermore, if it would have been null, the
method would have already returned
- Line 686: added a default Locale to {{toUpperCase()}}
- Line 720: removed if phrase, because {{tableIndexList}} cannot be null at
this point
- Line 942: added a local variable {{lstmt}} for further use
- Line 944 & 945: changed the code, so that {{lstmt}} is uses instead of a
nameless new statement, which cannot be closed properly
- Line 987: removed the if phrase because {{tableSet}} cannot be null at this
point, since {{getTables()}} cannot produce null as a result
- Line 1021: added a default Locale to {{toUpperCase()}}
- Line 1157: added a default Locale to {{toUpperCase()}}
- Line 1251: added a default Locale to {{toUpperCase()}}
- Line 1361: added a default Locale to {{toUpperCase()}}
- Line 1365: added a default Locale to {{toUpperCase()}}
- Line 1370: added a default Locale to {{toUpperCase()}}
- Line 1377: added a default Locale to {{toUpperCase()}}
- Line 1389: added a default Locale to {{toUpperCase()}}
- Line 1479: added a default Locale to {{toLowerCase()}}
- Line 1496: added a default Locale to {{toUpperCase()}}
- Line 1505: added a default Locale to {{toUpperCase()}}
- Line 1506: put the if phrase inside the previous if phrase, because otherwise
a null variable will be dereferenced
- Line 1597 and following: removed all unread fields and changed all calls of
the constructor
- Line 1647: changed the use of the variable {{type}} to {{null}} since this
variable is always null when this is executed
- Line 1748: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 1790: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 1821: changed the use of the variable {{type}} to {{null}} since this
variable is always null when this is executed
- Line 1882: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 1914: changed the use of the variable {{type}} to {{null}} since this
variable is always null when this is executed
- Line 1932: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 1985: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 2015: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 2045: added a default Locale to {{toUpperCase()}}
- Line 2066: added a default Locale to {{toUpperCase()}}
- Line 2179: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 2345: removed the if phrase, because {{connection}} cannot be null at
this time
——
Line 2355-2361: this method effectively just adds something to an array-list,
which is never even used. Is this method incomplete? what is it supposed to do?
This doesn’t really makes sense -> this and every use of this could be removed
——
- Line 2414: removed the if phrase, because {{connection}} cannot be null at
this time
——
Line 2427-2433: this method effectively just adds something to an array-list,
which is never even used. Is this method incomplete? what is it supposed to do?
This doesn’t really makes sense -> this and every use of this could be removed
——
- Line 2492: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 2570: removed the if phrase, because {{connection}} cannot be null at
this time
——
Line 2612-2618: this method effectively just adds something to an array-list,
which is never even used. Is this method incomplete? what is it supposed to do?
This doesn’t really makes sense -> this and every use of this could be removed
——
- Line 2685: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 2766: removed the if phrase, because {{connection}} cannot be null at
this time
——
Line 2805-2811: this method effectively just adds something to an array-list,
which is never even used. Is this method incomplete? what is it supposed to do?
This doesn’t really makes sense -> this and every use of this could be removed
——
- Line 2884: removed the if phrase, because {{connection}} cannot be null at
this time
- Line 2996: added a default Locale to {{toLowerCase()}}
- Line 2998: added a default Locale to {{toUppercase()}}
- Line 2958: changed the use of the variable {{type}} to {{null}} since this
variable is always null when this is executed
- Line 3014: it’s not necessary for the class to implement serialVerisonUID
- Line 3033: added a default Locale to {{toUpperCase()}}
- Line 3043: it’s not necessary for the class to implement serialVerisonUID
class JdbcValueHandler (this class produces more bugs in eclipse)
- removed unnecessary else
- Line 47: this was intended this way
- Line 185: added a default Locale to {{toUpperCase()}}
- Line 186: changed the String {{„(“}} to {{‚(‘}} because it is more efficient
- Line 290: this was intended this way
- Line 315: this was intended this way
- Line 342: this was intended this way
- Line 369: this was intended this way
- Line 395: this was intended this way
- Line 423: this was intended this way
- Line 509: this was intended this way
- Line 561: this was intended this way
- Line 587: this was intended this way
- Line 660: this was intended this way
- Line 685: this was intended this way
- Line 711: this was intended this way
- Line 736: this was intended this way
class SQLProcessor:
- Line 59, 60, 61: made the fields final
- Line 59: made the field private
didn’t change the rest, since this is all inside the entity-engine and there
won’t be sql injections
class SqlJdbcUtil:
- Line 228: removed unnecessary if phrase, {{whereCondition}} cannot be null at
this point
- Line 641: removed {{value instanceof String &&}} since {{value}} is declared
as a String one line above
> [FB] Package org.apache.ofbiz.entity.jdbc
> -----------------------------------------
>
> Key: OFBIZ-9782
> URL: https://issues.apache.org/jira/browse/OFBIZ-9782
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Dennis Balkir
> Priority: Minor
> Attachments: OFBIZ-9782_org.apache.ofbiz.entity.jdbc_bugfixes.patch
>
>
> --- CursorResultSet.java:38, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: new org.apache.ofbiz.entity.jdbc.CursorResultSet(Statement, String, int)
> passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- CursorResultSet.java:54, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.CursorResultSet.next() passes a nonconstant
> String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- CursorResultSet.java:59, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.CursorResultSet.close() passes a
> nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- CursorStatement.java:62, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.CursorStatement.invoke(Object, Method,
> Object[]) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:117, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of java.sql.DriverManager.getDriver(String), which
> is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getConnection(String, String,
> Properties, String, String)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:264, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of colInfo, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map, List, List, boolean,
> boolean, boolean, boolean)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:670, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map, List, List, boolean,
> boolean, boolean, boolean)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:704, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of tableIndexList, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map, List, List, boolean,
> boolean, boolean, boolean)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:920, REC_CATCH_EXCEPTION
> REC: Exception is caught when Exception is not thrown in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.printDbMiscData(DatabaseMetaData,
> Connection)
> This method uses a try-catch block that catches Exception objects, but
> Exception is not thrown within the try block, and RuntimeException is not
> explicitly caught. It is a common bug pattern to say try { ... } catch
> (Exception e) { something } as a shorthand for catching a number of types of
> exception each of whose catch blocks is identical, but this construct also
> accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that
> are thrown, or to explicitly catch RuntimeException exception, rethrow it,
> and then catch all non-Runtime Exceptions, as shown below:
> try {
> ...
> } catch (RuntimeException e) {
> throw e;
> } catch (Exception e) {
> ... deal with all non-runtime exceptions ...
> }
>
> --- DatabaseUtil.java:927, OBL_UNSATISFIED_OBLIGATION
> OBL:
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.printDbMiscData(DatabaseMetaData,
> Connection) may fail to clean up java.sql.Statement
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to [email protected]
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- DatabaseUtil.java:999, NP_NULL_ON_SOME_PATH
> NP: Possible null pointer dereference of tableSet in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getTableNames(Collection)
> There is a branch of statement that, if executed, guarantees that a null
> value will be dereferenced, which would generate a NullPointerException when
> the code is executed. Of course, the problem might be that the branch or
> statement is infeasible and that the null pointer exception can't ever be
> executed; deciding that is beyond the ability of FindBugs.
> --- DatabaseUtil.java:1008, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getTableNames(Collection)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1144, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getColumnInfo(Set, boolean,
> Collection, ExecutorService)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1238, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkPrimaryKeyInfo(ResultSet,
> String, boolean, Map, Collection)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1348, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getReferenceInfo(Set, Collection)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1466, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getIndexInfo(Set, Collection,
> boolean[])
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1494, NP_NULL_ON_SOME_PATH
> NP: Possible null pointer dereference of indexName in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getIndexInfo(Set, Collection,
> boolean[])
> There is a branch of statement that, if executed, guarantees that a null
> value will be dereferenced, which would generate a NullPointerException when
> the code is executed. Of course, the problem might be that the branch or
> statement is infeasible and that the null pointer exception can't ever be
> executed; deciding that is beyond the ability of FindBugs.
> --- DatabaseUtil.java:1593, URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD
> UrF: Unread public/protected field:
> org.apache.ofbiz.entity.jdbc.DatabaseUtil$AbstractCountingCallable.modelEntities
> This field is never read. The field is public or protected, so perhaps it is
> intended to be used with classes not seen as part of the analysis. If not,
> consider removing it from the class.
> --- DatabaseUtil.java:1637, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity, Map,
> boolean)
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
> --- DatabaseUtil.java:1732, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity, Map,
> boolean) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:1737, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity, Map,
> boolean)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:1774, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteTable(ModelEntity, List)
> passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:1781, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteTable(ModelEntity, List)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:1814, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity, ModelField)
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
> --- DatabaseUtil.java:1841, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity,
> ModelField) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:1875, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity, ModelField)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:1909, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity,
> ModelField, String)
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
> --- DatabaseUtil.java:1922, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity,
> ModelField, String) passes a nonconstant String to an execute method on an
> SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:1927, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity,
> ModelField, String)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:1972, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.repairColumnSize(ModelEntity,
> ModelField, List) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:1982, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.repairColumnSize(ModelEntity,
> ModelField, List)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2046, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.makeTempFieldName(ModelField)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:2067, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.makeFkConstraintName(ModelRelation,
> int)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:2175, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKey(ModelEntity,
> ModelRelation, ModelEntity, int, String, boolean) passes a nonconstant String
> to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2180, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKey(ModelEntity,
> ModelRelation, ModelEntity, int, String, boolean)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2343, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKey(ModelEntity,
> ModelRelation, ModelEntity, int) passes a nonconstant String to an execute
> method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2348, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKey(ModelEntity,
> ModelRelation, ModelEntity, int)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2361, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified,
> but its value never go outside of the method or produce any side-effect.
> Either there is a mistake and object was intended to be used or it can be
> removed.
> This analysis rarely produces false-positives. Common false-positive cases
> include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2414, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createPrimaryKey(ModelEntity,
> boolean, int) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2419, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createPrimaryKey(ModelEntity,
> boolean, int)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2435, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified,
> but its value never go outside of the method or produce any side-effect.
> Either there is a mistake and object was intended to be used or it can be
> removed.
> This analysis rarely produces false-positives. Common false-positive cases
> include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2492, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deletePrimaryKey(ModelEntity,
> boolean, int) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2499, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.deletePrimaryKey(ModelEntity,
> boolean, int)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2574, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL:
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createDeclaredIndex(ModelEntity,
> ModelIndex) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2579, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createDeclaredIndex(ModelEntity,
> ModelIndex)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2624, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified,
> but its value never go outside of the method or produce any side-effect.
> Either there is a mistake and object was intended to be used or it can be
> removed.
> This analysis rarely produces false-positives. Common false-positive cases
> include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2691, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL:
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteDeclaredIndex(ModelEntity,
> ModelIndex) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2696, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteDeclaredIndex(ModelEntity,
> ModelIndex)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2774, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL:
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKeyIndex(ModelEntity,
> ModelRelation, int) passes a nonconstant String to an execute method on an
> SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2779, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKeyIndex(ModelEntity,
> ModelRelation, int)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2821, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified,
> but its value never go outside of the method or produce any side-effect.
> Either there is a mistake and object was intended to be used or it can be
> removed.
> This analysis rarely produces false-positives. Common false-positive cases
> include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2894, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL:
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKeyIndex(ModelEntity,
> ModelRelation, int) passes a nonconstant String to an execute method on an
> SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2899, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKeyIndex(ModelEntity,
> ModelRelation, int)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- DatabaseUtil.java:2913, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.getSchemaName(DatabaseMetaData)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:2963, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL:
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.updateCharacterSetAndCollation(ModelEntity,
> List) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- DatabaseUtil.java:2975, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil.updateCharacterSetAndCollation(ModelEntity,
> List)
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
> --- DatabaseUtil.java:3031, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.entity.jdbc.DatabaseUtil$ColumnCheckInfo is
> Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a
> serialVersionUID field. A change as simple as adding a reference to a .class
> object will add synthetic fields to the class, which will unfortunately
> change the implicit serialVersionUID (e.g., adding a reference to
> String.class will generate a static field class$java$lang$String). Also,
> different source code to bytecode compilers may use different naming
> conventions for synthetic variables generated for references to class objects
> or inner classes. To ensure interoperability of Serializable across versions,
> consider adding an explicit serialVersionUID.
> --- DatabaseUtil.java:3050, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.DatabaseUtil$ColumnCheckInfo.fixupTableName(String,
> String, boolean)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:3060, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.entity.jdbc.DatabaseUtil$ReferenceCheckInfo is
> Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a
> serialVersionUID field. A change as simple as adding a reference to a .class
> object will add synthetic fields to the class, which will unfortunately
> change the implicit serialVersionUID (e.g., adding a reference to
> String.class will generate a static field class$java$lang$String). Also,
> different source code to bytecode compilers may use different naming
> conventions for synthetic variables generated for references to class objects
> or inner classes. To ensure interoperability of Serializable across versions,
> consider adding an explicit serialVersionUID.
> --- JdbcValueHandler.java:184, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.entity.jdbc.JdbcValueHandler.parseSqlType(String)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- JdbcValueHandler.java:470, DE_MIGHT_IGNORE
> DE:
> org.apache.ofbiz.entity.jdbc.JdbcValueHandler$ClobJdbcValueHandler.getValue(ResultSet,
> int) might ignore java.io.IOException
> This method might ignore an exception. In general, exceptions should be
> handled or reported in some way, or they should be thrown out of the method.
> --- SQLProcessor.java:59, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.CONNECTION_TEST_LIST isn't
> final but should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> --- SQLProcessor.java:60, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.MAX_CONNECTIONS isn't final but
> should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> --- SQLProcessor.java:61, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.ENABLE_TEST isn't final but
> should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> --- SQLProcessor.java:337,
> SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in
> org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String)
> The code creates an SQL prepared statement from a nonconstant String. If
> unchecked, tainted data from a user is used in building this String, SQL
> injection could be used to make the prepared statement do something
> unexpected and undesirable.
> --- SQLProcessor.java:350,
> SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in
> org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String, boolean,
> int, int)
> The code creates an SQL prepared statement from a nonconstant String. If
> unchecked, tainted data from a user is used in building this String, SQL
> injection could be used to make the prepared statement do something
> unexpected and undesirable.
> --- SQLProcessor.java:376,
> SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in
> org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String, boolean,
> int, int, int, int)
> The code creates an SQL prepared statement from a nonconstant String. If
> unchecked, tainted data from a user is used in building this String, SQL
> injection could be used to make the prepared statement do something
> unexpected and undesirable.
> --- SQLProcessor.java:416,
> SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in
> org.apache.ofbiz.entity.jdbc.SQLProcessor.executeQuery(String)
> The code creates an SQL prepared statement from a nonconstant String. If
> unchecked, tainted data from a user is used in building this String, SQL
> injection could be used to make the prepared statement do something
> unexpected and undesirable.
> --- SQLProcessor.java:449, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.SQLProcessor.executeUpdate(String) passes a
> nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a
> String that seems to be dynamically generated. Consider using a prepared
> statement instead. It is more efficient and less vulnerable to SQL injection
> attacks.
> --- SQLProcessor.java:513,
> SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in
> org.apache.ofbiz.entity.jdbc.SQLProcessor.execQuery(String,
> ExecQueryCallbackFunctionIF)
> The code creates an SQL prepared statement from a nonconstant String. If
> unchecked, tainted data from a user is used in building this String, SQL
> injection could be used to make the prepared statement do something
> unexpected and undesirable.
> --- SqlJdbcUtil.java:228, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of whereCondition, which is known to be non-null in
> org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.makeFromClause(ModelEntity,
> ModelFieldTypeReader, Datasource)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- SqlJdbcUtil.java:612, SF_SWITCH_NO_DEFAULT
> SF: Switch statement found in
> org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet, int, ModelField,
> GenericEntity, ModelFieldTypeReader) where default case is missing
> This method contains a switch statement where default case is missing.
> Usually you need to provide a default case.
> Because the analysis only looks at the generated bytecode, this warning can
> be incorrect triggered if the default case is at the end of the switch
> statement and the switch statement doesn't contain break statements for other
> cases.
> --- SqlJdbcUtil.java:643, SIO_SUPERFLUOUS_INSTANCEOF
> SIO: org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet, int,
> ModelField, GenericEntity, ModelFieldTypeReader) does an unnecessary type
> check using instanceof operator when it can be determined statically
> Type check performed using the instanceof operator where it can be statically
> determined whether the object is of the type requested.
> --- SqlJdbcUtil.java:643, BC_VACUOUS_INSTANCEOF
> BC: instanceof will always return true for all nonnull values in
> org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet, int, ModelField,
> GenericEntity, ModelFieldTypeReader), since all String are instances of String
> This instanceof test will always return true (unless the value being tested
> is null). Although this is safe, make sure it isn't an indication of some
> misunderstanding or some other logic error. If you really want to test the
> value for being null, perhaps it would be clearer to do better to do a null
> test rather than an instanceof test.
> --- SqlJdbcUtil.java:882, SF_SWITCH_NO_DEFAULT
> SF: Switch statement found in
> org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.setValue(SQLProcessor, ModelField,
> String, Object, ModelFieldTypeReader) where default case is missing
> This method contains a switch statement where default case is missing.
> Usually you need to provide a default case.
> Because the analysis only looks at the generated bytecode, this warning can
> be incorrect triggered if the default case is at the end of the switch
> statement and the switch statement doesn't contain break statements for other
> cases.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
