Dennis Balkir created OFBIZ-9859:
------------------------------------
Summary: [FB] Package org.apache.ofbiz.content.content
Key: OFBIZ-9859
URL: https://issues.apache.org/jira/browse/OFBIZ-9859
Project: OFBiz
Issue Type: Sub-task
Components: content
Affects Versions: Trunk
Reporter: Dennis Balkir
Priority: Minor
--- ContentKeywordIndex.java:59, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of delegator, which is known to be non-null in
org.apache.ofbiz.content.content.ContentKeywordIndex.indexKeywords(GenericValue,
boolean)
This method contains a redundant check of a known non-null value against the
constant null.
--- ContentKeywordIndex.java:73, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
org.apache.ofbiz.content.content.ContentKeywordIndex.indexKeywords(GenericValue,
boolean)
A String is being converted to upper or lowercase, using the platform's default
encoding. This may result in improper conversions when used with international
characters. Use the
String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.
--- ContentMapFacade.java:54, MS_MUTABLE_COLLECTION_PKGPROTECT
Field is a mutable collection which should be package protected
A mutable collection instance is assigned to a final static field, thus can be
changed by malicious code or by accident from another package. The field could
be made package protected to avoid this vulnerability. Alternatively you may
wrap this field into Collections.unmodifiableSet/List/Map/etc. to avoid this
vulnerability.
--- ContentMapFacade.java:418, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
org.apache.ofbiz.content.content.ContentMapFacade$Content.get(Object)
A String is being converted to upper or lowercase, using the platform's default
encoding. This may result in improper conversions when used with international
characters. Use the
String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.
--- ContentMapFacade.java:451, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
org.apache.ofbiz.content.content.ContentMapFacade$SubContent.get(Object)
A String is being converted to upper or lowercase, using the platform's default
encoding. This may result in improper conversions when used with international
characters. Use the
String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.
--- ContentPermissionServices.java:181, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of entityAction, which is known to be non-null in
org.apache.ofbiz.content.content.ContentPermissionServices.checkContentPermission(DispatchContext,
Map)
This method contains a redundant check of a known non-null value against the
constant null.
--- ContentPermissionServices.java:238, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of auxGetter, which is known to be non-null in
org.apache.ofbiz.content.content.ContentPermissionServices.checkContentPermission(DispatchContext,
Map)
This method contains a redundant check of a known non-null value against the
constant null.
--- ContentPermissionServices.java:243, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of roleGetter, which is known to be non-null in
org.apache.ofbiz.content.content.ContentPermissionServices.checkContentPermission(DispatchContext,
Map)
This method contains a redundant check of a known non-null value against the
constant null.
--- ContentSearch.java:451, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.content.content.ContentSearch$ContentAssocConstraint is
Serializable; consider declaring a serialVersionUID
This class implements the Serializable interface, but does not define a
serialVersionUID field. A change as simple as adding a reference to a .class
object will add synthetic fields to the class, which will unfortunately change
the implicit serialVersionUID (e.g., adding a reference to String.class will
generate a static field class$java$lang$String). Also, different source code to
bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure
interoperability of Serializable across versions, consider adding an explicit
serialVersionUID.
--- ContentSearch.java:564, HE_EQUALS_USE_HASHCODE
HE: org.apache.ofbiz.content.content.ContentSearch$ContentAssocConstraint
defines equals and uses Object.hashCode()
This class overrides equals(Object), but does not override hashCode(), and
inherits the implementation of hashCode() from java.lang.Object (which returns
the identity hash code, an arbitrary value assigned to the object by the VM).
Therefore, the class is very likely to violate the invariant that equal objects
must have equal hashcodes.
If you don't think instances of this class will ever be inserted into a
HashMap/HashTable, the recommended hashCode implementation to use is:
public int hashCode() {
assert false : "hashCode not designed";
return 42; // any arbitrary constant will do
}
--- ContentSearch.java:564, BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS
BC: Equals method for
org.apache.ofbiz.content.content.ContentSearch$ContentAssocConstraint assumes
the argument is of type ContentSearch$ContentAssocConstraint
The equals(Object o) method shouldn't make any assumptions about the type of o.
It should simply return false if o is not the same type as this.
--- ContentSearch.java:604, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.content.content.ContentSearch$KeywordConstraint is
Serializable; consider declaring a serialVersionUID
This class implements the Serializable interface, but does not define a
serialVersionUID field. A change as simple as adding a reference to a .class
object will add synthetic fields to the class, which will unfortunately change
the implicit serialVersionUID (e.g., adding a reference to String.class will
generate a static field class$java$lang$String). Also, different source code to
bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure
interoperability of Serializable across versions, consider adding an explicit
serialVersionUID.
--- ContentSearch.java:685, BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS
BC: Equals method for
org.apache.ofbiz.content.content.ContentSearch$KeywordConstraint assumes the
argument is of type ContentSearch$KeywordConstraint
The equals(Object o) method shouldn't make any assumptions about the type of o.
It should simply return false if o is not the same type as this.
--- ContentSearch.java:685, HE_EQUALS_USE_HASHCODE
HE: org.apache.ofbiz.content.content.ContentSearch$KeywordConstraint defines
equals and uses Object.hashCode()
This class overrides equals(Object), but does not override hashCode(), and
inherits the implementation of hashCode() from java.lang.Object (which returns
the identity hash code, an arbitrary value assigned to the object by the VM).
Therefore, the class is very likely to violate the invariant that equal objects
must have equal hashcodes.
If you don't think instances of this class will ever be inserted into a
HashMap/HashTable, the recommended hashCode implementation to use is:
public int hashCode() {
assert false : "hashCode not designed";
return 42; // any arbitrary constant will do
}
--- ContentSearch.java:722, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint
is Serializable; consider declaring a serialVersionUID
This class implements the Serializable interface, but does not define a
serialVersionUID field. A change as simple as adding a reference to a .class
object will add synthetic fields to the class, which will unfortunately change
the implicit serialVersionUID (e.g., adding a reference to String.class will
generate a static field class$java$lang$String). Also, different source code to
bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure
interoperability of Serializable across versions, consider adding an explicit
serialVersionUID.
--- ContentSearch.java:723, EI_EXPOSE_REP2
EI2: new
org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint(Timestamp,
Timestamp) may expose internal representation by storing an externally mutable
object into ContentSearch$LastUpdatedRangeConstraint.fromDate
This code stores a reference to an externally mutable object into the internal
representation of the object. If instances are accessed by untrusted code, and
unchecked changes to the mutable object would compromise security or other
important properties, you will need to do something different. Storing a copy
of the object is better approach in many situations.
--- ContentSearch.java:724, EI_EXPOSE_REP2
EI2: new
org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint(Timestamp,
Timestamp) may expose internal representation by storing an externally mutable
object into ContentSearch$LastUpdatedRangeConstraint.thruDate
This code stores a reference to an externally mutable object into the internal
representation of the object. If instances are accessed by untrusted code, and
unchecked changes to the mutable object would compromise security or other
important properties, you will need to do something different. Storing a copy
of the object is better approach in many situations.
--- ContentSearch.java:773, HE_EQUALS_USE_HASHCODE
HE: org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint
defines equals and uses Object.hashCode()
This class overrides equals(Object), but does not override hashCode(), and
inherits the implementation of hashCode() from java.lang.Object (which returns
the identity hash code, an arbitrary value assigned to the object by the VM).
Therefore, the class is very likely to violate the invariant that equal objects
must have equal hashcodes.
If you don't think instances of this class will ever be inserted into a
HashMap/HashTable, the recommended hashCode implementation to use is:
public int hashCode() {
assert false : "hashCode not designed";
return 42; // any arbitrary constant will do
}
--- ContentSearch.java:773, BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS
BC: Equals method for
org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint
assumes the argument is of type ContentSearch$LastUpdatedRangeConstraint
The equals(Object o) method shouldn't make any assumptions about the type of o.
It should simply return false if o is not the same type as this.
--- ContentSearch.java:818, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.content.content.ContentSearch$SortKeywordRelevancy is
Serializable; consider declaring a serialVersionUID
This class implements the Serializable interface, but does not define a
serialVersionUID field. A change as simple as adding a reference to a .class
object will add synthetic fields to the class, which will unfortunately change
the implicit serialVersionUID (e.g., adding a reference to String.class will
generate a static field class$java$lang$String). Also, different source code to
bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure
interoperability of Serializable across versions, consider adding an explicit
serialVersionUID.
--- ContentSearch.java:858, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.content.content.ContentSearch$SortContentField is
Serializable; consider declaring a serialVersionUID
This class implements the Serializable interface, but does not define a
serialVersionUID field. A change as simple as adding a reference to a .class
object will add synthetic fields to the class, which will unfortunately change
the implicit serialVersionUID (e.g., adding a reference to String.class will
generate a static field class$java$lang$String). Also, different source code to
bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure
interoperability of Serializable across versions, consider adding an explicit
serialVersionUID.
--- ContentSearchSession.java:46, SE_NO_SERIALVERSIONID
SnVI:
org.apache.ofbiz.content.content.ContentSearchSession$ContentSearchOptions is
Serializable; consider declaring a serialVersionUID
This class implements the Serializable interface, but does not define a
serialVersionUID field. A change as simple as adding a reference to a .class
object will add synthetic fields to the class, which will unfortunately change
the implicit serialVersionUID (e.g., adding a reference to String.class will
generate a static field class$java$lang$String). Also, different source code to
bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure
interoperability of Serializable across versions, consider adding an explicit
serialVersionUID.
--- ContentServices.java:78, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
org.apache.ofbiz.content.content.ContentServices.findRelatedContent(DispatchContext,
Map)
A String is being converted to upper or lowercase, using the platform's default
encoding. This may result in improper conversions when used with international
characters. Use the
String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.
--- ContentServices.java:837, DLS_DEAD_LOCAL_STORE
DLS: Dead store to subContentDataResourceView in
org.apache.ofbiz.content.content.ContentServices.renderSubContentAsText(DispatchContext,
Map)
This instruction assigns a value to a local variable, but the value is not read
or used in any subsequent instruction. Often, this indicates an error, because
the value computed is never used.
Note that Sun's javac compiler often generates dead stores for final local
variables. Because FindBugs is a bytecode-based tool, there is no easy way to
eliminate these false positives.
--- ContentServicesComplex.java:232, DLS_DEAD_LOCAL_STORE
DLS: Dead store to fromDate in
org.apache.ofbiz.content.content.ContentServicesComplex.getAssocAndContentAndDataResourceCacheMethod(Delegator,
String, String, String, Timestamp, String, List, List, Boolean, String, String)
This instruction assigns a value to a local variable, but the value is not read
or used in any subsequent instruction. Often, this indicates an error, because
the value computed is never used.
Note that Sun's javac compiler often generates dead stores for final local
variables. Because FindBugs is a bytecode-based tool, there is no easy way to
eliminate these false positives.
--- ContentUrlFilter.java:55, BC_UNCONFIRMED_CAST
BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to
javax.servlet.http.HttpServletRequest in
org.apache.ofbiz.content.content.ContentUrlFilter.doFilter(ServletRequest,
ServletResponse, FilterChain)
This cast is unchecked, and not all instances of the type casted from can be
cast to the type it is being cast to. Check that your program logic ensures
that this cast will not fail.
--- ContentUrlFilter.java:56, BC_UNCONFIRMED_CAST
BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to
javax.servlet.http.HttpServletResponse in
org.apache.ofbiz.content.content.ContentUrlFilter.doFilter(ServletRequest,
ServletResponse, FilterChain)
This cast is unchecked, and not all instances of the type casted from can be
cast to the type it is being cast to. Check that your program logic ensures
that this cast will not fail.
--- ContentWorker.java:155, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of targetLocaleString, which is known to be non-null
in
org.apache.ofbiz.content.content.ContentWorker.findContentForRendering(Delegator,
String, Locale, String, String, boolean)
This method contains a redundant check of a known non-null value against the
constant null.
--- ContentWorker.java:191, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
RCN: Nullcheck of dispatcher at line 198 of value previously dereferenced in
org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher,
GenericValue, Appendable, Map, Locale, String, boolean, List)
A value is checked here to see whether it is null, but this value can't be null
because it was previously dereferenced and if it were null a null pointer
exception would have occurred at the earlier dereference. Essentially, this
code and the previous dereference disagree as to whether this value is allowed
to be null. Either the check is redundant or the previous dereference is
erroneous.
--- ContentWorker.java:201, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of service, which is known to be non-null in
org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher,
GenericValue, Appendable, Map, Locale, String, boolean, List)
This method contains a redundant check of a known non-null value against the
constant null.
--- ContentWorker.java:292, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of textData, which is known to be non-null in
org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher,
GenericValue, Appendable, Map, Locale, String, boolean, List)
This method contains a redundant check of a known non-null value against the
constant null.
--- ContentWorker.java:305, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher,
GenericValue, Appendable, Map, Locale, String, boolean, List)
A String is being converted to upper or lowercase, using the platform's default
encoding. This may result in improper conversions when used with international
characters. Use the
String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.
--- ContentWorker.java:718, NP_LOAD_OF_KNOWN_NULL_VALUE
NP: Load of known null value in
org.apache.ofbiz.content.content.ContentWorker.selectKids(Map, Map)
The variable referenced at this point is known to be null due to an earlier
check against null. Although this is valid, it might be a mistake (perhaps you
intended to refer to a different variable, or perhaps the earlier check to see
if the variable is null should have been a check to see if it was non-null).
--- ContentWorker.java:1119, NP_LOAD_OF_KNOWN_NULL_VALUE
NP: Load of known null value in
org.apache.ofbiz.content.content.ContentWorker.getSubContentCache(Delegator,
String, String, GenericValue, List, Timestamp, Boolean, String)
The variable referenced at this point is known to be null due to an earlier
check against null. Although this is valid, it might be a mistake (perhaps you
intended to refer to a different variable, or perhaps the earlier check to see
if the variable is null should have been a check to see if it was non-null).
--- ContentWorker.java:1176, NP_LOAD_OF_KNOWN_NULL_VALUE
NP: Load of known null value in
org.apache.ofbiz.content.content.ContentWorker.getCurrentContent(Delegator,
List, GenericValue, Map, Boolean, String)
The variable referenced at this point is known to be null due to an earlier
check against null. Although this is valid, it might be a mistake (perhaps you
intended to refer to a different variable, or perhaps the earlier check to see
if the variable is null should have been a check to see if it was non-null).
--- ContentWorker.java:1253, NP_NULL_PARAM_DEREF
NP: Null passed for nonnull parameter of getPurposes(GenericValue) in
org.apache.ofbiz.content.content.ContentWorker.checkConditions(Delegator, Map,
Map, Map)
This method call passes a null value for a non-null method parameter. Either
the parameter is annotated as a parameter that should always be non-null, or
analysis has shown that it will always be dereferenced.
--- ContentWorker.java:1578, WMI_WRONG_MAP_ITERATOR
WMI: org.apache.ofbiz.content.content.ContentWorker.logMap(StringBuilder,
String, Map, StringBuilder) makes inefficient use of keySet iterator instead of
entrySet iterator
This method accesses the value of a Map entry, using a key that was retrieved
from a keySet iterator. It is more efficient to use an iterator on the entrySet
of the map, to avoid the Map.get(key) lookup.
--- PermissionRecorder.java:53, MS_PKGPROTECT
MS: org.apache.ofbiz.content.content.PermissionRecorder.opFields should be
package protected
A mutable static field could be changed by malicious code or by accident. The
field could be made package protected to avoid this vulnerability.
--- PermissionRecorder.java:54, MS_PKGPROTECT
MS: org.apache.ofbiz.content.content.PermissionRecorder.fieldTitles should be
package protected
A mutable static field could be changed by malicious code or by accident. The
field could be made package protected to avoid this vulnerability.
--- PermissionRecorder.java:93, EI_EXPOSE_REP
EI:
org.apache.ofbiz.content.content.PermissionRecorder.getContentPurposeOperations()
may expose internal representation by returning
PermissionRecorder.contentPurposeOperations
Returning a reference to a mutable object value stored in one of the object's
fields exposes the internal representation of the object. If instances are
accessed by untrusted code, and unchecked changes to the mutable object would
compromise security or other important properties, you will need to do
something different. Returning a new copy of the object is better approach in
many situations.
--- PermissionRecorder.java:109, EI_EXPOSE_REP
EI: org.apache.ofbiz.content.content.PermissionRecorder.getStatusTargets() may
expose internal representation by returning PermissionRecorder.statusTargets
Returning a reference to a mutable object value stored in one of the object's
fields exposes the internal representation of the object. If instances are
accessed by untrusted code, and unchecked changes to the mutable object would
compromise security or other important properties, you will need to do
something different. Returning a new copy of the object is better approach in
many situations.
--- PermissionRecorder.java:117, EI_EXPOSE_REP
EI: org.apache.ofbiz.content.content.PermissionRecorder.getTargetOperations()
may expose internal representation by returning
PermissionRecorder.targetOperations
Returning a reference to a mutable object value stored in one of the object's
fields exposes the internal representation of the object. If instances are
accessed by untrusted code, and unchecked changes to the mutable object would
compromise security or other important properties, you will need to do
something different. Returning a new copy of the object is better approach in
many situations.
--- PermissionRecorder.java:287, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
org.apache.ofbiz.content.content.PermissionRecorder.renderResultRowHtml(Map,
Map)
A String is being converted to upper or lowercase, using the platform's default
encoding. This may result in improper conversions when used with international
characters. Use the
String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.
--- UploadContentAndImage.java:315, REC_CATCH_EXCEPTION
REC: Exception is caught when Exception is not thrown in
org.apache.ofbiz.content.content.UploadContentAndImage.uploadContentAndImage(HttpServletRequest,
HttpServletResponse)
This method uses a try-catch block that catches Exception objects, but
Exception is not thrown within the try block, and RuntimeException is not
explicitly caught. It is a common bug pattern to say try { ... } catch
(Exception e) { something } as a shorthand for catching a number of types of
exception each of whose catch blocks is identical, but this construct also
accidentally catches RuntimeException as well, masking potential bugs.
A better approach is to either explicitly catch the specific exceptions that
are thrown, or to explicitly catch RuntimeException exception, rethrow it, and
then catch all non-Runtime Exceptions, as shown below:
try {
...
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
... deal with all non-runtime exceptions ...
}
--- UploadContentAndImage.java:353, DLS_DEAD_LOCAL_STORE
DLS: Dead store to imageBytes in
org.apache.ofbiz.content.content.UploadContentAndImage.uploadContentStuff(HttpServletRequest,
HttpServletResponse)
This instruction assigns a value to a local variable, but the value is not read
or used in any subsequent instruction. Often, this indicates an error, because
the value computed is never used.
Note that Sun's javac compiler often generates dead stores for final local
variables. Because FindBugs is a bytecode-based tool, there is no easy way to
eliminate these false positives.
--- UploadContentAndImage.java:401, REC_CATCH_EXCEPTION
REC: Exception is caught when Exception is not thrown in
org.apache.ofbiz.content.content.UploadContentAndImage.uploadContentStuff(HttpServletRequest,
HttpServletResponse)
This method uses a try-catch block that catches Exception objects, but
Exception is not thrown within the try block, and RuntimeException is not
explicitly caught. It is a common bug pattern to say try { ... } catch
(Exception e) { something } as a shorthand for catching a number of types of
exception each of whose catch blocks is identical, but this construct also
accidentally catches RuntimeException as well, masking potential bugs.
A better approach is to either explicitly catch the specific exceptions that
are thrown, or to explicitly catch RuntimeException exception, rethrow it, and
then catch all non-Runtime Exceptions, as shown below:
try {
...
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
... deal with all non-runtime exceptions ...
}
--- UploadContentAndImage.java:531, DLS_DEAD_LOCAL_STORE
DLS: Dead store to ftlResults in
org.apache.ofbiz.content.content.UploadContentAndImage.processContentUpload(Map,
String, HttpServletRequest)
This instruction assigns a value to a local variable, but the value is not read
or used in any subsequent instruction. Often, this indicates an error, because
the value computed is never used.
Note that Sun's javac compiler often generates dead stores for final local
variables. Because FindBugs is a bytecode-based tool, there is no easy way to
eliminate these false positives.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
