[
https://issues.apache.org/jira/browse/OFBIZ-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl reassigned OFBIZ-9819:
------------------------------------
Assignee: Michael Brohl
> [FB] Package org.apache.ofbiz.shipment.thirdparty.ups
> -----------------------------------------------------
>
> Key: OFBIZ-9819
> URL: https://issues.apache.org/jira/browse/OFBIZ-9819
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Dennis Balkir
> Assignee: Michael Brohl
> Priority: Minor
> Attachments:
> OFBIZ-9819_org.apache.ofbiz.shipment.thirdparty.ups_bugfixes.patch
>
>
> --- UpsServices.java:80, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.unitsUpsToOfbiz
> isn't final but should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> --- UpsServices.java:81, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.unitsOfbizToUps
> isn't final but should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> --- UpsServices.java:118, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:487, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> RCN: Nullcheck of shipmentPackage at line 487 of value previously
> dereferenced in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map)
> A value is checked here to see whether it is null, but this value can't be
> null because it was previously dereferenced and if it were null a null
> pointer exception would have occurred at the earlier dereference.
> Essentially, this code and the previous dereference disagree as to whether
> this value is allowed to be null. Either the check is redundant or the
> previous dereference is erroneous.
> --- UpsServices.java:507, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- UpsServices.java:634, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to [email protected]
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:634, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:635, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:831, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:911, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:911, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to [email protected]
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:912, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:978, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
> GenericValue, List, Delegator, String, String, Map, Locale)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:1112, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
> GenericValue, List, Delegator, String, String, Map, Locale):
> String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:1182, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
> GenericValue, List, Delegator, String, String, Map, Locale) may fail to
> close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:1232, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:1305, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to [email protected]
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:1305, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:1306, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:1431, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:1505, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to [email protected]
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:1505, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:1506, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:1873, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of conStr, which is known to be non-null in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.sendUpsRequest(String,
> String, String, String, Delegator, Locale)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- UpsServices.java:1949, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to shippableTotal in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:1952, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to shippableQuantity in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:1955, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to shippableWeight in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2063, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to maxWeight in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2070, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to minWeight in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2323, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:2669, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to [email protected]
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:2669, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:2670, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:2701, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to upsRateInquireMode in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAlternateRatesInquiry(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2903, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAlternateRatesInquiry(DispatchContext,
> Map)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
