[
https://issues.apache.org/jira/browse/OFBIZ-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl closed OFBIZ-9819.
--------------------------------
Resolution: Implemented
Fix Version/s: Upcoming Release
Thanks Dennis,
your patch is in trunk r1817687.
I've modified the patch to check the UPS connection string if it is empty and
throw an UpsConnectException instead of just doing nothing.
The solution in the patch would otherwise change the business functionality.
> [FB] Package org.apache.ofbiz.shipment.thirdparty.ups
> -----------------------------------------------------
>
> Key: OFBIZ-9819
> URL: https://issues.apache.org/jira/browse/OFBIZ-9819
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Dennis Balkir
> Assignee: Michael Brohl
> Priority: Minor
> Fix For: Upcoming Release
>
> Attachments:
> OFBIZ-9819_org.apache.ofbiz.shipment.thirdparty.ups_bugfixes.patch
>
>
> --- UpsServices.java:80, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.unitsUpsToOfbiz
> isn't final but should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> --- UpsServices.java:81, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.unitsOfbizToUps
> isn't final but should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
> --- UpsServices.java:118, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:487, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> RCN: Nullcheck of shipmentPackage at line 487 of value previously
> dereferenced in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map)
> A value is checked here to see whether it is null, but this value can't be
> null because it was previously dereferenced and if it were null a null
> pointer exception would have occurred at the earlier dereference.
> Essentially, this code and the previous dereference disagree as to whether
> this value is allowed to be null. Either the check is redundant or the
> previous dereference is erroneous.
> --- UpsServices.java:507, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- UpsServices.java:634, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to findb...@cs.umd.edu
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:634, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:635, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:831, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:911, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:911, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to findb...@cs.umd.edu
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:912, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:978, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
> GenericValue, List, Delegator, String, String, Map, Locale)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:1112, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
> GenericValue, List, Delegator, String, String, Map, Locale):
> String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:1182, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
> GenericValue, List, Delegator, String, String, Map, Locale) may fail to
> close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:1232, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:1305, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to findb...@cs.umd.edu
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:1305, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:1306, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:1431, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:1505, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to findb...@cs.umd.edu
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:1505, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:1506, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:1873, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of conStr, which is known to be non-null in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.sendUpsRequest(String,
> String, String, String, Delegator, Locale)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- UpsServices.java:1949, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to shippableTotal in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:1952, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to shippableQuantity in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:1955, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to shippableWeight in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2063, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to maxWeight in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2070, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to minWeight in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2323, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> RV: Exceptional return value of java.io.File.mkdirs() ignored in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map)
> This method returns a value that is not checked. The return value should be
> checked since it can indicate an unusual or unexpected function execution.
> For example, the File.delete() method returns false if the file could not be
> successfully deleted (rather than throwing an Exception). If you don't check
> the result, you won't notice if the method invocation signals unexpected
> behavior by returning an atypical return value.
> --- UpsServices.java:2669, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to findb...@cs.umd.edu
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UpsServices.java:2669, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UpsServices.java:2670, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UpsServices.java:2701, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to upsRateInquireMode in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAlternateRatesInquiry(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UpsServices.java:2903, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAlternateRatesInquiry(DispatchContext,
> Map)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
