[
https://issues.apache.org/jira/browse/OFBIZ-9820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl closed OFBIZ-9820.
--------------------------------
Resolution: Implemented
Fix Version/s: Upcoming Release
Thanks Dennis,
your patch is in trunk r1817688.
> [FB] Package org.apache.ofbiz.shipment.thirdparty.usps
> ------------------------------------------------------
>
> Key: OFBIZ-9820
> URL: https://issues.apache.org/jira/browse/OFBIZ-9820
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Dennis Balkir
> Assignee: Michael Brohl
> Priority: Minor
> Fix For: Upcoming Release
>
> Attachments:
> OFBIZ-9820_org.apache.ofbiz.shipment.thirdparty.usps_bugfixes.patch
>
>
> --- UspsMockApiServlet.java:47, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.shipment.thirdparty.usps.UspsMockApiServlet is
> Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a
> serialVersionUID field. A change as simple as adding a reference to a .class
> object will add synthetic fields to the class, which will unfortunately
> change the implicit serialVersionUID (e.g., adding a reference to
> String.class will generate a static field class$java$lang$String). Also,
> different source code to bytecode compilers may use different naming
> conventions for synthetic variables generated for references to class objects
> or inner classes. To ensure interoperability of Serializable across versions,
> consider adding an explicit serialVersionUID.
> --- UspsMockApiServlet.java:129, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsMockApiServlet.doGet(HttpServletRequest,
> HttpServletResponse): java.io.ByteArrayOutputStream.toString()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UspsServices.java:152, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsRateInquire(DispatchContext,
> Map)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- UspsServices.java:166, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to maxWeight in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsRateInquire(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UspsServices.java:296, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> RCN: Nullcheck of shipToAddress at line 296 of value previously dereferenced
> in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsInternationalRateInquire(DispatchContext,
> Map)
> A value is checked here to see whether it is null, but this value can't be
> null because it was previously dereferenced and if it were null a null
> pointer exception would have occurred at the earlier dereference.
> Essentially, this code and the previous dereference disagree as to whether
> this value is allowed to be null. Either the check is redundant or the
> previous dereference is erroneous.
> --- UspsServices.java:331, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to maxWeight in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsInternationalRateInquire(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UspsServices.java:361, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsInternationalRateInquire(DispatchContext,
> Map)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- UspsServices.java:1057, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to result in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsUpdateShipmentRateInfo(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UspsServices.java:1406, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsDeliveryConfirmation(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UspsServices.java:1447, OS_OPEN_STREAM_EXCEPTION_PATH
> OS:
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsDumpShipmentLabelImages(DispatchContext,
> Map) may fail to close stream on exception
> The method creates an IO stream object, does not assign it to any fields,
> pass it to other methods, or return it, and does not appear to close it on
> all possible exception paths out of the method. This may result in a file
> descriptor leak. It is generally a good idea to use a finally block to
> ensure that streams are closed.
> --- UspsServices.java:1447, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> OBL:
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsDumpShipmentLabelImages(DispatchContext,
> Map) may fail to clean up java.io.OutputStream on checked exception
> This method may fail to clean up (close, dispose of) a stream, database
> object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should
> use a try/finally block to ensure that the stream or resource is cleaned up
> before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and
> ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and
> hopefully better) static analysis technique. We are interested is getting
> feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to [email protected]
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern
> have not been extensively tuned, so reports about false positives are helpful
> to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling
> Mistakes, for a description of the analysis technique.
> --- UspsServices.java:1547, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to fromCustomsReference in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsPriorityMailInternationalLabel(DispatchContext,
> Map)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> --- UspsServices.java:1615, NP_NULL_ON_SOME_PATH_EXCEPTION
> NP: Possible null pointer dereference of product in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsPriorityMailInternationalLabel(DispatchContext,
> Map) on exception path
> A reference value which is null on some exception control path is
> dereferenced here. This may lead to a NullPointerException when the code is
> executed. Note that because FindBugs currently does not prune infeasible
> exception paths, this may be a false warning.
> Also note that FindBugs considers the default case of a switch statement to
> be an exception path, since the default case is often infeasible.
> --- UspsServices.java:1624, NP_NULL_ON_SOME_PATH_EXCEPTION
> NP: Possible null pointer dereference of originGeo in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsPriorityMailInternationalLabel(DispatchContext,
> Map) on exception path
> A reference value which is null on some exception control path is
> dereferenced here. This may lead to a NullPointerException when the code is
> executed. Note that because FindBugs currently does not prune infeasible
> exception paths, this may be a false warning.
> Also note that FindBugs considers the default case of a switch statement to
> be an exception path, since the default case is often infeasible.
> --- UspsServices.java:1647, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.uspsPriorityMailInternationalLabel(DispatchContext,
> Map): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UspsServices.java:1701, DM_DEFAULT_ENCODING
> Dm: Found reliance on default encoding in
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.sendUspsRequest(String,
> Document, Delegator, String, String, Locale):
> java.io.ByteArrayOutputStream.toString()
> Found a call to a method which will perform a byte to String (or String to
> byte) conversion, and will assume that the default platform encoding is
> suitable. This will cause the application behaviour to vary between
> platforms. Use an alternative API and specify a charset name or Charset
> object explicitly.
> --- UspsServices.java:1755, PZLA_PREFER_ZERO_LENGTH_ARRAYS
> PZLA: Should
> org.apache.ofbiz.shipment.thirdparty.usps.UspsServices.convertPoundsToPoundsOunces(BigDecimal)
> return a zero length array rather than null?
> It is often a better design to return a length zero array rather than a null
> reference to indicate that there are no results (i.e., an empty list of
> results). This way, no explicit check for null is needed by clients of the
> method.
> On the other hand, using null to indicate "there is no answer to this
> question" is probably appropriate. For example, File.listFiles() returns an
> empty list if given a directory containing no files, and returns null if the
> file is not a directory.
> --- UspsServicesTests.java:39, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.shipment.thirdparty.usps.UspsServicesTests.module isn't
> final but should be
> This static field public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
