[ https://issues.apache.org/jira/browse/OFBIZ-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-9973.
----------------------------------
    Resolution: Fixed
    Fix Version/s: 18.12.01
                   16.11.06
                   17.12.01

{noformat}
Gniark, lost my previous complete comment due to my FF setting. Doing it again but not as good, tired :/
{noformat}

FindBugs is now deprecated and replaced by Spotbugs.

Last time I forgot to encode productId as reported offline by Man Yue Mo from Semmle. This eventually fixes the "Relative path traversal" issue reported by Spotbugs by encoding the whole file name. It was also reported by OFBIZ-9777 but not fixed there.

Spotbugs continues to report the same issue in trunk but not in R16 nor in R17 and R18. I suppose it's a cache issue and close.

Fixed in
Trunk r1864716
R18 r1864717
R17 r1864718
R16 r1864719

> [FB] Find Security Bugs
> -----------------------
>
>                 Key: OFBIZ-9973
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9973
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: marketing, product
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> I recently [found|https://www.ysofters.com/2015/08/31/taint-analysis-added-to-findbugs/] FindBugs embeds an option [to Find Security Bugs|https://find-sec-bugs.github.io/]:
> I have tried this option: https://github.com/find-sec-bugs/find-sec-bugs/wiki/Eclipse-Tutorial
> Also later we should remember OFBIZ-7963 and if possible run this tool in [Buildbot using Gradle|https://search.maven.org/#search|gav|1|g:%22com.h3xstream.findsecbugs%22%20AND%20a:%22findsecbugs-plugin%22] (did not check feasibility)

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
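The comment above describes the fix as "encoding the whole file name" so that a user-controlled productId can no longer produce a relative path traversal. The following is an added, stand-alone Java illustration of that class of fix; it is not the OFBiz code from the referenced revisions. The base directory, the `.xml` suffix and the sample productIds are constructed for the example, and the containment check after encoding is an extra defence-in-depth step that the comment does not mention.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ProductFileName {
    // Constructed base directory for the example; a real deployment would use its
    // configured content root instead.
    private static final Path BASE_DIR =
            Paths.get("/tmp/example/products").toAbsolutePath().normalize();

    // Vulnerable pattern (the kind of code Spotbugs flags as relative path traversal):
    // an unencoded, user-controlled productId is joined straight into the path, so
    // "../../etc/passwd" walks out of BASE_DIR once the path is normalized.
    static Path vulnerablePath(String productId) {
        return Paths.get(BASE_DIR.toString(), productId + ".xml");
    }

    // Hardened pattern: encode the whole file name before it touches the filesystem.
    // URLEncoder turns "/" into "%2F" and "\" into "%5C", so the result is always a
    // single path component and ".." can no longer act as a parent-directory reference.
    static Path hardenedPath(String productId) throws IOException {
        String encodedName = URLEncoder.encode(productId + ".xml", StandardCharsets.UTF_8.name());
        Path candidate = BASE_DIR.resolve(encodedName).normalize();
        // Defence in depth: after encoding this check cannot fail, but keeping it means a
        // later change to the encoding step still cannot silently reintroduce traversal.
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IOException("productId escapes base directory: " + productId);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a normal id, a traversal attempt, and an id with a separator.
        String[] productIds = { "WG-1111", "../../etc/passwd", "sub/dir" };
        for (String productId : productIds) {
            System.out.println("productId=" + productId);
            System.out.println("  vulnerable: " + vulnerablePath(productId).normalize());
            try {
                System.out.println("  hardened:   " + hardenedPath(productId));
            } catch (IOException e) {
                System.out.println("  hardened:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running `main` shows the traversal id resolving to `/tmp/etc/passwd.xml` through the vulnerable path and to `/tmp/example/products/..%2F..%2Fetc%2Fpasswd.xml` through the hardened one. Encoding the entire name, rather than only the productId, is what the comment above refers to: any separator that later gets concatenated onto the value is still covered.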