[ 
https://issues.apache.org/jira/browse/OFBIZ-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-9973.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 18.12.01
                   16.11.06
                   17.12.01

{noformat}
Gniark, lost my previous complete comment due to my FF setting. Doing it again 
but not as good, tired :/
{noformat}

FindBugs is now deprecated and replaced by Spotbugs.

Last time I forgot to encode productId as reported offline by Man Yue Mo from 
Semmle.

This eventually fixes the "Relative path traversal" issue reported by Spotbugs 
by encoding the whole file name. It was also reported by OFBIZ-9777 but not 
fixed there.

Spotbugs continues to report the same issue in trunk but not in R16 nor in R17 
and R18. I suppose it's a cache issue and close this.

Fixed in 
Trunk r1864716
R18 r1864717
R17 r1864718
R16 r1864719
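As an added illustration of the kind of fix described above (this is not the OFBiz patch itself; the message does not show which encoder OFBiz uses, and the base directory and file suffix here are assumptions): a hypothetical Java helper that percent-encodes a productId-derived file name so that `/` and `\` cannot survive, and then checks that the canonical path still lies under the base directory, which also catches a bare `..` name.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class SafeProductFile {
    // Constructed example base directory; not an OFBiz path.
    private static final File BASE_DIR = new File("/var/example/product-images");

    /** Percent-encode every character outside [A-Za-z0-9._-] so path separators cannot survive. */
    static String encodeFileName(String productId) {
        // URLEncoder turns '/' into %2F and '\' into %5C, but leaves '.' alone,
        // so a bare ".." is still possible and is handled by the containment check below.
        String encoded = URLEncoder.encode(productId, StandardCharsets.UTF_8);
        return encoded.replace("+", "%20");
    }

    /** Resolve the product file under BASE_DIR and refuse anything that escapes it. */
    static File resolveProductFile(String productId) throws IOException {
        String name = encodeFileName(productId) + ".jpg"; // assumed suffix
        File candidate = new File(BASE_DIR, name);
        String base = BASE_DIR.getCanonicalPath() + File.separator;
        String target = candidate.getCanonicalPath();
        if (!target.startsWith(base)) {
            throw new IOException("path traversal rejected for productId=" + productId);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Ordinary id: /var/example/product-images/WG-1111.jpg
        System.out.println(resolveProductFile("WG-1111"));
        // Traversal attempt is neutralised by encoding: ..%2F..%2Fother%2Fsecret.jpg
        System.out.println(resolveProductFile("../../other/secret"));
    }
}
```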

> [FB] Find Security Bugs
> -----------------------
>
>                 Key: OFBIZ-9973
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9973
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: marketing, product
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> I recently 
> [found|https://www.ysofters.com/2015/08/31/taint-analysis-added-to-findbugs/] 
> FindBugs embeds an option [to Find Security 
> Bugs|https://find-sec-bugs.github.io/]:
> I have tried this option: 
> https://github.com/find-sec-bugs/find-sec-bugs/wiki/Eclipse-Tutorial
> Also later we should remember OFBIZ-7963 and if possible run this tool in 
> [Buildbot using 
> Gradle|https://search.maven.org/#search|gav|1|g:%22com.h3xstream.findsecbugs%22%20AND%20a:%22findsecbugs-plugin%22]
>  (did not check feasibility)



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)