[ 
https://issues.apache.org/jira/browse/OFBIZ-9723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Brohl reassigned OFBIZ-9723:
------------------------------------

    Assignee: Michael Brohl

> [FB] Package org.apache.ofbiz.entity.datasource
> -----------------------------------------------
>
>                 Key: OFBIZ-9723
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9723
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-9723_org.apache.ofbiz.entity.datasource_bugfixes.patch
>
>
> GenericDAO.java:108, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in 
> org.apache.ofbiz.entity.datasource.GenericDAO.insert(GenericEntity)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> GenericDAO.java:171, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.singleInsert(GenericEntity, 
> ModelEntity, List, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:187, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in 
> org.apache.ofbiz.entity.datasource.GenericDAO.updateAll(GenericEntity)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> GenericDAO.java:197, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in 
> org.apache.ofbiz.entity.datasource.GenericDAO.update(GenericEntity)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> GenericDAO.java:277, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.singleUpdate(GenericEntity, 
> ModelEntity, List, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:331, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.updateByCondition(ModelEntity, 
> Map, EntityCondition, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:501, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in 
> org.apache.ofbiz.entity.datasource.GenericDAO.select(GenericEntity, 
> SQLProcessor)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> GenericDAO.java:521, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.select(GenericEntity, 
> SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:547, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE, Priority: Normal
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in 
> org.apache.ofbiz.entity.datasource.GenericDAO.partialSelect(GenericEntity, 
> Set)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> GenericDAO.java:592, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.partialSelect(GenericEntity, 
> Set)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:763, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.selectListIteratorByCondition(Delegator,
>  ModelEntity, EntityCondition, EntityCondition, Collection, List, 
> EntityFindOptions)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:854, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of viewHavingEntityCondition, which is known to be 
> non-null in 
> org.apache.ofbiz.entity.datasource.GenericDAO.makeConditionHavingString(StringBuilder,
>  String, ModelEntity, EntityCondition, List, List)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> GenericDAO.java:913, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It is created and modified, 
> but its value never goes outside of the method or produces any side effect. 
> Either there is a mistake and the object was intended to be used, or it can be 
> removed.
> This analysis rarely produces false positives. Common false-positive cases 
> include:
> - This object is used to implicitly throw some obscure exception.
> - This object is used as a stub to generalize the code.
> - This object is used to hold strong references to weak/soft-referenced objects.
> GenericDAO.java:976, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.selectByMultiRelation(GenericValue,
>  ModelRelation, ModelEntity, ModelRelation, ModelEntity, List)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:1106, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.selectCountByCondition(Delegator,
>  ModelEntity, EntityCondition, EntityCondition, List, EntityFindOptions)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:1161, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE, Priority: Normal
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in 
> org.apache.ofbiz.entity.datasource.GenericDAO.delete(GenericEntity, 
> SQLProcessor)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> GenericDAO.java:1174, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.delete(GenericEntity, 
> SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericDAO.java:1212, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in 
> org.apache.ofbiz.entity.datasource.GenericDAO.deleteByCondition(ModelEntity, 
> EntityCondition, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If 
> unchecked, tainted data from a user is used in building this String, SQL 
> injection could be used to make the prepared statement do something 
> unexpected and undesirable.
> GenericHelperFactory.java:38, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.entity.datasource.GenericHelperFactory.helperCache 
> isn't final but should be
> This static field is public but not final, and could be changed by malicious 
> code or by accident from another package. The field could be made final to 
> avoid this vulnerability.
> GenericHelperFactory.java:81, NP_NULL_ON_SOME_PATH
> - NP: Possible null pointer dereference of helperConstructor in 
> org.apache.ofbiz.entity.datasource.GenericHelperFactory.getHelper(GenericHelperInfo)
> There is a statement or branch that, if executed, guarantees that a null 
> value will be dereferenced, which would generate a NullPointerException when 
> the code is executed. Of course, the problem might be that the branch or 
> statement is infeasible and that the null pointer exception can't ever be 
> executed; deciding that is beyond the ability of FindBugs.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)