[ https://issues.apache.org/jira/browse/OFBIZ-9772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl reassigned OFBIZ-9772:
------------------------------------

    Assignee: Michael Brohl

> [FB] Package org.apache.ofbiz.product.category
> ----------------------------------------------
>
>                 Key: OFBIZ-9772
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9772
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: product
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-9772_org.apache.ofbiz.product.category_bugfixes.patch
>
>
> CatalogUrlFilter.java:57, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> CatalogUrlFilter.java:58, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> CatalogUrlFilter.java:69, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CatalogUrlFilter.java:70, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CatalogUrlFilter.java:76, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> CatalogUrlFilter.java:77, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> CatalogUrlSeoFilter.java:40, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> CatalogUrlSeoFilter.java:41, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> CatalogUrlSeoFilter.java:47, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CatalogUrlSeoFilter.java:48, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CatalogUrlSeoFilter.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> CatalogUrlSeoFilter.java:61, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> CatalogUrlServlet.java:47, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.CatalogUrlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
>
> CategoryContentWrapper.java:102, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> - RCN: Nullcheck of CategoryContentWrapper.categoryContentCache at line 114 of value previously dereferenced in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(GenericValue, String, Locale, String, Delegator, LocalDispatcher, String)
> A value is checked here to see whether it is null, but this value can't be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.
>
> CategoryContentWrapper.java:154, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of sessionLocale, which is known to be non-null in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(String, GenericValue, String, Locale, String, Delegator, LocalDispatcher, Writer, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
>
> CategoryServices.java:240, DM_BOXED_PRIMITIVE_FOR_PARSING
> - Bx: Boxing/unboxing to parse a primitive org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> A boxed primitive is created from a String, just to extract the unboxed primitive value. It is more efficient to just call the static parseXXX method.
>
> CategoryServices.java:245, DLS_DEAD_LOCAL_STORE
> - DLS: Dead store to viewSize in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.
>
> CategoryServices.java:411, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of productCategoryMembers, which is known to be non-null in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> This method contains a redundant check of a known non-null value against the constant null.
>
> CategoryWorker.java:61, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getCatalogTopCategory(ServletRequest, String)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CategoryWorker.java:106, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getRelatedCategories(ServletRequest, String, boolean)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CategoryWorker.java:228, UPM_UNCALLED_PRIVATE_METHOD
> - UPM: Private method org.apache.ofbiz.product.category.CategoryWorker.buildCountCondition(String, String) is never called
> This private method is never called. Although it is possible that the method will be invoked through reflection, it is more likely that the method is never used, and should be removed.
>
> CategoryWorker.java:243, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, String)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CategoryWorker.java:315, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getTrail(ServletRequest)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CategoryWorker.java:321, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, List)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> CategoryWorker.java:408, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of subCat, which is known to be non-null in org.apache.ofbiz.product.category.CategoryWorker.getCategoryContentWrappers(Map, List, HttpServletRequest)
> This method contains a redundant check of a known non-null value against the constant null.
>
> ControlServlet.java:33, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.ControlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
>
> ControlServlet.java:33, NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
> - Nm: The class name org.apache.ofbiz.product.category.ControlServlet shadows the simple name of the superclass org.apache.ofbiz.webapp.control.ControlServlet
> This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses.
>
> ControlServlet.java:35, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.defaultPage should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> ControlServlet.java:36, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.pageNotFound should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> ControlServlet.java:37, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.controlServlet should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> ControlServlet.java:51, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> ControlServlet.java:57, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.pageNotFound from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> ControlServlet.java:65, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> SeoCatalogUrlServlet.java:45, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoCatalogUrlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
>
> SeoConfigUtil.java:510, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoConfigUtil.addSpecialProductId(String)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
>
> SeoContentUrlFilter.java:46, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.defaultLocaleString isn't final but should be
> This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
>
> SeoContentUrlFilter.java:47, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.redirectUrl isn't final but should be
> This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
>
> SeoContentUrlFilter.java:57, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> SeoContentUrlFilter.java:58, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> SeoContextFilter.java:-1, NM_FIELD_NAMING_CONVENTION
> - Nm: The field name org.apache.ofbiz.product.category.SeoContextFilter.WebServlets doesn't start with a lower case letter
> Names of fields that are not final should be in mixed case with a lowercase first letter and the first letters of subsequent words capitalized.
>
> SeoContextFilter.java:78, WMI_WRONG_MAP_ITERATOR
> - WMI: org.apache.ofbiz.product.category.SeoContextFilter.init(FilterConfig) makes inefficient use of keySet iterator instead of entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.
>
> SeoContextFilter.java:94, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> SeoContextFilter.java:95, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
>
> SeoContextFilter.java:181, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
>
> SeoControlServlet.java:41, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoControlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
>
> SeoControlServlet.java:43, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.defaultPage should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> SeoControlServlet.java:44, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.controlServlet should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
>
> SeoControlServlet.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> SeoControlServlet.java:68, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
>
> SeoControlServlet.java:77, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoControlServlet.doGet(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)