cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CASSANDRA-12547) Privacy Violation
Date Thu, 25 Aug 2016 18:00:27 GMT
Eduardo Aguinaga created CASSANDRA-12547:
--------------------------------------------

             Summary: Privacy Violation
                 Key: CASSANDRA-12547
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12547
             Project: Cassandra
          Issue Type: Sub-task
            Reporter: Eduardo Aguinaga


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra
source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a
manual analysis utilizing SciTools Understand v4. The results of that analysis includes the
issue below.

Issue:
In the file GetCompactionThreshold.java on line 46 the method execute() mishandles sensitive
information. Sensitive information should be handled carefully to avoid divulging it to unauthorized
parties.

{code:java}
GetCompactionThreshold.java, lines 44-47:
44 ColumnFamilyStoreMBean cfsProxy = probe.getCfsProxy(ks, cf);
45 System.out.println("Current compaction thresholds for " + ks + "/" + cf + ": \n" +
46         " min = " + cfsProxy.getMinimumCompactionThreshold() + ", " +
47         " max = " + cfsProxy.getMaximumCompactionThreshold());
{code}





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message