cloudstack-dev mailing list archives

From Daan Hoogland <daan.hoogl...@gmail.com>
Subject Re: New Defects reported by Coverity Scan for cloudstack
Date Fri, 05 Sep 2014 13:00:04 GMT
Hi,

We are not anywhere near perfect (or arguably good), but according to
Coverity we are improving:

    Defect Density: 3.17

However:

    Defect changes since previous build dated Aug 29, 2014
      8 Newly detected
      0 Eliminated

and

    Defects by status for current build
      2,961 Total defects
      1,395 Outstanding
         75 Dismissed
      1,491 Fixed

Let's keep it up, all.



On Fri, Sep 5, 2014 at 2:07 PM, <scan-admin@coverity.com> wrote:

>
> Hi,
>
>
> Please find the latest report on new defect(s) introduced to cloudstack
> found with Coverity Scan.
>
> Defect(s) Reported-by: Coverity Scan
> Showing 8 of 8 defect(s)
>
>
> ** CID 1237195:  Dereference null return value  (NULL_RETURNS)
> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO, java.util.List)()
>
> ** CID 1237196:  Dereference null return value  (NULL_RETURNS)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>
> ** CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>
> ** CID 1232335:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232337:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232336:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232334:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232333:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1237195:  Dereference null return value  (NULL_RETURNS)
> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO, java.util.List)()
> 299             SslCertResponse response = new SslCertResponse();
> 300
> 301             Account account = _accountDao.findByIdIncludingRemoved(cert.getAccountId());
> 302             if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
> 303                 // find the project
> 304                 Project project = _projectMgr.findByProjectAccountIdIncludingRemoved(account.getId());
> >>>     CID 1237195:  Dereference null return value  (NULL_RETURNS)
> >>>     Calling a method on null object "project".
> 305                 response.setProjectId(project.getUuid());
> 306                 response.setProjectName(project.getName());
> 307             } else {
> 308                 response.setAccountName(account.getAccountName());
> 309             }
> 310
>
>
> ________________________________________________________________________________________________________
> *** CID 1237196:  Dereference null return value  (NULL_RETURNS)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
> 214         public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
> 215                 throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
> 216             String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
> 217             Signature signature = Signature.getInstance("SHA1withRSA");
> 218             signature.initSign(signingKey);
> 219             signature.update(url.getBytes());
> >>>     CID 1237196:  Dereference null return value  (NULL_RETURNS)
> >>>     Dereferencing a pointer that might be null "org.opensaml.xml.util.Base64.encodeBytes(signature.sign(), 8)" when calling "java.net.URLEncoder.encode(java.lang.String, java.lang.String)".
> 220             return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
> 221         }
> 222
> 223         public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
> 224             Security.addProvider(new BouncyCastleProvider());
> 225             KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
>
>
> ________________________________________________________________________________________________________
> *** CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
> 213
> 214         public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
> 215                 throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
> 216             String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
> 217             Signature signature = Signature.getInstance("SHA1withRSA");
> 218             signature.initSign(signingKey);
> >>>     CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
> >>>     Found reliance on default encoding: String.getBytes()
> 219             signature.update(url.getBytes());
> 220             return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
> 221         }
> 222
> 223         public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
> 224             Security.addProvider(new BouncyCastleProvider());
>
>
> ________________________________________________________________________________________________________
> *** CID 1232335:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446         public static void endResponse(HttpServletResponse response, String content) {
> 447             try {
> 448                 byte[] data = content.getBytes();
> 449                 response.setContentLength(data.length);
> 450                 OutputStream os = response.getOutputStream();
> >>>     CID 1232335:  Cross-site scripting  (XSS)
> >>>     Printing to HTML output.
> 451                 os.write(data);
> 452                 os.close();
> 453             } catch (Throwable e) {
> 454                 logger.error("Unexpected exception " + e.getMessage(), e);
> 455             }
> 456         }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232337:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446         public static void endResponse(HttpServletResponse response, String content) {
> 447             try {
> 448                 byte[] data = content.getBytes();
> 449                 response.setContentLength(data.length);
> 450                 OutputStream os = response.getOutputStream();
> >>>     CID 1232337:  Cross-site scripting  (XSS)
> >>>     Printing to HTML output.
> 451                 os.write(data);
> 452                 os.close();
> 453             } catch (Throwable e) {
> 454                 logger.error("Unexpected exception " + e.getMessage(), e);
> 455             }
> 456         }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232336:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446         public static void endResponse(HttpServletResponse response, String content) {
> 447             try {
> 448                 byte[] data = content.getBytes();
> 449                 response.setContentLength(data.length);
> 450                 OutputStream os = response.getOutputStream();
> >>>     CID 1232336:  Cross-site scripting  (XSS)
> >>>     Printing to HTML output.
> 451                 os.write(data);
> 452                 os.close();
> 453             } catch (Throwable e) {
> 454                 logger.error("Unexpected exception " + e.getMessage(), e);
> 455             }
> 456         }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232334:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446         public static void endResponse(HttpServletResponse response, String content) {
> 447             try {
> 448                 byte[] data = content.getBytes();
> 449                 response.setContentLength(data.length);
> 450                 OutputStream os = response.getOutputStream();
> >>>     CID 1232334:  Cross-site scripting  (XSS)
> >>>     Printing to HTML output.
> 451                 os.write(data);
> 452                 os.close();
> 453             } catch (Throwable e) {
> 454                 logger.error("Unexpected exception " + e.getMessage(), e);
> 455             }
> 456         }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232333:  Cross-site scripting  (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446         public static void endResponse(HttpServletResponse response, String content) {
> 447             try {
> 448                 byte[] data = content.getBytes();
> 449                 response.setContentLength(data.length);
> 450                 OutputStream os = response.getOutputStream();
> >>>     CID 1232333:  Cross-site scripting  (XSS)
> >>>     Printing to HTML output.
> 451                 os.write(data);
> 452                 os.close();
> 453             } catch (Throwable e) {
> 454                 logger.error("Unexpected exception " + e.getMessage(), e);
> 455             }
> 456         }
>
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> http://scan.coverity.com/projects/943?tab=overview
>
> To unsubscribe from the email notification for new defects,
> http://scan5.coverity.com/cgi-bin/unsubscribe.py
>
>
>
>


-- 
Daan
