cloudstack-dev mailing list archives

From sebgoa <run...@gmail.com>
Subject Re: New Defects reported by Coverity Scan for cloudstack
Date Fri, 05 Sep 2014 13:09:12 GMT

On Sep 5, 2014, at 3:00 PM, Daan Hoogland <daan.hoogland@gmail.com> wrote:

> Hi,
> 
> We are not anywhere near perfect (or arguably good) but according to
> coverity we are improving:
> <q>
> *3.17*
> Defect Density
>  <q/> However:
> <q>Defect changes since previous build dated Aug 29, 2014
>  *8* Newly detected
> *0* Eliminated
>  </q> and <q>Defects by status for current build
>  *2,961*Total defects
> *1,395*Outstanding
> *75*Dismissed
> *1,491*Fixed
> </q> Let's keep it up, all.
> 

FWIW, there is a Coverity Scan Travis add-on… so technically we could run Coverity on every
commit… if everyone is bored and does not know what to do next :)

> 
> 
> On Fri, Sep 5, 2014 at 2:07 PM, <scan-admin@coverity.com> wrote:
> 
>> 
>> Hi,
>> 
>> 
>> Please find the latest report on new defect(s) introduced to cloudstack
>> found with Coverity Scan.
>> 
>> Defect(s) Reported-by: Coverity Scan
>> Showing 8 of 8 defect(s)
>> 
>> 
>> ** CID 1237195:  Dereference null return value  (NULL_RETURNS)
>> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in
>> org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO,
>> java.util.List)()
>> 
>> ** CID 1237196:  Dereference null return value  (NULL_RETURNS)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in
>> org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String,
>> java.security.PrivateKey)()
>> 
>> ** CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in
>> org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String,
>> java.security.PrivateKey)()
>> 
>> ** CID 1232335:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 
>> ** CID 1232337:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 
>> ** CID 1232336:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 
>> ** CID 1232334:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 
>> ** CID 1232333:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1237195:  Dereference null return value  (NULL_RETURNS)
>> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in
>> org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO,
>> java.util.List)()
>> 299             SslCertResponse response = new SslCertResponse();
>> 300
>> 301             Account account =
>> _accountDao.findByIdIncludingRemoved(cert.getAccountId());
>> 302             if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
>> 303                 // find the project
>> 304                 Project project =
>> _projectMgr.findByProjectAccountIdIncludingRemoved(account.getId());
>>>>>    CID 1237195:  Dereference null return value  (NULL_RETURNS)
>>>>>    Calling a method on null object "project".
>> 305                 response.setProjectId(project.getUuid());
>> 306                 response.setProjectName(project.getName());
>> 307             } else {
>> 308                 response.setAccountName(account.getAccountName());
>> 309             }
>> 310
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1237196:  Dereference null return value  (NULL_RETURNS)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in
>> org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String,
>> java.security.PrivateKey)()
>> 214         public static String generateSAMLRequestSignature(String
>> urlEncodedString, PrivateKey signingKey)
>> 215                 throws NoSuchAlgorithmException, SignatureException,
>> InvalidKeyException, UnsupportedEncodingException {
>> 216             String url = urlEncodedString + "&SigAlg=" +
>> URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
>> HttpUtils.UTF_8);
>> 217             Signature signature = Signature.getInstance("SHA1withRSA");
>> 218             signature.initSign(signingKey);
>> 219             signature.update(url.getBytes());
>>>>>    CID 1237196:  Dereference null return value  (NULL_RETURNS)
>>>>>    Dereferencing a pointer that might be null
>> "org.opensaml.xml.util.Base64.encodeBytes(signature.sign(), 8)" when
>> calling "java.net.URLEncoder.encode(java.lang.String, java.lang.String)".
>> 220             return
>> URLEncoder.encode(Base64.encodeBytes(signature.sign(),
>> Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
>> 221         }
>> 222
>> 223         public static KeyPair generateRandomKeyPair() throws
>> NoSuchProviderException, NoSuchAlgorithmException {
>> 224             Security.addProvider(new BouncyCastleProvider());
>> 225             KeyPairGenerator keyPairGenerator =
>> KeyPairGenerator.getInstance("RSA", "BC");
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
>> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in
>> org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String,
>> java.security.PrivateKey)()
>> 213
>> 214         public static String generateSAMLRequestSignature(String
>> urlEncodedString, PrivateKey signingKey)
>> 215                 throws NoSuchAlgorithmException, SignatureException,
>> InvalidKeyException, UnsupportedEncodingException {
>> 216             String url = urlEncodedString + "&SigAlg=" +
>> URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
>> HttpUtils.UTF_8);
>> 217             Signature signature = Signature.getInstance("SHA1withRSA");
>> 218             signature.initSign(signingKey);
>>>>>    CID 1237197:  Dm: Dubious method used  (FB.DM_DEFAULT_ENCODING)
>>>>>    Found reliance on default encoding: String.getBytes()
>> 219             signature.update(url.getBytes());
>> 220             return
>> URLEncoder.encode(Base64.encodeBytes(signature.sign(),
>> Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
>> 221         }
>> 222
>> 223         public static KeyPair generateRandomKeyPair() throws
>> NoSuchProviderException, NoSuchAlgorithmException {
>> 224             Security.addProvider(new BouncyCastleProvider());
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1232335:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 445
>> 446         public static void endResponse(HttpServletResponse response,
>> String content) {
>> 447             try {
>> 448                 byte[] data = content.getBytes();
>> 449                 response.setContentLength(data.length);
>> 450                 OutputStream os = response.getOutputStream();
>>>>>    CID 1232335:  Cross-site scripting  (XSS)
>>>>>    Printing to HTML output.
>> 451                 os.write(data);
>> 452                 os.close();
>> 453             } catch (Throwable e) {
>> 454                 logger.error("Unexpected exception " + e.getMessage(),
>> e);
>> 455             }
>> 456         }
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1232337:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 445
>> 446         public static void endResponse(HttpServletResponse response,
>> String content) {
>> 447             try {
>> 448                 byte[] data = content.getBytes();
>> 449                 response.setContentLength(data.length);
>> 450                 OutputStream os = response.getOutputStream();
>>>>>    CID 1232337:  Cross-site scripting  (XSS)
>>>>>    Printing to HTML output.
>> 451                 os.write(data);
>> 452                 os.close();
>> 453             } catch (Throwable e) {
>> 454                 logger.error("Unexpected exception " + e.getMessage(),
>> e);
>> 455             }
>> 456         }
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1232336:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 445
>> 446         public static void endResponse(HttpServletResponse response,
>> String content) {
>> 447             try {
>> 448                 byte[] data = content.getBytes();
>> 449                 response.setContentLength(data.length);
>> 450                 OutputStream os = response.getOutputStream();
>>>>>    CID 1232336:  Cross-site scripting  (XSS)
>>>>>    Printing to HTML output.
>> 451                 os.write(data);
>> 452                 os.close();
>> 453             } catch (Throwable e) {
>> 454                 logger.error("Unexpected exception " + e.getMessage(),
>> e);
>> 455             }
>> 456         }
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1232334:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 445
>> 446         public static void endResponse(HttpServletResponse response,
>> String content) {
>> 447             try {
>> 448                 byte[] data = content.getBytes();
>> 449                 response.setContentLength(data.length);
>> 450                 OutputStream os = response.getOutputStream();
>>>>>    CID 1232334:  Cross-site scripting  (XSS)
>>>>>    Printing to HTML output.
>> 451                 os.write(data);
>> 452                 os.close();
>> 453             } catch (Throwable e) {
>> 454                 logger.error("Unexpected exception " + e.getMessage(),
>> e);
>> 455             }
>> 456         }
>> 
>> 
>> ________________________________________________________________________________________________________
>> *** CID 1232333:  Cross-site scripting  (XSS)
>> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in
>> com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest,
>> javax.servlet.http.HttpServletResponse)()
>> 445
>> 446         public static void endResponse(HttpServletResponse response,
>> String content) {
>> 447             try {
>> 448                 byte[] data = content.getBytes();
>> 449                 response.setContentLength(data.length);
>> 450                 OutputStream os = response.getOutputStream();
>>>>>    CID 1232333:  Cross-site scripting  (XSS)
>>>>>    Printing to HTML output.
>> 451                 os.write(data);
>> 452                 os.close();
>> 453             } catch (Throwable e) {
>> 454                 logger.error("Unexpected exception " + e.getMessage(),
>> e);
>> 455             }
>> 456         }
>> 
>> 
>> 
>> ________________________________________________________________________________________________________
>> To view the defects in Coverity Scan visit,
>> http://scan.coverity.com/projects/943?tab=overview
>> 
>> To unsubscribe from the email notification for new defects,
>> http://scan5.coverity.com/cgi-bin/unsubscribe.py
>> 
>> 
>> 
>> 
> 
> 
> -- 
> Daan

