fineract-dev mailing list archives

From Thisura Philips <ttcphil...@gmail.com>
Subject Re: [GSOC2017] Fixing security vulnerabilities reported by sonar scan
Date Sun, 23 Apr 2017 12:23:24 GMT
Hi all,

I have created two tickets [1][2] to track the fixes for security
vulnerabilities reported by sonar.
Thanks & Regards.
[1] https://issues.apache.org/jira/browse/FINERACT-436
[2] https://issues.apache.org/jira/browse/FINERACT-437

On Fri, Apr 21, 2017 at 10:31 AM, Thisura Philips <ttcphilips@gmail.com>
wrote:

> Hi all,
>
> As per the long discussion in the thread "[Mifos-developer] Application
> for GSOC 2017( Static Analysis of Apache Fineract )", I have
>
> * done the static analysis with SonarQube
> * generated the vulnerability reports: a sonarlint report [1] and a sonarqube report [2]
> * summarized the types of vulnerabilities [3]
> * attended to each of those vulnerabilities to check whether they are not
> false positives and
> * prepared the checklist [4] of vulnerabilities with fixes
>
> All the reports which are generated using different plugins and tools can be
> found here [5].
>
> Now we can go ahead and do the necessary changes to fix the reported
> vulnerabilities in the codebase. I am looking forward to creating tickets
> for each type of issue reported in the summary.
>
> We need to verify the problems (vulnerabilities [4]) and the solutions that
> I have suggested in the summary [3].
>
> According to the findings [4], I will create two tickets for correlated
> fixes for each topic (type of vulnerability), such as
>
> * Mutable fields should not be "public static" && "enum" fields should not
> be publicly mutable && "public static" fields should be constant
> * Generic exceptions should never be thrown && Throwable and Error should
> not be caught
>
> I expect community ideas regarding this to validate the suggested
> solutions.
>
> [1] https://drive.google.com/open?id=0B6WV3fK5Tak7Uy1uOWk0SW81Wm8
> [2] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c
> [3] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
> [4] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
> [5] https://drive.google.com/open?id=0B6WV3fK5Tak7ZVJkVGV3WVZ3OE0
>
> Thanks & regards
> --
> T.T.C Philips (BSc.Eng (Undergrad))
> Computer Science and Engineering,
> Sri Lanka Institute of Information Technology(SLIIT)
>

-- 
T.T.C Philips (BSc.Eng (Undergrad))
Computer Science and Engineering,
Sri Lanka Institute of Information Technology(SLIIT)
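The two rule groups named in the quoted message ("public static" mutable fields and catching Throwable) are easier to review with the flagged pattern next to its fix. The Java below is an added illustration written for this archive page, not Fineract code; the class and field names (BeforeFix, AfterFix, ALLOWED_ROLES, parseAmount*) are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class SonarRuleDemo {

    // Flagged by "mutable fields should not be public static": any class in
    // the process can mutate or replace this shared list (constructed sample).
    static class BeforeFix {
        public static List<String> ALLOWED_ROLES =
                new ArrayList<>(List.of("ADMIN", "TELLER"));
    }

    // Hardened form: private, final, exposed only as an unmodifiable view,
    // so callers can read the configuration but cannot widen it.
    static class AfterFix {
        private static final List<String> ALLOWED_ROLES =
                Collections.unmodifiableList(new ArrayList<>(List.of("ADMIN", "TELLER")));

        public static List<String> allowedRoles() {
            return ALLOWED_ROLES;
        }
    }

    // Flagged by "Throwable and Error should not be caught": this also
    // swallows OutOfMemoryError and similar fatal errors, hiding the failure.
    static int parseAmountBefore(String raw) {
        try {
            return Integer.parseInt(raw);
        } catch (Throwable t) {
            return 0;
        }
    }

    // Hardened form: catch only the exception the code expects and surface it.
    static int parseAmountAfter(String raw) {
        try {
            return Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("invalid amount: " + raw, e);
        }
    }

    public static void main(String[] args) {
        BeforeFix.ALLOWED_ROLES.add("ANYONE"); // silently widens access
        System.out.println("before: " + BeforeFix.ALLOWED_ROLES);
        try {
            AfterFix.allowedRoles().add("ANYONE");
        } catch (UnsupportedOperationException e) {
            System.out.println("after: mutation rejected, roles=" + AfterFix.allowedRoles());
        }
        System.out.println(parseAmountAfter("42"));
    }
}
```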
