fineract-dev mailing list archives

From Thisura Philips <>
Subject [GSOC2017] Fixing security vulnerabilities reported by sonar scan
Date Fri, 21 Apr 2017 05:01:26 GMT
Hi all,

As per the long discussion in the thread "[Mifos-developer] Application for
GSOC 2017( Static Analysis of Apache Fineract )", I have

* done the static analysis with SonarQube,
* generated the vulnerability reports: SonarLint report [1], SonarQube report [2],
* summarized the types of vulnerabilities [3],
* went through each of those vulnerabilities to check that they are not
false positives, and
* prepared the checklist [4] of vulnerabilities with fixes.

All the reports generated using the different plugins and tools can be
found here [5].

Now we can go ahead and make the necessary changes to fix the reported
vulnerabilities in the codebase. I am looking forward to creating tickets
for each type of issue reported in the summary.

We need to verify the problems (vulnerabilities [4]) and the solutions
that I have suggested in the summary [3].

According to the findings [4], I will create two tickets for correlated
fixes for each topic (type of vulnerability), such as

* Mutable fields should not be "public static" && "enum" fields should not
be publicly mutable && "public static" fields should be constant
* Generic exceptions should never be thrown && Throwable and Error should
not be caught

I expect the community's ideas regarding this to validate the suggested

Thanks & regards
T.T.C Philips (BSc.Eng (Undergrad))
Computer Science and Engineering,
Sri Lanka Institute of Information Technology(SLIIT)

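The two groups of SonarQube rules named in the message above, shown as the flagged pattern beside a corrected form. This is an added example written for this archive page; it is not Fineract code and not taken from the reports [1] to [5]. The class, field and method names (ALLOWED_HOSTS, Role, parseAmountCents, InvalidAmountException) and the sample entries are hypothetical.

```java
// Added example (not Fineract code): the two groups of SonarQube findings
// named in the message, each as the flagged pattern beside a corrected form.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class SonarFindingsExample {

    // --- Group 1: mutable "public static" fields, publicly mutable enum
    //     fields, and "public static" fields that should be constant ---

    // Flagged: any class on the classpath can reassign or mutate this map,
    // so a security decision that reads it cannot be trusted.
    public static Map<String, String> ALLOWED_HOSTS = new HashMap<>();

    // Corrected: final reference, unmodifiable contents, populated once.
    private static final Map<String, String> ALLOWED_HOSTS_FIXED;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("api", "api.example.internal");   // hypothetical entry
        ALLOWED_HOSTS_FIXED = Collections.unmodifiableMap(m);
    }
    public static Map<String, String> allowedHosts() { return ALLOWED_HOSTS_FIXED; }

    enum Role {
        ADMIN, TELLER;
        // Flagged: enum constants are global singletons, so a public
        // non-final field on them is global mutable state.
        public String description = "";
    }

    enum RoleFixed {
        ADMIN("full access"), TELLER("branch operations");
        private final String description;      // set once in the constructor
        RoleFixed(String description) { this.description = description; }
        public String description() { return description; }
    }

    // --- Group 2: generic exceptions thrown, Throwable/Error caught ---

    // Flagged: throwing Exception forces callers to catch everything, and
    // catching Throwable swallows Errors such as OutOfMemoryError. Note that
    // it also swallows the Exception thrown two lines above, so the
    // "must be positive" failure is reported as a plain false.
    static boolean validateAmountFlagged(String raw) throws Exception {
        try {
            long cents = Long.parseLong(raw);
            if (cents <= 0) throw new Exception("amount must be positive");
            return true;
        } catch (Throwable t) {
            return false;
        }
    }

    // Corrected: a specific domain exception and a narrow catch clause;
    // anything that is not the expected failure propagates unchanged.
    static final class InvalidAmountException extends RuntimeException {
        InvalidAmountException(String msg) { super(msg); }
        InvalidAmountException(String msg, Throwable cause) { super(msg, cause); }
    }

    static long parseAmountCents(String raw) {
        try {
            long cents = Long.parseLong(raw);
            if (cents <= 0) {
                throw new InvalidAmountException("amount must be positive: " + raw);
            }
            return cents;
        } catch (NumberFormatException e) {
            throw new InvalidAmountException("amount is not a number: " + raw, e);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseAmountCents("1500"));
        try {
            parseAmountCents("abc");
        } catch (InvalidAmountException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(validateAmountFlagged("-5"));   // false, reason lost
        System.out.println(RoleFixed.TELLER.description());
        System.out.println(allowedHosts().containsKey("api"));
    }
}
```

The corrected forms are the usual way these Sonar rules are satisfied: a `final` reference wrapped in an unmodifiable view for shared constants, constructor-initialised `final` fields on enums, and a narrow exception type with a narrow catch so that unexpected failures are not hidden from the caller.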