fineract-dev mailing list archives

From Thisura Philips <ttcphil...@gmail.com>
Subject [GSOC2017] Fixing security vulnerabilities reported by sonar scan
Date Fri, 21 Apr 2017 05:01:26 GMT
Hi all,

As per the long discussion in the thread "[Mifos-developer] Application for
GSOC 2017( Static Analysis of Apache Fineract )", I have

* done the static analysis with SonarQube
* generated the vulnerability reports - SonarLint report [1], SonarQube
report [2]
* summarized [3] the types of vulnerabilities,
* attended to each of those vulnerabilities to check that they are not
false positives, and
* prepared the checklist [4] of vulnerabilities with fixes

All the reports generated using the different plugins and tools can be
found here [5].

Now we can go ahead and make the necessary changes to fix the reported
vulnerabilities in the codebase. I am looking forward to creating tickets
for each type of issue reported in the summary.

We need to verify the problems (vulnerabilities [4]) and the solutions that
I have suggested in the summary [3].

According to the findings [4], I will create two tickets for correlated
fixes for each topic (type of vulnerability), such as

* Mutable fields should not be "public static" && "enum" fields should not
be publicly mutable && "public static" fields should be constant
* Generic exceptions should never be thrown && Throwable and Error should
not be caught

I expect the community's ideas regarding this to validate the suggested
solutions.

[1] https://drive.google.com/open?id=0B6WV3fK5Tak7Uy1uOWk0SW81Wm8
[2] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c
[3] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
[4] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
[5] https://drive.google.com/open?id=0B6WV3fK5Tak7ZVJkVGV3WVZ3OE0

Thanks & regards
-- 
T.T.C Philips (BSc.Eng (Undergrad))
Computer Science and Engineering,
Sri Lanka Institute of Information Technology(SLIIT)
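As an added illustration of the two rule groups named in the message (not code from Fineract or from this thread), here is a constructed Java class showing the patterns those Sonar rules flag beside the hardened form; the class and field names are hypothetical:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Before: the patterns the listed Sonar rules flag (constructed example).
class ConfigBefore {
    public static String currency = "USD";                      // "public static" but not constant
    public static final List<String> ROLES = new ArrayList<>(); // mutable "public static" collection
    enum Status {
        ACTIVE, CLOSED;
        public String label;                                    // publicly mutable enum field
    }
    static List<String> load(String path) {
        try {
            return Files.readAllLines(Paths.get(path));
        } catch (Throwable t) {                                 // also swallows Error/OutOfMemoryError
            throw new RuntimeException("load failed");          // generic exception, cause dropped
        }
    }
}

// After: the same code in the hardened form.
class ConfigAfter {
    private static final String CURRENCY = "USD";               // true constant
    private static final List<String> ROLES =
            Collections.unmodifiableList(new ArrayList<>(List.of("admin")));
    enum Status {
        ACTIVE("Active"), CLOSED("Closed");
        private final String label;                             // set once in the constructor
        Status(String label) { this.label = label; }
        public String label() { return label; }
    }
    static String currency() { return CURRENCY; }
    static List<String> roles() { return ROLES; }               // read-only view for callers
    static List<String> load(String path) throws ConfigLoadException {
        try {
            return Files.readAllLines(Paths.get(path));
        } catch (IOException e) {                               // catch only what can be handled
            throw new ConfigLoadException("cannot load " + path, e); // specific, keeps the cause
        }
    }
}

class ConfigLoadException extends Exception {
    ConfigLoadException(String msg, Throwable cause) { super(msg, cause); }
}
```

The "after" form keeps the same behaviour while removing the globally writable state and the catch-all that would hide JVM errors from the caller.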
