fineract-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FINERACT-437) Fix security vulnerabilities of using generic exceptions and catching throwable and errors
Date Sun, 25 Jun 2017 05:49:01 GMT

    [ https://issues.apache.org/jira/browse/FINERACT-437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16062219#comment-16062219 ]

ASF GitHub Bot commented on FINERACT-437:
-----------------------------------------

GitHub user ThisuraThejith opened a pull request:

    https://github.com/apache/fineract/pull/375

    FINERACT-437-Remove generic exceptions

    Add a well-defined exception for exceptions thrown by Fineract to resolve MITRE CWE-397 (Declaration of Throws for Generic Exception).

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ThisuraThejith/incubator-fineract FINERACT-437

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/fineract/pull/375.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #375
    
----
commit 3be98325e1b81f6b75dc1e0d5202c53ad365a866
Author: ThisuraThejith <ttcphilips@gmail.com>
Date:   2017-06-25T05:45:54Z

    Add well-defined exception for exceptions thrown by Fineract

----


> Fix security vulnerabilities of using generic exceptions and catching throwable and errors
> ------------------------------------------------------------------------------------------
>
>                 Key: FINERACT-437
>                 URL: https://issues.apache.org/jira/browse/FINERACT-437
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Accounting, Organization
>            Reporter: Thisura
>            Assignee: Markus Geiss
>            Priority: Minor
>              Labels: gsoc2017
>
> There are two types of vulnerabilities related to exceptions reported by Sonar:
> 1. Generic exceptions should never be thrown
> [MITRE, CWE-397|http://cwe.mitre.org/data/definitions/397.html] - Declaration of Throws for Generic Exception
> 2. Throwable and Error should not be caught
> [MITRE, CWE-396|http://cwe.mitre.org/data/definitions/396.html] - Declaration of Catch for Generic Exception
> [CERT, ERR07-J|https://www.securecoding.cert.org/confluence/x/BoB3AQ] - Do not throw RuntimeException, Exception, or Throwable
> The rationale behind these vulnerabilities is explained in the links above. The proposed solutions are as follows.
> 1. Generic exceptions should never be thrown => Define and throw a dedicated exception instead of using a generic one.
> 2. Throwable and Error should not be caught => Catch Exception instead of Throwable.




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
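The two Sonar findings above and the fixes the issue proposes, shown side by side in a small stand-alone Java class. This is an added example, not code from the Fineract code base or from the pull request; the class, method and exception names are hypothetical.

```java
// Added example (not Fineract code): the two Sonar findings from FINERACT-437
// beside the fixes the issue proposes. All names here are hypothetical.
public final class ExceptionHandlingExample {
    // CWE-397 "before": a generic throws clause tells callers nothing about
    // what can fail, so they end up catching Exception or even Throwable.
    static long parseAmountGeneric(String raw) throws Exception {
        if (raw == null || raw.isEmpty()) {
            throw new Exception("amount missing");
        }
        return Long.parseLong(raw);
    }
    // Proposed fix: a dedicated exception type that names the failure.
    static final class InvalidAmountException extends Exception {
        InvalidAmountException(String message, Throwable cause) {
            super(message, cause);
        }
    }
    static long parseAmount(String raw) throws InvalidAmountException {
        if (raw == null || raw.isEmpty()) {
            throw new InvalidAmountException("amount missing", null);
        }
        try {
            return Long.parseLong(raw);
        } catch (NumberFormatException e) {
            throw new InvalidAmountException("amount not numeric: " + raw, e);
        }
    }
    // CWE-396 "before": catch (Throwable) also swallows Errors such as
    // OutOfMemoryError, so a JVM-level failure is reported as a valid 0.
    static long amountOrZeroGeneric(String raw) {
        try {
            return parseAmountGeneric(raw);
        } catch (Throwable t) {
            return 0L;
        }
    }
    // Proposed fix: catch only the dedicated exception; Errors propagate.
    static long amountOrZero(String raw) {
        try {
            return parseAmount(raw);
        } catch (InvalidAmountException e) {
            System.err.println("rejected: " + e.getMessage());
            return 0L;
        }
    }
    public static void main(String[] args) {
        // "1500" parses; "12x" is rejected through the dedicated exception
        System.out.println(amountOrZero("1500") + " " + amountOrZero("12x"));
    }
}
```

Compile and run with `javac ExceptionHandlingExample.java && java ExceptionHandlingExample`; the generic variants are kept only to show what Sonar flags.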
