Date: Sun, 25 Jun 2017 05:49:01 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: dev@fineract.incubator.apache.org
Subject: [jira] [Commented] (FINERACT-437) Fix security vulnerabilities of using generic exceptions and catching throwable and errors

[ https://issues.apache.org/jira/browse/FINERACT-437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16062219#comment-16062219 ]

ASF GitHub Bot commented on FINERACT-437:
-----------------------------------------

GitHub user ThisuraThejith opened a pull request:

    https://github.com/apache/fineract/pull/375

    FINERACT-437-Remove generic exceptions

    Add a well-defined exception for exceptions thrown by Fineract to resolve error MITRE, CWE-397 - Declaration of Throws for Generic Exception.
You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ThisuraThejith/incubator-fineract FINERACT-437

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/fineract/pull/375.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #375

----
commit 3be98325e1b81f6b75dc1e0d5202c53ad365a866
Author: ThisuraThejith
Date:   2017-06-25T05:45:54Z

    Add well-defined exception for exceptions thrown by Fineract

----


> Fix security vulnerabilities of using generic exceptions and catching throwable and errors
> ------------------------------------------------------------------------------------------
>
>                 Key: FINERACT-437
>                 URL: https://issues.apache.org/jira/browse/FINERACT-437
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Accounting, Organization
>            Reporter: Thisura
>            Assignee: Markus Geiss
>            Priority: Minor
>              Labels: gsoc2017
>
> There are two types of vulnerabilities related to exceptions reported by Sonar.
> 1. Generic exceptions should never be thrown
> [MITRE, CWE-397|http://cwe.mitre.org/data/definitions/397.html] - Declaration of Throws for Generic Exception
> 2. Throwable and Error should not be caught
> [MITRE, CWE-396|http://cwe.mitre.org/data/definitions/396.html] - Declaration of Catch for Generic Exception
> [CERT, ERR07-J|https://www.securecoding.cert.org/confluence/x/BoB3AQ] - Do not throw RuntimeException, Exception, or Throwable
> The rationale behind these vulnerabilities is explained in the above links. The proposed solutions are as follows.
> 1. Generic exceptions should never be thrown => Define and throw a dedicated exception instead of using a generic one.
> 2. Throwable and Error should not be caught => Catch Exception instead of Throwable.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
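The two Sonar findings quoted in the issue, shown side by side with the fix the issue proposes. This is an added example, not Fineract's code and not part of PR #375; the class `GenericExceptionDemo`, the exception `JournalEntryInvalidException`, the reason codes and the ledger-posting scenario are all hypothetical. The "before" half declares `throws Exception` (CWE-397) and catches `Throwable` (CWE-396); the "after" half throws a dedicated exception and narrows the catch to `Exception`, so JVM `Error`s are no longer swallowed.

```java
import java.math.BigDecimal;

/**
 * Added example, not Fineract code: the two Sonar findings from FINERACT-437
 * next to the fix the issue proposes. Names, reason codes and the ledger
 * scenario are hypothetical.
 */
public class GenericExceptionDemo {

    /** Hypothetical dedicated exception; a real project would extend its own domain-exception base type. */
    static final class JournalEntryInvalidException extends RuntimeException {
        private final String reasonCode;

        JournalEntryInvalidException(String reasonCode, String message) {
            super(message);
            this.reasonCode = reasonCode;
        }

        String reasonCode() {
            return reasonCode;
        }
    }

    // ---- BEFORE: CWE-397 (declares "throws Exception") and CWE-396 (catches Throwable) ----

    static void postEntryBefore(BigDecimal debit, BigDecimal credit) throws Exception {
        if (debit.compareTo(credit) != 0) {
            // Generic type: the caller cannot tell a validation failure from an I/O or
            // programming error, so it is pushed towards an equally generic catch.
            throw new Exception("unbalanced journal entry");
        }
    }

    static boolean tryPostBefore(BigDecimal debit, BigDecimal credit, Runnable sideEffect) {
        try {
            postEntryBefore(debit, credit);
            sideEffect.run();
            return true;
        } catch (Throwable t) {
            // Swallows Error subclasses too (OutOfMemoryError, StackOverflowError, AssertionError),
            // so the JVM may be in an undefined state while the code reports an ordinary failure.
            return false;
        }
    }

    // ---- AFTER: dedicated exception type, and the catch narrowed to Exception ----

    static void postEntryAfter(BigDecimal debit, BigDecimal credit) {
        if (debit.signum() < 0 || credit.signum() < 0) {
            throw new JournalEntryInvalidException("error.msg.glJournalEntry.negative.amount",
                    "amounts must be non-negative");
        }
        if (debit.compareTo(credit) != 0) {
            throw new JournalEntryInvalidException("error.msg.glJournalEntry.unbalanced",
                    "debits " + debit + " != credits " + credit);
        }
    }

    static String tryPostAfter(BigDecimal debit, BigDecimal credit, Runnable sideEffect) {
        try {
            postEntryAfter(debit, credit);
            sideEffect.run();
            return "posted";
        } catch (JournalEntryInvalidException e) {
            // Specific handler first: a business-rule failure the caller can report precisely.
            return e.reasonCode();
        } catch (Exception e) {
            // Any other recoverable failure. Errors are deliberately NOT caught here and propagate.
            return "error.msg.unexpected";
        }
    }

    public static void main(String[] args) {
        BigDecimal hundred = new BigDecimal("100.00");
        BigDecimal ninety = new BigDecimal("90.00");
        Runnable ok = () -> { };
        // Constructed fault standing in for a real JVM error raised inside the transaction.
        Runnable jvmFault = () -> { throw new OutOfMemoryError("simulated"); };

        System.out.println("before, unbalanced : " + tryPostBefore(hundred, ninety, ok));
        System.out.println("before, JVM error  : " + tryPostBefore(hundred, hundred, jvmFault));

        System.out.println("after, unbalanced  : " + tryPostAfter(hundred, ninety, ok));
        System.out.println("after, negative    : " + tryPostAfter(ninety.negate(), ninety.negate(), ok));
        try {
            tryPostAfter(hundred, hundred, jvmFault);
        } catch (Error err) {
            // Caught here only so the demo can report it; production code should let it reach
            // the thread's uncaught-exception handler rather than catching Throwable in business logic.
            System.out.println("after, JVM error   : propagated " + err.getClass().getSimpleName());
        }
    }
}
```

Run it with `javac GenericExceptionDemo.java && java GenericExceptionDemo`. In the "before" half the simulated `OutOfMemoryError` is indistinguishable from a plain validation failure, which is the CWE-396 problem; in the "after" half the validation failures come back as distinct reason codes while the `Error` escapes `tryPostAfter` untouched.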