incubator-jena-dev mailing list archives

From "Andy Seaborne (JIRA)" <>
Subject [jira] [Commented] (JENA-243) Passing along HP Fortify findings to the community
Date Fri, 04 May 2012 15:26:58 GMT


Andy Seaborne commented on JENA-243:

Thank you for the report.  There seem to be a large number of false positives relating to
coding style.  

As to the XSS category: (lines 2-8):
1/ Fuseki runs standalone - there is no other Java code to 
2/ of those only line 7 refers to code which is not in the optional management interface or helper apps to validate formats, and that's for JSONP triggered by the client request.

> Passing along HP Fortify findings to the community
> --------------------------------------------------
>                 Key: JENA-243
>                 URL:
>             Project: Apache Jena
>          Issue Type: Question
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Brian Harris
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd like to pass along these findings to the community so they can be reviewed and possibly addressed. I am unsure if I should submit a ticket for each individual finding, submit a ticket that lumps the findings into logical groups or submit one large ticket.
> In all - there are 123 findings that fall into the following categories:
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
> Some of these are flagged as more important such as the XSS violation and must be corrected prior to moving into a production environment. And, it's quite possible some of these are false positives.
> Any direction is greatly appreciated. Thanks!
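The one XSS finding Andy singles out above concerns a JSONP callback name supplied by the client and echoed into a JavaScript response. The following is an added illustration of the defensive check a reviewer would want to see for that pattern; it is not Jena or Fuseki code, and the class name, the request parameter handling, and the allowed-callback policy are assumptions made for this example.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Jena/Fuseki code): validates a JSONP callback name
 * supplied by the client before it is echoed into a JavaScript response.
 * Echoing an unvalidated callback verbatim is the reflected-XSS pattern a
 * scanner such as Fortify reports; restricting the name to a JavaScript
 * identifier (optionally dotted) leaves no room for injected script.
 */
public final class JsonpCallback {

    // One or more identifier segments separated by dots, e.g. "cb" or "ns.onLoad".
    // Hypothetical policy chosen for this example; tighten or relax to fit the API.
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    // Upper bound so an attacker cannot push arbitrarily long strings through the check.
    private static final int MAX_LENGTH = 64;

    private JsonpCallback() {}

    /** True only if the name is safe to write unchanged into a script body. */
    public static boolean isSafeCallback(String name) {
        return name != null
            && name.length() <= MAX_LENGTH
            && SAFE_CALLBACK.matcher(name).matches();
    }

    /**
     * Wraps an already-serialized JSON document in a callback invocation.
     * A rejected name raises rather than silently falling back, so the
     * caller can log it and answer with HTTP 400 instead of a script.
     */
    public static String wrap(String callback, String json) {
        if (!isSafeCallback(callback)) {
            throw new IllegalArgumentException("Rejected JSONP callback name");
        }
        // The leading comment is a widely used hardening against responses being
        // reinterpreted as another content type (e.g. the Flash-based JSONP abuse).
        return "/**/" + callback + "(" + json + ");";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request log.
        System.out.println(isSafeCallback("handleResult"));        // true
        System.out.println(isSafeCallback("app.results.onLoad"));  // true
        System.out.println(isSafeCallback("alert(1)//"));          // false
        System.out.println(isSafeCallback("<script>"));            // false
        System.out.println(wrap("handleResult", "{\"head\":{},\"results\":{}}"));
    }
}
```

In a servlet the caller would pass `request.getParameter(...)` for whichever parameter name the endpoint uses, send the wrapped string with `Content-Type: application/javascript`, and add `X-Content-Type-Options: nosniff` so a browser does not sniff the body as HTML. A finding of this class is a false positive only if the scanner's flagged path never reaches the response without going through a check like `isSafeCallback`, which is the thing to confirm when triaging the report.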

This message is automatically generated by JIRA.