incubator-jena-dev mailing list archives

From "Brian Harris (JIRA)" <>
Subject [jira] [Created] (JENA-243) Passing along HP Fortify findings to the community
Date Fri, 04 May 2012 14:26:47 GMT
Brian Harris created JENA-243:

             Summary: Passing along HP Fortify findings to the community
                 Key: JENA-243
             Project: Apache Jena
          Issue Type: Question
          Components: Fuseki
    Affects Versions: Fuseki 0.2.1
            Reporter: Brian Harris

Our customer has run an HP Fortify scan against the Fuseki code base. I'd like to pass along
these findings to the community so they can be reviewed and possibly addressed. I am unsure
if I should submit a ticket for each individual finding, submit a ticket that lumps the findings
into logical groups or submit one large ticket.

In all, there are 123 findings that fall into the following categories:

Cross-Site Scripting: Reflected
Dead Code: Expression is Always false
Dead Code: Expression is Always true
Header Manipulation
Missing Check against Null
Null Dereference
Often Misused: File Upload
Poor Error Handling: Empty Catch Block
Poor Error Handling: Overly Broad Catch
Poor Logging Practice: Use of a System Output Stream
Poor Style: Identifier Contains Dollar Symbol ($)
Poor Style: Non-final Public Static Field
System Information Leak
System Information Leak: Incomplete Servlet Error Handling
Trust Boundary Violation
Unreleased Resource: Streams

Some of these are flagged as more important such as the XSS violation and must be corrected
prior to moving into a production environment. And, it's quite possible some of these are
false positives.

Any direction is greatly appreciated. Thanks!

This message is automatically generated by JIRA.