incubator-jena-dev mailing list archives

From "Brian Harris (JIRA)" <>
Subject [jira] [Updated] (JENA-243) Passing along HP Fortify findings to the community
Date Fri, 04 May 2012 14:50:55 GMT


Brian Harris updated JENA-243:

    Attachment:     (was: Sanitized Fuseki Scan Findings.xlsx)
> Passing along HP Fortify findings to the community
> --------------------------------------------------
>                 Key: JENA-243
>                 URL:
>             Project: Apache Jena
>          Issue Type: Question
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Brian Harris
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd like to pass
> along these findings to the community so they can be reviewed and possibly addressed. I am
> unsure if I should submit a ticket for each individual finding, submit a ticket that lumps
> the findings into logical groups or submit one large ticket.
> In all - there are 123 findings that fall into the following categories:
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
> Some of these are flagged as more important such as the XSS violation and must be corrected
> prior to moving into a production environment. And, it's quite possible some of these are
> false positives.
> Any direction is greatly appreciated. Thanks!
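For readers triaging a list like the one above, the following is an added illustration (not code from the ticket, the attached scan, or the Jena/Fuseki code base) of what four of the named Fortify categories look like in Java and what the corresponding fix is: Cross-Site Scripting: Reflected, Header Manipulation, Unreleased Resource: Streams, and Poor Error Handling: Empty Catch Block together with Poor Logging Practice. It uses only the JDK so that it compiles without the servlet API; the class and method names and the sample inputs are constructed for the example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.logging.Level;
import java.util.logging.Logger;

// Constructed illustration of four Fortify categories from the ticket and the
// defensive pattern that clears each one. Not Fuseki or Jena code.
public class FortifyPatterns {

    private static final Logger LOG = Logger.getLogger(FortifyPatterns.class.getName());

    // Cross-Site Scripting: Reflected. Concatenating a request parameter straight
    // into HTML lets markup supplied by the requester render in the viewer's browser.
    static String renderUnsafe(String queryParam) {
        return "<p>Results for " + queryParam + "</p>";
    }

    // Fix: encode the five HTML metacharacters before reflecting the value.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderSafe(String queryParam) {
        return "<p>Results for " + escapeHtml(queryParam) + "</p>";
    }

    // Header Manipulation. A CR or LF inside a header value that originated in the
    // request would terminate the header line; reject such values outright instead
    // of attempting to clean them.
    static boolean isSafeHeaderValue(String value) {
        return value != null && value.indexOf('\r') < 0 && value.indexOf('\n') < 0;
    }

    // Unreleased Resource: Streams, Poor Error Handling: Empty Catch Block and
    // Poor Logging Practice: Use of a System Output Stream. try-with-resources
    // closes the reader on every path, and the failure goes to the logger with
    // the exception attached rather than being swallowed or printed to stdout.
    static String readFirstLine(Path file) {
        try (BufferedReader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            return in.readLine();
        } catch (IOException e) {
            LOG.log(Level.WARNING, "could not read " + file, e);
            return null;
        }
    }

    // Demonstration only; stdout is used here because this is a console program,
    // not a server component.
    public static void main(String[] args) throws IOException {
        String hostile = "<b onmouseover=x>query</b>";              // constructed input
        System.out.println(renderUnsafe(hostile));  // markup is reflected unchanged
        System.out.println(renderSafe(hostile));    // &lt;b ...&gt; is inert text
        System.out.println(isSafeHeaderValue("text/turtle"));           // true
        System.out.println(isSafeHeaderValue("text\r\nInjected: yes")); // false
        Path tmp = Files.createTempFile("fortify", ".txt");             // constructed file
        Files.write(tmp, "first line\nsecond line\n".getBytes(StandardCharsets.UTF_8));
        System.out.println(readFirstLine(tmp));                         // first line
        Files.delete(tmp);
    }
}
```

Run with `javac FortifyPatterns.java && java FortifyPatterns`. When reviewing scanner output, the categories in the list split naturally along these lines: the first two are input-handling defects that matter whenever the value can come from a request, while the resource and error-handling findings are robustness issues that a false-positive review can usually settle by reading the surrounding method.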

This message is automatically generated by JIRA.