ofbiz-notifications mailing list archives

From "Julian Leichert (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Deleted] (OFBIZ-9689) [FB] Package org.apache.ofbiz.base.crypto
Date Fri, 08 Sep 2017 10:46:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9689?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Leichert updated OFBIZ-9689:
-----------------------------------
    Comment: was deleted

(was: The patch fixes the problems given by the FindBugs tool.)

> [FB] Package org.apache.ofbiz.base.crypto
> -----------------------------------------
>
>                 Key: OFBIZ-9689
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9689
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: base
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Priority: Minor
>
> BlowFishCrypt.java:56, DE_MIGHT_IGNORE
> -DE: new org.apache.ofbiz.base.crypto.BlowFishCrypt(byte[]) might ignore java.lang.Exception
> This method might ignore an exception. In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.
> BlowFishCrypt.java:66, OS_OPEN_STREAM
> -OS: new org.apache.ofbiz.base.crypto.BlowFishCrypt(File) may fail to close stream
> The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method. This may result in a file descriptor leak. It is generally a good idea to use a finally block to ensure that streams are closed.
> BlowFishCrypt.java:71, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in new org.apache.ofbiz.base.crypto.BlowFishCrypt(File): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:74, DE_MIGHT_IGNORE
> -DE: new org.apache.ofbiz.base.crypto.BlowFishCrypt(File) might ignore java.lang.Exception
> This method might ignore an exception. In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.
> BlowFishCrypt.java:74, REC_CATCH_EXCEPTION
> -REC: Exception is caught when Exception is not thrown in new org.apache.ofbiz.base.crypto.BlowFishCrypt(File)
> This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> BlowFishCrypt.java:82, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.encrypt(String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:90, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.decrypt(String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:103, PZLA_PREFER_ZERO_LENGTH_ARRAYS
> -PZLA: Should org.apache.ofbiz.base.crypto.BlowFishCrypt.encrypt(byte[]) return a zero length array rather than null?
> It is often a better design to return a length zero array rather than a null reference to indicate that there are no results (i.e., an empty list of results). This way, no explicit check for null is needed by clients of the method.
> On the other hand, using null to indicate "there is no answer to this question" is probably appropriate. For example, File.listFiles() returns an empty list if given a directory containing no files, and returns null if the file is not a directory.
> BlowFishCrypt.java:118, PZLA_PREFER_ZERO_LENGTH_ARRAYS
> -PZLA: Should org.apache.ofbiz.base.crypto.BlowFishCrypt.decrypt(byte[]) return a zero length array rather than null?
> It is often a better design to return a length zero array rather than a null reference to indicate that there are no results (i.e., an empty list of results). This way, no explicit check for null is needed by clients of the method.
> On the other hand, using null to indicate "there is no answer to this question" is probably appropriate. For example, File.listFiles() returns an empty list if given a directory containing no files, and returns null if the file is not a directory.
> BlowFishCrypt.java:146, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.testKey(byte[]): new String(byte[])
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:166, OS_OPEN_STREAM
> -OS: org.apache.ofbiz.base.crypto.BlowFishCrypt.main(String[]) may fail to close stream
> The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method. This may result in a file descriptor leak. It is generally a good idea to use a finally block to ensure that streams are closed.
> BlowFishCrypt.java:167, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.main(String[]): new String(byte[])
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:68, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.comparePassword(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:126, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.cryptPassword(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:140, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.cryptValue(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:197, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.pbkdf2HashCrypt(String, String, String): new String(byte[])
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:197, RV_RETURN_VALUE_IGNORED
> -RV: Return value of StringBuilder.toString() ignored in org.apache.ofbiz.base.crypto.HashCrypt.pbkdf2HashCrypt(String, String, String)
> The return value of this method should be checked. One common cause of this warning is to invoke a method on an immutable object, thinking that it updates the object. For example, in the following code fragment,
> String dateString = getHeaderField(name);
> dateString.trim();
> the programmer seems to be thinking that the trim() method will update the String referenced by dateString. But since Strings are immutable, the trim() function returns a new String value, which is being ignored here. The code should be corrected to:
> String dateString = getHeaderField(name);
> dateString = dateString.trim();
> HashCrypt.java:212, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.doComparePbkdf2(String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:250, DMI_INVOKING_TOSTRING_ON_ARRAY
> -USELESS_STRING: Invocation of toString on salt in org.apache.ofbiz.base.crypto.HashCrypt.getSalt()
> The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.
> HashCrypt.java:284, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.digestHash(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:363, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.digestHashOldFunnyHex(String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
