ofbiz-notifications mailing list archives

From "Julian Leichert (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-9772) [FB] Package org.apache.ofbiz.product.category
Date Mon, 25 Sep 2017 09:56:00 GMT
Julian Leichert created OFBIZ-9772:
--------------------------------------

             Summary: [FB] Package org.apache.ofbiz.product.category
                 Key: OFBIZ-9772
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9772
             Project: OFBiz
          Issue Type: Sub-task
          Components: product
    Affects Versions: Trunk
            Reporter: Julian Leichert
            Priority: Minor


CatalogUrlFilter.java:57, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString should be package
protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

CatalogUrlFilter.java:58, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl should be package protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

CatalogUrlFilter.java:69, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CatalogUrlFilter.java:70, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse
in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CatalogUrlFilter.java:76, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString
from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest,
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

CatalogUrlFilter.java:77, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl
from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest,
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

CatalogUrlSeoFilter.java:40, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString should be
package protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

CatalogUrlSeoFilter.java:41, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl should be package
protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

CatalogUrlSeoFilter.java:47, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CatalogUrlSeoFilter.java:48, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse
in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CatalogUrlSeoFilter.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString
from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest,
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

CatalogUrlSeoFilter.java:61, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl
from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest,
ServletResponse, FilterChain)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

CatalogUrlServlet.java:47, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.CatalogUrlServlet is Serializable; consider declaring
a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.
 A change as simple as adding a reference to a .class object will add synthetic fields to
the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference
to String.class will generate a static field class$java$lang$String). Also, different source
code to bytecode compilers may use different naming conventions for synthetic variables generated
for references to class objects or inner classes. To ensure interoperability of Serializable
across versions, consider adding an explicit serialVersionUID.

CategoryContentWrapper.java:102, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
- RCN: Nullcheck of CategoryContentWrapper.categoryContentCache at line 114 of value previously
dereferenced in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(GenericValue,
String, Locale, String, Delegator, LocalDispatcher, String)

A value is checked here to see whether it is null, but this value can't be null because it
was previously dereferenced and if it were null a null pointer exception would have occurred
at the earlier dereference. Essentially, this code and the previous dereference disagree as
to whether this value is allowed to be null. Either the check is redundant or the previous
dereference is erroneous.

CategoryContentWrapper.java:154, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
- RCN: Redundant nullcheck of sessionLocale, which is known to be non-null in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(String,
GenericValue, String, Locale, String, Delegator, LocalDispatcher, Writer, boolean)

This method contains a redundant check of a known non-null value against the constant null.

CategoryServices.java:240, DM_BOXED_PRIMITIVE_FOR_PARSING
- Bx: Boxing/unboxing to parse a primitive org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext,
Map)

A boxed primitive is created from a String, just to extract the unboxed primitive value. It
is more efficient to just call the static parseXXX method.

CategoryServices.java:245, DLS_DEAD_LOCAL_STORE
- DLS: Dead store to viewSize in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext,
Map)

This instruction assigns a value to a local variable, but the value is not read or used in
any subsequent instruction. Often, this indicates an error, because the value computed is
never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because
FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

CategoryServices.java:411, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
- RCN: Redundant nullcheck of productCategoryMembers, which is known to be non-null in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext,
Map)

This method contains a redundant check of a known non-null value against the constant null.

CategoryWorker.java:61, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.CategoryWorker.getCatalogTopCategory(ServletRequest,
String)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CategoryWorker.java:106, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.CategoryWorker.getRelatedCategories(ServletRequest, String,
boolean)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CategoryWorker.java:228, UPM_UNCALLED_PRIVATE_METHOD
- UPM: Private method org.apache.ofbiz.product.category.CategoryWorker.buildCountCondition(String,
String) is never called

This private method is never called. Although it is possible that the method will be invoked
through reflection, it is more likely that the method is never used, and should be removed.

CategoryWorker.java:243, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, String)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CategoryWorker.java:315, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.CategoryWorker.getTrail(ServletRequest)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CategoryWorker.java:321, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, List)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

CategoryWorker.java:408, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
- RCN: Redundant nullcheck of subCat, which is known to be non-null in org.apache.ofbiz.product.category.CategoryWorker.getCategoryContentWrappers(Map,
List, HttpServletRequest)

This method contains a redundant check of a known non-null value against the constant null.

ControlServlet.java:33, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.ControlServlet is Serializable; consider declaring
a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.
 A change as simple as adding a reference to a .class object will add synthetic fields to
the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference
to String.class will generate a static field class$java$lang$String). Also, different source
code to bytecode compilers may use different naming conventions for synthetic variables generated
for references to class objects or inner classes. To ensure interoperability of Serializable
across versions, consider adding an explicit serialVersionUID.

ControlServlet.java:33, NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
- Nm: The class name org.apache.ofbiz.product.category.ControlServlet shadows the simple name
of the superclass org.apache.ofbiz.webapp.control.ControlServlet

This class has a simple name that is identical to that of its superclass, except that its
superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally
confusing, create lots of situations in which you have to look at import statements to resolve
references and creates many opportunities to accidentally define methods that do not override
methods in their superclasses.

ControlServlet.java:35, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.ControlServlet.defaultPage should be package protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

ControlServlet.java:36, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.ControlServlet.pageNotFound should be package protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

ControlServlet.java:37, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.ControlServlet.controlServlet should be package protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

ControlServlet.java:51, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.defaultPage from
instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

ControlServlet.java:57, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.pageNotFound
from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

ControlServlet.java:65, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.controlServlet
from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

SeoCatalogUrlServlet.java:45, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.SeoCatalogUrlServlet is Serializable; consider declaring
a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.
 A change as simple as adding a reference to a .class object will add synthetic fields to
the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference
to String.class will generate a static field class$java$lang$String). Also, different source
code to bytecode compilers may use different naming conventions for synthetic variables generated
for references to class objects or inner classes. To ensure interoperability of Serializable
across versions, consider adding an explicit serialVersionUID.

SeoConfigUtil.java:510, DM_CONVERT_CASE
- Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoConfigUtil.addSpecialProductId(String)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

    String.toUpperCase( Locale l )
    String.toLowerCase( Locale l )

versions instead.

SeoContentUrlFilter.java:46, MS_SHOULD_BE_FINAL
- MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.defaultLocaleString isn't final
but should be

This static field public but not final, and could be changed by malicious code or by accident
from another package. The field could be made final to avoid this vulnerability.

SeoContentUrlFilter.java:47, MS_SHOULD_BE_FINAL
- MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.redirectUrl isn't final but should
be

This static field public but not final, and could be changed by malicious code or by accident
from another package. The field could be made final to avoid this vulnerability.

SeoContentUrlFilter.java:57, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

SeoContentUrlFilter.java:58, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse
in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

SeoContextFilter.java:-1, NM_FIELD_NAMING_CONVENTION
- Nm: The field name org.apache.ofbiz.product.category.SeoContextFilter.WebServlets doesn't
start with a lower case letter

Names of fields that are not final should be in mixed case with a lowercase first letter and
the first letters of subsequent words capitalized.

SeoContextFilter.java:78, WMI_WRONG_MAP_ITERATOR
- WMI: org.apache.ofbiz.product.category.SeoContextFilter.init(FilterConfig) makes inefficient
use of keySet iterator instead of entrySet iterator

This method accesses the value of a Map entry, using a key that was retrieved from a keySet
iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the
Map.get(key) lookup.

SeoContextFilter.java:94, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest
in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

SeoContextFilter.java:95, BC_UNCONFIRMED_CAST
- BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse
in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse,
FilterChain)

This cast is unchecked, and not all instances of the type casted from can be cast to the type
it is being cast to. Check that your program logic ensures that this cast will not fail.

SeoContextFilter.java:181, DM_CONVERT_CASE
- Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest,
ServletResponse, FilterChain)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

    String.toUpperCase( Locale l )
    String.toLowerCase( Locale l )

versions instead.

SeoControlServlet.java:41, SE_NO_SERIALVERSIONID
- SnVI: org.apache.ofbiz.product.category.SeoControlServlet is Serializable; consider declaring
a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.
 A change as simple as adding a reference to a .class object will add synthetic fields to
the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference
to String.class will generate a static field class$java$lang$String). Also, different source
code to bytecode compilers may use different naming conventions for synthetic variables generated
for references to class objects or inner classes. To ensure interoperability of Serializable
across versions, consider adding an explicit serialVersionUID.

SeoControlServlet.java:43, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.SeoControlServlet.defaultPage should be package protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

SeoControlServlet.java:44, MS_PKGPROTECT
- MS: org.apache.ofbiz.product.category.SeoControlServlet.controlServlet should be package
protected

A mutable static field could be changed by malicious code or by accident. The field could
be made package protected to avoid this vulnerability.

SeoControlServlet.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.defaultPage
from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

SeoControlServlet.java:68, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
- ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.controlServlet
from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)

This instance method writes to a static field. This is tricky to get correct if multiple instances
are being manipulated, and generally bad practice.

SeoControlServlet.java:77, DM_CONVERT_CASE
- Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoControlServlet.doGet(HttpServletRequest,
HttpServletResponse)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

    String.toUpperCase( Locale l )
    String.toLowerCase( Locale l )

versions instead.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
