ofbiz-notifications mailing list archives

From "Julian Leichert (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OFBIZ-9772) [FB] Package org.apache.ofbiz.product.category
Date Mon, 25 Sep 2017 10:16:01 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Leichert updated OFBIZ-9772:
-----------------------------------
    Attachment: OFBIZ-9772_org.apache.ofbiz.product.category_bugfixes.patch

> [FB] Package org.apache.ofbiz.product.category
> ----------------------------------------------
>
>                 Key: OFBIZ-9772
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9772
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: product
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Priority: Minor
>         Attachments: OFBIZ-9772_org.apache.ofbiz.product.category_bugfixes.patch
>
>
> CatalogUrlFilter.java:57, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlFilter.java:58, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlFilter.java:69, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlFilter.java:70, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlFilter.java:76, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlFilter.java:77, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlSeoFilter.java:40, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlSeoFilter.java:41, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlSeoFilter.java:47, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlSeoFilter.java:48, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlSeoFilter.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlSeoFilter.java:61, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlServlet.java:47, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.CatalogUrlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> CategoryContentWrapper.java:102, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> - RCN: Nullcheck of CategoryContentWrapper.categoryContentCache at line 114 of value previously dereferenced in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(GenericValue, String, Locale, String, Delegator, LocalDispatcher, String)
> A value is checked here to see whether it is null, but this value can't be null because it was previously dereferenced, and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.
> CategoryContentWrapper.java:154, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of sessionLocale, which is known to be non-null in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(String, GenericValue, String, Locale, String, Delegator, LocalDispatcher, Writer, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> CategoryServices.java:240, DM_BOXED_PRIMITIVE_FOR_PARSING
> - Bx: Boxing/unboxing to parse a primitive in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> A boxed primitive is created from a String, just to extract the unboxed primitive value. It is more efficient to just call the static parseXXX method.
> CategoryServices.java:245, DLS_DEAD_LOCAL_STORE
> - DLS: Dead store to viewSize in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.
> CategoryServices.java:411, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of productCategoryMembers, which is known to be non-null in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> This method contains a redundant check of a known non-null value against the constant null.
> CategoryWorker.java:61, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getCatalogTopCategory(ServletRequest, String)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:106, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getRelatedCategories(ServletRequest, String, boolean)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:228, UPM_UNCALLED_PRIVATE_METHOD
> - UPM: Private method org.apache.ofbiz.product.category.CategoryWorker.buildCountCondition(String, String) is never called
> This private method is never called. Although it is possible that the method will be invoked through reflection, it is more likely that the method is never used, and should be removed.
> CategoryWorker.java:243, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, String)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:315, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getTrail(ServletRequest)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:321, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, List)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:408, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of subCat, which is known to be non-null in org.apache.ofbiz.product.category.CategoryWorker.getCategoryContentWrappers(Map, List, HttpServletRequest)
> This method contains a redundant check of a known non-null value against the constant null.
> ControlServlet.java:33, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.ControlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> ControlServlet.java:33, NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
> - Nm: The class name org.apache.ofbiz.product.category.ControlServlet shadows the simple name of the superclass org.apache.ofbiz.webapp.control.ControlServlet
> This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally confusing, creates lots of situations in which you have to look at import statements to resolve references, and creates many opportunities to accidentally define methods that do not override methods in their superclasses.
> ControlServlet.java:35, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.defaultPage should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> ControlServlet.java:36, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.pageNotFound should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> ControlServlet.java:37, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.controlServlet should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> ControlServlet.java:51, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> ControlServlet.java:57, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.pageNotFound from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> ControlServlet.java:65, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> SeoCatalogUrlServlet.java:45, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoCatalogUrlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> SeoConfigUtil.java:510, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoConfigUtil.addSpecialProductId(String)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
>     String.toUpperCase( Locale l )
>     String.toLowerCase( Locale l )
> versions instead.
> SeoContentUrlFilter.java:46, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.defaultLocaleString isn't final but should be
> This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> SeoContentUrlFilter.java:47, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.redirectUrl isn't final but should be
> This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> SeoContentUrlFilter.java:57, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContentUrlFilter.java:58, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContextFilter.java:-1, NM_FIELD_NAMING_CONVENTION
> - Nm: The field name org.apache.ofbiz.product.category.SeoContextFilter.WebServlets doesn't start with a lower case letter
> Names of fields that are not final should be in mixed case with a lowercase first letter and the first letters of subsequent words capitalized.
> SeoContextFilter.java:78, WMI_WRONG_MAP_ITERATOR
> - WMI: org.apache.ofbiz.product.category.SeoContextFilter.init(FilterConfig) makes inefficient use of keySet iterator instead of entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.
> SeoContextFilter.java:94, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContextFilter.java:95, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContextFilter.java:181, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
>     String.toUpperCase( Locale l )
>     String.toLowerCase( Locale l )
> versions instead.
> SeoControlServlet.java:41, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoControlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> SeoControlServlet.java:43, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.defaultPage should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> SeoControlServlet.java:44, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.controlServlet should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> SeoControlServlet.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> SeoControlServlet.java:68, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> SeoControlServlet.java:77, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoControlServlet.doGet(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
>     String.toUpperCase( Locale l )
>     String.toLowerCase( Locale l )
> versions instead.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
