ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis Balkir (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-9782) [FB] Package org.apache.ofbiz.entity.jdbc
Date Mon, 25 Sep 2017 13:12:00 GMT
Dennis Balkir created OFBIZ-9782:
------------------------------------

             Summary: [FB] Package org.apache.ofbiz.entity.jdbc
                 Key: OFBIZ-9782
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9782
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
    Affects Versions: Trunk
            Reporter: Dennis Balkir
            Priority: Minor


--- CursorResultSet.java:38, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: new org.apache.ofbiz.entity.jdbc.CursorResultSet(Statement, String, int) passes a nonconstant
String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- CursorResultSet.java:54, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.CursorResultSet.next() passes a nonconstant String to an
execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- CursorResultSet.java:59, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.CursorResultSet.close() passes a nonconstant String to an
execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- CursorStatement.java:62, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.CursorStatement.invoke(Object, Method, Object[]) passes
a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:117, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of java.sql.DriverManager.getDriver(String), which is known to be
non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getConnection(String, String, Properties,
String, String)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:264, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of colInfo, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map,
List, List, boolean, boolean, boolean, boolean)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:670, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map,
List, List, boolean, boolean, boolean, boolean)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:704, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of tableIndexList, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map,
List, List, boolean, boolean, boolean, boolean)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:920, REC_CATCH_EXCEPTION
REC: Exception is caught when Exception is not thrown in org.apache.ofbiz.entity.jdbc.DatabaseUtil.printDbMiscData(DatabaseMetaData,
Connection)

This method uses a try-catch block that catches Exception objects, but Exception is not thrown
within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern
to say try { ... } catch (Exception e) { something } as a shorthand for catching a number
of types of exception each of whose catch blocks is identical, but this construct also accidentally
catches RuntimeException as well, masking potential bugs.

A better approach is to either explicitly catch the specific exceptions that are thrown, or
to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime
Exceptions, as shown below:

  try {
    ...
  } catch (RuntimeException e) {
    throw e;
  } catch (Exception e) {
    ... deal with all non-runtime exceptions ...
  }
  
--- DatabaseUtil.java:927, OBL_UNSATISFIED_OBLIGATION
OBL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.printDbMiscData(DatabaseMetaData, Connection)
may fail to clean up java.sql.Statement

This method may fail to clean up (close, dispose of) a stream, database object, or other resource
requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally
block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE
bug patterns, but is based on a different (and hopefully better) static analysis technique.
We are interested is getting feedback about the usefulness of this bug pattern. To send feedback,
either:

send email to findbugs@cs.umd.edu
file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
In particular, the false-positive suppression heuristics for this bug pattern have not been
extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description
of the analysis technique.

--- DatabaseUtil.java:999, NP_NULL_ON_SOME_PATH
NP: Possible null pointer dereference of tableSet in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getTableNames(Collection)

There is a branch of statement that, if executed, guarantees that a null value will be dereferenced,
which would generate a NullPointerException when the code is executed. Of course, the problem
might be that the branch or statement is infeasible and that the null pointer exception can't
ever be executed; deciding that is beyond the ability of FindBugs.

--- DatabaseUtil.java:1008, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getTableNames(Collection)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:1144, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getColumnInfo(Set,
boolean, Collection, ExecutorService)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:1238, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkPrimaryKeyInfo(ResultSet,
String, boolean, Map, Collection)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:1348, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getReferenceInfo(Set,
Collection)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:1466, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getIndexInfo(Set,
Collection, boolean[])

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:1494, NP_NULL_ON_SOME_PATH
NP: Possible null pointer dereference of indexName in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getIndexInfo(Set,
Collection, boolean[])

There is a branch of statement that, if executed, guarantees that a null value will be dereferenced,
which would generate a NullPointerException when the code is executed. Of course, the problem
might be that the branch or statement is infeasible and that the null pointer exception can't
ever be executed; deciding that is beyond the ability of FindBugs.

--- DatabaseUtil.java:1593, URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD
UrF: Unread public/protected field: org.apache.ofbiz.entity.jdbc.DatabaseUtil$AbstractCountingCallable.modelEntities

This field is never read.  The field is public or protected, so perhaps it is intended to
be used with classes not seen as part of the analysis. If not, consider removing it from the
class.

--- DatabaseUtil.java:1637, NP_LOAD_OF_KNOWN_NULL_VALUE
NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity,
Map, boolean)

The variable referenced at this point is known to be null due to an earlier check against
null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different
variable, or perhaps the earlier check to see if the variable is null should have been a check
to see if it was non-null).

--- DatabaseUtil.java:1732, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity, Map, boolean) passes
a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:1737, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity,
Map, boolean)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:1774, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteTable(ModelEntity, List) passes a nonconstant
String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:1781, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteTable(ModelEntity,
List)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:1814, NP_LOAD_OF_KNOWN_NULL_VALUE
NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity,
ModelField)

The variable referenced at this point is known to be null due to an earlier check against
null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different
variable, or perhaps the earlier check to see if the variable is null should have been a check
to see if it was non-null).

--- DatabaseUtil.java:1841, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity, ModelField) passes a
nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:1875, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity,
ModelField)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:1909, NP_LOAD_OF_KNOWN_NULL_VALUE
NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity,
ModelField, String)

The variable referenced at this point is known to be null due to an earlier check against
null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different
variable, or perhaps the earlier check to see if the variable is null should have been a check
to see if it was non-null).

--- DatabaseUtil.java:1922, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity, ModelField, String)
passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:1927, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity,
ModelField, String)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:1972, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.repairColumnSize(ModelEntity, ModelField, List)
passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:1982, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.repairColumnSize(ModelEntity,
ModelField, List)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2046, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.makeTempFieldName(ModelField)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:2067, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.makeFkConstraintName(ModelRelation,
int)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:2175, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKey(ModelEntity, ModelRelation,
ModelEntity, int, String, boolean) passes a nonconstant String to an execute method on an
SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2180, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKey(ModelEntity,
ModelRelation, ModelEntity, int, String, boolean)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2343, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKey(ModelEntity, ModelRelation,
ModelEntity, int) passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2348, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKey(ModelEntity,
ModelRelation, ModelEntity, int)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2361, UC_USELESS_OBJECT
Useless object created

Our analysis shows that this object is useless. It's created and modified, but its value never
go outside of the method or produce any side-effect. Either there is a mistake and object
was intended to be used or it can be removed.

This analysis rarely produces false-positives. Common false-positive cases include:

- This object used to implicitly throw some obscure exception.
- This object used as a stub to generalize the code.
- This object used to hold strong references to weak/soft-referenced objects.

--- DatabaseUtil.java:2414, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createPrimaryKey(ModelEntity, boolean, int)
passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2419, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createPrimaryKey(ModelEntity,
boolean, int)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2435, UC_USELESS_OBJECT
Useless object created

Our analysis shows that this object is useless. It's created and modified, but its value never
go outside of the method or produce any side-effect. Either there is a mistake and object
was intended to be used or it can be removed.

This analysis rarely produces false-positives. Common false-positive cases include:

- This object used to implicitly throw some obscure exception.
- This object used as a stub to generalize the code.
- This object used to hold strong references to weak/soft-referenced objects.

--- DatabaseUtil.java:2492, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deletePrimaryKey(ModelEntity, boolean, int)
passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2499, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deletePrimaryKey(ModelEntity,
boolean, int)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2574, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createDeclaredIndex(ModelEntity, ModelIndex)
passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2579, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createDeclaredIndex(ModelEntity,
ModelIndex)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2624, UC_USELESS_OBJECT
Useless object created

Our analysis shows that this object is useless. It's created and modified, but its value never
go outside of the method or produce any side-effect. Either there is a mistake and object
was intended to be used or it can be removed.

This analysis rarely produces false-positives. Common false-positive cases include:

- This object used to implicitly throw some obscure exception.
- This object used as a stub to generalize the code.
- This object used to hold strong references to weak/soft-referenced objects.

--- DatabaseUtil.java:2691, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteDeclaredIndex(ModelEntity, ModelIndex)
passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2696, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteDeclaredIndex(ModelEntity,
ModelIndex)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2774, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKeyIndex(ModelEntity, ModelRelation,
int) passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2779, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKeyIndex(ModelEntity,
ModelRelation, int)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2821, UC_USELESS_OBJECT
Useless object created

Our analysis shows that this object is useless. It's created and modified, but its value never
go outside of the method or produce any side-effect. Either there is a mistake and object
was intended to be used or it can be removed.

This analysis rarely produces false-positives. Common false-positive cases include:

- This object used to implicitly throw some obscure exception.
- This object used as a stub to generalize the code.
- This object used to hold strong references to weak/soft-referenced objects.

--- DatabaseUtil.java:2894, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKeyIndex(ModelEntity, ModelRelation,
int) passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2899, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKeyIndex(ModelEntity,
ModelRelation, int)

This method contains a redundant check of a known non-null value against the constant null.

--- DatabaseUtil.java:2913, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getSchemaName(DatabaseMetaData)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:2963, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.updateCharacterSetAndCollation(ModelEntity,
List) passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- DatabaseUtil.java:2975, NP_LOAD_OF_KNOWN_NULL_VALUE
NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.updateCharacterSetAndCollation(ModelEntity,
List)

The variable referenced at this point is known to be null due to an earlier check against
null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different
variable, or perhaps the earlier check to see if the variable is null should have been a check
to see if it was non-null).

--- DatabaseUtil.java:3031, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.jdbc.DatabaseUtil$ColumnCheckInfo is Serializable; consider
declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.
 A change as simple as adding a reference to a .class object will add synthetic fields to
the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference
to String.class will generate a static field class$java$lang$String). Also, different source
code to bytecode compilers may use different naming conventions for synthetic variables generated
for references to class objects or inner classes. To ensure interoperability of Serializable
across versions, consider adding an explicit serialVersionUID.

--- DatabaseUtil.java:3050, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil$ColumnCheckInfo.fixupTableName(String,
String, boolean)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- DatabaseUtil.java:3060, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.jdbc.DatabaseUtil$ReferenceCheckInfo is Serializable; consider
declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.
 A change as simple as adding a reference to a .class object will add synthetic fields to
the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference
to String.class will generate a static field class$java$lang$String). Also, different source
code to bytecode compilers may use different naming conventions for synthetic variables generated
for references to class objects or inner classes. To ensure interoperability of Serializable
across versions, consider adding an explicit serialVersionUID.

--- JdbcValueHandler.java:184, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.JdbcValueHandler.parseSqlType(String)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- JdbcValueHandler.java:470, DE_MIGHT_IGNORE
DE: org.apache.ofbiz.entity.jdbc.JdbcValueHandler$ClobJdbcValueHandler.getValue(ResultSet,
int) might ignore java.io.IOException

This method might ignore an exception.  In general, exceptions should be handled or reported
in some way, or they should be thrown out of the method.

--- SQLProcessor.java:59, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.CONNECTION_TEST_LIST isn't final but should
be

This static field public but not final, and could be changed by malicious code or by accident
from another package. The field could be made final to avoid this vulnerability.

--- SQLProcessor.java:60, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.MAX_CONNECTIONS isn't final but should be

This static field public but not final, and could be changed by malicious code or by accident
from another package. The field could be made final to avoid this vulnerability.

--- SQLProcessor.java:61, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.ENABLE_TEST isn't final but should be

This static field public but not final, and could be changed by malicious code or by accident
from another package. The field could be made final to avoid this vulnerability.

--- SQLProcessor.java:337, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String)

The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted
data from a user is used in building this String, SQL injection could be used to make the
prepared statement do something unexpected and undesirable.

--- SQLProcessor.java:350, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String,
boolean, int, int)

The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted
data from a user is used in building this String, SQL injection could be used to make the
prepared statement do something unexpected and undesirable.

--- SQLProcessor.java:376, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String,
boolean, int, int, int, int)

The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted
data from a user is used in building this String, SQL injection could be used to make the
prepared statement do something unexpected and undesirable.

--- SQLProcessor.java:416, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.executeQuery(String)

The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted
data from a user is used in building this String, SQL injection could be used to make the
prepared statement do something unexpected and undesirable.

--- SQLProcessor.java:449, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL: org.apache.ofbiz.entity.jdbc.SQLProcessor.executeUpdate(String) passes a nonconstant
String to an execute method on an SQL statement

The method invokes the execute or addBatch method on an SQL statement with a String that seems
to be dynamically generated. Consider using a prepared statement instead. It is more efficient
and less vulnerable to SQL injection attacks.

--- SQLProcessor.java:513, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.execQuery(String,
ExecQueryCallbackFunctionIF)

The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted
data from a user is used in building this String, SQL injection could be used to make the
prepared statement do something unexpected and undesirable.

--- SqlJdbcUtil.java:228, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of whereCondition, which is known to be non-null in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.makeFromClause(ModelEntity,
ModelFieldTypeReader, Datasource)

This method contains a redundant check of a known non-null value against the constant null.

--- SqlJdbcUtil.java:612, SF_SWITCH_NO_DEFAULT
SF: Switch statement found in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet,
int, ModelField, GenericEntity, ModelFieldTypeReader) where default case is missing

This method contains a switch statement where default case is missing. Usually you need to
provide a default case.

Because the analysis only looks at the generated bytecode, this warning can be incorrect triggered
if the default case is at the end of the switch statement and the switch statement doesn't
contain break statements for other cases.

--- SqlJdbcUtil.java:643, SIO_SUPERFLUOUS_INSTANCEOF
SIO: org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet, int, ModelField, GenericEntity,
ModelFieldTypeReader) does an unnecessary type check using instanceof operator when it can
be determined statically

Type check performed using the instanceof operator where it can be statically determined whether
the object is of the type requested.

--- SqlJdbcUtil.java:643, BC_VACUOUS_INSTANCEOF
BC: instanceof will always return true for all nonnull values in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet,
int, ModelField, GenericEntity, ModelFieldTypeReader), since all String are instances of String

This instanceof test will always return true (unless the value being tested is null). Although
this is safe, make sure it isn't an indication of some misunderstanding or some other logic
error. If you really want to test the value for being null, perhaps it would be clearer to
do better to do a null test rather than an instanceof test.

--- SqlJdbcUtil.java:882, SF_SWITCH_NO_DEFAULT
SF: Switch statement found in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.setValue(SQLProcessor,
ModelField, String, Object, ModelFieldTypeReader) where default case is missing

This method contains a switch statement where default case is missing. Usually you need to
provide a default case.

Because the analysis only looks at the generated bytecode, this warning can be incorrect triggered
if the default case is at the end of the switch statement and the switch statement doesn't
contain break statements for other cases.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message