ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis Balkir (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-9819) [FB] Package org.apache.ofbiz.shipment.thirdparty.ups
Date Fri, 06 Oct 2017 09:50:00 GMT
Dennis Balkir created OFBIZ-9819:
------------------------------------

             Summary: [FB] Package org.apache.ofbiz.shipment.thirdparty.ups
                 Key: OFBIZ-9819
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9819
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
    Affects Versions: Trunk
            Reporter: Dennis Balkir
            Priority: Minor


--- UpsServices.java:80, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.unitsUpsToOfbiz isn't final but should
be

This static field public but not final, and could be changed by malicious code or by accident
from another package. The field could be made final to avoid this vulnerability.

--- UpsServices.java:81, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.unitsOfbizToUps isn't final but should
be

This static field public but not final, and could be changed by malicious code or by accident
from another package. The field could be made final to avoid this vulnerability.

--- UpsServices.java:118, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
RV: Exceptional return value of java.io.File.mkdirs() ignored in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
Map)

This method returns a value that is not checked. The return value should be checked since
it can indicate an unusual or unexpected function execution. For example, the File.delete()
method returns false if the file could not be successfully deleted (rather than throwing an
Exception). If you don't check the result, you won't notice if the method invocation signals
unexpected behavior by returning an atypical return value.

--- UpsServices.java:487, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
RCN: Nullcheck of shipmentPackage at line 487 of value previously dereferenced in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
Map)

A value is checked here to see whether it is null, but this value can't be null because it
was previously dereferenced and if it were null a null pointer exception would have occurred
at the earlier dereference. Essentially, this code and the previous dereference disagree as
to whether this value is allowed to be null. Either the check is redundant or the previous
dereference is erroneous.

--- UpsServices.java:507, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
Map)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

--- UpsServices.java:634, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
OBL: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
Map) may fail to clean up java.io.OutputStream on checked exception

This method may fail to clean up (close, dispose of) a stream, database object, or other resource
requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally
block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE
bug patterns, but is based on a different (and hopefully better) static analysis technique.
We are interested is getting feedback about the usefulness of this bug pattern. To send feedback,
either:

send email to findbugs@cs.umd.edu
file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
In particular, the false-positive suppression heuristics for this bug pattern have not been
extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description
of the analysis technique.

--- UpsServices.java:634, OS_OPEN_STREAM_EXCEPTION_PATH
OS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
Map) may fail to close stream on exception

The method creates an IO stream object, does not assign it to any fields, pass it to other
methods, or return it, and does not appear to close it on all possible exception paths out
of the method.  This may result in a file descriptor leak.  It is generally a good idea to
use a finally block to ensure that streams are closed.

--- UpsServices.java:635, DM_DEFAULT_ENCODING
Dm: Found reliance on default encoding in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentConfirm(DispatchContext,
Map): String.getBytes()

Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.

--- UpsServices.java:831, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
RV: Exceptional return value of java.io.File.mkdirs() ignored in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
Map)

This method returns a value that is not checked. The return value should be checked since
it can indicate an unusual or unexpected function execution. For example, the File.delete()
method returns false if the file could not be successfully deleted (rather than throwing an
Exception). If you don't check the result, you won't notice if the method invocation signals
unexpected behavior by returning an atypical return value.

--- UpsServices.java:911, OS_OPEN_STREAM_EXCEPTION_PATH
OS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
Map) may fail to close stream on exception

The method creates an IO stream object, does not assign it to any fields, pass it to other
methods, or return it, and does not appear to close it on all possible exception paths out
of the method.  This may result in a file descriptor leak.  It is generally a good idea to
use a finally block to ensure that streams are closed.

--- UpsServices.java:911, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
OBL: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
Map) may fail to clean up java.io.OutputStream on checked exception

This method may fail to clean up (close, dispose of) a stream, database object, or other resource
requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally
block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE
bug patterns, but is based on a different (and hopefully better) static analysis technique.
We are interested is getting feedback about the usefulness of this bug pattern. To send feedback,
either:

send email to findbugs@cs.umd.edu
file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
In particular, the false-positive suppression heuristics for this bug pattern have not been
extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description
of the analysis technique.

--- UpsServices.java:912, DM_DEFAULT_ENCODING
Dm: Found reliance on default encoding in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAccept(DispatchContext,
Map): String.getBytes()

Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.

--- UpsServices.java:978, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
RV: Exceptional return value of java.io.File.mkdirs() ignored in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
GenericValue, List, Delegator, String, String, Map, Locale)

This method returns a value that is not checked. The return value should be checked since
it can indicate an unusual or unexpected function execution. For example, the File.delete()
method returns false if the file could not be successfully deleted (rather than throwing an
Exception). If you don't check the result, you won't notice if the method invocation signals
unexpected behavior by returning an atypical return value.

--- UpsServices.java:1112, DM_DEFAULT_ENCODING
Dm: Found reliance on default encoding in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
GenericValue, List, Delegator, String, String, Map, Locale): String.getBytes()

Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.

--- UpsServices.java:1182, OS_OPEN_STREAM_EXCEPTION_PATH
OS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.handleUpsShipmentAcceptResponse(Document,
GenericValue, List, Delegator, String, String, Map, Locale) may fail to close stream on exception

The method creates an IO stream object, does not assign it to any fields, pass it to other
methods, or return it, and does not appear to close it on all possible exception paths out
of the method.  This may result in a file descriptor leak.  It is generally a good idea to
use a finally block to ensure that streams are closed.

--- UpsServices.java:1232, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
RV: Exceptional return value of java.io.File.mkdirs() ignored in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
Map)

This method returns a value that is not checked. The return value should be checked since
it can indicate an unusual or unexpected function execution. For example, the File.delete()
method returns false if the file could not be successfully deleted (rather than throwing an
Exception). If you don't check the result, you won't notice if the method invocation signals
unexpected behavior by returning an atypical return value.

--- UpsServices.java:1305, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
OBL: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
Map) may fail to clean up java.io.OutputStream on checked exception

This method may fail to clean up (close, dispose of) a stream, database object, or other resource
requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally
block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE
bug patterns, but is based on a different (and hopefully better) static analysis technique.
We are interested is getting feedback about the usefulness of this bug pattern. To send feedback,
either:

send email to findbugs@cs.umd.edu
file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
In particular, the false-positive suppression heuristics for this bug pattern have not been
extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description
of the analysis technique.

--- UpsServices.java:1305, OS_OPEN_STREAM_EXCEPTION_PATH
OS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
Map) may fail to close stream on exception

The method creates an IO stream object, does not assign it to any fields, pass it to other
methods, or return it, and does not appear to close it on all possible exception paths out
of the method.  This may result in a file descriptor leak.  It is generally a good idea to
use a finally block to ensure that streams are closed.

--- UpsServices.java:1306, DM_DEFAULT_ENCODING
Dm: Found reliance on default encoding in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsVoidShipment(DispatchContext,
Map): String.getBytes()

Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.

--- UpsServices.java:1431, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
RV: Exceptional return value of java.io.File.mkdirs() ignored in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
Map)

This method returns a value that is not checked. The return value should be checked since
it can indicate an unusual or unexpected function execution. For example, the File.delete()
method returns false if the file could not be successfully deleted (rather than throwing an
Exception). If you don't check the result, you won't notice if the method invocation signals
unexpected behavior by returning an atypical return value.

--- UpsServices.java:1505, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
OBL: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
Map) may fail to clean up java.io.OutputStream on checked exception

This method may fail to clean up (close, dispose of) a stream, database object, or other resource
requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally
block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE
bug patterns, but is based on a different (and hopefully better) static analysis technique.
We are interested is getting feedback about the usefulness of this bug pattern. To send feedback,
either:

send email to findbugs@cs.umd.edu
file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
In particular, the false-positive suppression heuristics for this bug pattern have not been
extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description
of the analysis technique.

--- UpsServices.java:1505, OS_OPEN_STREAM_EXCEPTION_PATH
OS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
Map) may fail to close stream on exception

The method creates an IO stream object, does not assign it to any fields, pass it to other
methods, or return it, and does not appear to close it on all possible exception paths out
of the method.  This may result in a file descriptor leak.  It is generally a good idea to
use a finally block to ensure that streams are closed.

--- UpsServices.java:1506, DM_DEFAULT_ENCODING
Dm: Found reliance on default encoding in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsTrackShipment(DispatchContext,
Map): String.getBytes()

Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.

--- UpsServices.java:1873, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of conStr, which is known to be non-null in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.sendUpsRequest(String,
String, String, String, Delegator, Locale)

This method contains a redundant check of a known non-null value against the constant null.

--- UpsServices.java:1949, DLS_DEAD_LOCAL_STORE
DLS: Dead store to shippableTotal in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
Map)

This instruction assigns a value to a local variable, but the value is not read or used in
any subsequent instruction. Often, this indicates an error, because the value computed is
never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because
FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

--- UpsServices.java:1952, DLS_DEAD_LOCAL_STORE
DLS: Dead store to shippableQuantity in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
Map)

This instruction assigns a value to a local variable, but the value is not read or used in
any subsequent instruction. Often, this indicates an error, because the value computed is
never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because
FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

--- UpsServices.java:1955, DLS_DEAD_LOCAL_STORE
DLS: Dead store to shippableWeight in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
Map)

This instruction assigns a value to a local variable, but the value is not read or used in
any subsequent instruction. Often, this indicates an error, because the value computed is
never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because
FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

--- UpsServices.java:2063, DLS_DEAD_LOCAL_STORE
DLS: Dead store to maxWeight in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
Map)

This instruction assigns a value to a local variable, but the value is not read or used in
any subsequent instruction. Often, this indicates an error, because the value computed is
never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because
FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

--- UpsServices.java:2070, DLS_DEAD_LOCAL_STORE
DLS: Dead store to minWeight in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsRateInquireByPostalCode(DispatchContext,
Map)

This instruction assigns a value to a local variable, but the value is not read or used in
any subsequent instruction. Often, this indicates an error, because the value computed is
never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because
FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

--- UpsServices.java:2323, RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
RV: Exceptional return value of java.io.File.mkdirs() ignored in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
Map)

This method returns a value that is not checked. The return value should be checked since
it can indicate an unusual or unexpected function execution. For example, the File.delete()
method returns false if the file could not be successfully deleted (rather than throwing an
Exception). If you don't check the result, you won't notice if the method invocation signals
unexpected behavior by returning an atypical return value.

--- UpsServices.java:2669, OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
OBL: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
Map) may fail to clean up java.io.OutputStream on checked exception

This method may fail to clean up (close, dispose of) a stream, database object, or other resource
requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally
block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE
bug patterns, but is based on a different (and hopefully better) static analysis technique.
We are interested is getting feedback about the usefulness of this bug pattern. To send feedback,
either:

send email to findbugs@cs.umd.edu
file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
In particular, the false-positive suppression heuristics for this bug pattern have not been
extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description
of the analysis technique.

--- UpsServices.java:2669, OS_OPEN_STREAM_EXCEPTION_PATH
OS: org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
Map) may fail to close stream on exception

The method creates an IO stream object, does not assign it to any fields, pass it to other
methods, or return it, and does not appear to close it on all possible exception paths out
of the method.  This may result in a file descriptor leak.  It is generally a good idea to
use a finally block to ensure that streams are closed.

--- UpsServices.java:2670, DM_DEFAULT_ENCODING
Dm: Found reliance on default encoding in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsEmailReturnLabel(DispatchContext,
Map): String.getBytes()

Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.

--- UpsServices.java:2701, DLS_DEAD_LOCAL_STORE
DLS: Dead store to upsRateInquireMode in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAlternateRatesInquiry(DispatchContext,
Map)

This instruction assigns a value to a local variable, but the value is not read or used in
any subsequent instruction. Often, this indicates an error, because the value computed is
never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because
FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

--- UpsServices.java:2903, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.shipment.thirdparty.ups.UpsServices.upsShipmentAlternateRatesInquiry(DispatchContext,
Map)

A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message