ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Brohl (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (OFBIZ-9720) [FB] Package org.apache.ofbiz.entity.util
Date Fri, 08 Dec 2017 20:20:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9720?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Michael Brohl reassigned OFBIZ-9720:
------------------------------------

    Assignee: Michael Brohl

> [FB] Package org.apache.ofbiz.entity.util
> -----------------------------------------
>
>                 Key: OFBIZ-9720
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9720
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-9720_org.apache.ofbiz.entity.util_bugfixes.patch
>
>
> ByteWrapper.java:35, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.entity.util.ByteWrapper is Serializable; consider declaring
a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID
field.  A change as simple as adding a reference to a .class object will add synthetic fields
to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding
a reference to String.class will generate a static field class$java$lang$String). Also, different
source code to bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure interoperability of
Serializable across versions, consider adding an explicit serialVersionUID.
> ByteWrapper.java:38, EI_EXPOSE_REP2
> - EI2: new org.apache.ofbiz.entity.util.ByteWrapper(byte[]) may expose internal representation
by storing an externally mutable object into ByteWrapper.bytes
> This code stores a reference to an externally mutable object into the internal representation
of the object.  If instances are accessed by untrusted code, and unchecked changes to the
mutable object would compromise security or other important properties, you will need to do
something different. Storing a copy of the object is better approach in many situations.
> ByteWrapper.java:42, EI_EXPOSE_REP
> - EI: org.apache.ofbiz.entity.util.ByteWrapper.getBytes() may expose internal representation
by returning ByteWrapper.bytes
> Returning a reference to a mutable object value stored in one of the object's fields
exposes the internal representation of the object.  If instances are accessed by untrusted
code, and unchecked changes to the mutable object would compromise security or other important
properties, you will need to do something different. Returning a new copy of the object is
better approach in many situations.
> EntityCrypto.java:-1, CI_CONFUSED_INHERITANCE
> - CI: Class org.apache.ofbiz.entity.util.EntityCrypto is final but declares protected
field org.apache.ofbiz.entity.util.EntityCrypto.delegator
> This class is declared to be final, but declares fields to be protected. Since the class
is final, it can not be derived from, and the use of protected is confusing. The access modifier
for the field should be changed to private or public to represent the true use for the field.
> EntityCrypto.java:-1, CI_CONFUSED_INHERITANCE
> - CI: Class org.apache.ofbiz.entity.util.EntityCrypto is final but declares protected
field org.apache.ofbiz.entity.util.EntityCrypto.NormalHashStorageHandler
> This class is declared to be final, but declares fields to be protected. Since the class
is final, it can not be derived from, and the use of protected is confusing. The access modifier
for the field should be changed to private or public to represent the true use for the field.
> EntityCrypto.java:-1, CI_CONFUSED_INHERITANCE
> - CI: Class org.apache.ofbiz.entity.util.EntityCrypto is final but declares protected
field org.apache.ofbiz.entity.util.EntityCrypto.OldFunnyHashStorageHandler
> This class is declared to be final, but declares fields to be protected. Since the class
is final, it can not be derived from, and the use of protected is confusing. The access modifier
for the field should be changed to private or public to represent the true use for the field.
> EntityCrypto.java:-1, CI_CONFUSED_INHERITANCE
> - CI: Class org.apache.ofbiz.entity.util.EntityCrypto is final but declares protected
field org.apache.ofbiz.entity.util.EntityCrypto.keyMap
> This class is declared to be final, but declares fields to be protected. Since the class
is final, it can not be derived from, and the use of protected is confusing. The access modifier
for the field should be changed to private or public to represent the true use for the field.
> EntityCrypto.java:-1, CI_CONFUSED_INHERITANCE
> - CI: Class org.apache.ofbiz.entity.util.EntityCrypto is final but declares protected
field org.apache.ofbiz.entity.util.EntityCrypto.handlers
> This class is declared to be final, but declares fields to be protected. Since the class
is final, it can not be derived from, and the use of protected is confusing. The access modifier
for the field should be changed to private or public to represent the true use for the field.
> EntityCrypto.java:175, PZLA_PREFER_ZERO_LENGTH_ARRAYS
> - PZLA: Should org.apache.ofbiz.entity.util.EntityCrypto.findKey(String, EntityCrypto$StorageHandler)
return a zero length array rather than null?
> It is often a better design to return a length zero array rather than a null reference
to indicate that there are no results (i.e., an empty list of results). This way, no explicit
check for null is needed by clients of the method.
> On the other hand, using null to indicate "there is no answer to this question" is probably
appropriate. For example, File.listFiles() returns an empty list if given a directory containing
no files, and returns null if the file is not a directory.
> EntityCrypto.java:342, DM_DEFAULT_ENCODING
> - Dm: Found reliance on default encoding in org.apache.ofbiz.entity.util.EntityCrypto$3.getHashedKeyName(String):
String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.
> EntityCrypto.java:377, DM_DEFAULT_ENCODING
> - Dm: Found reliance on default encoding in org.apache.ofbiz.entity.util.EntityCrypto$SaltedBase64StorageHandler.getHashedKeyName(String):
String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.
> EntityDataLoader.java:162, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.util.EntityDataLoader.getUrlList(String,
String, List)
> A String is being converted to upper or lowercase, using the platform's default encoding.
This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> EntityDataLoader.java:167, NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE
> - NP: Possible null pointer dereference in org.apache.ofbiz.entity.util.EntityDataLoader.getUrlList(String,
String, List) due to return value of called method
> The return value from a method is dereferenced without a null check, and the return value
of that method is one that should generally be checked for null. This may lead to a NullPointerException
when the code is executed.
> EntityDataLoader.java:258, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in org.apache.ofbiz.entity.util.EntityDataLoader.loadData(URL,
String, Delegator, List, int, boolean, boolean, boolean)
> This method uses a try-catch block that catches Exception objects, but Exception is not
thrown within the try block, and RuntimeException is not explicitly caught. It is a common
bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching
a number of types of exception each of whose catch blocks is identical, but this construct
also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown,
or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime
Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> EntityFindOptions.java:44, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.entity.util.EntityFindOptions is Serializable; consider declaring
a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID
field.  A change as simple as adding a reference to a .class object will add synthetic fields
to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding
a reference to String.class will generate a static field class$java$lang$String). Also, different
source code to bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure interoperability of
Serializable across versions, consider adding an explicit serialVersionUID.
> EntityListIterator.java:151, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of StringBuilder.toString(), which is known to be non-null
in org.apache.ofbiz.entity.util.EntityListIterator.close()
> This method contains a redundant check of a known non-null value against the constant
null.
> EntityQuery.java:327, EI_EXPOSE_REP2
> - EI2: org.apache.ofbiz.entity.util.EntityQuery.filterByDate(Timestamp) may expose internal
representation by storing an externally mutable object into EntityQuery.filterByDateMoment
> This code stores a reference to an externally mutable object into the internal representation
of the object.  If instances are accessed by untrusted code, and unchecked changes to the
mutable object would compromise security or other important properties, you will need to do
something different. Storing a copy of the object is better approach in many situations.
> EntityQuery.java:365, EI_EXPOSE_REP2
> - EI2: org.apache.ofbiz.entity.util.EntityQuery.filterByDate(Timestamp, String[]) may
expose internal representation by storing an externally mutable object into EntityQuery.filterByDateMoment
> This code stores a reference to an externally mutable object into the internal representation
of the object.  If instances are accessed by untrusted code, and unchecked changes to the
mutable object would compromise security or other important properties, you will need to do
something different. Storing a copy of the object is better approach in many situations.
> EntitySaxReader.java:236, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in org.apache.ofbiz.entity.util.EntitySaxReader.parse(InputStream,
String)
> This method uses a try-catch block that catches Exception objects, but Exception is not
thrown within the try block, and RuntimeException is not explicitly caught. It is a common
bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching
a number of types of exception each of whose catch blocks is identical, but this construct
also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown,
or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime
Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> EntitySaxReader.java:315, DM_DEFAULT_ENCODING
> - Dm: Found reliance on default encoding in org.apache.ofbiz.entity.util.EntitySaxReader.endElement(String,
String, String): new java.io.InputStreamReader(InputStream)
> Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.
> EntitySaxReader.java:372, DM_DEFAULT_ENCODING
> - Dm: Found reliance on default encoding in org.apache.ofbiz.entity.util.EntitySaxReader.endElement(String,
String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion,
and will assume that the default platform encoding is suitable. This will cause the application
behaviour to vary between platforms. Use an alternative API and specify a charset name or
Charset object explicitly.
> EntitySaxReader.java:378, DMI_INVOKING_TOSTRING_ON_ARRAY
> - USELESS_STRING: Invocation of toString on EntitySaxReader.currentFieldValue in org.apache.ofbiz.entity.util.EntitySaxReader.endElement(String,
String, String)
> The code invokes toString on an array, which will generate a fairly useless result such
as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String
that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.
> EntityStoreOptions.java:28, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.entity.util.EntityStoreOptions is Serializable; consider declaring
a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID
field.  A change as simple as adding a reference to a .class object will add synthetic fields
to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding
a reference to String.class will generate a static field class$java$lang$String). Also, different
source code to bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure interoperability of
Serializable across versions, consider adding an explicit serialVersionUID.
> EntityUtilProperties.java:50, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.entity.util.EntityUtilProperties is Serializable; consider declaring
a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID
field.  A change as simple as adding a reference to a .class object will add synthetic fields
to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding
a reference to String.class will generate a static field class$java$lang$String). Also, different
source code to bytecode compilers may use different naming conventions for synthetic variables
generated for references to class objects or inner classes. To ensure interoperability of
Serializable across versions, consider adding an explicit serialVersionUID.
> SequenceUtil.java:226, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> - SQL: org.apache.ofbiz.entity.util.SequenceUtil$SequenceBank.fillBank(long) passes a
nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that
seems to be dynamically generated. Consider using a prepared statement instead. It is more
efficient and less vulnerable to SQL injection attacks.
> SequenceUtil.java:253, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.util.SequenceUtil$SequenceBank.fillBank(long)
> This method contains a redundant check of a known non-null value against the constant
null.
> SequenceUtil.java:258, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in org.apache.ofbiz.entity.util.SequenceUtil$SequenceBank.fillBank(long)
> This method uses a try-catch block that catches Exception objects, but Exception is not
thrown within the try block, and RuntimeException is not explicitly caught. It is a common
bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching
a number of types of exception each of whose catch blocks is identical, but this construct
also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown,
or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime
Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message