zookeeper-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2731) Cleanup findbug warnings in branch-3.4: Malicious code vulnerability Warnings
Date Mon, 24 Apr 2017 19:14:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981705#comment-15981705 ]

ASF GitHub Bot commented on ZOOKEEPER-2731:
-------------------------------------------

Github user afine commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/232#discussion_r113032297
  
    --- Diff: src/java/main/org/apache/jute/compiler/JType.java ---
    @@ -27,7 +27,7 @@
     	private String mCName;
         private String mCppName;
         private String mCsharpName;
    -    private String mJavaName;
    +    protected String mJavaName;
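    Review bot: widening `mJavaName` from `private` to `protected` also opens it to every class in the same package, not only to subclasses; if subclasses only need to read the name, a `protected` getter over a still-private field is the narrower change and keeps the field from being reassigned from outside. While touching this block, the context line `private String mCName;` is indented with a tab where the neighbouring fields use spaces, which is worth normalising.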
    --- End diff --
    
    @rakeshadr this fixes findbugs issues added by ZOOKEEPER-1045:
    
    > Bug type EI_EXPOSE_REP
    > In class org.apache.zookeeper.server.quorum.QuorumAuthPacket
    > In method org.apache.zookeeper.server.quorum.QuorumAuthPacket.getToken()
    > Field org.apache.zookeeper.server.quorum.QuorumAuthPacket.token
    > At QuorumAuthPacket.java:[line 50]
    
    and
    
    > Bug type EI_EXPOSE_REP2
    > In class org.apache.zookeeper.server.quorum.QuorumAuthPacket
    > In method new org.apache.zookeeper.server.quorum.QuorumAuthPacket(long, int, byte[])
    > Field org.apache.zookeeper.server.quorum.QuorumAuthPacket.token
    > Local variable named token
    > At QuorumAuthPacket.java:[line 35]
    
    These issues are newer than the findbugs report included with ZOOKEEPER-2728, which is why they are not listed there.
    
    @hanm The reason that this solution is not used in 3.5 (and in other classes of 3.4) is that we ignore similar issues by including the following in findbugsExcludeFile.xml:
    
    ```
      <Match>
        <Package name="org.apache.jute.compiler.generated" />
      </Match>
    
      <Match>
        <Package name="~org\.apache\.zookeeper\.(proto|data|txn)" />
        <Bug code="EI, EI2" />
      </Match>
    
      <Match>
        <Class name="org.apache.zookeeper.server.DataNode" />
          <Bug code="EI2"/>
      </Match>
    
      <Match>
        <Class name="org.apache.zookeeper.server.quorum.QuorumPacket" />
           <Bug code="EI2, EI" />
      </Match>
    
      <Match>
        <Class name="org.apache.zookeeper.ClientCnxn"/>
          <Bug code="EI, EI2" />
      </Match>
    ```
    
    I went ahead and updated the patch to remove these entries and made some additional changes to get rid of all the findbugs warnings.
    
    Although I am very concerned about the potential performance impact of including all of these extra clone() operations, particularly as it relates to "node data". What do you think, should we just ignore the warning on `QuorumAuthPacket.java` or fix the cause?
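As an added illustration of the EI_EXPOSE_REP / EI_EXPOSE_REP2 and MS_MUTABLE_COLLECTION findings discussed in the comment above (this is not ZooKeeper code; `ExposingPacket`, `CopyingPacket`, the two default lists and the sample values are constructed stand-ins for `QuorumAuthPacket` and `ZooDefs.Ids.OPEN_ACL_UNSAFE`), the following shows how a stored or returned array can be altered from outside the class, and how the defensive copies that silence the warning cost one `clone()` per read, which is the trade-off the comment raises:

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical packet modelled on the two findings quoted above; not ZooKeeper's QuorumAuthPacket.
final class ExposingPacket {
    private final byte[] token;
    ExposingPacket(byte[] token) { this.token = token; }   // EI_EXPOSE_REP2: keeps the caller's array
    byte[] getToken() { return token; }                    // EI_EXPOSE_REP: hands out the internal array
}

// Same shape with the defensive copies findbugs asks for: one clone() in, one clone() per read.
final class CopyingPacket {
    private final byte[] token;
    CopyingPacket(byte[] token) { this.token = token.clone(); }
    byte[] getToken() { return token.clone(); }
    int tokenLength() { return token.length; }             // read-only queries cost no copy
}

public class ExposeRepDemo {
    // MS_MUTABLE_COLLECTION shape (cf. OPEN_ACL_UNSAFE), with a constructed String standing in for ACL.
    static final List<String> MUTABLE_DEFAULTS = Arrays.asList("world:anyone");
    // Wrapping the list removes the warning without copying on every read.
    static final List<String> FROZEN_DEFAULTS =
            Collections.unmodifiableList(Arrays.asList("world:anyone"));

    public static void main(String[] args) {
        byte[] secret = "s3cr3t".getBytes(StandardCharsets.US_ASCII);  // constructed sample token
        ExposingPacket exposing = new ExposingPacket(secret);
        CopyingPacket copying = new CopyingPacket(secret);

        secret[0] = 'X';               // the caller keeps writing to the array it passed in
        exposing.getToken()[1] = 'Y';  // a reader writes through the returned reference
        copying.getToken()[1] = 'Y';   // the same write lands on a copy; internal state is unchanged
        System.out.println("exposing token: " + new String(exposing.getToken(), StandardCharsets.US_ASCII));
        System.out.println("copying token:  " + new String(copying.getToken(), StandardCharsets.US_ASCII));

        MUTABLE_DEFAULTS.set(0, "constructed:replacement");  // silently rewrites the shared default
        System.out.println("mutable default: " + MUTABLE_DEFAULTS);
        try {
            FROZEN_DEFAULTS.set(0, "constructed:replacement");
        } catch (UnsupportedOperationException e) {
            System.out.println("frozen default rejected the write");
        }
    }
}
```

Compile and run with `javac ExposeRepDemo.java && java ExposeRepDemo`; the exposing packet reflects both outside writes while the copying packet still holds the original bytes.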


> Cleanup findbug warnings in branch-3.4: Malicious code vulnerability Warnings
> -----------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2731
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2731
>             Project: ZooKeeper
>          Issue Type: Sub-task
>    Affects Versions: 3.4.9
>            Reporter: Rakesh R
>            Assignee: Abraham Fine
>             Fix For: 3.4.11
>
>
> Please refer to the attached sheet in the parent jira. Below are the details of the findbugs warnings.
> {code}
> MS	org.apache.zookeeper.Environment.JAAS_CONF_KEY isn't final but should be
> Bug type MS_SHOULD_BE_FINAL (click for details) 
> In class org.apache.zookeeper.Environment
> Field org.apache.zookeeper.Environment.JAAS_CONF_KEY
> At Environment.java:[line 34]
> MS	org.apache.zookeeper.server.ServerCnxn.cmd2String is a mutable collection which should be package protected
> Bug type MS_MUTABLE_COLLECTION_PKGPROTECT (click for details) 
> In class org.apache.zookeeper.server.ServerCnxn
> Field org.apache.zookeeper.server.ServerCnxn.cmd2String
> At ServerCnxn.java:[line 230]
> MS	org.apache.zookeeper.ZooDefs$Ids.OPEN_ACL_UNSAFE is a mutable collection
> Bug type MS_MUTABLE_COLLECTION (click for details) 
> In class org.apache.zookeeper.ZooDefs$Ids
> Field org.apache.zookeeper.ZooDefs$Ids.OPEN_ACL_UNSAFE
> At ZooDefs.java:[line 100]
> MS	org.apache.zookeeper.ZooKeeperMain.commandMap is a mutable collection which should be package protected
> Bug type MS_MUTABLE_COLLECTION_PKGPROTECT (click for details) 
> In class org.apache.zookeeper.ZooKeeperMain
> Field org.apache.zookeeper.ZooKeeperMain.commandMap
> At ZooKeeperMain.java:[line 53]
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
