Eduardo Aguinaga created CASSANDRA-12325:
--------------------------------------------

             Summary: Access Specifier Manipulation
                 Key: CASSANDRA-12325
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12325
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:
There are 18 instances in the Cassandra source code where setAccessible() is used to suppress Java language access checking. Static analysis automation tools, like Fortify, will log every instance of the use of setAccessible() and its use represents a possible security issue. The use of setAccessible() can cause security problems if the Java access checking is suppressed longer than required or another approach could be taken other than suppressing access checking. This issue will list all 18 instances where setAccessible() is used and the usage of this method should be reviewed and checked to make sure it is not used inappropriately.

setAccessible() is used in the following places:

UDHelper.java Line 49
HadoopCompat.java Line 109, 113, 118, 150, 152, 154
Memory.java Line 42
GCInspector.java Line 68
Locks.java Line 33
Ref.java Line 626
FastByteOperations.java Line 150
FBUtilities.java Line 539
Hex.java Line 128
MemoryUtil.java Line 61
SyncUtil.java Line 33, 45, 57

UDHelper.java, lines 45-56:
{code:java}
45         try
46         {
47             Class<?> cls = Class.forName("com.datastax.driver.core.DataTypeClassNameParser");
48             Method m = cls.getDeclaredMethod("parseOne", String.class, ProtocolVersion.class, CodecRegistry.class);
49             m.setAccessible(true);
50             methodParseOne = MethodHandles.lookup().unreflect(m);
51             codecRegistry = new CodecRegistry();
52         }
53         catch (Exception e)
54         {
55             throw new RuntimeException(e);
56         }
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
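The point the ticket asks reviewers to check is how long access checking stays suppressed. The UDHelper snippet keeps the `Method` object's accessible flag set after the `MethodHandle` has been captured, even though the handle carries its own access rights once `unreflect()` returns. The following Java 8 example is added here to illustrate that review criterion; it is not Cassandra code and not part of the ticket. `HiddenParser` and its private `parseOne(String, int)` are constructed stand-ins for the driver's `DataTypeClassNameParser.parseOne`, kept as a separate top-level class so that no nestmate rule grants access on newer JVMs. `leakyLookup()` reproduces the flagged shape; `scopedLookup()` narrows the window to the single `unreflect()` call and clears the flag in `finally`, so a retained `Method` object can no longer bypass access checking while the captured handle keeps working.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Method;

// Constructed stand-in for a driver class with a private parser method
// (compare com.datastax.driver.core.DataTypeClassNameParser.parseOne).
// It is a separate top-level class so that no nestmate rule grants access.
class HiddenParser
{
    private static String parseOne(String typeName, int protocolVersion)
    {
        return typeName.trim().toLowerCase() + "@v" + protocolVersion;
    }
}

public class ScopedReflectiveAccess
{
    // What a reviewer wants to see after the lookup: the MethodHandle that
    // does the work, and the Method object with its accessible flag cleared.
    static final class Captured
    {
        final MethodHandle handle;
        final Method method;

        Captured(MethodHandle handle, Method method)
        {
            this.handle = handle;
            this.method = method;
        }
    }

    // Flagged shape from the ticket: the flag is set and never cleared, so the
    // Method object bypasses access checks for as long as it is reachable.
    static Method leakyLookup() throws ReflectiveOperationException
    {
        Method m = HiddenParser.class.getDeclaredMethod("parseOne", String.class, int.class);
        m.setAccessible(true);
        return m;
    }

    // Narrowed shape: suppression lasts only for the unreflect() call. The
    // resulting MethodHandle carries its own access rights, so the Method's
    // flag is cleared in finally, whether or not unreflect() throws.
    static Captured scopedLookup() throws ReflectiveOperationException
    {
        Method m = HiddenParser.class.getDeclaredMethod("parseOne", String.class, int.class);
        m.setAccessible(true);
        try
        {
            MethodHandle h = MethodHandles.lookup().unreflect(m);
            return new Captured(h, m);
        }
        finally
        {
            m.setAccessible(false);
        }
    }

    public static void main(String[] args) throws Throwable
    {
        Method leaky = leakyLookup();
        System.out.println("leaky:  accessible flag still set = " + leaky.isAccessible());

        Captured c = scopedLookup();
        System.out.println("scoped: accessible flag after capture = " + c.method.isAccessible());
        System.out.println("scoped: handle still works -> " + c.handle.invoke(" Ascii ", 4));
        try
        {
            // The retained Method object is subject to access checking again;
            // a private method of another class is rejected here.
            c.method.invoke(null, "Ascii", 4);
            System.out.println("unexpected: reflective invoke succeeded");
        }
        catch (IllegalAccessException expected)
        {
            System.out.println("scoped: Method.invoke fails access checking, as intended");
        }
    }
}
```

Compile and run with `javac ScopedReflectiveAccess.java && java ScopedReflectiveAccess`. `Method.isAccessible()` is used because the ticket targets a Java 8 code base; on Java 9 and later it is deprecated in favour of `canAccess()`, and the same narrowing can be expressed without `setAccessible()` at all via `MethodHandles.privateLookupIn()`.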