[ https://issues.apache.org/jira/browse/CASSANDRA-12325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eduardo Aguinaga updated CASSANDRA-12325:
-----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Access Specifier Manipulation
> -----------------------------
>
>                 Key: CASSANDRA-12325
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12325
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> There are 18 instances in the Cassandra source code where setAccessible() is
> used to suppress Java language access checking. Static analysis automation
> tools, like Fortify, will log every instance of the use of setAccessible(),
> and its use represents a possible security issue.
>
> The use of setAccessible() can cause security problems if the Java access
> checking is suppressed longer than required or another approach could be
> taken other than suppressing access checking. This issue will list all 18
> instances where setAccessible() is used; the usage of this method should
> be reviewed and checked to make sure it is not used inappropriately.
>
> setAccessible() is used in the following places:
> UDHelper.java Line 49
> HadoopCompat.java Line 109, 113, 118, 150, 152, 154
> Memory.java Line 42
> GCInspector.java Line 68
> Locks.java Line 33
> Ref.java Line 626
> FastByteOperations.java Line 150
> FBUtilities.java Line 539
> Hex.java Line 128
> MemoryUtil.java Line 61
> SyncUtil.java Line 33, 45, 57
>
> UDHelper.java, lines 45-56:
> {code:java}
> 45 try
> 46 {
> 47     Class<?> cls = Class.forName("com.datastax.driver.core.DataTypeClassNameParser");
> 48     Method m = cls.getDeclaredMethod("parseOne", String.class, ProtocolVersion.class, CodecRegistry.class);
> 49     m.setAccessible(true);
> 50     methodParseOne = MethodHandles.lookup().unreflect(m);
> 51     codecRegistry = new CodecRegistry();
> 52 }
> 53 catch (Exception e)
> 54 {
> 55     throw new RuntimeException(e);
> 56 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
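Added example, not part of the issue text or the Cassandra source: it shows the two remediation patterns the issue alludes to for the UDHelper.java case, namely keeping the access suppression as short as possible (clear the Method's accessible flag as soon as the MethodHandle has been captured, since unreflect() performs its access check once and the resulting handle is unaffected by later flag changes) and, on Java 9 or later, avoiding setAccessible() entirely via MethodHandles.privateLookupIn(). The class ParserStandIn and its private parseOne method are constructed stand-ins for the driver class the issue quotes; they are not the real driver API.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

// Constructed stand-in for the private parser the issue's snippet reaches into.
final class ParserStandIn {
    private static int parseOne(String typeName) {
        return typeName.length();
    }
}

public final class NarrowAccessDemo {

    // Pattern 1: access checking is suppressed only inside this method, on a Method
    // object that is never published, and the flag is cleared in a finally block.
    static MethodHandle resolveWithScopedSetAccessible() {
        Method m = null;
        try {
            m = ParserStandIn.class.getDeclaredMethod("parseOne", String.class);
            m.setAccessible(true);
            // unreflect() checks access now; the handle it returns does not consult
            // the Method's accessible flag again, so the flag can be reset at once.
            return MethodHandles.lookup().unreflect(m);
        } catch (ReflectiveOperationException e) {
            throw new ExceptionInInitializerError(e);
        } finally {
            if (m != null) {
                m.setAccessible(false);
            }
        }
    }

    // Pattern 2 (Java 9+): obtain a Lookup with private access to the target class
    // instead of flipping the accessible flag. The target's module must open the
    // package to the caller; classes in the unnamed module, as here, always qualify.
    static MethodHandle resolveWithPrivateLookup() {
        try {
            MethodHandles.Lookup lookup =
                MethodHandles.privateLookupIn(ParserStandIn.class, MethodHandles.lookup());
            return lookup.findStatic(ParserStandIn.class, "parseOne",
                MethodType.methodType(int.class, String.class));
        } catch (ReflectiveOperationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    static int invoke(MethodHandle parseOne, String typeName) throws Throwable {
        return (int) parseOne.invokeExact(typeName);
    }

    public static void main(String[] args) throws Throwable {
        MethodHandle scoped = resolveWithScopedSetAccessible();
        MethodHandle viaLookup = resolveWithPrivateLookup();
        System.out.println("scoped setAccessible: " + invoke(scoped, "uuid"));
        System.out.println("privateLookupIn:      " + invoke(viaLookup, "uuid"));
    }
}
```

Either pattern keeps the reflective hole confined to class initialisation; the second is preferable where the codebase can require Java 9, because a static analysis rule that flags setAccessible() then has nothing to report and the access grant is expressed through the module system rather than a per-object flag.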