[ https://issues.apache.org/jira/browse/OFBIZ-9681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl reassigned OFBIZ-9681:
------------------------------------

    Assignee: Michael Brohl

> [FB] Package org.apache.ofbiz.common
> ------------------------------------
>
>                 Key: OFBIZ-9681
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9681
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-No_org.apache.ofbiz.common_bugfixes.patch
>
>
> CommonEvents.java:173, DLS_DEAD_LOCAL_STORE
> - DLS: Dead store to followerListStr in 
> org.apache.ofbiz.common.CommonEvents.setAppletFollower(HttpServletRequest, 
> HttpServletResponse)
> This instruction assigns a value to a local variable, but the value is not 
> read or used in any subsequent instruction. Often, this indicates an error, 
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local 
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to 
> eliminate these false positives.
> CommonEvents.java:292, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in 
> org.apache.ofbiz.common.CommonEvents.jsonResponseFromRequestAttributes(HttpServletRequest,
>  HttpServletResponse)
> This method uses a try-catch block that catches Exception objects, but 
> Exception is not thrown within the try block, and RuntimeException is not 
> explicitly caught. It is a common bug pattern to say try { ... } catch 
> (Exception e) { something } as a shorthand for catching a number of types of 
> exception each of whose catch blocks is identical, but this construct also 
> accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that 
> are thrown, or to explicitly catch RuntimeException exception, rethrow it, 
> and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> CommonEvents.java:300, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of jsonStr, which is known to be non-null in 
> org.apache.ofbiz.common.CommonEvents.writeJSONtoResponse(JSON, 
> HttpServletRequest, HttpServletResponse)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> CommonEvents.java:488, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in 
> org.apache.ofbiz.common.CommonEvents.getCaptcha(HttpServletRequest, 
> HttpServletResponse)
> This method uses a try-catch block that catches Exception objects, but 
> Exception is not thrown within the try block, and RuntimeException is not 
> explicitly caught. It is a common bug pattern to say try { ... } catch 
> (Exception e) { something } as a shorthand for catching a number of types of 
> exception each of whose catch blocks is identical, but this construct also 
> accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that 
> are thrown, or to explicitly catch RuntimeException exception, rethrow it, 
> and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> CommonServices.java:220, DM_GC
> - Dm: org.apache.ofbiz.common.CommonServices.forceGc(DispatchContext, Map) 
> forces garbage collection; extremely dubious except in benchmarking code
> Code explicitly invokes garbage collection. Except for specific use in 
> benchmarking, this is very dubious.
> In the past, situations where people have explicitly invoked the garbage 
> collector in routines such as close or finalize methods has led to huge 
> performance black holes. Garbage collection can be expensive. Any situation 
> that forces hundreds or thousands of garbage collections will bring the 
> machine to a crawl.
> CommonServices.java:474, OS_OPEN_STREAM
> - OS: org.apache.ofbiz.common.CommonServices.streamTest(DispatchContext, Map) 
> may fail to close stream
> The method creates an IO stream object, does not assign it to any fields, 
> pass it to other methods that might close it, or return it, and does not 
> appear to close the stream on all paths out of the method.  This may result 
> in a file descriptor leak.  It is generally a good idea to use a finally 
> block to ensure that streams are closed.
> CommonServices.java:474, DM_DEFAULT_ENCODING
> - Dm: Found reliance on default encoding in 
> org.apache.ofbiz.common.CommonServices.streamTest(DispatchContext, Map): new 
> java.io.InputStreamReader(InputStream)
> Found a call to a method which will perform a byte to String (or String to 
> byte) conversion, and will assume that the default platform encoding is 
> suitable. This will cause the application behaviour to vary between 
> platforms. Use an alternative API and specify a charset name or Charset 
> object explicitly.
> CommonServices.java:477, DM_DEFAULT_ENCODING
> - Dm: Found reliance on default encoding in 
> org.apache.ofbiz.common.CommonServices.streamTest(DispatchContext, Map): new 
> java.io.OutputStreamWriter(OutputStream)
> Found a call to a method which will perform a byte to String (or String to 
> byte) conversion, and will assume that the default platform encoding is 
> suitable. This will cause the application behaviour to vary between 
> platforms. Use an alternative API and specify a charset name or Charset 
> object explicitly.
> CommonServices.java:500, DLS_DEAD_LOCAL_STORE
> - DLS: Dead store to count in 
> org.apache.ofbiz.common.CommonServices.ping(DispatchContext, Map)
> This instruction assigns a value to a local variable, but the value is not 
> read or used in any subsequent instruction. Often, this indicates an error, 
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local 
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to 
> eliminate these false positives.
> FindServices.java:74, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.common.FindServices.entityOperators isn't final but 
> should be
> This static field is public but not final, and could be changed by malicious 
> code or by accident from another package. The field could be made final to 
> avoid this vulnerability.
> FindServices.java:127, WMI_WRONG_MAP_ITERATOR
> - WMI: org.apache.ofbiz.common.FindServices.prepareField(Map, Map, Map) makes 
> inefficient use of keySet iterator instead of entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved 
> from a keySet iterator. It is more efficient to use an iterator on the 
> entrySet of the map, to avoid the Map.get(key) lookup.
> FindServices.java:345, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
> org.apache.ofbiz.common.FindServices.createSingleCondition(ModelField, 
> String, Object, boolean, Delegator, Map)
> A String is being converted to upper or lowercase, using the platform's 
> default encoding. This may result in improper conversions when used with 
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> FindServices.java:444, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in 
> org.apache.ofbiz.common.FindServices.performFindList(DispatchContext, Map)
> This method uses a try-catch block that catches Exception objects, but 
> Exception is not thrown within the try block, and RuntimeException is not 
> explicitly caught. It is a common bug pattern to say try { ... } catch 
> (Exception e) { something } as a shorthand for catching a number of types of 
> exception each of whose catch blocks is identical, but this construct also 
> accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that 
> are thrown, or to explicitly catch RuntimeException exception, rethrow it, 
> and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> FindServices.java:705, WMI_WRONG_MAP_ITERATOR
> - WMI: org.apache.ofbiz.common.FindServices.buildReducedQueryString(Map, 
> String, Delegator) makes inefficient use of keySet iterator instead of 
> entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved 
> from a keySet iterator. It is more efficient to use an iterator on the 
> entrySet of the map, to avoid the Map.get(key) lookup.
> FindServices.java:758, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in 
> org.apache.ofbiz.common.FindServices.performFindItem(DispatchContext, Map)
> This method uses a try-catch block that catches Exception objects, but 
> Exception is not thrown within the try block, and RuntimeException is not 
> explicitly caught. It is a common bug pattern to say try { ... } catch 
> (Exception e) { something } as a shorthand for catching a number of types of 
> exception each of whose catch blocks is identical, but this construct also 
> accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that 
> are thrown, or to explicitly catch RuntimeException exception, rethrow it, 
> and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> JsLanguageFileMappingCreator.java:96, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
> org.apache.ofbiz.common.JsLanguageFileMappingCreator.createJsLanguageFileMapping(DispatchContext,
>  Map)
> A String is being converted to upper or lowercase, using the platform's 
> default encoding. This may result in improper conversions when used with 
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> JsLanguageFileMappingCreator.java:198, REC_CATCH_EXCEPTION
> - REC: Exception is caught when Exception is not thrown in 
> org.apache.ofbiz.common.JsLanguageFileMappingCreator.createJsLanguageFileMapping(DispatchContext,
>  Map)
> This method uses a try-catch block that catches Exception objects, but 
> Exception is not thrown within the try block, and RuntimeException is not 
> explicitly caught. It is a common bug pattern to say try { ... } catch 
> (Exception e) { something } as a shorthand for catching a number of types of 
> exception each of whose catch blocks is identical, but this construct also 
> accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that 
> are thrown, or to explicitly catch RuntimeException exception, rethrow it, 
> and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> JsLanguageFilesMapping.java:32, NM_CLASS_NAMING_CONVENTION
> - Nm: The class name org.apache.ofbiz.common.JsLanguageFilesMapping$datejs 
> doesn't start with an upper case letter
> Class names should be nouns, in mixed case with the first letter of each 
> internal word capitalized. Try to keep your class names simple and 
> descriptive. Use whole words; avoid acronyms and abbreviations (unless the 
> abbreviation is much more widely used than the long form, such as URL or 
> HTML).
> JsLanguageFilesMapping.java:208, NM_CLASS_NAMING_CONVENTION
> - Nm: The class name org.apache.ofbiz.common.JsLanguageFilesMapping$jquery 
> doesn't start with an upper case letter
> Class names should be nouns, in mixed case with the first letter of each 
> internal word capitalized. Try to keep your class names simple and 
> descriptive. Use whole words; avoid acronyms and abbreviations (unless the 
> abbreviation is much more widely used than the long form, such as URL or 
> HTML).
> JsLanguageFilesMapping.java:383, NM_CLASS_NAMING_CONVENTION
> - Nm: The class name 
> org.apache.ofbiz.common.JsLanguageFilesMapping$validation doesn't start with 
> an upper case letter
> Class names should be nouns, in mixed case with the first letter of each 
> internal word capitalized. Try to keep your class names simple and 
> descriptive. Use whole words; avoid acronyms and abbreviations (unless the 
> abbreviation is much more widely used than the long form, such as URL or 
> HTML).
> JsLanguageFilesMapping.java:557, NM_CLASS_NAMING_CONVENTION
> - Nm: The class name org.apache.ofbiz.common.JsLanguageFilesMapping$dateTime 
> doesn't start with an upper case letter
> Class names should be nouns, in mixed case with the first letter of each 
> internal word capitalized. Try to keep your class names simple and 
> descriptive. Use whole words; avoid acronyms and abbreviations (unless the 
> abbreviation is much more widely used than the long form, such as URL or 
> HTML).
> KeywordSearchUtil.java:195, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
> org.apache.ofbiz.common.KeywordSearchUtil.makeKeywordSet(String, String, 
> boolean)
> A String is being converted to upper or lowercase, using the platform's 
> default encoding. This may result in improper conversions when used with 
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> UrlServletHelper.java:51, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
> javax.servlet.http.HttpServletRequest in 
> org.apache.ofbiz.common.UrlServletHelper.setRequestAttributes(ServletRequest, 
> Delegator, ServletContext)
> This cast is unchecked, and not all instances of the type casted from can be 
> cast to the type it is being cast to. Check that your program logic ensures 
> that this cast will not fail.
> UrlServletHelper.java:92, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
> javax.servlet.http.HttpServletRequest in 
> org.apache.ofbiz.common.UrlServletHelper.setViewQueryParameters(ServletRequest,
>  StringBuilder)
> This cast is unchecked, and not all instances of the type casted from can be 
> cast to the type it is being cast to. Check that your program logic ensures 
> that this cast will not fail.
> UrlServletHelper.java:154, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to 
> javax.servlet.http.HttpServletRequest in 
> org.apache.ofbiz.common.UrlServletHelper.checkPathAlias(ServletRequest, 
> ServletResponse, Delegator, String)
> This cast is unchecked, and not all instances of the type casted from can be 
> cast to the type it is being cast to. Check that your program logic ensures 
> that this cast will not fail.
> UrlServletHelper.java:155, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to 
> javax.servlet.http.HttpServletResponse in 
> org.apache.ofbiz.common.UrlServletHelper.checkPathAlias(ServletRequest, 
> ServletResponse, Delegator, String)
> This cast is unchecked, and not all instances of the type casted from can be 
> cast to the type it is being cast to. Check that your program logic ensures 
> that this cast will not fail.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
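The findings quoted above are easier to judge with the patterns side by side. The following is an added illustration written for this page; it is not OFBiz code, not the attached patch, and not the FindBugs reference text. Every class, field and method name in it is invented (FindBugsPatternsDemo, OPERATORS, normalizeAfter, readAfter, isPositiveAfter, userAgentAfter), the two servlet interfaces are local stand-ins for the javax.servlet ones so the file compiles without a container, and the byte string in main is constructed sample input. Each "before" method reproduces one reported pattern (MS_SHOULD_BE_FINAL, DM_CONVERT_CASE, DM_DEFAULT_ENCODING with OS_OPEN_STREAM, REC_CATCH_EXCEPTION, BC_UNCONFIRMED_CAST) and the matching "after" method shows the fix FindBugs recommends, with the security consequence of each in the comments.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration (not OFBiz code): a "before"/"after" pair for each FindBugs
// pattern in the report that carries a security or correctness consequence.
// All class, field and method names here are invented for the demo.
public final class FindBugsPatternsDemo {

    // MS_SHOULD_BE_FINAL: a public static non-final reference can be replaced by
    // any code loaded in the JVM (a plugin, a gadget chain, a bug elsewhere).
    public static Map<String, String> operatorsBefore = new HashMap<>();

    // After: the reference is final and the contents are unmodifiable, so callers
    // can neither swap the table nor add operators to it.
    public static final Map<String, String> OPERATORS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("equals", "=");
        m.put("like", "LIKE");
        OPERATORS = Collections.unmodifiableMap(m);
    }

    // DM_CONVERT_CASE: toLowerCase() without a Locale uses the JVM default. Under
    // tr-TR, "ADMIN".toLowerCase() becomes "adm\u0131n" (dotless i), so a
    // case-insensitive role or username comparison silently stops matching.
    public static String normalizeBefore(String s) {
        return s.toLowerCase();
    }

    public static String normalizeAfter(String s) {
        return s.toLowerCase(Locale.ROOT);
    }

    // DM_DEFAULT_ENCODING and OS_OPEN_STREAM: name the charset explicitly and let
    // try-with-resources close the reader on every exit path, including exceptions.
    public static String readBefore(InputStream in) throws IOException {
        BufferedReader r = new BufferedReader(new InputStreamReader(in)); // platform charset, never closed
        return r.readLine();
    }

    public static String readAfter(InputStream in) throws IOException {
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(in, StandardCharsets.UTF_8))) {
            return r.readLine();
        }
    }

    // REC_CATCH_EXCEPTION: catch (Exception) also swallows RuntimeExceptions such as
    // NullPointerException or a SecurityException raised by an access check.
    public static boolean isPositiveBefore(String s) {
        try {
            return Integer.parseInt(s.trim()) > 0;
        } catch (Exception e) {             // a null s is reported as "not positive"
            return false;
        }
    }

    public static boolean isPositiveAfter(String s) {
        try {
            return Integer.parseInt(s.trim()) > 0;
        } catch (NumberFormatException e) { // only the failure we expect; an NPE propagates
            return false;
        }
    }

    // BC_UNCONFIRMED_CAST: a Filter or helper receives ServletRequest; confirm the
    // runtime type instead of assuming HTTP. These two interfaces stand in for the
    // javax.servlet ones so the file compiles without a container on the classpath.
    interface ServletRequest { }
    interface HttpServletRequest extends ServletRequest { String getHeader(String name); }

    public static String userAgentBefore(ServletRequest req) {
        return ((HttpServletRequest) req).getHeader("User-Agent"); // ClassCastException for non-HTTP requests
    }

    public static String userAgentAfter(ServletRequest req) {
        if (req instanceof HttpServletRequest) {
            return ((HttpServletRequest) req).getHeader("User-Agent");
        }
        return null; // caller decides how to treat a non-HTTP request
    }

    public static void main(String[] args) throws IOException {
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        System.out.println("default-locale lower-case matches: " + normalizeBefore("ADMIN").equals("admin"));
        System.out.println("Locale.ROOT lower-case matches:    " + normalizeAfter("ADMIN").equals("admin"));
        byte[] utf8 = "caf\u00e9\n".getBytes(StandardCharsets.UTF_8); // constructed sample input
        System.out.println("read with explicit UTF-8: " + readAfter(new ByteArrayInputStream(utf8)));
    }
}
```

Compile and run it with `javac FindBugsPatternsDemo.java && java FindBugsPatternsDemo`. The main method sets the default locale to Turkish before calling the two case-folding variants, which is the quickest way to see why DM_CONVERT_CASE matters for anything compared case-insensitively (usernames, roles, header names); the other pairs are there to read rather than to run, since a leaked file descriptor or a swallowed NullPointerException does not show up in a one-shot program.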
