[ https://issues.apache.org/jira/browse/OFBIZ-10837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-10837:
------------------------------------
    Parent: OFBIZ-1525
    Issue Type: Sub-task  (was: Bug)

> Improve ObjectInputStream class (CVE-2019-0189)
> -----------------------------------------------
>
>                 Key: OFBIZ-10837
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10837
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name as the extended Object.[3]
>
> [1] [https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false]
> [2] [https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html]
> [3] Bug: The class name org.apache.ofbiz.base.util.ObjectInputStream shadows the simple name of the superclass java.io.ObjectInputStream
>
> This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and create many opportunities to accidentally define methods that do not override methods in their superclasses.
>
> Rank: Troubling (14), confidence: High
> Pattern: NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
> Type: Nm, Category: BAD_PRACTICE (Bad practice)
>
> {color:#de350b}2019/09/12: Initially this description was intentionally done to somehow hide a security issue (CVE-2019-0189) while allowing the bug to be fixed.{color}

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
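An added illustration of the hazard the FindBugs text quoted above describes, written for this page and not taken from OFBiz; it reuses the rule's own alpha.Foo / beta.Foo naming, while the method name `accept` and the `Main` class are assumptions.

```java
// Added example, not OFBiz code: a subclass that reuses its superclass's simple
// name can declare a method that looks like an override but is only an overload.
// Packages alpha/beta come from the FindBugs text; accept() and Main are invented.

// --- file beta/Foo.java ---
package beta;

public class Foo {
    // Intended extension point; subclasses are expected to override it.
    public boolean accept(Foo other) {
        return false;
    }
}

// --- file alpha/Foo.java ---
package alpha;

public class Foo extends beta.Foo {
    // Inside package alpha the bare name "Foo" resolves to alpha.Foo, so this
    // parameter type is alpha.Foo, not beta.Foo. The result is a new overload,
    // not an override, and the compiler accepts it without complaint.
    public boolean accept(Foo other) {
        return true;
    }

    // Fixed form: spell out the superclass type and mark the intent with
    // @Override, which turns any signature mismatch into a compile error.
    //
    //     @Override
    //     public boolean accept(beta.Foo other) { return true; }
}

// --- file Main.java ---
public class Main {
    public static void main(String[] args) {
        alpha.Foo sub = new alpha.Foo();

        // Static type alpha.Foo: the more specific overload accept(alpha.Foo)
        // is chosen, so this prints true.
        System.out.println(sub.accept(sub));

        // Static type beta.Foo: only accept(beta.Foo) is visible, and alpha.Foo
        // never overrode it, so the superclass body runs and this prints false,
        // even though the object is the same alpha.Foo instance.
        beta.Foo viaSuper = sub;
        System.out.println(viaSuper.accept(viaSuper));
    }
}
```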