[ https://issues.apache.org/jira/browse/FINERACT-470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shaik Nazeer Hussain resolved FINERACT-470.
-------------------------------------------
    Resolution: Fixed
      Assignee: Santosh Math  (was: Markus Geiss)
 Fix Version/s: 1.1.0

> Fix security vulnerabilities related to using public mutable and nonconstant fields
> -----------------------------------------------------------------------------------
>
>                 Key: FINERACT-470
>                 URL: https://issues.apache.org/jira/browse/FINERACT-470
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: System
>            Reporter: Thisura
>            Assignee: Santosh Math
>              Labels: p1
>             Fix For: 1.1.0
>
>
> There are multiple security vulnerabilities found in fineract-provider as described in this report [1].
> There are four types of vulnerabilities related to using public mutable and nonconstant fields.
>
> 1. Mutable fields should not be "public static"
>    * MITRE, CWE-582 - Array Declared Public, Final, and Static
>    * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 2. "static final" arrays should be "private"
>    * MITRE, CWE-582 - Array Declared Public, Final, and Static
>    * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 3. "public static" fields should be constant
>    * MITRE, CWE-500 - Public Static Field Not Marked Final
>    * CERT OBJ10-J - Do not use public static nonfinal variable
> 4. "enum" fields should not be publicly mutable
>
> The reported incident of type 2 is considered to be a false positive. Types 1, 3 and 4 are present as described in the report [1].
>
> The proposed solutions [2] are as follows. (Solutions are respective to each vulnerability type above.)
>
> 1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class, move them to a separate class and lower the visibility.
> 2. "static final" arrays should be "private" => Make the arrays private.
> 3. "public static" fields should be constant => Make the respective field final.
> 4. "enum" fields should not be publicly mutable => Lower the visibility of the setter. Remove it altogether.
>
> Some of the issues were fixed in [FINERACT-436 \[3\]|https://github.com/apache/fineract/pull/343]. The rest should be covered in this ticket.
>
> [1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
> [2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
> [3] https://github.com/apache/fineract/pull/343

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
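The four field patterns listed in the ticket, each shown next to a hardened form, as an added illustration that is not Fineract code and not taken from the linked reports or pull request. The class names, field names and values below are invented for this note; the hardened forms use immutable collections, defensive copies and `final` fields, which is one way of applying the ticket's "lower the visibility / make it final / remove the setter" advice.

```java
import java.util.List;

// Hypothetical demo class written for this note; none of these types exist in Fineract.
public class PublicMutableFieldsDemo {

    // Type 1 (CWE-607): "final" pins the reference, not the contents. Any class in the
    // JVM can add or remove elements, so the shared list is effectively global mutable state.
    static class Weak1 {
        public static final List<String> ALLOWED_ROLES = new java.util.ArrayList<>(List.of("user"));
    }

    // Type 2 (CWE-582): array elements are always writable, regardless of "final".
    static class Weak2 {
        public static final String[] ALLOWED_ROLES = {"user", "auditor"};
    }

    // Type 3 (CWE-500 / CERT OBJ10-J): a public static non-final field can be reassigned
    // by any caller, so a security limit becomes a suggestion.
    static class Weak3 {
        public static int maxLoginAttempts = 5;
    }

    // Type 4: enum constants are process-wide singletons; a public setter lets any caller
    // change the meaning of ACTIVE for every user of the enum.
    enum WeakStatus {
        ACTIVE(1);
        private int code;
        WeakStatus(int code) { this.code = code; }
        public int getCode() { return code; }
        public void setCode(int code) { this.code = code; }
    }

    // Hardened forms.
    static class Fixed1 {
        // List.of returns an immutable list; writes throw UnsupportedOperationException.
        public static final List<String> ALLOWED_ROLES = List.of("user");
    }

    static class Fixed2 {
        private static final String[] ALLOWED_ROLES = {"user", "auditor"};
        // Accessor hands out a defensive copy, so callers cannot alter the original.
        public static String[] allowedRoles() { return ALLOWED_ROLES.clone(); }
    }

    static class Fixed3 {
        // A true constant: the compiler rejects any assignment.
        public static final int MAX_LOGIN_ATTEMPTS = 5;
    }

    enum FixedStatus {
        ACTIVE(1);
        private final int code;   // no setter, field is final
        FixedStatus(int code) { this.code = code; }
        public int getCode() { return code; }
    }

    public static void main(String[] args) {
        // Each weak form can be altered by code that has nothing to do with the owning class.
        Weak1.ALLOWED_ROLES.add("admin");
        Weak2.ALLOWED_ROLES[0] = "admin";
        Weak3.maxLoginAttempts = Integer.MAX_VALUE;
        WeakStatus.ACTIVE.setCode(0);
        System.out.println("weak list      = " + Weak1.ALLOWED_ROLES);          // [user, admin]
        System.out.println("weak array[0]  = " + Weak2.ALLOWED_ROLES[0]);       // admin
        System.out.println("weak limit     = " + Weak3.maxLoginAttempts);       // 2147483647
        System.out.println("weak enum code = " + WeakStatus.ACTIVE.getCode());  // 0

        // The hardened forms either reject the write or isolate it to a copy.
        try {
            Fixed1.ALLOWED_ROLES.add("admin");
        } catch (UnsupportedOperationException e) {
            System.out.println("fixed list rejected the write");
        }
        String[] copy = Fixed2.allowedRoles();
        copy[0] = "admin";
        System.out.println("fixed array[0] = " + Fixed2.allowedRoles()[0]);     // user
        // Fixed3.MAX_LOGIN_ATTEMPTS = 1;   -> compile error: cannot assign a value to final variable
        // FixedStatus.ACTIVE.setCode(0);   -> compile error: no such method
        System.out.println("fixed limit    = " + Fixed3.MAX_LOGIN_ATTEMPTS);    // 5
        System.out.println("fixed enum     = " + FixedStatus.ACTIVE.getCode()); // 1
    }
}
```

Compile and run with `javac PublicMutableFieldsDemo.java && java PublicMutableFieldsDemo` (Java 9 or later for `List.of`). The point the static-analysis rules make is visible in the first four lines of `main`: none of those writes require reflection or access to the declaring class, and in a multi-tenant service such as fineract-provider a value such as a login limit or a role list altered in one code path is altered for every tenant in the same JVM.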