Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/09/08 12:49:53 UTC
svn commit: r1807747 - /tomcat/trunk/res/findbugs/filter-false-positives.xml
Author: markt
Date: Fri Sep 8 12:49:53 2017
New Revision: 1807747
URL: http://svn.apache.org/viewvc?rev=1807747&view=rev
Log:
Fix a handful of SQL related false positives
Modified:
tomcat/trunk/res/findbugs/filter-false-positives.xml
Modified: tomcat/trunk/res/findbugs/filter-false-positives.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/res/findbugs/filter-false-positives.xml?rev=1807747&r1=1807746&r2=1807747&view=diff
==============================================================================
--- tomcat/trunk/res/findbugs/filter-false-positives.xml (original)
+++ tomcat/trunk/res/findbugs/filter-false-positives.xml Fri Sep 8 12:49:53 2017
@@ -205,6 +205,18 @@
<Bug code="REC" />
</Match>
<Match>
+ <!-- SQL construction is safe since it is from trusted config -->
+ <Or>
+ <Class name="org.apache.catalina.realm.DataSourceRealm" />
+ <Class name="org.apache.catalina.realm.JDBCRealm" />
+ </Or>
+ <Or>
+ <Method name="credentials" />
+ <Method name="roles" />
+ </Or>
+ <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" />
+ </Match>
+ <Match>
<Class name="org.apache.catalina.realm.JDBCRealm" />
<Field name="containerLog" />
<Bug code="IS" />
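Review bot: The Match added at the top of this hunk silences the detector for every method named `credentials` or `roles` in either realm class, because each `<Method>` carries only a `name`; a future overload that builds its statement differently would be silenced too. The filter syntax lets `<Method>` also carry `params` and `returns`, so pinning the signature keeps the suppression as narrow as the comment claims, and the comment itself should record the invariant being relied on, e.g. `<!-- Only the table and column names come from the realm's configuration; the lookup value is bound as a parameter, never concatenated -->` (the parameter binding is inferred from the "trusted config" justification, so confirm it against the realm code before writing it down). The same name-only matching applies to the JDBCStore method list in the next hunk, where the suppression grows from two methods to six.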
@@ -262,10 +274,14 @@
supplied -->
<Class name="org.apache.catalina.session.JDBCStore" />
<Or>
+ <Method name="clear" />
+ <Method name="getSize" />
+ <Method name="keys" />
<Method name="load" />
+ <Method name="remove" />
<Method name="save" />
</Or>
- <Bug code="SQL" />
+ <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" />
</Match>
<Match>
<!-- We can live with the threading issue. See code comment for details. -->
@@ -633,6 +649,39 @@
<Bug pattern="NP_NONNULL_RETURN_VIOLATION" />
</Match>
<Match>
+ <!-- SQL is from config so is considered safe -->
+ <Class name="org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory" />
+ <Method name="initializeConnection" />
+ <Bug pattern="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" />
+ </Match>
+ <Match>
+ <!-- SQL construction is safe for validation query -->
+ <Class name="org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory" />
+ <Method name="validateConnection" />
+ <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" />
+ </Match>
+ <Match>
+ <!-- SQL construction is necessary for pooled statements -->
+ <Class name="org.apache.tomcat.dbcp.dbcp2.PoolingConnection" />
+ <Method name="makeObject" />
+ <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" />
+ </Match>
+ <Match>
+ <!-- SQL construction is necessary for pooled statements -->
+ <Class name="org.apache.tomcat.dbcp.dbcp2.cpdsadapter.PooledConnectionImpl" />
+ <Method name="makeObject" />
+ <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" />
+ </Match>
+ <Match>
+ <!-- SQL construction is safe for validation query -->
+ <Or>
+ <Class name="org.apache.tomcat.dbcp.dbcp2.datasources.CPDSConnectionFactory" />
+ <Class name="org.apache.tomcat.dbcp.dbcp2.datasources.KeyedCPDSConnectionFactory" />
+ </Or>
+ <Method name="validateObject" />
+ <Bug pattern="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" />
+ </Match>
+ <Match>
<!-- Pooled objects can't be null so this is OK -->
<Class name="org.apache.tomcat.dbcp.pool2.impl.BaseGenericObjectPool$IdentityWrapper" />
<Method name="equals" />
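Review bot: The two Matches for `makeObject` on `PoolingConnection` and `cpdsadapter.PooledConnectionImpl` are identical apart from the class, and this hunk already shows the idiom for that case on the CPDS connection factories: one `<Or>` of `<Class>` elements with a single `<Method>` and `<Bug>`. Merging them keeps the justification in one place instead of two copies that can drift. Separately, the "from config" comments do not say which configuration; naming the property (presumably `connectionInitSqls` for `initializeConnection` and `validationQuery` for the validation paths — verify) lets a later reviewer re-check that the string is still operator-controlled rather than request-derived, and the same applies to the `PooledConnection.validate` entry in the following hunk.
```xml
  <Match>
    <!-- SQL construction is necessary for pooled statements -->
    <Or>
      <Class name="org.apache.tomcat.dbcp.dbcp2.PoolingConnection" />
      <Class name="org.apache.tomcat.dbcp.dbcp2.cpdsadapter.PooledConnectionImpl" />
    </Or>
    <Method name="makeObject" />
    <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" />
  </Match>
  <!-- … unchanged: the other Match entries in this hunk … -->
```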
@@ -670,6 +719,12 @@
<Bug code="UL" />
</Match>
<Match>
+ <!-- SQL is from config so is considered safe -->
+ <Class name="org.apache.tomcat.jdbc.pool.PooledConnection" />
+ <Method name="validate" />
+ <Bug pattern="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" />
+ </Match>
+ <Match>
<!-- Lack of thread-safety is accepted in return for better performance. -->
<Class name="org.apache.tomcat.jdbc.pool.interceptor.SlowQueryReport$QueryStats" />
<Or>
@@ -1104,12 +1159,24 @@
<Bug pattern="RV_RETURN_VALUE_IGNORED" />
</Match>
<Match>
+ <!-- SQL is from config so is considered safe -->
+ <Class name="org.apache.tomcat.jdbc.test.TestSlowQueryReport" />
+ <Method name="testFastSql" />
+ <Bug pattern="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" />
+ </Match>
+ <Match>
<!-- Use of static is unavoidable -->
<Class name="org.apache.tomcat.jdbc.test.TestStatementCache" />
<Method name="tearDown" />
<Bug code="ST" />
</Match>
<Match>
+ <!-- SQL is from generated in test code so is considered safe -->
+ <Class name="org.apache.tomcat.jdbc.test.TestStatementCache" />
+ <Method name="testMaxCacheSize" />
+ <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" />
+ </Match>
+ <Match>
<Class name="org.apache.tomcat.jdbc.test.TwoDataSources" />
<Method name="testTwoDataSources" />
<Or>
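Review bot: The comment on the `TestStatementCache.testMaxCacheSize` Match reads "SQL is from generated in test code", which is garbled; `<!-- SQL is generated in test code so is considered safe -->` is presumably what was meant. The `TestSlowQueryReport.testFastSql` entry above it reuses the "from config" wording used for the production classes, but for a test method the string is more likely built inside the test itself — worth checking, and if so giving both test entries the same "generated in test code" justification so the two kinds of suppression stay distinguishable.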