You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Dennis Balkir (JIRA)" <ji...@apache.org> on 2017/09/25 13:13:00 UTC

[jira] [Updated] (OFBIZ-9782) [FB] Package org.apache.ofbiz.entity.jdbc

     [ https://issues.apache.org/jira/browse/OFBIZ-9782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Balkir updated OFBIZ-9782:
---------------------------------
    Attachment: OFBIZ-9782_org.apache.ofbiz.entity.jdbc_bugfixes.patch

Diamond Operators fixed

class CursorResultSet:
- didn’t change anything, since this is all inside the entity-engine and there won’t be sql injections

class CursorStatement:
- didn’t change anything, since this is all inside the entity-engine and there won’t be sql injections

class DatabaseUtil:
- Line 116: removed the if phrase, because {{getDriver()}} cannot produce null as a result
- Line 261: removed the if phrase, because since the last time {{colInfo}} is checked nothing is done with it, furthermore, if it would have been null, the method would have already returned
- Line 686: added a default Locale to {{toUpperCase()}}
- Line 720: removed if phrase, because {{tableIndexList}} cannot be null at this point
- Line 942: added a local variable {{lstmt}} for further use
- Line 944 & 945: changed the code, so that {{lstmt}} is uses instead of a nameless new statement, which cannot be closed properly
- Line 987: removed the if phrase because {{tableSet}} cannot be null at this point, since {{getTables()}} cannot produce null as a result
- Line 1021: added a default Locale to {{toUpperCase()}}
- Line 1157: added a default Locale to {{toUpperCase()}}
- Line 1251: added a default Locale to {{toUpperCase()}}
- Line 1361: added a default Locale to {{toUpperCase()}}
- Line 1365: added a default Locale to {{toUpperCase()}}
- Line 1370: added a default Locale to {{toUpperCase()}}
- Line 1377: added a default Locale to {{toUpperCase()}}
- Line 1389: added a default Locale to {{toUpperCase()}}
- Line 1479: added a default Locale to {{toLowerCase()}}
- Line 1496: added a default Locale to {{toUpperCase()}}
- Line 1505: added a default Locale to {{toUpperCase()}}
- Line 1506: put the if phrase inside the previous if phrase, because otherwise a null variable will be dereferenced
- Line 1597 and following: removed all unread fields and changed all calls of the constructor
- Line 1647: changed the use of the variable {{type}} to {{null}} since this variable is always null when this is executed
- Line 1748: removed the if phrase, because {{connection}} cannot be null at this time
- Line 1790: removed the if phrase, because {{connection}} cannot be null at this time
- Line 1821: changed the use of the variable {{type}} to {{null}} since this variable is always null when this is executed
- Line 1882: removed the if phrase, because {{connection}} cannot be null at this time
- Line 1914: changed the use of the variable {{type}} to {{null}} since this variable is always null when this is executed
- Line 1932: removed the if phrase, because {{connection}} cannot be null at this time
- Line 1985: removed the if phrase, because {{connection}} cannot be null at this time
- Line 2015: removed the if phrase, because {{connection}} cannot be null at this time
- Line 2045: added a default Locale to {{toUpperCase()}}
- Line 2066: added a default Locale to {{toUpperCase()}}
- Line 2179: removed the if phrase, because {{connection}} cannot be null at this time
- Line 2345: removed the if phrase, because {{connection}} cannot be null at this time

—— 
Line 2355-2361: this method effectively just adds something to an array-list, which is never even used. Is this method incomplete? what is it supposed to do? This doesn’t really makes sense -> this and every use of this could be removed
——

- Line 2414: removed the if phrase, because {{connection}} cannot be null at this time

——
Line 2427-2433: this method effectively just adds something to an array-list, which is never even used. Is this method incomplete? what is it supposed to do? This doesn’t really makes sense -> this and every use of this could be removed
——

- Line 2492: removed the if phrase, because {{connection}} cannot be null at this time
- Line 2570: removed the if phrase, because {{connection}} cannot be null at this time

——
Line 2612-2618: this method effectively just adds something to an array-list, which is never even used. Is this method incomplete? what is it supposed to do? This doesn’t really makes sense -> this and every use of this could be removed
——

- Line 2685: removed the if phrase, because {{connection}} cannot be null at this time
- Line 2766: removed the if phrase, because {{connection}} cannot be null at this time

——
Line 2805-2811: this method effectively just adds something to an array-list, which is never even used. Is this method incomplete? what is it supposed to do? This doesn’t really makes sense -> this and every use of this could be removed
——

- Line 2884: removed the if phrase, because {{connection}} cannot be null at this time
- Line 2996: added a default Locale to {{toLowerCase()}}
- Line 2998: added a default Locale to {{toUppercase()}}
- Line 2958: changed the use of the variable {{type}} to {{null}} since this variable is always null when this is executed
- Line 3014: it’s not necessary for the class to implement serialVerisonUID
- Line 3033: added a default Locale to {{toUpperCase()}}
- Line 3043: it’s not necessary for the class to implement serialVerisonUID

class JdbcValueHandler (this class produces more bugs in eclipse)
- removed unnecessary else
- Line 47: this was intended this way
- Line 185: added a default Locale to {{toUpperCase()}}
- Line 186: changed the String {{„(“}} to {{‚(‘}} because it is more efficient
- Line 290: this was intended this way
- Line 315: this was intended this way
- Line 342: this was intended this way
- Line 369: this was intended this way
- Line 395: this was intended this way
- Line 423: this was intended this way
- Line 509: this was intended this way
- Line 561: this was intended this way
- Line 587: this was intended this way
- Line 660: this was intended this way
- Line 685: this was intended this way
- Line 711: this was intended this way
- Line 736: this was intended this way

class SQLProcessor:
- Line 59, 60, 61: made the fields final
- Line 59: made the field private
didn’t change the rest, since this is all inside the entity-engine and there won’t be sql injections

class SqlJdbcUtil:
- Line 228: removed unnecessary if phrase, {{whereCondition}} cannot be null at this point
- Line 641: removed {{value instanceof String &&}} since {{value}} is declared as a String one line above

> [FB] Package org.apache.ofbiz.entity.jdbc
> -----------------------------------------
>
>                 Key: OFBIZ-9782
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9782
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Priority: Minor
>         Attachments: OFBIZ-9782_org.apache.ofbiz.entity.jdbc_bugfixes.patch
>
>
> --- CursorResultSet.java:38, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: new org.apache.ofbiz.entity.jdbc.CursorResultSet(Statement, String, int) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- CursorResultSet.java:54, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.CursorResultSet.next() passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- CursorResultSet.java:59, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.CursorResultSet.close() passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- CursorStatement.java:62, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.CursorStatement.invoke(Object, Method, Object[]) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:117, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of java.sql.DriverManager.getDriver(String), which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getConnection(String, String, Properties, String, String)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:264, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of colInfo, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map, List, List, boolean, boolean, boolean, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:670, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map, List, List, boolean, boolean, boolean, boolean)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:704, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of tableIndexList, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(Map, List, List, boolean, boolean, boolean, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:920, REC_CATCH_EXCEPTION
> REC: Exception is caught when Exception is not thrown in org.apache.ofbiz.entity.jdbc.DatabaseUtil.printDbMiscData(DatabaseMetaData, Connection)
> This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
>   
> --- DatabaseUtil.java:927, OBL_UNSATISFIED_OBLIGATION
> OBL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.printDbMiscData(DatabaseMetaData, Connection) may fail to clean up java.sql.Statement
> This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.
> In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.
> This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. To send feedback, either:
> send email to findbugs@cs.umd.edu
> file a bug report: http://findbugs.sourceforge.net/reportingBugs.html
> In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.
> See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description of the analysis technique.
> --- DatabaseUtil.java:999, NP_NULL_ON_SOME_PATH
> NP: Possible null pointer dereference of tableSet in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getTableNames(Collection)
> There is a branch of statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPointerException when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception can't ever be executed; deciding that is beyond the ability of FindBugs.
> --- DatabaseUtil.java:1008, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getTableNames(Collection)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1144, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getColumnInfo(Set, boolean, Collection, ExecutorService)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1238, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkPrimaryKeyInfo(ResultSet, String, boolean, Map, Collection)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1348, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getReferenceInfo(Set, Collection)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1466, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getIndexInfo(Set, Collection, boolean[])
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:1494, NP_NULL_ON_SOME_PATH
> NP: Possible null pointer dereference of indexName in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getIndexInfo(Set, Collection, boolean[])
> There is a branch of statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPointerException when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception can't ever be executed; deciding that is beyond the ability of FindBugs.
> --- DatabaseUtil.java:1593, URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD
> UrF: Unread public/protected field: org.apache.ofbiz.entity.jdbc.DatabaseUtil$AbstractCountingCallable.modelEntities
> This field is never read.  The field is public or protected, so perhaps it is intended to be used with classes not seen as part of the analysis. If not, consider removing it from the class.
> --- DatabaseUtil.java:1637, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity, Map, boolean)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> --- DatabaseUtil.java:1732, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity, Map, boolean) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:1737, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createTable(ModelEntity, Map, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:1774, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteTable(ModelEntity, List) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:1781, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteTable(ModelEntity, List)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:1814, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity, ModelField)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> --- DatabaseUtil.java:1841, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity, ModelField) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:1875, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.addColumn(ModelEntity, ModelField)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:1909, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity, ModelField, String)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> --- DatabaseUtil.java:1922, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity, ModelField, String) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:1927, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.renameColumn(ModelEntity, ModelField, String)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:1972, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.repairColumnSize(ModelEntity, ModelField, List) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:1982, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.repairColumnSize(ModelEntity, ModelField, List)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2046, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.makeTempFieldName(ModelField)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:2067, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.makeFkConstraintName(ModelRelation, int)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:2175, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKey(ModelEntity, ModelRelation, ModelEntity, int, String, boolean) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2180, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKey(ModelEntity, ModelRelation, ModelEntity, int, String, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2343, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKey(ModelEntity, ModelRelation, ModelEntity, int) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2348, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKey(ModelEntity, ModelRelation, ModelEntity, int)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2361, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified, but its value never go outside of the method or produce any side-effect. Either there is a mistake and object was intended to be used or it can be removed.
> This analysis rarely produces false-positives. Common false-positive cases include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2414, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createPrimaryKey(ModelEntity, boolean, int) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2419, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createPrimaryKey(ModelEntity, boolean, int)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2435, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified, but its value never go outside of the method or produce any side-effect. Either there is a mistake and object was intended to be used or it can be removed.
> This analysis rarely produces false-positives. Common false-positive cases include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2492, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deletePrimaryKey(ModelEntity, boolean, int) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2499, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deletePrimaryKey(ModelEntity, boolean, int)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2574, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createDeclaredIndex(ModelEntity, ModelIndex) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2579, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createDeclaredIndex(ModelEntity, ModelIndex)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2624, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified, but its value never go outside of the method or produce any side-effect. Either there is a mistake and object was intended to be used or it can be removed.
> This analysis rarely produces false-positives. Common false-positive cases include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2691, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteDeclaredIndex(ModelEntity, ModelIndex) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2696, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteDeclaredIndex(ModelEntity, ModelIndex)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2774, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKeyIndex(ModelEntity, ModelRelation, int) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2779, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.createForeignKeyIndex(ModelEntity, ModelRelation, int)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2821, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified, but its value never go outside of the method or produce any side-effect. Either there is a mistake and object was intended to be used or it can be removed.
> This analysis rarely produces false-positives. Common false-positive cases include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> --- DatabaseUtil.java:2894, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKeyIndex(ModelEntity, ModelRelation, int) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2899, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of connection, which is known to be non-null in org.apache.ofbiz.entity.jdbc.DatabaseUtil.deleteForeignKeyIndex(ModelEntity, ModelRelation, int)
> This method contains a redundant check of a known non-null value against the constant null.
> --- DatabaseUtil.java:2913, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil.getSchemaName(DatabaseMetaData)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:2963, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.DatabaseUtil.updateCharacterSetAndCollation(ModelEntity, List) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- DatabaseUtil.java:2975, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in org.apache.ofbiz.entity.jdbc.DatabaseUtil.updateCharacterSetAndCollation(ModelEntity, List)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> --- DatabaseUtil.java:3031, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.entity.jdbc.DatabaseUtil$ColumnCheckInfo is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- DatabaseUtil.java:3050, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.DatabaseUtil$ColumnCheckInfo.fixupTableName(String, String, boolean)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- DatabaseUtil.java:3060, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.entity.jdbc.DatabaseUtil$ReferenceCheckInfo is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- JdbcValueHandler.java:184, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.jdbc.JdbcValueHandler.parseSqlType(String)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- JdbcValueHandler.java:470, DE_MIGHT_IGNORE
> DE: org.apache.ofbiz.entity.jdbc.JdbcValueHandler$ClobJdbcValueHandler.getValue(ResultSet, int) might ignore java.io.IOException
> This method might ignore an exception.  In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.
> --- SQLProcessor.java:59, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.CONNECTION_TEST_LIST isn't final but should be
> This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> --- SQLProcessor.java:60, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.MAX_CONNECTIONS isn't final but should be
> This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> --- SQLProcessor.java:61, MS_SHOULD_BE_FINAL
> MS: org.apache.ofbiz.entity.jdbc.SQLProcessor.ENABLE_TEST isn't final but should be
> This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> --- SQLProcessor.java:337, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> --- SQLProcessor.java:350, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String, boolean, int, int)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> --- SQLProcessor.java:376, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.prepareStatement(String, boolean, int, int, int, int)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> --- SQLProcessor.java:416, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.executeQuery(String)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> --- SQLProcessor.java:449, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
> SQL: org.apache.ofbiz.entity.jdbc.SQLProcessor.executeUpdate(String) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
> --- SQLProcessor.java:513, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.jdbc.SQLProcessor.execQuery(String, ExecQueryCallbackFunctionIF)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> --- SqlJdbcUtil.java:228, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of whereCondition, which is known to be non-null in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.makeFromClause(ModelEntity, ModelFieldTypeReader, Datasource)
> This method contains a redundant check of a known non-null value against the constant null.
> --- SqlJdbcUtil.java:612, SF_SWITCH_NO_DEFAULT
> SF: Switch statement found in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet, int, ModelField, GenericEntity, ModelFieldTypeReader) where default case is missing
> This method contains a switch statement where default case is missing. Usually you need to provide a default case.
> Because the analysis only looks at the generated bytecode, this warning can be incorrect triggered if the default case is at the end of the switch statement and the switch statement doesn't contain break statements for other cases.
> --- SqlJdbcUtil.java:643, SIO_SUPERFLUOUS_INSTANCEOF
> SIO: org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet, int, ModelField, GenericEntity, ModelFieldTypeReader) does an unnecessary type check using instanceof operator when it can be determined statically
> Type check performed using the instanceof operator where it can be statically determined whether the object is of the type requested.
> --- SqlJdbcUtil.java:643, BC_VACUOUS_INSTANCEOF
> BC: instanceof will always return true for all nonnull values in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.getValue(ResultSet, int, ModelField, GenericEntity, ModelFieldTypeReader), since all String are instances of String
> This instanceof test will always return true (unless the value being tested is null). Although this is safe, make sure it isn't an indication of some misunderstanding or some other logic error. If you really want to test the value for being null, perhaps it would be clearer to do better to do a null test rather than an instanceof test.
> --- SqlJdbcUtil.java:882, SF_SWITCH_NO_DEFAULT
> SF: Switch statement found in org.apache.ofbiz.entity.jdbc.SqlJdbcUtil.setValue(SQLProcessor, ModelField, String, Object, ModelFieldTypeReader) where default case is missing
> This method contains a switch statement where default case is missing. Usually you need to provide a default case.
> Because the analysis only looks at the generated bytecode, this warning can be incorrect triggered if the default case is at the end of the switch statement and the switch statement doesn't contain break statements for other cases.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)