You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@oozie.apache.org by "Janos Makai (Jira)" <ji...@apache.org> on 2022/11/11 11:09:00 UTC

[jira] [Created] (OOZIE-3671) Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored

Janos Makai created OOZIE-3671:
----------------------------------

             Summary: Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored
                 Key: OOZIE-3671
                 URL: https://issues.apache.org/jira/browse/OOZIE-3671
             Project: Oozie
          Issue Type: Task
          Components: core
            Reporter: Janos Makai
            Assignee: Janos Makai


Currently the SpotBugs tool indicates the following issues for every new patches:
{code:java}
{color:#FF0000}-1{color} There are [5] new bugs found below threshold in [core] that must be fixed.
. You can find the SpotBugs diff here (look for the red and orange ones): core/findbugs-new.html
. The most important SpotBugs errors are:
. At BulkJPAExecutor.java:[line 206]: This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection
. At BulkJPAExecutor.java:[line 176]: At BulkJPAExecutor.java:[line 175]
. At BulkJPAExecutor.java:[line 205]: At BulkJPAExecutor.java:[line 199]
. This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 206]
. At BulkJPAExecutor.java:[line 111]: At BulkJPAExecutor.java:[line 127]
{code}

The goal of this Jira is to exclude the JPA injection pattern (SQL_INJECTION_JPA) from Oozie core until the corresponding code gets refactored.




--
This message was sent by Atlassian Jira
(v8.20.10#820010)