You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Dennis Balkir (JIRA)" <ji...@apache.org> on 2017/09/13 10:55:02 UTC

[jira] [Created] (OFBIZ-9713) [FB] Package org.apache.ofbiz.entity.condition

Dennis Balkir created OFBIZ-9713:
------------------------------------

             Summary: [FB] Package org.apache.ofbiz.entity.condition
                 Key: OFBIZ-9713
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9713
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
    Affects Versions: Trunk
            Reporter: Dennis Balkir
            Priority: Minor


- EntityClause.java:142, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of org.apache.ofbiz.entity.condition.EntityOperator.getCode(), which is known to be non-null in org.apache.ofbiz.entity.condition.EntityClause.toString()

This method contains a redundant check of a known non-null value against the constant null.

- EntityClause.java:144, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of Object.toString(), which is known to be non-null in org.apache.ofbiz.entity.condition.EntityClause.toString()

This method contains a redundant check of a known non-null value against the constant null.

- EntityConditionBase.java:104, EQ_UNUSUAL
Eq: org.apache.ofbiz.entity.condition.EntityConditionBase.equals(Object) is unusual

This class doesn't do any of the patterns we recognize for checking that the type of the argument is compatible with the type of the this object. There might not be anything wrong with this code, but it is worth reviewing.

- EntityConditionBuilder.java:43, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityConditionBuilder$ConditionHolder is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityConditionBuilder.java:90, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.condition.EntityConditionBuilder.createNode(Object)

A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- EntityConditionBuilder.java:106, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.condition.EntityConditionBuilder.createNode(Object, Map)

A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- EntityConditionFunction.java:40, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityConditionFunction$NOT is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityConditionFunction.java:91, RC_REF_COMPARISON
RC: Suspicious comparison of Integer references in org.apache.ofbiz.entity.condition.EntityConditionFunction.equals(Object)

This method compares two reference values using the == or != operator, where the correct way to compare instances of this type is generally with the equals() method. It is possible to create distinct instances that are equal but do not compare as == since they are different objects. Examples of classes which should generally not be compared by reference are java.lang.Integer, java.lang.Float, etc.

- EntityConditionList.java:31, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityConditionList is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityConditionParam.java:34, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityConditionParam is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityConditionSubSelect.java:38, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityConditionSubSelect is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityConditionValue.java:40, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityConditionValue$ConstantNumberValue is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityDateFilterCondition.java:-1, CI_CONFUSED_INHERITANCE
CI: Class org.apache.ofbiz.entity.condition.EntityDateFilterCondition is final but declares protected field org.apache.ofbiz.entity.condition.EntityDateFilterCondition.fromDateName

This class is declared to be final, but declares fields to be protected. Since the class is final, it can not be derived from, and the use of protected is confusing. The access modifier for the field should be changed to private or public to represent the true use for the field.

- EntityDateFilterCondition.java:-1, CI_CONFUSED_INHERITANCE
CI: Class org.apache.ofbiz.entity.condition.EntityDateFilterCondition is final but declares protected field org.apache.ofbiz.entity.condition.EntityDateFilterCondition.thruDateName

This class is declared to be final, but declares fields to be protected. Since the class is final, it can not be derived from, and the use of protected is confusing. The access modifier for the field should be changed to private or public to represent the true use for the field.

- EntityDateFilterCondition.java:42, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityDateFilterCondition is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityExpr.java:44, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityExpr is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityExpr.java:143, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.condition.EntityExpr.addValue(StringBuilder, ModelField, Object, List)

A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- EntityExpr.java:220, NP_NULL_ON_SOME_PATH_EXCEPTION
NP: Possible null pointer dereference of valueType in org.apache.ofbiz.entity.condition.EntityExpr.checkRhsType(ModelEntity, Delegator) on exception path

A reference value which is null on some exception control path is dereferenced here.  This may lead to a NullPointerException when the code is executed.  Note that because FindBugs currently does not prune infeasible exception paths, this may be a false warning.

Also note that FindBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.

- EntityExpr.java:244, NP_NULL_ON_SOME_PATH_EXCEPTION
NP: Possible null pointer dereference of rhsType in org.apache.ofbiz.entity.condition.EntityExpr.checkRhsType(ModelEntity, Delegator) on exception path

A reference value which is null on some exception control path is dereferenced here.  This may lead to a NullPointerException when the code is executed.  Note that because FindBugs currently does not prune infeasible exception paths, this may be a false warning.

Also note that FindBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.

- EntityFieldMap.java:-1, CI_CONFUSED_INHERITANCE
CI: Class org.apache.ofbiz.entity.condition.EntityFieldMap is final but declares protected field org.apache.ofbiz.entity.condition.EntityFieldMap.fieldMap

This class is declared to be final, but declares fields to be protected. Since the class is final, it can not be derived from, and the use of protected is confusing. The access modifier for the field should be changed to private or public to represent the true use for the field.

- EntityFieldMap.java:40, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityFieldMap is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityFieldValue.java:42, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityFieldValue is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityFunction.java:66, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityFunction$LENGTH is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityFunction.java:67, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.entity.condition.EntityFunction$LENGTH.FETCHER isn't final but should be

This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

- EntityFunction.java:80, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityFunction$TRIM is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityFunction.java:81, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.entity.condition.EntityFunction$TRIM.FETCHER isn't final but should be

This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

- EntityFunction.java:94, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityFunction$UPPER is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityFunction.java:95, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.entity.condition.EntityFunction$UPPER.FETCHER isn't final but should be

This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

- EntityFunction.java:96, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.condition.EntityFunction$UPPER$1.getValue(Object)

A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- EntityFunction.java:108, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityFunction$LOWER is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityFunction.java:109, MS_SHOULD_BE_FINAL
MS: org.apache.ofbiz.entity.condition.EntityFunction$LOWER.FETCHER isn't final but should be

This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

- EntityFunction.java:110, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.condition.EntityFunction$LOWER$1.getValue(Object)

A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- EntityFunction.java:158, SE_INNER_CLASS
Se: org.apache.ofbiz.entity.condition.EntityFunction$1 is serializable and an inner class

This Serializable class is an inner class. Any attempt to serialize it will also serialize the associated outer instance. The outer instance is serializable, so this won't fail, but it might serialize a lot more data than intended. If possible, making the inner class a static inner class (also known as a nested class) should solve the problem.

- EntityFunction.java:160, SE_INNER_CLASS
Se: org.apache.ofbiz.entity.condition.EntityFunction$2 is serializable and an inner class

This Serializable class is an inner class. Any attempt to serialize it will also serialize the associated outer instance. The outer instance is serializable, so this won't fail, but it might serialize a lot more data than intended. If possible, making the inner class a static inner class (also known as a nested class) should solve the problem.

- EntityJoinOperator.java:39, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityJoinOperator is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- EntityOperator.java:63, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.condition.EntityOperator.registerCase(String, EntityOperator)

A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- EntityOperator.java:303, EQ_COMPARETO_USE_OBJECT_EQUALS
Eq: org.apache.ofbiz.entity.condition.EntityOperator$13 defines compareTo(Object) and uses Object.equals()

This class defines a compareTo(...) method but inherits its equals() method from java.lang.Object. Generally, the value of compareTo should return zero if and only if equals returns true. If this is violated, weird and unpredictable failures will occur in classes such as PriorityQueue. In Java 5 the PriorityQueue.remove method uses the compareTo method, while in Java 6 it uses the equals method.

From the JavaDoc for the compareTo method in the Comparable interface:

It is strongly recommended, but not strictly required that (x.compareTo(y)==0) == (x.equals(y)). Generally speaking, any class that implements the Comparable interface and violates this condition should clearly indicate this fact. The recommended language is "Note: this class has a natural ordering that is inconsistent with equals."

- EntityWhereString.java:-1, CI_CONFUSED_INHERITANCE
CI: Class org.apache.ofbiz.entity.condition.EntityWhereString is final but declares protected field org.apache.ofbiz.entity.condition.EntityWhereString.sqlString

This class is declared to be final, but declares fields to be protected. Since the class is final, it can not be derived from, and the use of protected is confusing. The access modifier for the field should be changed to private or public to represent the true use for the field.

- EntityWhereString.java:47, SE_NO_SERIALVERSIONID
SnVI: org.apache.ofbiz.entity.condition.EntityWhereString is Serializable; consider declaring a serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

- OrderByItem.java:30, SE_COMPARATOR_SHOULD_BE_SERIALIZABLE
Se: org.apache.ofbiz.entity.condition.OrderByItem implements Comparator but not Serializable

This class implements the Comparator interface. You should consider whether or not it should also implement the Serializable interface. If a comparator is used to construct an ordered collection such as a TreeMap, then the TreeMap will be serializable only if the comparator is also serializable. As most comparators have little or no state, making them serializable is generally easy and good defensive programming.

- OrderByItem.java:81, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.entity.condition.OrderByItem.parse(String)

A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- OrderByItem.java:135, DLS_DEAD_LOCAL_STORE
DLS: Dead store to endIndex in org.apache.ofbiz.entity.condition.OrderByItem.parse(String)

This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

- OrderByItem.java:138, SF_SWITCH_NO_DEFAULT
SF: Switch statement found in org.apache.ofbiz.entity.condition.OrderByItem.parse(String) where default case is missing

This method contains a switch statement where default case is missing. Usually you need to provide a default case.

Because the analysis only looks at the generated bytecode, this warning can be incorrect triggered if the default case is at the end of the switch statement and the switch statement doesn't contain break statements for other cases.

- OrderByItem.java:196, HE_EQUALS_USE_HASHCODE
HE: org.apache.ofbiz.entity.condition.OrderByItem defines equals and uses Object.hashCode()

This class overrides equals(Object), but does not override hashCode(), and inherits the implementation of hashCode() from java.lang.Object (which returns the identity hash code, an arbitrary value assigned to the object by the VM).  Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.

If you don't think instances of this class will ever be inserted into a HashMap/HashTable, the recommended hashCode implementation to use is:

public int hashCode() {
  assert false : "hashCode not designed";
  return 42; // any arbitrary constant will do
  }

- OrderByList.java:32, SE_COMPARATOR_SHOULD_BE_SERIALIZABLE
Se: org.apache.ofbiz.entity.condition.OrderByList implements Comparator but not Serializable

This class implements the Comparator interface. You should consider whether or not it should also implement the Serializable interface. If a comparator is used to construct an ordered collection such as a TreeMap, then the TreeMap will be serializable only if the comparator is also serializable. As most comparators have little or no state, making them serializable is generally easy and good defensive programming.

- OrderByList.java:108, HE_EQUALS_USE_HASHCODE
HE: org.apache.ofbiz.entity.condition.OrderByList defines equals and uses Object.hashCode()

This class overrides equals(Object), but does not override hashCode(), and inherits the implementation of hashCode() from java.lang.Object (which returns the identity hash code, an arbitrary value assigned to the object by the VM).  Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.

If you don't think instances of this class will ever be inserted into a HashMap/HashTable, the recommended hashCode implementation to use is:

public int hashCode() {
  assert false : "hashCode not designed";
  return 42; // any arbitrary constant will do
  }



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)