Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2019/08/08 16:18:00 UTC

[jira] [Closed] (OFBIZ-9973) [FB] Find Security Bugs

     [ https://issues.apache.org/jira/browse/OFBIZ-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-9973.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 18.12.01
                   16.11.06
                   17.12.01

{noformat}
Gniark, lost my previous complete comment due to my FF setting. Doing it again but not as good, tired :/
{noformat}

FindBugs is now deprecated and replaced by Spotbugs.

Last time I forgot to encode productId as reported offline by Man Yue Mo from Semmle.

This eventually fixes the "Relative path traversal" issue reported by Spotbugs by encoding the whole file name. It was also reported by OFBIZ-9777 but not fixed there.

Spotbugs continues to report the same issue in trunk but not in R16 nor in R17 and R18. I suppose it's a cache issue and close it.

Fixed in 
Trunk r1864716
R18 r1864717
R17 r1864718
R16 r1864719

> [FB] Find Security Bugs
> -----------------------
>
>                 Key: OFBIZ-9973
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9973
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: marketing, product
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> I recently [found|https://www.ysofters.com/2015/08/31/taint-analysis-added-to-findbugs/] FindBugs embeds an option [to Find Security Bugs|https://find-sec-bugs.github.io/]:
> I have tried this option: https://github.com/find-sec-bugs/find-sec-bugs/wiki/Eclipse-Tutorial
> Also later we should remember OFBIZ-7963 and if possible run this tool in [Buildbot using Gradle|https://search.maven.org/#search|gav|1|g:%22com.h3xstream.findsecbugs%22%20AND%20a:%22findsecbugs-plugin%22] (did not check feasibility)



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
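Added illustration of the "Relative path traversal" pattern the comment above refers to. This is example code written for this page, not OFBiz's code and not the content of r1864716; the class name, the image directory and the ".jpg" suffix are assumptions, and the sample productId values are constructed. It shows the shape Find Security Bugs flags (a request parameter flowing straight into a file name) next to the approach the comment describes, encoding the whole file name, plus a canonical-path check as a second line of defence.

```java
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ProductImagePath {

    // Assumed base directory for product images (not an OFBiz configuration value).
    static final Path IMAGE_DIR =
            Paths.get("/var/ofbiz/images/products").toAbsolutePath().normalize();

    // Vulnerable shape: the untrusted productId is concatenated into a file name.
    // "../../etc/passwd" yields /var/ofbiz/images/products/../../etc/passwd.jpg,
    // which normalizes to /var/etc/passwd.jpg, outside IMAGE_DIR.
    static File unsafePath(String productId) {
        return new File(IMAGE_DIR.toFile(), productId + ".jpg");
    }

    // Step 1: encode the whole file name, not just a prefix of it.
    // URLEncoder turns '/', '\' and '%' into %XX escapes, so no path separator
    // survives and the result can only ever name a single entry in IMAGE_DIR.
    static String encodedFileName(String productId) {
        try {
            return URLEncoder.encode(productId + ".jpg", StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    // Step 2: resolve against the base directory and verify the normalized
    // result still starts with it. With the encoding above this check cannot
    // fail, but keeping it makes the invariant explicit and survives refactors.
    static Path safePath(String productId) throws IOException {
        Path candidate = IMAGE_DIR.resolve(encodedFileName(productId)).normalize();
        if (!candidate.startsWith(IMAGE_DIR)) {
            throw new IOException("file name escapes image directory: " + productId);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one traversal attempt, one ordinary id.
        String traversal = "../../etc/passwd";
        String ordinary = "WG-1111";

        System.out.println("unsafe: " + unsafePath(traversal).toPath().normalize());
        // -> /var/etc/passwd.jpg (escapes the image directory)

        System.out.println("safe:   " + safePath(traversal));
        // -> /var/ofbiz/images/products/..%2F..%2Fetc%2Fpasswd.jpg (a single file name)

        System.out.println("safe:   " + safePath(ordinary));
        // -> /var/ofbiz/images/products/WG-1111.jpg
    }
}
```

Note that encoding alone only works because the encoded string is used as the file name on disk as well; if the file name is later decoded before being opened, the separators come back and the check in safePath becomes the only thing standing between the request parameter and the file system.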