Posted to dev@ranger.apache.org by Velmurugan Periasamy <ve...@apache.org> on 2018/03/19 14:11:32 UTC
FW: New Defects reported by Coverity Scan for Apache Ranger
Rangers, could you please review and provide fixes for the Coverity-flagged issues below? Thanks.
From: "scan-admin@coverity.com" <sc...@coverity.com>
Date: Monday, March 19, 2018 at 2:55 AM
To: Velmurugan Periasamy <vp...@hortonworks.com>
Subject: New Defects reported by Coverity Scan for Apache Ranger
Hi,
Please find the latest report on new defect(s) introduced to Apache Ranger
found with Coverity Scan.
33 new defect(s) introduced to Apache Ranger found with Coverity Scan.
13 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 33 defect(s)
** CID 174644: (FB.NP_UNWRITTEN_FIELD)
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 588 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 598 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 605 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
________________________________________________________________________________
*** CID 174644: (FB.NP_UNWRITTEN_FIELD)
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 588 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
582 boolean isValid = true;
583 List<ValidationFailureDetails> validationFailures = new ArrayList<>();
584 boolean isApplicable = false;
585
586 List<RangerValiditySchedule> validatedSchedules = new ArrayList<>();
587
>>> CID 174644: (FB.NP_UNWRITTEN_FIELD)
>>> Read of unwritten field validitySchedules.
588 for (RangerValiditySchedule validitySchedule : testCase.validitySchedules) {
589 RangerValidityScheduleValidator validator = new RangerValidityScheduleValidator(validitySchedule);
590 RangerValiditySchedule validatedSchedule = validator.validate(validationFailures);
591 isValid = isValid && validatedSchedule != null;
592 if (isValid) {
593 validatedSchedules.add(validatedSchedule);
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 598 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
592 if (isValid) {
593 validatedSchedules.add(validatedSchedule);
594 }
595 }
596 if (isValid) {
597 for (RangerValiditySchedule validSchedule : validatedSchedules) {
>>> CID 174644: (FB.NP_UNWRITTEN_FIELD)
>>> Read of unwritten field accessTime.
598 isApplicable = new RangerValidityScheduleEvaluator(validSchedule).isApplicable(testCase.accessTime.getTime());
599 if (isApplicable) {
600 break;
601 }
602 }
603 }
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 605 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
599 if (isApplicable) {
600 break;
601 }
602 }
603 }
604
>>> CID 174644: (FB.NP_UNWRITTEN_FIELD)
>>> Read of unwritten field result.
605 assertTrue(testCase.name, isValid == testCase.result.isValid);
606 assertTrue(testCase.name, isApplicable == testCase.result.isApplicable);
607 assertTrue(testCase.name + ", [" + validationFailures +"]", validationFailures.size() == testCase.result.validationFailureCount);
608 }
609 }
610 TimeZone.setDefault(defaultTZ);
** CID 174643: FindBugs: Performance (FB.SIC_INNER_SHOULD_BE_STATIC)
/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java: 299 in ()
________________________________________________________________________________
*** CID 174643: FindBugs: Performance (FB.SIC_INNER_SHOULD_BE_STATIC)
/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java: 299 in ()
293 class RangerAtlasPlugin extends RangerBasePlugin {
294 RangerAtlasPlugin() {
295 super("atlas", "atlas");
296 }
297 }
298
>>> CID 174643: FindBugs: Performance (FB.SIC_INNER_SHOULD_BE_STATIC)
>>> Should org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer$RangerAtlasAuditHandler be a _static_ inner class?
299 class RangerAtlasAuditHandler extends RangerDefaultAuditHandler {
300 private final Map<Long, AuthzAuditEvent> auditEvents;
301 private final String resourcePath;
302 private boolean denyExists = false;
303
304
** CID 174642: FindBugs: Performance (FB.BX_UNBOXING_IMMEDIATELY_REBOXED)
/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java: 200 in org.apache.ranger.plugin.model.RangerPolicy.setPolicyPriority(java.lang.Integer)()
________________________________________________________________________________
*** CID 174642: FindBugs: Performance (FB.BX_UNBOXING_IMMEDIATELY_REBOXED)
/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java: 200 in org.apache.ranger.plugin.model.RangerPolicy.setPolicyPriority(java.lang.Integer)()
194 }
195
196 /**
197 * @param policyPriority the policyPriority to set
198 */
199 public void setPolicyPriority(Integer policyPriority) {
>>> CID 174642: FindBugs: Performance (FB.BX_UNBOXING_IMMEDIATELY_REBOXED)
>>> Boxed value is unboxed and then immediately reboxed.
200 this.policyPriority = policyPriority == null ? RangerPolicy.POLICY_PRIORITY_NORMAL : policyPriority;
201 }
202
203 /**
204 * @return the description
205 */
** CID 174641: FindBugs: Bad practice (FB.SE_BAD_FIELD)
/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java: 83 in ()
________________________________________________________________________________
*** CID 174641: FindBugs: Bad practice (FB.SE_BAD_FIELD)
/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java: 83 in ()
77 private List<RangerPolicyItem> allowExceptions;
78 private List<RangerPolicyItem> denyExceptions;
79 private List<RangerDataMaskPolicyItem> dataMaskPolicyItems;
80 private List<RangerRowFilterPolicyItem> rowFilterPolicyItems;
81 private String serviceType;
82 private Map<String, Object> options;
>>> CID 174641: FindBugs: Bad practice (FB.SE_BAD_FIELD)
>>> Class org.apache.ranger.plugin.model.RangerPolicy defines non-transient
>>> non-serializable instance field validitySchedules.
83 private List<RangerValiditySchedule> validitySchedules;
84 private List<String> policyLabels;
85
86 public RangerPolicy() {
87 this(null, null, null, null, null, null, null, null, null, null, null);
88 }
** CID 174640: (FB.DLS_DEAD_LOCAL_STORE)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3907 in org.apache.ranger.biz.ServiceDBStore.writeBookForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, org.apache.poi.ss.usermodel.Row, java.lang.String)()
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3916 in org.apache.ranger.biz.ServiceDBStore.writeBookForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, org.apache.poi.ss.usermodel.Row, java.lang.String)()
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3917 in org.apache.ranger.biz.ServiceDBStore.writeBookForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, org.apache.poi.ss.usermodel.Row, java.lang.String)()
________________________________________________________________________________
*** CID 174640: (FB.DLS_DEAD_LOCAL_STORE)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3907 in org.apache.ranger.biz.ServiceDBStore.writeBookForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, org.apache.poi.ss.usermodel.Row, java.lang.String)()
3901 String isExcludesValue = "";
3902 Cell cell = row.createCell(0);
3903 cell.setCellValue(policy.getId());
3904 List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
3905 List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
3906 String conditionKeyValue = "";
>>> CID 174640: (FB.DLS_DEAD_LOCAL_STORE)
>>> Dead store to policyLabels.
3907 List<String> policyLabels = new ArrayList<String>();
3908 String resValue = "";
3909 String resourceKeyVal = "";
3910 String isRecursiveValue = "";
3911 String resKey = "";
3912 StringBuffer sb = new StringBuffer();
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3916 in org.apache.ranger.biz.ServiceDBStore.writeBookForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, org.apache.poi.ss.usermodel.Row, java.lang.String)()
3910 String isRecursiveValue = "";
3911 String resKey = "";
3912 StringBuffer sb = new StringBuffer();
3913 StringBuffer sbIsRecursive = new StringBuffer();
3914 StringBuffer sbIsExcludes = new StringBuffer();
3915 Map<String, RangerPolicyResource> resources = policy.getResources();
>>> CID 174640: (FB.DLS_DEAD_LOCAL_STORE)
>>> Dead store to dataMaskInfo.
3916 RangerPolicyItemDataMaskInfo dataMaskInfo = new RangerPolicyItemDataMaskInfo();
3917 RangerPolicyItemRowFilterInfo filterInfo = new RangerPolicyItemRowFilterInfo();
3918 cell = row.createCell(1);
3919 cell.setCellValue(policy.getName());
3920 cell = row.createCell(2);
3921 if (resources != null) {
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3917 in org.apache.ranger.biz.ServiceDBStore.writeBookForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, org.apache.poi.ss.usermodel.Row, java.lang.String)()
3911 String resKey = "";
3912 StringBuffer sb = new StringBuffer();
3913 StringBuffer sbIsRecursive = new StringBuffer();
3914 StringBuffer sbIsExcludes = new StringBuffer();
3915 Map<String, RangerPolicyResource> resources = policy.getResources();
3916 RangerPolicyItemDataMaskInfo dataMaskInfo = new RangerPolicyItemDataMaskInfo();
>>> CID 174640: (FB.DLS_DEAD_LOCAL_STORE)
>>> Dead store to filterInfo.
3917 RangerPolicyItemRowFilterInfo filterInfo = new RangerPolicyItemRowFilterInfo();
3918 cell = row.createCell(1);
3919 cell.setCellValue(policy.getName());
3920 cell = row.createCell(2);
3921 if (resources != null) {
3922 for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
** CID 174639: (FB.SE_BAD_FIELD)
/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java: 63 in ()
/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java: 65 in ()
________________________________________________________________________________
*** CID 174639: (FB.SE_BAD_FIELD)
/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java: 63 in ()
57
58 private String type;
59 private Map<String, String> attributes;
60 private Map<String, Object> options;
61 private RangerPolicyResourceMatcher.MatchType matchType = RangerPolicyResourceMatcher.MatchType.SELF;
62 @JsonIgnore
>>> CID 174639: (FB.SE_BAD_FIELD)
>>> Class org.apache.ranger.plugin.contextenricher.RangerTagForEval defines
>>> non-transient non-serializable instance field validityPeriods.
63 private List<RangerValiditySchedule> validityPeriods;
64 @JsonIgnore
65 private List<RangerValidityScheduleEvaluator> validityPeriodEvaluators;
66
67
68 private RangerTagForEval() {}
/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java: 65 in ()
59 private Map<String, String> attributes;
60 private Map<String, Object> options;
61 private RangerPolicyResourceMatcher.MatchType matchType = RangerPolicyResourceMatcher.MatchType.SELF;
62 @JsonIgnore
63 private List<RangerValiditySchedule> validityPeriods;
64 @JsonIgnore
>>> CID 174639: (FB.SE_BAD_FIELD)
>>> Class org.apache.ranger.plugin.contextenricher.RangerTagForEval defines
>>> non-transient non-serializable instance field validityPeriodEvaluators.
65 private List<RangerValidityScheduleEvaluator> validityPeriodEvaluators;
66
67
68 private RangerTagForEval() {}
69
70 public RangerTagForEval(RangerTag tag, RangerPolicyResourceMatcher.MatchType matchType) {
** CID 174638: (FB.UWF_UNWRITTEN_FIELD)
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 588 in ()
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 598 in ()
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 605 in ()
________________________________________________________________________________
*** CID 174638: (FB.UWF_UNWRITTEN_FIELD)
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 588 in ()
582 boolean isValid = true;
583 List<ValidationFailureDetails> validationFailures = new ArrayList<>();
584 boolean isApplicable = false;
585
586 List<RangerValiditySchedule> validatedSchedules = new ArrayList<>();
587
>>> CID 174638: (FB.UWF_UNWRITTEN_FIELD)
>>> Unwritten field: org.apache.ranger.plugin.policyengine.TestPolicyEngine$ValiditySchedulerTestCase.validitySchedules.
588 for (RangerValiditySchedule validitySchedule : testCase.validitySchedules) {
589 RangerValidityScheduleValidator validator = new RangerValidityScheduleValidator(validitySchedule);
590 RangerValiditySchedule validatedSchedule = validator.validate(validationFailures);
591 isValid = isValid && validatedSchedule != null;
592 if (isValid) {
593 validatedSchedules.add(validatedSchedule);
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 598 in ()
592 if (isValid) {
593 validatedSchedules.add(validatedSchedule);
594 }
595 }
596 if (isValid) {
597 for (RangerValiditySchedule validSchedule : validatedSchedules) {
>>> CID 174638: (FB.UWF_UNWRITTEN_FIELD)
>>> Unwritten field: org.apache.ranger.plugin.policyengine.TestPolicyEngine$ValiditySchedulerTestCase.accessTime.
598 isApplicable = new RangerValidityScheduleEvaluator(validSchedule).isApplicable(testCase.accessTime.getTime());
599 if (isApplicable) {
600 break;
601 }
602 }
603 }
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 605 in ()
599 if (isApplicable) {
600 break;
601 }
602 }
603 }
604
>>> CID 174638: (FB.UWF_UNWRITTEN_FIELD)
>>> Unwritten field: org.apache.ranger.plugin.policyengine.TestPolicyEngine$ValiditySchedulerTestCase.result.
605 assertTrue(testCase.name, isValid == testCase.result.isValid);
606 assertTrue(testCase.name, isApplicable == testCase.result.isApplicable);
607 assertTrue(testCase.name + ", [" + validationFailures +"]", validationFailures.size() == testCase.result.validationFailureCount);
608 }
609 }
610 TimeZone.setDefault(defaultTZ);
** CID 174637: FindBugs: Dodgy code (FB.DLS_DEAD_LOCAL_STORE)
/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java: 1293 in org.apache.ranger.biz.TestServiceDBStore.test21deleteService()()
________________________________________________________________________________
*** CID 174637: FindBugs: Dodgy code (FB.DLS_DEAD_LOCAL_STORE)
/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java: 1293 in org.apache.ranger.biz.TestServiceDBStore.test21deleteService()()
1287 policyResourceMap.setResourceId(Id);
1288 policyResourceMap.setUpdatedByUserId(Id);
1289 policyResourceMap.setUpdateTime(new Date());
1290 policyResourceMap.setValue("1L");
1291 policyResourceMapList.add(policyResourceMap);
1292
>>> CID 174637: FindBugs: Dodgy code (FB.DLS_DEAD_LOCAL_STORE)
>>> Dead store to xxPolicyLabelMapList.
1293 List<XXPolicyLabelMap> xxPolicyLabelMapList = new ArrayList<>();
1294 List<XXServiceConfigDef> xServiceConfigDefList = new ArrayList<XXServiceConfigDef>();
1295 XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
1296 serviceConfigDefObj.setId(Id);
1297 xServiceConfigDefList.add(serviceConfigDefObj);
1298
** CID 174636: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________
*** CID 174636: Null pointer dereferences (FORWARD_NULL)
/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java: 2510 in org.apache.ranger.rest.ServiceREST.getServicePolicies(java.lang.Long, javax.servlet.http.HttpServletRequest)()
2504 filter.setStartIndex(savedStartIndex);
2505 filter.setMaxRows(savedMaxRows);
2506 }
2507
2508 servicePolicies = applyAdminAccessFilter(servicePolicies);
2509
>>> CID 174636: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "filter" to "toRangerPolicyList", which
>>> dereferences it.
2510 ret = toRangerPolicyList(servicePolicies, filter);
2511 }
2512 } catch(WebApplicationException excp) {
2513 throw excp;
2514 } catch (Throwable excp) {
2515 LOG.error("getServicePolicies(" + serviceId + ") failed", excp);
** CID 174635: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java: 1326 in org.apache.ranger.rest.ServiceREST.secureRevokeAccess(java.lang.String, org.apache.ranger.plugin.util.GrantRevokeRequest, javax.servlet.http.HttpServletRequest)()
________________________________________________________________________________
*** CID 174635: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java: 1326 in org.apache.ranger.rest.ServiceREST.secureRevokeAccess(java.lang.String, org.apache.ranger.plugin.util.GrantRevokeRequest, javax.servlet.http.HttpServletRequest)()
1320 return ret;
1321 }
1322
1323 @POST
1324 @Path("/secure/services/revoke/{serviceName}")
1325 @Produces({ "application/json", "application/xml" })
>>> CID 174635: High impact security (CSRF)
>>> "org.apache.ranger.rest.ServiceREST.secureRevokeAccess" is a web-app
>>> entry point that requires protection from cross-site request forgery (CSRF).
1326 public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception {
1327 if(LOG.isDebugEnabled()) {
1328 LOG.debug("==> ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + ")");
1329 }
1330 RESTResponse ret = new RESTResponse();
1331 RangerPerfTracer perf = null;
** CID 174634: Null pointer dereferences (REVERSE_INULL)
/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java: 378 in org.apache.ranger.biz.XUserMgr.updateXUser(org.apache.ranger.view.VXUser)()
________________________________________________________________________________
*** CID 174634: Null pointer dereferences (REVERSE_INULL)
/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java: 378 in org.apache.ranger.biz.XUserMgr.updateXUser(org.apache.ranger.view.VXUser)()
372 vXPortalUser.setPublicScreenName(vXUser.getName());
373 }
374 vXPortalUser.setUserSource(oldUserProfile.getUserSource());
375
376 String hiddenPasswordString = PropertiesUtil.getProperty("ranger.password.hidden", "*****");
377 String password = vXUser.getPassword();
>>> CID 174634: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "oldUserProfile" suggests that it may be null, but it has
>>> already been dereferenced on all paths leading to the check.
378 if (oldUserProfile != null && password != null
379 && password.equals(hiddenPasswordString)) {
380 vXPortalUser.setPassword(oldUserProfile.getPassword());
381 }
382 else if(oldUserProfile != null && oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL && password != null){
383 vXPortalUser.setPassword(oldUserProfile.getPassword());
** CID 174633: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 370 in org.apache.ranger.rest.PublicAPIsv2.updatePolicy(org.apache.ranger.plugin.model.RangerPolicy, java.lang.Long)()
________________________________________________________________________________
*** CID 174633: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 370 in org.apache.ranger.rest.PublicAPIsv2.updatePolicy(org.apache.ranger.plugin.model.RangerPolicy, java.lang.Long)()
364 return serviceREST.applyPolicy(policy, request);
365 }
366
367 @PUT
368 @Path("/api/policy/{id}")
369 @Produces({ "application/json", "application/xml" })
>>> CID 174633: High impact security (CSRF)
>>> "org.apache.ranger.rest.PublicAPIsv2.updatePolicy" is a web-app entry
>>> point that requires protection from cross-site request forgery (CSRF).
370 public RangerPolicy updatePolicy(RangerPolicy policy, @PathParam("id") Long id) {
371 // if policy.id is specified, it should be same as the param 'id'
372 if(policy.getId() == null) {
373 policy.setId(id);
374 } else if(!policy.getId().equals(id)) {
375 throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "policyID mismatch", true);
** CID 174632: FindBugs: Bad practice (FB.HE_EQUALS_USE_HASHCODE)
/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyLabelMap.java: 135 in org.apache.ranger.entity.XXPolicyLabelMap.equals(java.lang.Object)()
________________________________________________________________________________
*** CID 174632: FindBugs: Bad practice (FB.HE_EQUALS_USE_HASHCODE)
/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyLabelMap.java: 135 in org.apache.ranger.entity.XXPolicyLabelMap.equals(java.lang.Object)()
129 */
130 public void setPolicyLabelId(Long policyLabelId) {
131 this.policyLabelId = policyLabelId;
132 }
133
134 @Override
>>> CID 174632: FindBugs: Bad practice (FB.HE_EQUALS_USE_HASHCODE)
>>> org.apache.ranger.entity.XXPolicyLabelMap defines equals and uses
>>> Object.hashCode().
135 public boolean equals(Object obj) {
136 if (this == obj)
137 return true;
138 if (!super.equals(obj))
139 return false;
140 if (getClass() != obj.getClass())
** CID 174631: Concurrent data access violations (ATOMICITY)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3607 in org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, java.lang.StringBuilder, java.lang.String)()
________________________________________________________________________________
*** CID 174631: Concurrent data access violations (ATOMICITY)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3607 in org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, java.lang.StringBuilder, java.lang.String)()
3601 resKey = resource.getKey();
3602 RangerPolicyResource policyResource = resource.getValue();
3603 List<String> resvalueList = policyResource.getValues();
3604 isExcludes = policyResource.getIsExcludes().toString();
3605 isRecursive = policyResource.getIsRecursive().toString();
3606 resValue = resvalueList.toString();
>>> CID 174631: Concurrent data access violations (ATOMICITY)
>>> Using "sb", an unreliable value, inside a synchronous method
>>> ("sb.append(resourceKeyVal).append(" ")"). This code might not be thread
>>> safe or might indicate a source of unnecessary synchronization.
3607 sb = sb.append(resourceKeyVal).append(" ").append(resKey)
3608 .append("=").append(resValue);
3609 sbIsExcludes = sbIsExcludes.append(resourceKeyVal).append(" ")
3610 .append(resKey).append("=[").append(isExcludes)
3611 .append("]");
3612 sbIsRecursive = sbIsRecursive.append(resourceKeyVal)
** CID 174630: FindBugs: Internationalization (FB.DM_DEFAULT_ENCODING)
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 569 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
________________________________________________________________________________
*** CID 174630: FindBugs: Internationalization (FB.DM_DEFAULT_ENCODING)
/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java: 569 in org.apache.ranger.plugin.policyengine.TestPolicyEngine.runValiditySchedulerTests(java.lang.String)()
563 TimeZone defaultTZ = TimeZone.getDefault();
564 TimeZone.setDefault(TimeZone.getTimeZone("PST"));
565
566 List<ValiditySchedulerTestCase> testCases = null;
567
568 InputStream inStream = this.getClass().getResourceAsStream(resourceName);
>>> CID 174630: FindBugs: Internationalization (FB.DM_DEFAULT_ENCODING)
>>> Found reliance on default encoding: new
>>> java.io.InputStreamReader(InputStream).
569 InputStreamReader reader = new InputStreamReader(inStream);
570 try {
571 Type listType = new TypeToken<List<ValiditySchedulerTestCase>>() {}.getType();
572 testCases = gsonBuilder.fromJson(reader, listType);
573 } catch (Exception e) {
574 assertFalse("Exception in reading validity-scheduler test cases.", true);
** CID 174629: FindBugs: Performance (FB.SIC_INNER_SHOULD_BE_STATIC)
/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerValidityScheduleEvaluator.java: 301 in ()
________________________________________________________________________________
*** CID 174629: FindBugs: Performance (FB.SIC_INNER_SHOULD_BE_STATIC)
/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerValidityScheduleEvaluator.java: 301 in ()
295 - Start with minutes, and then hours.
296 - Must make sure that the later of the two Calendars - one computed with dayOfMonth, another computed with
297 dayOfWeek - is picked
298 - For dayOfMonth calculation, consider that months have different number of days
299 */
300
>>> CID 174629: FindBugs: Performance (FB.SIC_INNER_SHOULD_BE_STATIC)
>>> Should org.apache.ranger.plugin.policyevaluator.RangerValidityScheduleEvaluator$RangerRecurrenceEvaluator$ValueWithBorrow be a _static_ inner class?
301 private class ValueWithBorrow {
302 int value;
303 boolean borrow;
304
305 ValueWithBorrow() {
306 }
** CID 174628: FindBugs: Bad practice (FB.HE_EQUALS_USE_HASHCODE)
/security-admin/src/main/java/org/apache/ranger/entity/XXUgsyncAuditInfo.java: 165 in org.apache.ranger.entity.XXUgsyncAuditInfo.equals(java.lang.Object)()
________________________________________________________________________________
*** CID 174628: FindBugs: Bad practice (FB.HE_EQUALS_USE_HASHCODE)
/security-admin/src/main/java/org/apache/ranger/entity/XXUgsyncAuditInfo.java: 165 in org.apache.ranger.entity.XXUgsyncAuditInfo.equals(java.lang.Object)()
159
160 /**
161 * Checks for all attributes except referenced db objects
162 * @return true if all attributes match
163 */
164 @Override
>>> CID 174628: FindBugs: Bad practice (FB.HE_EQUALS_USE_HASHCODE)
>>> org.apache.ranger.entity.XXUgsyncAuditInfo defines equals and uses
>>> Object.hashCode().
165 public boolean equals( Object obj) {
166 if (obj == null)
167 return false;
168 if (this == obj)
169 return true;
170 if (getClass() != obj.getClass())
** CID 174627: (FB.DLS_DEAD_LOCAL_STORE)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:
3584 in
org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.range
r.plugin.model.RangerPolicy,
org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem,
java.lang.StringBuilder, java.lang.String)()
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:
3594 in
org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.range
r.plugin.model.RangerPolicy,
org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem,
java.lang.StringBuilder, java.lang.String)()
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:
3595 in
org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.range
r.plugin.model.RangerPolicy,
org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem,
java.lang.StringBuilder, java.lang.String)()
____________________________________________________________________________
____________________________
*** CID 174627: (FB.DLS_DEAD_LOCAL_STORE)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:
3584 in
org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.range
r.plugin.model.RangerPolicy,
org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem,
java.lang.StringBuilder, java.lang.String)()
3578 String resourceKeyVal = "";
3579 String isRecursiveValue = "";
3580 String resKey = "";
3581 String ServiceType = "";
3582 String filterExpr = "";
3583 String policyName = "";
>>> CID 174627: (FB.DLS_DEAD_LOCAL_STORE)
>>> Dead store to policyLabels.
3584 List<String> policyLabels = new
ArrayList<String>();
3585 String policyConditionTypeValue = "";
3586 serviceName = policy.getService();
3587 description = policy.getDescription();
3588 isAuditEnabled = policy.getIsAuditEnabled();
3589 policyLabels = policy.getPolicyLabels();
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:
3594 in
org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.range
r.plugin.model.RangerPolicy,
org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem,
org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem,
java.lang.StringBuilder, java.lang.String)()
3588 isAuditEnabled = policy.getIsAuditEnabled();
3589 policyLabels = policy.getPolicyLabels();
3590 StringBuffer sb = new StringBuffer();
3591 StringBuffer sbIsRecursive = new StringBuffer();
3592 StringBuffer sbIsExcludes = new StringBuffer();
3593 Map<String, RangerPolicyResource> resources = policy.getResources();
>>> CID 174627: (FB.DLS_DEAD_LOCAL_STORE)
>>> Dead store to dataMaskInfo.
3594 RangerPolicyItemDataMaskInfo dataMaskInfo = new RangerPolicyItemDataMaskInfo();
3595 RangerPolicyItemRowFilterInfo filterInfo = new RangerPolicyItemRowFilterInfo();
3596 policyName = policy.getName();
3597 policyName = policyName.replace("|", "");
3598 if (resources != null) {
3599 for (Entry<String, RangerPolicyResource> resource : resources
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 3595 in org.apache.ranger.biz.ServiceDBStore.writeCSVForPolicyItems(org.apache.ranger.plugin.model.RangerPolicy, org.apache.ranger.plugin.model.RangerPolicy$RangerPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerDataMaskPolicyItem, org.apache.ranger.plugin.model.RangerPolicy$RangerRowFilterPolicyItem, java.lang.StringBuilder, java.lang.String)()
3589 policyLabels = policy.getPolicyLabels();
3590 StringBuffer sb = new StringBuffer();
3591 StringBuffer sbIsRecursive = new StringBuffer();
3592 StringBuffer sbIsExcludes = new StringBuffer();
3593 Map<String, RangerPolicyResource> resources = policy.getResources();
3594 RangerPolicyItemDataMaskInfo dataMaskInfo = new RangerPolicyItemDataMaskInfo();
>>> CID 174627: (FB.DLS_DEAD_LOCAL_STORE)
>>> Dead store to filterInfo.
3595 RangerPolicyItemRowFilterInfo filterInfo = new RangerPolicyItemRowFilterInfo();
3596 policyName = policy.getName();
3597 policyName = policyName.replace("|", "");
3598 if (resources != null) {
3599 for (Entry<String, RangerPolicyResource> resource : resources
3600 .entrySet()) {
** CID 174626: FindBugs: Bad practice (FB.SE_BAD_FIELD_INNER_CLASS)
/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidityScheduleValidator.java: 319 in ()
________________________________________________________________________________
*** CID 174626: FindBugs: Bad practice (FB.SE_BAD_FIELD_INNER_CLASS)
/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidityScheduleValidator.java: 319 in ()
313 private int upper;
314 private Range(int lower, int upper) {
315 this.lower = lower;
316 this.upper = upper;
317 }
318 }
>>> CID 174626: FindBugs: Bad practice (FB.SE_BAD_FIELD_INNER_CLASS)
>>> org.apache.ranger.plugin.model.validation.RangerValidityScheduleValidator$1RangeComparator is serializable but also an inner class of a non-serializable class.
319 class RangeComparator implements Comparator<Range>, Serializable {
320 @Override
321 public int compare(Range me, Range other) {
322 int result;
323 result = Integer.compare(me.lower, other.lower);
324 if (result == 0) {
** CID 174625: Low impact security (CONFIG.MISSING_GLOBAL_EXCEPTION_HANDLER)
/security-admin/target/security-admin-web-1.1.0-SNAPSHOT.war/WEB-INF/web.xml: 1 in ()
________________________________________________________________________________
*** CID 174625: Low impact security (CONFIG.MISSING_GLOBAL_EXCEPTION_HANDLER)
/security-admin/target/security-admin-web-1.1.0-SNAPSHOT.war/WEB-INF/web.xml: 1 in ()
>>> CID 174625: Low impact security (CONFIG.MISSING_GLOBAL_EXCEPTION_HANDLER)
>>> The global exception handler "<error-page>" does not exist, or the "<exception-type>" is not specified.
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!--
3 Licensed to the Apache Software Foundation (ASF) under one or more
4 contributor license agreements. See the NOTICE file distributed with
5 this work for additional information regarding copyright ownership.
6 The ASF licenses this file to You under the Apache License, Version 2.0
________________________________________________________________________________
To view the defects in Coverity Scan visit,
To manage Coverity Scan email notifications for "vperiasamy@hortonworks.com", click