Code Changes the World

February 2009 Archive

Summary: First, look at a piece of code: private String getInsertSql(Map parameterValues) { StringBuffer insertSql = new StringB...
posted @ 2009-02-26 18:50 hyddd views(1699) comments(0) recommended(0)
Summary: This is the same issue as the [Data Flow] Denial of Service warning in Fortify, only with lower severity, so its level is Info.
posted @ 2009-02-26 13:48 hyddd views(1381) comments(0) recommended(0)
Summary: See [H B BC] Random object created and used only once in FindBugs; both describe the same problem.
posted @ 2009-02-26 13:47 hyddd views(2318) comments(0) recommended(0)
Summary: If a private method in a class is not used within that class, Fortify recommends deleting it or commenting it out.
posted @ 2009-02-26 13:37 hyddd views(1436) comments(0) recommended(0)
Summary: Some debugging functions, such as main(), are potential entry points. If such debug code is unintentionally left in the application, it opens the application to unplanned modes of interaction. These backdoor entry points easily become security risks because they were never part of the original design or testing and do not belong to the operating environment the application was designed for. The most common example of forgotten debug code is a main() method in a web application. Although this is perfectly acceptable during product development, in a J2EE (web) application...
posted @ 2009-02-26 11:58 hyddd views(3926) comments(0) recommended(0)
Summary: First, look at a piece of code: public void doExchange() throws Exception { } When a method is declared to throw Exception/Throwable, callers find it hard to tell exactly what this...
posted @ 2009-02-26 11:57 hyddd views(3142) comments(0) recommended(0)
Summary: This problem is the same as the second case described in [M D REC] Exception is caught when Exception is not thrown. Sample code: try{ //IOoperati...
posted @ 2009-02-26 11:53 hyddd views(3878) comments(0) recommended(0)
Summary: This problem is the same as the first case in FindBugs' [M D REC] Exception is caught when Exception is not thrown: the program catches an exception but does not handle it. Sample code:...
posted @ 2009-02-26 11:50 hyddd views(1833) comments(0) recommended(0)
Summary: Except when debugging, log messages should not be output with System.out.println(); they should be written to a log file. No example is given here.
posted @ 2009-02-26 11:44 hyddd views(1423) comments(0) recommended(0)
Summary: This is similar to FindBugs' [M C NP] Method call passes null for unconditionally dereferenced parameter, which you can refer to. Although both are the same class of problem, Fortify and FindBugs emphasize different aspects of it, probably because their rules differ. First, look at the following code:...
posted @ 2009-02-25 14:39 hyddd views(1384) comments(0) recommended(0)
Summary: This problem is similar to [M X OBL] Method may fail to clean up stream or resource in FindBugs, which you can refer to. But if you look closely, Fortify and FindBugs still differ on this issue, and Fortify is somewhat stricter. First, look at the following code:...
posted @ 2009-02-25 14:09 hyddd views(2633) comments(0) recommended(0)
Summary: Look at the sample code from Fortify's description. Example 1: int usrSleepTime = Integer.parseInt(usrInput);Thread.sleep(usrSleepTime); Example 2: ...
posted @ 2009-02-25 13:44 hyddd views(3364) comments(0) recommended(0)
Summary: The following kinds of code trigger this warning: //Demo1try{ //}catch(Exception e){ log.error(ex.getLocalizedMessage(),ex); /...
posted @ 2009-02-25 10:57 hyddd views(5209) comments(1) recommended(0)
Summary: This is also an information-disclosure issue. It is reported because one of your .JSP/web page files contains HTML comments, which carries a significant risk: you may leak internal information to users. Fortify's advice here is well founded. HTML comments exist to explain or record something, and many people who pentest websites gather information about a site from exactly such small details. I remember watching a video of a website intrusion in which the intruder found the database account and password in the comments of a web page file. Although...
posted @ 2009-02-24 14:38 hyddd views(2182) comments(0) recommended(0)
Summary: See FindBugs' [M C NP] Possible null pointer dereference; the principle is the same.
posted @ 2009-02-24 14:15 hyddd views(3127) comments(0) recommended(0)
Summary: First, look at a piece of code: try{ //}catch (Exception e) { e.printStackTrace();} When an exception occurs at runtime, the program catches it and prints the stack trace, and that is exactly where the problem lies. Here...
posted @ 2009-02-24 14:04 hyddd views(5190) comments(1) recommended(0)
Summary: What this means is that when comparing two String values we should use equals() rather than == or !=. For the reason, see the following article: A Complete Understanding of the String Data Type in Java. Original source: http://www.soidc.net/articles/1213781061058/20060220/1214037411661_1.html 1. First, String is not one of the 8 primitive data types; String is...
posted @ 2009-02-24 09:49 hyddd views(1684) comments(0) recommended(0)
Summary: [H C FS] Format string references missing argument [VA_FORMAT_STRING_MISSING_ARGUMENT] Not enough arguments are passed to satisfy a placeholder in the format string. A runtime exception will occur w...
posted @ 2009-02-16 21:00 hyddd views(993) comments(0) recommended(0)
Summary: [M B Nm] Class names should start with an upper case letter [NM_CLASS_NAMING_CONVENTION] Class names should be nouns, in mixed case with the first letter of each internal word capitalized. Try to ke...
posted @ 2009-02-16 17:57 hyddd views(1779) comments(0) recommended(0)
Summary: [H B BC] Random object created and used only once [DMI_RANDOM_USED_ONLY_ONCE] This code creates a java.util.Random object, uses it to generate one random number, and then discards the Random object....
posted @ 2009-02-16 16:45 hyddd views(10076) comments(1) recommended(1)
Summary: [M D REC] Exception is caught when Exception is not thrown [REC_CATCH_EXCEPTION] This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, ...
posted @ 2009-02-16 15:52 hyddd views(11824) comments(0) recommended(1)
Summary: [M D DLS] Dead store to local variable [DLS_DEAD_LOCAL_STORE] This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indica...
posted @ 2009-02-16 15:44 hyddd views(7852) comments(0) recommended(0)
Summary: [M P UuF] Unused field [UUF_UNUSED_FIELD] This field is never used. Consider removing it from the class. This indicates that a variable in some class is never used. FindBugs recommends removing useless things.
posted @ 2009-02-16 15:07 hyddd views(2179) comments(0) recommended(0)
Summary: [M B ODR] Method may fail to close database resource [ODR_OPEN_DATABASE_RESOURCE] The method creates a database resource (such as a database connection or row set), does not assign it to any fields,...
posted @ 2009-02-16 15:01 hyddd views(2201) comments(0) recommended(0)
Summary: [M X OBL] Method may fail to clean up stream or resource [OBL_UNSATISFIED_OBLIGATION] This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an e...
posted @ 2009-02-16 14:55 hyddd views(6856) comments(0) recommended(0)
Summary: [M M NP] Synchronize and null check on the same field. [NP_SYNC_AND_NULL_CHECK_FIELD] Since the field is synchronized on, it seems not likely to be null. If it is null and then synchronized on a Nul...
posted @ 2009-02-16 14:39 hyddd views(947) comments(0) recommended(0)
Summary: [M V MS] Public static method may expose internal representation by returning array [MS_EXPOSE_REP] A public static method returns a reference to an array that is part of the static state of the cla...
posted @ 2009-02-16 14:08 hyddd views(3460) comments(0) recommended(0)
Summary: [M C NP] Possible null pointer dereference [NP_NULL_ON_SOME_PATH] There is a branch of statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPoin...
posted @ 2009-02-16 11:37 hyddd views(12426) comments(4) recommended(0)
Summary: [M B Nm] Method names should start with a lower case letter [NM_METHOD_NAMING_CONVENTION] Methods should be verbs, in mixed case with the first letter lowercase, with the first letter of each intern...
posted @ 2009-02-16 11:15 hyddd views(6653) comments(0) recommended(0)
Summary: [M P Dm] Method invokes toString() method on a String [DM_STRING_TOSTRING] Calling String.toString() is just a redundant operation. Just use the String. The toString() method was called on a String object; this operation is redundant and can simply be removed....
posted @ 2009-02-16 11:09 hyddd views(1391) comments(0) recommended(0)
Summary: [M P Bx] Method invokes inefficient Number constructor; use static valueOf instead [DM_NUMBER_CTOR] Using new Integer(int) is guaranteed to always result in a new object whereas Integer.valueOf(int)...
posted @ 2009-02-16 11:01 hyddd views(3159) comments(0) recommended(0)
Summary: [M C NP] Method call passes null for unconditionally dereferenced parameter [NP_NULL_PARAM_DEREF] This method call passes a null value to a method which might dereference it unconditionally. Here Fin...
posted @ 2009-02-16 09:44 hyddd views(1914) comments(0) recommended(0)
Summary: [M V EI] May expose internal representation by returning reference to mutable object [EI_EXPOSE_REP] Returning a reference to a mutable object value stored in one of the object's fields exposes the ...
posted @ 2009-02-16 09:15 hyddd views(7330) comments(0) recommended(0)
Summary: [M V EI2] May expose internal representation by incorporating reference to mutable object [EI_EXPOSE_REP2] This code stores a reference to an externally mutable object into the internal representati...
posted @ 2009-02-15 22:11 hyddd views(10409) comments(0) recommended(1)
Summary: [M M IS] Inconsistent synchronization [IS2_INCONSISTENT_SYNC] The fields of this class appear to be accessed inconsistently with respect to synchronization. This bug report indicates that the bug pa...
posted @ 2009-02-15 21:22 hyddd views(5629) comments(0) recommended(0)
Summary: [M D RCN] Redundant nullcheck of value known to be non-null [RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE] This method contains a redundant check of a known non-null value against the constant null. See...
posted @ 2009-02-13 23:02 hyddd views(4620) comments(0) recommended(0)
Summary: [M C RpC] Repeated conditional tests [RpC_REPEATED_CONDITIONAL_TEST] The code contains a conditional test that is performed twice, one right after the other (e.g., x == 0 || x == 0). Perhaps the second oc...
posted @ 2009-02-13 22:57 hyddd views(2682) comments(0) recommended(0)
Summary: [M C RCN] Nullcheck of value previously dereferenced [RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE] A value is checked here to see whether it is null, but this value can't be null because it was pr...
posted @ 2009-02-13 22:50 hyddd views(18107) comments(0) recommended(0)
Summary: [H C FS] More arguments are passed than are actually used in the format string [VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED] A format-string method with a variable number of arguments is called, but mor...
posted @ 2009-02-13 17:07 hyddd views(1551) comments(0) recommended(0)
Summary: Lab3 -- Env analysis
posted @ 2009-02-12 22:31 hyddd views(1895) comments(0) recommended(0)
Summary: Registration code for the English version: Subscriber:MaYong Subscription Code:ZLR8ZO-655444-54678656985359684 Registration code for the Chinese version (not tested): Subscriber: www.1cn.biz Subscription Code: jLR8ZC-655444-65526656052107345
posted @ 2009-02-09 14:58 hyddd views(4151) comments(1) recommended(0)
Summary: MenuBar-->Windows-->Preferences-->Java-->Installed JREs. To add a JDK, just click Add and select the JDK directory path, e.g. C:\Program Files\Java\jre1.5.0_12.
posted @ 2009-02-09 09:51 hyddd views(4025) comments(0) recommended(0)
Summary: After installing MyEclipse, my default encoding was GB18030, while people generally recommend UTF-8. If you see garbled characters after importing a project, the encoding setting is wrong. Global encoding setting: ToolBar-->Window-->Preferences-->General-->Workspace-->Text file encoding, then choose a suitable encoding. Per-file encoding setting: right-click the source file-->General-->E...
posted @ 2009-02-06 16:46 hyddd views(13915) comments(0) recommended(0)