
Category - Java

[hyddd's FindBugs Analysis Notes][H STCAL] Call to static DateFormat

2010-01-11 11:48 by hyddd, 6165 views
Abstract: Bug: Call to method of static java.text.DateFormat. Pattern id: STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE, type: STCAL, category: MT_CORRECTNESS. As the JavaDoc states, DateFormats are inherently unsa...

[hyddd's FindBugs Analysis Notes][M S XSS] Class defines clone() but doesn't implement Cloneable

2009-04-22 17:11 by hyddd, 2071 views
Abstract: [H B CN] Class defines clone() but doesn't implement Cloneable [CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE] This class defines a clone() method but the class doesn't implement Cloneable. There are some s...

[hyddd's FindBugs Analysis Notes][M S XSS] Servlet reflected cross site scripting vulnerability

2009-04-01 21:18 by hyddd, 1978 views
Abstract: [M S XSS] Servlet reflected cross site scripting vulnerability [XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER] This code directly writes an HTTP parameter to Servlet output, which allows for a reflected c...

[hyddd's FindBugs Analysis Notes][M D ICAST] Result of integer multiplication cast to long

2009-04-01 21:10 by hyddd, 3953 views
Abstract: [M D ICAST] Result of integer multiplication cast to long [ICAST_INTEGER_MULTIPLY_CAST_TO_LONG] This code performs integer multiply and then converts the result to a long, as in: long convertDays...

[hyddd's FindBugs Analysis Notes][M B DE] Method might ignore exception

2009-04-01 20:54 by hyddd, 1815 views
Abstract: [M B DE] Method might ignore exception [DE_MIGHT_IGNORE] This method might ignore an exception. In general, exceptions should be handled or reported in some way, or they should be thrown out of the ...

[hyddd's FindBugs Analysis Notes][M M IS] Inconsistent synchronization: supplementary notes

2009-04-01 20:44 by hyddd, 3686 views
Abstract: I have already written a post explaining Inconsistent synchronization, but while doing code security work recently I found some new issues related to Inconsistent synchronization, so here are some supplementary notes. Let's first look at a longer piece of code: ...

[hyddd's FindBugs Analysis Notes][M B Eq] Class defines compareTo(...) and uses Object.equals()

2009-04-01 20:17 by hyddd, 3407 views
Abstract: [M B Eq] Class defines compareTo(...) and uses Object.equals() [EQ_COMPARETO_USE_OBJECT_EQUALS] This class defines a compareTo(...) method but inherits its equals() method from java.lang.Object. Gen...

[hyddd's FindBugs Analysis Notes][H C EC] equals() used to compare array and nonarray

2009-04-01 20:11 by hyddd, 779 views
Abstract: [H C EC] equals() used to compare array and nonarray [EC_ARRAY_AND_NONARRAY] This method invokes the .equals(Object o) to compare an array and a reference that doesn't seem to be an array. If things b...

[hyddd's Fortify SCA Java Code Analysis Notes][Semantic] SQL Injection

2009-02-26 18:50 by hyddd, 1680 views
Abstract: First, a piece of code: private String getInsertSql(Map parameterValues) { StringBuffer insertSql = new StringB...

[hyddd's Fortify SCA Java Code Analysis Notes][Semantic] Denial of Service

2009-02-26 13:48 by hyddd, 1366 views
Abstract: This is the same issue as the one described by the Fortify Warning [Data Flow] Denial of Service, only of lower severity, so the issue level is Info.

[hyddd's Fortify SCA Java Code Analysis Notes][Semantic] Insecure Randomness

2009-02-26 13:47 by hyddd, 2302 views
Abstract: See FindBugs' [H B BC] Random object created and used only once; both describe the same issue.

[hyddd's Fortify SCA Java Code Analysis Notes][Structural] Dead Code: Unused Method

2009-02-26 13:37 by hyddd, 1416 views
Abstract: If a private method of a class is not used within that class, Fortify recommends deleting it or commenting it out.

[hyddd's Fortify SCA Java Code Analysis Notes][Structural] J2EE Bad Practices: Leftover Debug Code

2009-02-26 11:58 by hyddd, 3797 views
Abstract: Debugging functions such as main() are potential entry points. If such debug code is unintentionally left in an application, it opens the application to unplanned modes of interaction. These backdoor entry points easily become security risks, because they were not considered in the original design or testing and do not appear in the operating environment the application was designed for. The most common example of leftover debug code is a main() method in a web application. Although this is entirely acceptable during product development, for a J2EE (web) applicat...

[hyddd's Fortify SCA Java Code Analysis Notes][Structural] Poor Error Handling: Overly Broad Throws

2009-02-26 11:57 by hyddd, 3058 views
Abstract: First, a piece of code: public void doExchange() throws Exception { } When a method is declared as throwing Exception/Throwable, the caller has a hard time determining exactly what this...

[hyddd's Fortify SCA Java Code Analysis Notes][Structural] Poor Error Handling: Overly Broad Catch

2009-02-26 11:53 by hyddd, 3775 views
Abstract: This issue is the same as the second case described in [M D REC] Exception is caught when Exception is not thrown; sample code follows: try{ //IOoperati...

[hyddd's Fortify SCA Java Code Analysis Notes][Structural] Poor Error Handling: Empty Catch Block

2009-02-26 11:50 by hyddd, 1800 views
Abstract: This issue is the same as the first case in FindBugs' [M D REC] Exception is caught when Exception is not thrown, where the program catches an exception but does not handle it; sample code follows: ...

[hyddd's Fortify SCA Java Code Analysis Notes][Structural] Poor Logging Practice: Use of a System Output Stream

2009-02-26 11:44 by hyddd, 1384 views
Abstract: Except when debugging, log messages should not be output with System.out.println(); they should be written to a log file. No example is given here.

[hyddd's Fortify SCA Java Code Analysis Notes][Control Flow] Missing Check for Null Parameter

2009-02-25 14:39 by hyddd, 1357 views
Abstract: This is quite similar to FindBugs' [M C NP] Method call passes null for unconditionally dereferenced parameter, which you can refer to. Although they are the same class of problem, Fortify and FindBugs emphasize different aspects of it, possibly because their rules differ. First look at the following code: ...

[hyddd's Fortify SCA Java Code Analysis Notes][Control Flow] Unreleased Resource

2009-02-25 14:09 by hyddd, 2576 views
Abstract: This issue is quite similar to FindBugs' [M X OBL] Method may fail to clean up stream or resource, which you can refer to. But on closer inspection, Fortify and FindBugs still differ on this issue; Fortify is somewhat stricter. First look at the following piece of code: ...

[hyddd's Fortify SCA Java Code Analysis Notes][Data Flow] Denial of Service

2009-02-25 13:44 by hyddd, 3292 views
Abstract: Look at the sample code from Fortify's description. Example 1: int usrSleepTime = Integer.parseInt(usrInput); Thread.sleep(usrSleepTime); Example 2: ...