
Article category: Java

[hyddd's Fortify SCA Java Code Analysis Notes][Data Flow]System Information Leak

2009-02-25 10:57 by hyddd, 5074 views
Abstract: Code that triggers this warning comes in the following forms: //Demo1 try{ // }catch(Exception e){ log.error(ex.getLocalizedMessage(),ex); /...

[hyddd's Fortify SCA Java Code Analysis Notes][Structural]System Information Leak: HTML Comment in JSP

2009-02-24 14:38 by hyddd, 2105 views
Abstract: This is another information-leak issue. It is reported because one of your .JSP/web page files contains HTML comments, which carries a real risk: you may leak internal information to users. Fortify's advice here is well founded: HTML comments exist to explain something or to record something, and many people who do website penetration gather information about a site from exactly such small places. I remember a video of a website intrusion I watched some time ago, in which the intruder found the database account and password through comments in a web page file. Although...

[hyddd's Fortify SCA Java Code Analysis Notes][Control Flow]Null Dereference

2009-02-24 14:15 by hyddd, 3103 views
Abstract: See FindBugs' [M C NP] Possible null pointer dereference; the principle is the same.

[hyddd's Fortify SCA Java Code Analysis Notes][Semantic]System Information Leak

2009-02-24 14:04 by hyddd, 4996 views
Abstract: First look at a piece of code: try{ // }catch (Exception e) { e.printStackTrace();} When an exception occurs at run time, the program catches it and prints the stack trace, and that is exactly where the problem lies. Here...

[hyddd's Fortify SCA Java Code Analysis Notes][Structural]Erroneous String Compare

2009-02-24 09:49 by hyddd, 1664 views
Abstract: What this means is that when comparing two String values we should use equals() rather than == or !=. As for why, see the following article: A Complete Understanding of the String Data Type in Java. Original source: http://www.soidc.net/articles/1213781061058/20060220/1214037411661_1.html 1. First, String is not one of the 8 primitive data types; String is...

[hyddd's FindBugs Analysis Notes][H C FS] Format string references missing argument

2009-02-16 21:00 by hyddd, 972 views
Abstract: [H C FS] Format string references missing argument [VA_FORMAT_STRING_MISSING_ARGUMENT] Not enough arguments are passed to satisfy a placeholder in the format string. A runtime exception will occur w...

[hyddd's FindBugs Analysis Notes][M B Nm] Class names should start with an upper case letter

2009-02-16 17:57 by hyddd, 1731 views
Abstract: [M B Nm] Class names should start with an upper case letter [NM_CLASS_NAMING_CONVENTION] Class names should be nouns, in mixed case with the first letter of each internal word capitalized. Try to ke...

[hyddd's FindBugs Analysis Notes][H B BC] Random object created and used only once

2009-02-16 16:45 by hyddd, 9904 views
Abstract: [H B BC] Random object created and used only once [DMI_RANDOM_USED_ONLY_ONCE] This code creates a java.util.Random object, uses it to generate one random number, and then discards the Random object....

[hyddd's FindBugs Analysis Notes][M D REC] Exception is caught when Exception is not thrown

2009-02-16 15:52 by hyddd, 11724 views
Abstract: [M D REC] Exception is caught when Exception is not thrown [REC_CATCH_EXCEPTION] This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, ...

[hyddd's FindBugs Analysis Notes][M D DLS] Dead store to local variable

2009-02-16 15:44 by hyddd, 7724 views
Abstract: [M D DLS] Dead store to local variable [DLS_DEAD_LOCAL_STORE] This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indica...

[hyddd's FindBugs Analysis Notes][M P UuF] Unused field

2009-02-16 15:07 by hyddd, 2118 views
Abstract: [M P UuF] Unused field [UUF_UNUSED_FIELD] This field is never used. Consider removing it from the class. This means a variable in some class is never used; FindBugs recommends removing unused things.

[hyddd's FindBugs Analysis Notes][M B ODR] Method may fail to close database resource

2009-02-16 15:01 by hyddd, 2147 views
Abstract: [M B ODR] Method may fail to close database resource [ODR_OPEN_DATABASE_RESOURCE] The method creates a database resource (such as a database connection or row set), does not assign it to any fields,...

[hyddd's FindBugs Analysis Notes][M X OBL] Method may fail to clean up stream or resource

2009-02-16 14:55 by hyddd, 6778 views
Abstract: [M X OBL] Method may fail to clean up stream or resource [OBL_UNSATISFIED_OBLIGATION] This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an e...

[hyddd's FindBugs Analysis Notes][M M NP] Synchronize and null check on the same field

2009-02-16 14:39 by hyddd, 906 views
Abstract: [M M NP] Synchronize and null check on the same field. [NP_SYNC_AND_NULL_CHECK_FIELD] Since the field is synchronized on, it seems not likely to be null. If it is null and then synchronized on a Nul...

[hyddd's FindBugs Analysis Notes][M V MS] Public static method may expose internal representation by returning array

2009-02-16 14:08 by hyddd, 3317 views
Abstract: [M V MS] Public static method may expose internal representation by returning array [MS_EXPOSE_REP] A public static method returns a reference to an array that is part of the static state of the cla...

[hyddd's FindBugs Analysis Notes][M C NP] Possible null pointer dereference

2009-02-16 11:37 by hyddd, 12350 views
Abstract: [M C NP] Possible null pointer dereference [NP_NULL_ON_SOME_PATH] There is a branch of statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPoin...

[hyddd's FindBugs Analysis Notes][M B Nm] Method names should start with a lower case letter

2009-02-16 11:15 by hyddd, 6582 views
Abstract: [M B Nm] Method names should start with a lower case letter [NM_METHOD_NAMING_CONVENTION] Methods should be verbs, in mixed case with the first letter lowercase, with the first letter of each intern...

[hyddd's FindBugs Analysis Notes][M P Dm] Method invokes toString() method on a String

2009-02-16 11:09 by hyddd, 1373 views
Abstract: [M P Dm] Method invokes toString() method on a String [DM_STRING_TOSTRING] Calling String.toString() is just a redundant operation. Just use the String. Calling toString() on a String object is redundant and can simply be removed....

[hyddd's FindBugs Analysis Notes][M P Bx] Method invokes inefficient Number constructor; use static valueOf instead

2009-02-16 11:01 by hyddd, 3126 views
Abstract: [M P Bx] Method invokes inefficient Number constructor; use static valueOf instead [DM_NUMBER_CTOR] Using new Integer(int) is guaranteed to always result in a new object whereas Integer.valueOf(int)...

[hyddd's FindBugs Analysis Notes][M C NP] Method call passes null for unconditionally dereferenced parameter

2009-02-16 09:44 by hyddd, 1881 views
Abstract: [M C NP] Method call passes null for unconditionally dereferenced parameter [NP_NULL_PARAM_DEREF] This method call passes a null value to a method which might dereference it unconditionally. Here Fin...