[jira] [Updated] (OFBIZ-9859) [FB] Package org.apache.ofbiz.content.content

> [FB] Package org.apache.ofbiz.content.content
> ---------------------------------------------
>
>                 Key: OFBIZ-9859
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9859
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: content
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Priority: Minor
>         Attachments: OFBIZ-9859_org.apache.ofbiz.content.content_bugfixes.patch
>
>
> --- ContentKeywordIndex.java:59, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of delegator, which is known to be non-null in org.apache.ofbiz.content.content.ContentKeywordIndex.indexKeywords(GenericValue, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> --- ContentKeywordIndex.java:73, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.content.content.ContentKeywordIndex.indexKeywords(GenericValue, boolean)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- ContentMapFacade.java:54, MS_MUTABLE_COLLECTION_PKGPROTECT
> Field is a mutable collection which should be package protected
> A mutable collection instance is assigned to a final static field, thus can be changed by malicious code or by accident from another package. The field could be made package protected to avoid this vulnerability. Alternatively you may wrap this field into Collections.unmodifiableSet/List/Map/etc. to avoid this vulnerability.
> --- ContentMapFacade.java:418, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.content.content.ContentMapFacade$Content.get(Object)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- ContentMapFacade.java:451, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.content.content.ContentMapFacade$SubContent.get(Object)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- ContentPermissionServices.java:181, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of entityAction, which is known to be non-null in org.apache.ofbiz.content.content.ContentPermissionServices.checkContentPermission(DispatchContext, Map)
> This method contains a redundant check of a known non-null value against the constant null.
> --- ContentPermissionServices.java:238, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of auxGetter, which is known to be non-null in org.apache.ofbiz.content.content.ContentPermissionServices.checkContentPermission(DispatchContext, Map)
> This method contains a redundant check of a known non-null value against the constant null.
> --- ContentPermissionServices.java:243, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of roleGetter, which is known to be non-null in org.apache.ofbiz.content.content.ContentPermissionServices.checkContentPermission(DispatchContext, Map)
> This method contains a redundant check of a known non-null value against the constant null.
> --- ContentSearch.java:451, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.content.content.ContentSearch$ContentAssocConstraint is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- ContentSearch.java:564, HE_EQUALS_USE_HASHCODE
> HE: org.apache.ofbiz.content.content.ContentSearch$ContentAssocConstraint defines equals and uses Object.hashCode()
> This class overrides equals(Object), but does not override hashCode(), and inherits the implementation of hashCode() from java.lang.Object (which returns the identity hash code, an arbitrary value assigned to the object by the VM).  Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.
> If you don't think instances of this class will ever be inserted into a HashMap/HashTable, the recommended hashCode implementation to use is:
> public int hashCode() {
>   assert false : "hashCode not designed";
>   return 42; // any arbitrary constant will do
>   }
> --- ContentSearch.java:564, BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS
> BC: Equals method for org.apache.ofbiz.content.content.ContentSearch$ContentAssocConstraint assumes the argument is of type ContentSearch$ContentAssocConstraint
> The equals(Object o) method shouldn't make any assumptions about the type of o. It should simply return false if o is not the same type as this.
> --- ContentSearch.java:604, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.content.content.ContentSearch$KeywordConstraint is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- ContentSearch.java:685, BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS
> BC: Equals method for org.apache.ofbiz.content.content.ContentSearch$KeywordConstraint assumes the argument is of type ContentSearch$KeywordConstraint
> The equals(Object o) method shouldn't make any assumptions about the type of o. It should simply return false if o is not the same type as this.
> --- ContentSearch.java:685, HE_EQUALS_USE_HASHCODE
> HE: org.apache.ofbiz.content.content.ContentSearch$KeywordConstraint defines equals and uses Object.hashCode()
> This class overrides equals(Object), but does not override hashCode(), and inherits the implementation of hashCode() from java.lang.Object (which returns the identity hash code, an arbitrary value assigned to the object by the VM).  Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.
> If you don't think instances of this class will ever be inserted into a HashMap/HashTable, the recommended hashCode implementation to use is:
> public int hashCode() {
>   assert false : "hashCode not designed";
>   return 42; // any arbitrary constant will do
>   }
> --- ContentSearch.java:722, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- ContentSearch.java:723, EI_EXPOSE_REP2
> EI2: new org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint(Timestamp, Timestamp) may expose internal representation by storing an externally mutable object into ContentSearch$LastUpdatedRangeConstraint.fromDate
> This code stores a reference to an externally mutable object into the internal representation of the object.  If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations.
> --- ContentSearch.java:724, EI_EXPOSE_REP2
> EI2: new org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint(Timestamp, Timestamp) may expose internal representation by storing an externally mutable object into ContentSearch$LastUpdatedRangeConstraint.thruDate
> This code stores a reference to an externally mutable object into the internal representation of the object.  If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations.
> --- ContentSearch.java:773, HE_EQUALS_USE_HASHCODE
> HE: org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint defines equals and uses Object.hashCode()
> This class overrides equals(Object), but does not override hashCode(), and inherits the implementation of hashCode() from java.lang.Object (which returns the identity hash code, an arbitrary value assigned to the object by the VM).  Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.
> If you don't think instances of this class will ever be inserted into a HashMap/HashTable, the recommended hashCode implementation to use is:
> public int hashCode() {
>   assert false : "hashCode not designed";
>   return 42; // any arbitrary constant will do
>   }
> --- ContentSearch.java:773, BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS
> BC: Equals method for org.apache.ofbiz.content.content.ContentSearch$LastUpdatedRangeConstraint assumes the argument is of type ContentSearch$LastUpdatedRangeConstraint
> The equals(Object o) method shouldn't make any assumptions about the type of o. It should simply return false if o is not the same type as this.
> --- ContentSearch.java:818, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.content.content.ContentSearch$SortKeywordRelevancy is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- ContentSearch.java:858, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.content.content.ContentSearch$SortContentField is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- ContentSearchSession.java:46, SE_NO_SERIALVERSIONID
> SnVI: org.apache.ofbiz.content.content.ContentSearchSession$ContentSearchOptions is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> --- ContentServices.java:78, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.content.content.ContentServices.findRelatedContent(DispatchContext, Map)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- ContentServices.java:837, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to subContentDataResourceView in org.apache.ofbiz.content.content.ContentServices.renderSubContentAsText(DispatchContext, Map)
> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.
> --- ContentServicesComplex.java:232, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to fromDate in org.apache.ofbiz.content.content.ContentServicesComplex.getAssocAndContentAndDataResourceCacheMethod(Delegator, String, String, String, Timestamp, String, List, List, Boolean, String, String)
> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.
> --- ContentUrlFilter.java:55, BC_UNCONFIRMED_CAST
> BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.content.content.ContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> --- ContentUrlFilter.java:56, BC_UNCONFIRMED_CAST
> BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.content.content.ContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> --- ContentWorker.java:155, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of targetLocaleString, which is known to be non-null in org.apache.ofbiz.content.content.ContentWorker.findContentForRendering(Delegator, String, Locale, String, String, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> --- ContentWorker.java:191, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> RCN: Nullcheck of dispatcher at line 198 of value previously dereferenced in org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher, GenericValue, Appendable, Map, Locale, String, boolean, List)
> A value is checked here to see whether it is null, but this value can't be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.
> --- ContentWorker.java:201, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of service, which is known to be non-null in org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher, GenericValue, Appendable, Map, Locale, String, boolean, List)
> This method contains a redundant check of a known non-null value against the constant null.
> --- ContentWorker.java:292, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of textData, which is known to be non-null in org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher, GenericValue, Appendable, Map, Locale, String, boolean, List)
> This method contains a redundant check of a known non-null value against the constant null.
> --- ContentWorker.java:305, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.content.content.ContentWorker.renderContentAsText(LocalDispatcher, GenericValue, Appendable, Map, Locale, String, boolean, List)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- ContentWorker.java:718, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in org.apache.ofbiz.content.content.ContentWorker.selectKids(Map, Map)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> --- ContentWorker.java:1119, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in org.apache.ofbiz.content.content.ContentWorker.getSubContentCache(Delegator, String, String, GenericValue, List, Timestamp, Boolean, String)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> --- ContentWorker.java:1176, NP_LOAD_OF_KNOWN_NULL_VALUE
> NP: Load of known null value in org.apache.ofbiz.content.content.ContentWorker.getCurrentContent(Delegator, List, GenericValue, Map, Boolean, String)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> --- ContentWorker.java:1253, NP_NULL_PARAM_DEREF
> NP: Null passed for nonnull parameter of getPurposes(GenericValue) in org.apache.ofbiz.content.content.ContentWorker.checkConditions(Delegator, Map, Map, Map)
> This method call passes a null value for a non-null method parameter. Either the parameter is annotated as a parameter that should always be non-null, or analysis has shown that it will always be dereferenced.
> --- ContentWorker.java:1578, WMI_WRONG_MAP_ITERATOR
> WMI: org.apache.ofbiz.content.content.ContentWorker.logMap(StringBuilder, String, Map, StringBuilder) makes inefficient use of keySet iterator instead of entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.
> --- PermissionRecorder.java:53, MS_PKGPROTECT
> MS: org.apache.ofbiz.content.content.PermissionRecorder.opFields should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> --- PermissionRecorder.java:54, MS_PKGPROTECT
> MS: org.apache.ofbiz.content.content.PermissionRecorder.fieldTitles should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> --- PermissionRecorder.java:93, EI_EXPOSE_REP
> EI: org.apache.ofbiz.content.content.PermissionRecorder.getContentPurposeOperations() may expose internal representation by returning PermissionRecorder.contentPurposeOperations
> Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object.  If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is better approach in many situations.
> --- PermissionRecorder.java:109, EI_EXPOSE_REP
> EI: org.apache.ofbiz.content.content.PermissionRecorder.getStatusTargets() may expose internal representation by returning PermissionRecorder.statusTargets
> Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object.  If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is better approach in many situations.
> --- PermissionRecorder.java:117, EI_EXPOSE_REP
> EI: org.apache.ofbiz.content.content.PermissionRecorder.getTargetOperations() may expose internal representation by returning PermissionRecorder.targetOperations
> Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object.  If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is better approach in many situations.
> --- PermissionRecorder.java:287, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.content.content.PermissionRecorder.renderResultRowHtml(Map, Map)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> --- UploadContentAndImage.java:315, REC_CATCH_EXCEPTION
> REC: Exception is caught when Exception is not thrown in org.apache.ofbiz.content.content.UploadContentAndImage.uploadContentAndImage(HttpServletRequest, HttpServletResponse)
> This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> --- UploadContentAndImage.java:353, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to imageBytes in org.apache.ofbiz.content.content.UploadContentAndImage.uploadContentStuff(HttpServletRequest, HttpServletResponse)
> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.
> --- UploadContentAndImage.java:401, REC_CATCH_EXCEPTION
> REC: Exception is caught when Exception is not thrown in org.apache.ofbiz.content.content.UploadContentAndImage.uploadContentStuff(HttpServletRequest, HttpServletResponse)
> This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> --- UploadContentAndImage.java:531, DLS_DEAD_LOCAL_STORE
> DLS: Dead store to ftlResults in org.apache.ofbiz.content.content.UploadContentAndImage.processContentUpload(Map, String, HttpServletRequest)
> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.