SONAR-3699 Upgrade to FindBugs 2.0.1
authorEvgeny Mandrikov <mandrikov@gmail.com>
Tue, 7 Aug 2012 17:15:07 +0000 (23:15 +0600)
committerEvgeny Mandrikov <mandrikov@gmail.com>
Tue, 7 Aug 2012 17:47:11 +0000 (23:47 +0600)
New rules:
* PT_ABSOLUTE_PATH_TRAVERSAL
* PT_RELATIVE_PATH_TRAVERSAL
* NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR
* MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
* BC_UNCONFIRMED_CAST_OF_RETURN_VALUE
* TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS

12 files changed:
plugins/sonar-findbugs-plugin/pom.xml
plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/profile-sonar-way-findbugs.xml
plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml
plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java
plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/SonarWayWithFindbugsProfileTest.java
plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties
plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html [new file with mode: 0644]
plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html [new file with mode: 0644]
plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html [new file with mode: 0644]
plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html [new file with mode: 0644]
plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html [new file with mode: 0644]
plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html [new file with mode: 0644]

index c66633c4e51375f86ebba448c3bcdf2abf4b65e9..0cd10099d69d82ca839d68774ff7487013acd302 100644 (file)
@@ -14,7 +14,7 @@
   <description>FindBugs is a program that uses static analysis to look for bugs in Java code. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods.</description>
 
   <properties>
-    <findbugs.version>2.0.0</findbugs.version>
+    <findbugs.version>2.0.1</findbugs.version>
   </properties>
 
   <dependencies>
index 1fc95f1a2ec60326802585c57452a58b73a8c175..8fa5a2696f9963f180af6cd43af7069cc83e5002 100644 (file)
   <Match>
     <Bug pattern="VO_VOLATILE_INCREMENT"/>
   </Match>
-</FindBugsFilter>
\ No newline at end of file
+  <Match>
+    <Bug pattern="PT_ABSOLUTE_PATH_TRAVERSAL"/>
+  </Match>
+  <Match>
+    <Bug pattern="PT_RELATIVE_PATH_TRAVERSAL"/>
+  </Match>
+  <Match>
+    <Bug pattern="NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR"/>
+  </Match>
+  <Match>
+    <Bug pattern="MS_SHOULD_BE_REFACTORED_TO_BE_FINAL"/>
+  </Match>
+  <Match>
+    <Bug pattern="BC_UNCONFIRMED_CAST_OF_RETURN_VALUE"/>
+  </Match>
+  <Match>
+    <Bug pattern="TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS"/>
+  </Match>
+</FindBugsFilter>
index 44df2180ea909c265cda4aac95a827e0d0609d0f..ddb0a82bbb153a84e244e330a20a1621e00a48ac 100644 (file)
     <configKey><![CDATA[VO_VOLATILE_INCREMENT]]></configKey>
 
   </rule>
+
+  <rule key="PT_ABSOLUTE_PATH_TRAVERSAL">
+    <priority>MAJOR</priority>
+    <name><![CDATA[Absolute path traversal in servlet]]></name>
+    <configKey><![CDATA[PT_ABSOLUTE_PATH_TRAVERSAL]]></configKey>
+
+  </rule>
+
+  <rule key="PT_RELATIVE_PATH_TRAVERSAL">
+    <priority>MAJOR</priority>
+    <name><![CDATA[Relative path traversal in servlet]]></name>
+    <configKey><![CDATA[PT_RELATIVE_PATH_TRAVERSAL]]></configKey>
+
+  </rule>
+
+  <rule key="NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">
+    <priority>CRITICAL</priority>
+    <name><![CDATA[Nonnull field is not initialized]]></name>
+    <configKey><![CDATA[NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR]]></configKey>
+
+  </rule>
+
+  <rule key="MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">
+    <priority>MAJOR</priority>
+    <name><![CDATA[Field isn't final but should be refactored to be so]]></name>
+    <configKey><![CDATA[MS_SHOULD_BE_REFACTORED_TO_BE_FINAL]]></configKey>
+
+  </rule>
+
+  <rule key="BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">
+    <priority>CRITICAL</priority>
+    <name><![CDATA[Unchecked/unconfirmed cast of return value from method]]></name>
+    <configKey><![CDATA[BC_UNCONFIRMED_CAST_OF_RETURN_VALUE]]></configKey>
+
+  </rule>
+
+  <rule key="TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">
+    <priority>MAJOR</priority>
+    <name><![CDATA[Comparing values with incompatible type qualifiers]]></name>
+    <configKey><![CDATA[TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS]]></configKey>
+
+  </rule>
+
 </rules>
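Review bot: PT_ABSOLUTE_PATH_TRAVERSAL and PT_RELATIVE_PATH_TRAVERSAL are registered with `<priority>MAJOR</priority>` while BC_UNCONFIRMED_CAST_OF_RETURN_VALUE and NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR get CRITICAL, which ranks a confirmed security weakness below a type-safety nit. The two PT_ detectors report request-parameter-controlled file access (their descriptions added in this commit cite CWE-36 and CWE-23), so a finding is directly exploitable rather than a latent bug. Unless the repository deliberately keeps its existing security-category rules at MAJOR, which is not visible in this hunk, `<priority>CRITICAL</priority>` for both PT_ entries would be more consistent with their impact. Whichever level is chosen, the profile hunk that activates these rules by default should reflect the same decision.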
index 23251154ab49d136319b47ea7ff6ad1a56a1d771..6920e086a23043db0217663a80654936a9ae716d 100644 (file)
@@ -57,7 +57,7 @@ public class FindbugsProfileImporterTest {
     RulesProfile profile = importer.importProfile(new InputStreamReader(input), ValidationMessages.create());
     List<ActiveRule> results = profile.getActiveRules();
 
-    assertThat(results).hasSize(18);
+    assertThat(results).hasSize(19);
     assertThat(profile.getActiveRule(FindbugsConstants.REPOSITORY_KEY, "EC_INCOMPATIBLE_ARRAY_COMPARE")).isNotNull();
     assertThat(profile.getActiveRule(FindbugsConstants.REPOSITORY_KEY, "BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY")).isNotNull();
   }
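Review bot: The change from `hasSize(18)` to `hasSize(19)` records that one of the six new rules is now imported from this fixture, but nothing in the assertion says which one, so a later change that drops one rule and picks up another would still pass. A presence check next to the existing ones, e.g. `assertThat(profile.getActiveRule(FindbugsConstants.REPOSITORY_KEY, "<NEW_RULE_KEY>")).isNotNull();` with the key of the rule the fixture now matches, would pin the intent. The same applies to the `hasSize(9)` to `hasSize(10)` bump in the second hunk of this file and to the `399` to `405` bump in SonarWayWithFindbugsProfileTest, where at least the delta of six can be checked against the six Match entries added to the profile. Both enclosing test methods begin above their hunks.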
@@ -135,7 +135,7 @@ public class FindbugsProfileImporterTest {
     RulesProfile profile = importer.importProfile(new StringReader(uncorrectFindbugsXml), messages);
     List<ActiveRule> results = profile.getActiveRules();
 
-    assertThat(results).hasSize(9);
+    assertThat(results).hasSize(10);
     assertThat(messages.getWarnings()).hasSize(1);
   }
 }
index 6b516576fbbb1f2c5a6b5b80e802c3dae48839b6..63bbcae1dc0a267cba5e7f36f41fa5dc978e5832 100644 (file)
@@ -33,7 +33,7 @@ public class SonarWayWithFindbugsProfileTest {
     SonarWayWithFindbugsProfile sonarWayWithFindbugs = new SonarWayWithFindbugsProfile(importer);
     ValidationMessages validation = ValidationMessages.create();
     RulesProfile profile = sonarWayWithFindbugs.createProfile(validation);
-    assertThat(profile.getActiveRulesByRepository(FindbugsConstants.REPOSITORY_KEY)).hasSize(399);
+    assertThat(profile.getActiveRulesByRepository(FindbugsConstants.REPOSITORY_KEY)).hasSize(405);
     assertThat(validation.hasErrors()).isFalse();
   }
 
index 6b0577b8ca7575515c5fd8d8ee6b8c9b30514452..a86b043086ce520980765e7e890c6b297e6d769f 100644 (file)
@@ -406,3 +406,9 @@ rule.findbugs.UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD.name=Unused public or protect
 rule.findbugs.UWF_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD.name=Unwritten public or protected field
 rule.findbugs.VA_FORMAT_STRING_USES_NEWLINE.name=Format string should use %n rather than \\n
 rule.findbugs.VO_VOLATILE_INCREMENT.name=An increment to a volatile field isn't atomic
+rule.findbugs.PT_ABSOLUTE_PATH_TRAVERSAL.name=Absolute path traversal in servlet
+rule.findbugs.PT_RELATIVE_PATH_TRAVERSAL.name=Relative path traversal in servlet
+rule.findbugs.NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.name=Nonnull field is not initialized
+rule.findbugs.MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.name=Field isn't final but should be refactored to be so
+rule.findbugs.BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.name=Unchecked/unconfirmed cast of return value from method
+rule.findbugs.TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.name=Comparing values with incompatible type qualifiers
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html
new file mode 100644 (file)
index 0000000..6563ad7
--- /dev/null
@@ -0,0 +1,6 @@
+<p>
+This code performs an unchecked cast of the return value of a method.
+The code might be calling the method in such a way that the cast is guaranteed to be
+safe, but FindBugs is unable to verify that the cast is safe.  Check that your program logic ensures that this
+cast will not fail.
+</p>
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html
new file mode 100644 (file)
index 0000000..f000700
--- /dev/null
@@ -0,0 +1,8 @@
+<p>
+This static field public but not final, and
+could be changed by malicious code or
+by accident from another package.
+The field could be made final to avoid
+this vulnerability. However, the static initializer contains more than one write
+to the field, so doing so will require some refactoring.
+</p>
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html
new file mode 100644 (file)
index 0000000..f4b8228
--- /dev/null
@@ -0,0 +1,5 @@
+<p>
+The field is marked as nonnull, but isn't written to by the constructor.
+The field might be initialized elsewhere during constructor, or might always
+be initialized before use.
+</p>
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html
new file mode 100644 (file)
index 0000000..148eeb2
--- /dev/null
@@ -0,0 +1,13 @@
+<p>
+The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory,
+but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
+
+See <a href="http://cwe.mitre.org/data/definitions/36.html">http://cwe.mitre.org/data/definitions/36.html</a> for more information.
+</p>
+
+<p>
+FindBugs looks only for the most blatant, obvious cases of absolute path traversal.
+If FindBugs found <em>any</em>, you <em>almost certainly</em> have more
+vulnerabilities that FindBugs doesn't report. If you are concerned about absolute path traversal, you should seriously
+consider using a commercial static analysis or pen-testing tool.
+</p>
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html
new file mode 100644 (file)
index 0000000..de134d8
--- /dev/null
@@ -0,0 +1,12 @@
+<p>
+The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory,
+but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
+
+See <a href="http://cwe.mitre.org/data/definitions/23.html">http://cwe.mitre.org/data/definitions/23.html</a> for more information.</p>
+
+<p>
+FindBugs looks only for the most blatant, obvious cases of relative path traversal.
+If FindBugs found <em>any</em>, you <em>almost certainly</em> have more
+vulnerabilities that FindBugs doesn't report. If you are concerned about relative path traversal, you should seriously
+consider using a commercial static analysis or pen-testing tool.
+</p>
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html
new file mode 100644 (file)
index 0000000..43dd5c4
--- /dev/null
@@ -0,0 +1,22 @@
+<p>
+A value specified as carrying a type qualifier annotation is
+compared with a value that doesn't ever carry that qualifier.
+</p>
+
+<p>
+More precisely, a value annotated with a type qualifier specifying when=ALWAYS
+is compared with a value that where the same type qualifier specifies when=NEVER.
+</p>
+
+<p>
+For example, say that @NonNegative is a nickname for
+the type qualifier annotation @Negative(when=When.NEVER).
+The following code will generate this warning because
+the return statement requires a @NonNegative value,
+but receives one that is marked as @Negative.
+</p>
+<pre>
+public boolean example(@Negative Integer value1, @NonNegative Integer value2) {
+  return value1.equals(value2);
+}
+</pre>