[FINERACT-437] Fix security vulnerabilities of using generic exceptions and catching throwable and errors - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.1.0
Component/s: Accounting, Organization
Labels:
- gsoc2017

Description

There are two types of vulnerabilities related to exceptions reported by sonar

1. Generic exceptions should never be thrown
MITRE, CWE-397 - Declaration of Throws for Generic Exception

2. Throwable and Error should not be caught
MITRE, CWE-396 - Declaration of Catch for Generic Exception
CERT, ERR07-J - Do not throw RuntimeException, Exception, or Throwable

The rationale behind these vulnerabilities are explained in above links. The proposed solutions are as follows.

1. Generic exceptions should never be thrown => Define and throw a dedicated exception instead of using a generic one.

2. Throwable and Error should not be caught => Catch Exception instead of Throwable.

Attachments

Issue Links

links to

GitHub Pull Request #375

Activity

People

Assignee:

Santosh Math

Reporter:

Thisura

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

23/Apr/17 12:20

Updated:

11/Jan/19 07:35

Resolved:

15/Dec/17 10:09