  1. OFBiz
  2. OFBIZ-9450 Fixing defects reported by code analysis tools
  3. OFBIZ-9714

[FB] Package org.apache.ofbiz.service.rmi.socket.ssl

Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: 17.12.01
    • Component/s: framework
    • Labels: None

    Description

      • SSLClientSocketFactory.java:37, SE_NO_SERIALVERSIONID
        SnVI: org.apache.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory is Serializable; consider declaring a serialVersionUID

      This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

      • SSLServerSocketFactory.java:43, SE_NO_SERIALVERSIONID
        SnVI: org.apache.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory is Serializable; consider declaring a serialVersionUID

      This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

      • SSLServerSocketFactory.java:76, OS_OPEN_STREAM
        OS: org.apache.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory.createServerSocket(int) may fail to close stream

      The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method. This may result in a file descriptor leak. It is generally a good idea to use a finally block to ensure that streams are closed.

      • SSLServerSocketFactory.java:76, OBL_UNSATISFIED_OBLIGATION
        OBL: org.apache.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory.createServerSocket(int) may fail to clean up java.io.InputStream

      This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

      In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

      This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested in getting feedback about the usefulness of this bug pattern. To send feedback, either:

      • send email to findbugs@cs.umd.edu
      • file a bug report: http://findbugs.sourceforge.net/reportingBugs.html

      In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

      See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description of the analysis technique.

      • SSLServerSocketFactory.java:111, BC_UNCONFIRMED_CAST_OF_RETURN_VALUE
        BC: Unchecked/unconfirmed cast from java.net.ServerSocket to javax.net.ssl.SSLServerSocket of return value in org.apache.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory.createServerSocket(int)

      This code performs an unchecked cast of the return value of a method. The code might be calling the method in such a way that the cast is guaranteed to be safe, but FindBugs is unable to verify that the cast is safe. Check that your program logic ensures that this cast will not fail.

          People

            mbrohl Michael Brohl
            Dennis Balkir Dennis Balkir