
Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: 17.12.01
    • Component/s: product
    • Labels: None

    Description

      CatalogUrlFilter.java:57, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      CatalogUrlFilter.java:58, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      CatalogUrlFilter.java:69, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail. For a servlet filter that logic is the container's mapping: the cast holds for the HTTP requests a web.xml filter mapping delivers, but an instanceof guard that passes anything else down the chain costs nothing and makes the assumption explicit.

      CatalogUrlFilter.java:70, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CatalogUrlFilter.java:76, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

      CatalogUrlFilter.java:77, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

      CatalogUrlSeoFilter.java:40, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      CatalogUrlSeoFilter.java:41, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      CatalogUrlSeoFilter.java:47, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CatalogUrlSeoFilter.java:48, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CatalogUrlSeoFilter.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

      CatalogUrlSeoFilter.java:61, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
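      The three findings repeat for CatalogUrlFilter and CatalogUrlSeoFilter (and again below for SeoContentUrlFilter and SeoContextFilter) because they are one pattern: configuration held in public mutable statics, written on every request from doFilter, after unguarded casts. The following is an added example, not OFBiz code; the class names and init-parameter names are hypothetical and it assumes the javax.servlet API (the same package the report names) on the classpath. The first class reproduces the flagged shape, the second is the form that clears all three findings.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter with the shape FindBugs flags above (not OFBiz code). */
class FlaggedCatalogUrlFilter implements Filter {
    // MS_PKGPROTECT: public and mutable, so any class loaded in the JVM can overwrite them.
    public static String defaultLocaleString = null;
    public static String redirectUrl = null;

    private FilterConfig config;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // BC_UNCONFIRMED_CAST: nothing here proves the container handed us HTTP objects.
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD: every concurrent request, and every other
        // instance of this class, races on the same two globals; the last writer wins for all.
        defaultLocaleString = config.getInitParameter("defaultLocaleString");
        redirectUrl = config.getInitParameter("redirectUrl");

        chain.doFilter(httpRequest, httpResponse);
    }

    @Override
    public void destroy() { }
}

/** Same behaviour without the findings: per-instance state fixed in init(), guarded casts. */
public class HardenedCatalogUrlFilter implements Filter {
    private String defaultLocaleString;
    private String redirectUrl;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Read once, at deployment time, into instance fields that are never written again.
        String configured = filterConfig.getInitParameter("defaultLocaleString");
        defaultLocaleString = (configured != null) ? configured : Locale.getDefault().toString();
        redirectUrl = filterConfig.getInitParameter("redirectUrl");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Guard the cast: a non-HTTP request is simply not this filter's business.
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Hand the configuration to downstream handlers per request, not through globals.
        httpRequest.setAttribute("defaultLocaleString", defaultLocaleString);
        if (redirectUrl != null) {
            httpRequest.setAttribute("redirectUrl", redirectUrl);
        }
        chain.doFilter(httpRequest, httpResponse);
    }

    @Override
    public void destroy() { }
}
```

      The hardened class never writes a field after init() returns, so the container's one-init-then-serve contract is the only synchronisation it needs; a filter that must hold request-derived state keeps it in a local or a request attribute, as shown, and never in a static.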

      CatalogUrlServlet.java:47, SE_NO_SERIALVERSIONID

      • SnVI: org.apache.ofbiz.product.category.CatalogUrlServlet is Serializable; consider declaring a serialVersionUID

      This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

      CategoryContentWrapper.java:102, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE

      • RCN: Nullcheck of CategoryContentWrapper.categoryContentCache at line 114 of value previously dereferenced in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(GenericValue, String, Locale, String, Delegator, LocalDispatcher, String)

      A value is checked here to see whether it is null, but this value can't be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.

      CategoryContentWrapper.java:154, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE

      • RCN: Redundant nullcheck of sessionLocale, which is known to be non-null in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(String, GenericValue, String, Locale, String, Delegator, LocalDispatcher, Writer, boolean)

      This method contains a redundant check of a known non-null value against the constant null.

      CategoryServices.java:240, DM_BOXED_PRIMITIVE_FOR_PARSING

      • Bx: Boxing/unboxing to parse a primitive org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)

      A boxed primitive is created from a String, just to extract the unboxed primitive value. It is more efficient to just call the static parseXXX method.

      CategoryServices.java:245, DLS_DEAD_LOCAL_STORE

      • DLS: Dead store to viewSize in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)

      This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.

      Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

      CategoryServices.java:411, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE

      • RCN: Redundant nullcheck of productCategoryMembers, which is known to be non-null in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)

      This method contains a redundant check of a known non-null value against the constant null.

      CategoryWorker.java:61, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getCatalogTopCategory(ServletRequest, String)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CategoryWorker.java:106, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getRelatedCategories(ServletRequest, String, boolean)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CategoryWorker.java:228, UPM_UNCALLED_PRIVATE_METHOD

      • UPM: Private method org.apache.ofbiz.product.category.CategoryWorker.buildCountCondition(String, String) is never called

      This private method is never called. Although it is possible that the method will be invoked through reflection, it is more likely that the method is never used, and should be removed.

      CategoryWorker.java:243, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, String)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CategoryWorker.java:315, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getTrail(ServletRequest)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CategoryWorker.java:321, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, List)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      CategoryWorker.java:408, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE

      • RCN: Redundant nullcheck of subCat, which is known to be non-null in org.apache.ofbiz.product.category.CategoryWorker.getCategoryContentWrappers(Map, List, HttpServletRequest)

      This method contains a redundant check of a known non-null value against the constant null.

      ControlServlet.java:33, SE_NO_SERIALVERSIONID

      • SnVI: org.apache.ofbiz.product.category.ControlServlet is Serializable; consider declaring a serialVersionUID

      This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

      ControlServlet.java:33, NM_SAME_SIMPLE_NAME_AS_SUPERCLASS

      • Nm: The class name org.apache.ofbiz.product.category.ControlServlet shadows the simple name of the superclass org.apache.ofbiz.webapp.control.ControlServlet

      This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses.

      ControlServlet.java:35, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.ControlServlet.defaultPage should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      ControlServlet.java:36, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.ControlServlet.pageNotFound should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      ControlServlet.java:37, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.ControlServlet.controlServlet should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      ControlServlet.java:51, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

      ControlServlet.java:57, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.pageNotFound from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

      ControlServlet.java:65, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
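      ControlServlet shows the same static-field pattern at init() time rather than per request, together with the missing serialVersionUID and the static self-reference in controlServlet. The demo below is added here and is not OFBiz code; the class and init-parameter names are hypothetical, it assumes the javax.servlet API on the classpath, and it uses a hand-written ServletConfig (a constructed test double) so it runs without a container. Two instances of the flagged servlet are initialised with different parameters, as two deployments of one class would be; because the fields are static, the second init() overwrites what the first wrote, so instance A resolves to instance B's pages. The hardened class keeps its values per instance and declares the UID explicitly; its simple name also differs from its superclass, which is what the Nm finding above asks for.

```java
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;

/** Hypothetical servlet with the shape FindBugs flags above (not OFBiz code). */
class FlaggedControlServlet extends HttpServlet {
    // SE_NO_SERIALVERSIONID: HttpServlet is Serializable, so the UID is implicit and fragile.
    // MS_PKGPROTECT: public mutable statics, including a reference to an instance.
    public static String defaultPage = null;
    public static String pageNotFound = null;
    public static FlaggedControlServlet controlServlet = null;

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        // ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD: each instance overwrites the class-wide values.
        defaultPage = config.getInitParameter("defaultPage");
        pageNotFound = config.getInitParameter("pageNotFound");
        controlServlet = this;
    }

    /** Picks the page a request path resolves to; an empty path means the default page. */
    String resolve(String path) {
        return (path == null || path.isEmpty()) ? defaultPage : pageNotFound;
    }
}

/** Same behaviour without the findings: per-instance configuration, explicit UID. */
class HardenedControlServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private String defaultPage;
    private String pageNotFound;

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        defaultPage = config.getInitParameter("defaultPage");
        pageNotFound = config.getInitParameter("pageNotFound");
    }

    String resolve(String path) {
        return (path == null || path.isEmpty()) ? defaultPage : pageNotFound;
    }
}

/** Constructed ServletConfig test double so the demo runs without a container. */
final class FixedConfig implements ServletConfig {
    private final Map<String, String> params = new HashMap<>();

    FixedConfig(String defaultPage, String pageNotFound) {
        params.put("defaultPage", defaultPage);
        params.put("pageNotFound", pageNotFound);
    }

    @Override public String getServletName() { return "demo"; }
    @Override public ServletContext getServletContext() { return null; }
    @Override public String getInitParameter(String name) { return params.get(name); }
    @Override public Enumeration<String> getInitParameterNames() {
        return Collections.enumeration(params.keySet());
    }
}

public class StaticServletStateDemo {
    public static void main(String[] args) throws ServletException {
        // Two deployments of one servlet class, e.g. two webapps sharing a classloader (hypothetical).
        FlaggedControlServlet shopA = new FlaggedControlServlet();
        FlaggedControlServlet shopB = new FlaggedControlServlet();
        shopA.init(new FixedConfig("/shopA/main", "/shopA/404"));
        shopB.init(new FixedConfig("/shopB/main", "/shopB/404"));
        // shopA now answers with shopB's pages: the static holds whatever the last init() wrote.
        System.out.println("flagged, shop A default page: " + shopA.resolve(""));
        System.out.println("flagged, shop A not-found page: " + shopA.resolve("/missing"));

        HardenedControlServlet safeA = new HardenedControlServlet();
        HardenedControlServlet safeB = new HardenedControlServlet();
        safeA.init(new FixedConfig("/shopA/main", "/shopA/404"));
        safeB.init(new FixedConfig("/shopB/main", "/shopB/404"));
        // Each hardened instance keeps the configuration it was initialised with.
        System.out.println("hardened, shop A default page: " + safeA.resolve(""));
        System.out.println("hardened, shop B default page: " + safeB.resolve(""));
    }
}
```

      The null ServletContext in the test double is enough because GenericServlet.init(ServletConfig) only stores the config and calls the no-argument init(); a servlet whose init() reads the context would need a fuller double.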

      SeoCatalogUrlServlet.java:45, SE_NO_SERIALVERSIONID

      • SnVI: org.apache.ofbiz.product.category.SeoCatalogUrlServlet is Serializable; consider declaring a serialVersionUID

      This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

      SeoConfigUtil.java:510, DM_CONVERT_CASE

      • Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoConfigUtil.addSpecialProductId(String)

      A String is being converted to upper or lower case using the JVM's default locale rather than an explicit one, so the result depends on the locale of the machine the code runs on. This may result in improper conversions when used with international characters. The classic failure is a Turkish default locale, where "I" lowercases to dotless "ı" (U+0131) and "i" uppercases to dotted "İ" (U+0130), so an identifier folded here no longer equals the same identifier folded on another host; for product IDs and path segments, pass Locale.ROOT. Use the

      String.toUpperCase( Locale l )
      String.toLowerCase( Locale l )

      versions instead.

      SeoContentUrlFilter.java:46, MS_SHOULD_BE_FINAL

      • MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.defaultLocaleString isn't final but should be

      This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

      SeoContentUrlFilter.java:47, MS_SHOULD_BE_FINAL

      • MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.redirectUrl isn't final but should be

      This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

      SeoContentUrlFilter.java:57, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      SeoContentUrlFilter.java:58, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      SeoContextFilter.java:-1, NM_FIELD_NAMING_CONVENTION

      • Nm: The field name org.apache.ofbiz.product.category.SeoContextFilter.WebServlets doesn't start with a lower case letter

      Names of fields that are not final should be in mixed case with a lowercase first letter and the first letters of subsequent words capitalized.

      SeoContextFilter.java:78, WMI_WRONG_MAP_ITERATOR

      • WMI: org.apache.ofbiz.product.category.SeoContextFilter.init(FilterConfig) makes inefficient use of keySet iterator instead of entrySet iterator

      This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.

      SeoContextFilter.java:94, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      SeoContextFilter.java:95, BC_UNCONFIRMED_CAST

      • BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      This cast is unchecked, and not every instance of the source type can be cast to the target type. Check that your program logic ensures that this cast will not fail.

      SeoContextFilter.java:181, DM_CONVERT_CASE

      • Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)

      A String is being converted to upper or lower case using the JVM's default locale rather than an explicit one, so the result depends on the locale of the machine the code runs on. This may result in improper conversions when used with international characters. Use the

      String.toUpperCase( Locale l )
      String.toLowerCase( Locale l )

      versions instead.

      SeoControlServlet.java:41, SE_NO_SERIALVERSIONID

      • SnVI: org.apache.ofbiz.product.category.SeoControlServlet is Serializable; consider declaring a serialVersionUID

      This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

      SeoControlServlet.java:43, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.SeoControlServlet.defaultPage should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      SeoControlServlet.java:44, MS_PKGPROTECT

      • MS: org.apache.ofbiz.product.category.SeoControlServlet.controlServlet should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      SeoControlServlet.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

      SeoControlServlet.java:68, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD

      • ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)

      This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

      SeoControlServlet.java:77, DM_CONVERT_CASE

      • Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoControlServlet.doGet(HttpServletRequest, HttpServletResponse)

      A String is being converted to upper or lower case using the JVM's default locale rather than an explicit one, so the result depends on the locale of the machine the code runs on. This may result in improper conversions when used with international characters. Use the

      String.toUpperCase( Locale l )
      String.toLowerCase( Locale l )

      versions instead.
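      The three DM_CONVERT_CASE findings (SeoConfigUtil.addSpecialProductId, SeoContextFilter.doFilter and SeoControlServlet.doGet) all fold product IDs or URL path segments with the JVM default locale. The following added example is not OFBiz code; the sample identifier is constructed and the method names are hypothetical. It puts the flagged comparison beside the Locale.ROOT replacement and runs with only the JDK.

```java
import java.util.Locale;

/** Why toLowerCase()/toUpperCase() without a Locale is unsafe for identifiers (added demo, not OFBiz code). */
public class LocaleCaseFoldDemo {
    // Constructed sample: any identifier containing 'i' or 'I' is affected.
    static final String SAMPLE_ID = "PRODUCT_ID";

    /** What the flagged calls do: fold under whatever the JVM default locale happens to be. */
    static String foldUnder(String s, Locale jvmDefault) {
        return s.toLowerCase(jvmDefault);
    }

    /** The replacement: fold under Locale.ROOT so every JVM produces the same characters. */
    static String foldRoot(String s) {
        return s.toLowerCase(Locale.ROOT);
    }

    /**
     * A case-insensitive match done the flagged way: the incoming value is folded with the
     * default locale while the configured value was folded elsewhere (here, with Locale.ROOT).
     */
    static boolean matchesFlagged(String incoming, String configuredLower, Locale jvmDefault) {
        return foldUnder(incoming, jvmDefault).equals(configuredLower);
    }

    /** The same match with both sides folded under Locale.ROOT, independent of the host locale. */
    static boolean matchesFixed(String incoming, String configuredLower) {
        return foldRoot(incoming).equals(foldRoot(configuredLower));
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        String configured = foldRoot(SAMPLE_ID);

        // Under an English default locale both folds agree; under Turkish, 'I' lowercases to
        // dotless U+0131, so the flagged comparison no longer recognises the configured ID.
        System.out.println("flagged, en default: " + matchesFlagged(SAMPLE_ID, configured, Locale.ENGLISH));
        System.out.println("flagged, tr default: " + matchesFlagged(SAMPLE_ID, configured, turkish));
        System.out.println("fixed,   tr default: " + matchesFixed(SAMPLE_ID, configured));

        // The reverse direction has the same trap: 'i' upper-cased under Turkish is dotted U+0130, not 'I'.
        System.out.println("\"id\" upper-cased under tr equals \"ID\": " + "id".toUpperCase(turkish).equals("ID"));
    }
}
```

      The practical consequence for a special-product-ID list or a path allow-list is a silent miss rather than an exception: the entry is present, but on a host whose user.language is tr the folded lookup key is a different string. Folding both sides with Locale.ROOT, or comparing with equalsIgnoreCase where no key is built, removes the dependency on the host.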

      People

        mbrohl Michael Brohl
        jleichert Julian Leichert