edu.umd.cs.findbugs.Priorities Java Examples
The following examples show how to use
edu.umd.cs.findbugs.Priorities.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source Project: Android_Code_Arbiter Author: blackarbiter File: TrustBoundaryViolationValueDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
/**=
* All or nothing :
* <ul>
* <li>If the taint to sink path is found, it is mark as high</li>
* <li>If the source is not confirm, it is mark as low. This is will be the most common case.</li>
* </ul>
* @param taint Taint state
* @return High or low confidence
*/
@Override
protected int getPriority(Taint taint) {
//**Low risk**
//It is very common that variable are not sanetize and store in session.
//By it self it pose little risk. The thinking is the injection or the critical operation
//will be catch.
//After all storing value in the session is not so different to storing value in local variables or any indirection.
//**False positive**
//The usual and most common configuration is to hide LOW priority (confidence).
//This way this FP producer will not polute day to day review by developers.
if (taint.isTainted() || !taint.isSafe()) {
return Priorities.LOW_PRIORITY;
}
else {
return Priorities.IGNORE_PRIORITY;
}
}
Example #2
| Source Project: raml-tester Author: nidi3 File: CodeAnalysisTest.java License: Apache License 2.0 | 6 votes |
|
@Override
protected FindBugsResult analyzeFindBugs() {
final BugCollector collector = new BugCollector().minPriority(Priorities.NORMAL_PRIORITY)
.because("I don't agree",
In.everywhere().ignore("SBSC_USE_STRINGBUFFER_CONCATENATION"))
.because("it's in test",
In.loc("*Test$*")
.ignore("SIC_INNER_SHOULD_BE_STATIC_ANON", "SE_NO_SERIALVERSIONID", "DM_DEFAULT_ENCODING", "BC_UNCONFIRMED_CAST"),
In.loc("*Test")
.ignore("ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD", "DM_DEFAULT_ENCODING", "UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR"))
.because("TODO", //TODO
In.locs("RestAssuredRamlRequest", "ServletRamlRequest", "ServletRamlResponse").ignore("DM_DEFAULT_ENCODING"))
.because("arrays are only used internally",
In.locs("*Response", "*Request").ignore("EI_EXPOSE_REP", "EI_EXPOSE_REP2"))
.because("They are snippets",
In.loc("guru.nidi.ramltester.snippets*").ignoreAll())
.because("it's class private and only used in 1 occasion",
In.loc("CheckerHelper$ResourceMatch").ignore("EQ_COMPARETO_USE_OBJECT_EQUALS"));
return new FindBugsAnalyzer(AnalyzerConfig.maven().mainAndTest(), collector).analyze();
}
Example #3
| Source Project: spotbugs Author: spotbugs File: ProjectFilterSettings.java License: GNU Lesser General Public License v2.1 | 6 votes |
|
/**
* Convert an integer warning priority threshold value to a String.
*/
public static String getIntPriorityAsString(int prio) {
String minPriority;
switch (prio) {
case Priorities.EXP_PRIORITY:
minPriority = ProjectFilterSettings.EXPERIMENTAL_PRIORITY;
break;
case Priorities.LOW_PRIORITY:
minPriority = ProjectFilterSettings.LOW_PRIORITY;
break;
case Priorities.NORMAL_PRIORITY:
minPriority = ProjectFilterSettings.MEDIUM_PRIORITY;
break;
case Priorities.HIGH_PRIORITY:
minPriority = ProjectFilterSettings.HIGH_PRIORITY;
break;
default:
minPriority = ProjectFilterSettings.DEFAULT_PRIORITY;
break;
}
return minPriority;
}
Example #4
| Source Project: Android_Code_Arbiter Author: blackarbiter File: JspSpringEvalDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
public void sawOpcode(int seen) {
//printOpCode(seen);
// JspSpringEvalDetector: [0039] ldc "${expression}"
// JspSpringEvalDetector: [0041] ldc java/lang/String
// JspSpringEvalDetector: [0043] aload_2
// JspSpringEvalDetector: [0044] aconst_null
// JspSpringEvalDetector: [0045] invokestatic org/apache/jasper/runtime/PageContextImpl.evaluateExpression (Ljava/lang/String;Ljava/lang/Class;Ljavax/servlet/jsp/PageContext;Lorg/apache/jasper/runtime/ProtectedFunctionMapper;)Ljava/lang/Object;
// JspSpringEvalDetector: [0048] checkcast
// JspSpringEvalDetector: [0051] invokevirtual org/springframework/web/servlet/tags/EvalTag.setExpression (Ljava/lang/String;)V
if (seen == Constants.INVOKEVIRTUAL && getClassConstantOperand().equals("org/springframework/web/servlet/tags/EvalTag")
&& getNameConstantOperand().equals("setExpression") && getSigConstantOperand().equals("(Ljava/lang/String;)V")) {
if (StackUtils.isVariableString(stack.getStackItem(0))) {
bugReporter.reportBug(new BugInstance(this, JSP_SPRING_EVAL, Priorities.HIGH_PRIORITY) //
.addClass(this).addMethod(this).addSourceLine(this));
}
}
}
Example #5
| Source Project: Android_Code_Arbiter Author: blackarbiter File: ConstantPasswordDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
private void reportBadSink() {
if (!sinkMethods.containsKey(calledMethod)) {
return;
}
Collection<Integer> offsets = sinkMethods.get(calledMethod);
Collection<Integer> offsetsToReport = new ArrayList<Integer>();
for (Integer offset : offsets) {
if (hasHardCodedStackItem(offset) && !stack.getStackItem(offset).isNull()) {
offsetsToReport.add(offset);
String sourceField = getStackFieldName(offset);
if (sourceField != null) {
reportedFields.add(sourceField);
}
}
}
if (!offsetsToReport.isEmpty()) {
reportBugSink(Priorities.HIGH_PRIORITY, offsets);
}
}
Example #6
| Source Project: Android_Code_Arbiter Author: blackarbiter File: XssTwirlDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.XSS_SAFE)) {
if(FindSecBugsGlobalConfig.getInstance().isReportPotentialXssWrongContext()) {
return Priorities.LOW_PRIORITY;
}
else {
return Priorities.IGNORE_PRIORITY;
}
} else if (!taint.isSafe()
&& (taint.hasTag(Taint.Tag.QUOTE_ENCODED) || taint.hasTag(Taint.Tag.APOSTROPHE_ENCODED))
&& taint.hasTag(Taint.Tag.LT_ENCODED)) {
return Priorities.LOW_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #7
| Source Project: Android_Code_Arbiter Author: blackarbiter File: XssMvcApiDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
protected int getPriorityFromTaintFrame(TaintFrame fact, int offset)
throws DataflowAnalysisException {
Taint mvcResultTaint = fact.getStackValue(offset);
// The MVC Result object was tainted - This could still be safe if the content-type is a safe one
if (!mvcResultTaint.isSafe()) {
// Get the value of the content-type parameter
Taint parameterTaint = fact.getStackValue(0);
if ( !parameterTaint.isSafe()
|| VULNERABLE_CONTENT_TYPE.equalsIgnoreCase(parameterTaint.getConstantValue())) {
return getPriority(mvcResultTaint);
}
}
return Priorities.IGNORE_PRIORITY;
}
Example #8
| Source Project: Android_Code_Arbiter Author: blackarbiter File: XssMvcApiDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.XSS_SAFE)) {
if (FindSecBugsGlobalConfig.getInstance().isReportPotentialXssWrongContext()) {
return Priorities.LOW_PRIORITY;
} else {
return Priorities.IGNORE_PRIORITY;
}
} else if (!taint.isSafe()
&& (taint.hasTag(Taint.Tag.QUOTE_ENCODED) || taint.hasTag(Taint.Tag.APOSTROPHE_ENCODED))
&& taint.hasTag(Taint.Tag.LT_ENCODED)) {
return Priorities.LOW_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #9
| Source Project: spotbugs Author: spotbugs File: CheckTypeQualifiers.java License: GNU Lesser General Public License v2.1 | 6 votes |
|
private void emitSourceWarning(String bugType, XMethod xMethod, TypeQualifierValue<?> typeQualifierValue,
FlowValue backwardsFlowValue, TypeQualifierValueSet backwardsFact, SourceSinkInfo source, ValueNumber vn,
Location location) {
BugInstance warning = new BugInstance(this, bugType, Priorities.NORMAL_PRIORITY).addClassAndMethod(xMethod);
annotateWarningWithTypeQualifier(warning, typeQualifierValue);
annotateWarningWithSourceSinkInfo(warning, xMethod, vn, source);
Set<? extends SourceSinkInfo> sinkSet = (backwardsFlowValue == FlowValue.NEVER) ? backwardsFact.getWhereNever(vn)
: backwardsFact
.getWhereAlways(vn);
for (SourceSinkInfo sink : sinkSet) {
annotateWarningWithSourceSinkInfo(warning, xMethod, vn, sink);
}
bugReporter.reportBug(warning);
}
Example #10
| Source Project: spotbugs Author: spotbugs File: Noise.java License: GNU Lesser General Public License v2.1 | 6 votes |
|
public int getPriority() {
int hash = getHash();
if ((hash & 0x1ff0) == 0) {
hash = hash & 0xf;
if (hash < 1) {
return Priorities.HIGH_PRIORITY;
} else if (hash < 1 + 2) {
return Priorities.NORMAL_PRIORITY;
} else if (hash < 1 + 2 + 4) {
return Priorities.LOW_PRIORITY;
} else {
return Priorities.IGNORE_PRIORITY;
}
} else {
return Priorities.IGNORE_PRIORITY + 1;
}
}
Example #11
| Source Project: Android_Code_Arbiter Author: blackarbiter File: RsaNoPaddingDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
public void sawOpcode(int seen) {
if (seen == Constants.INVOKESTATIC
&& getClassConstantOperand().equals("javax/crypto/Cipher")
&& getNameConstantOperand().equals("getInstance")) {
OpcodeStack.Item item = stack.getStackItem(getSigConstantOperand().contains(";L") ? 1 : 0);
if (StackUtils.isConstantString(item)) {
String cipherValue = (String) item.getConstant();
// default padding for "RSA" only is PKCS1 so it is not reported
if (cipherValue.startsWith("RSA/") && cipherValue.endsWith("/NoPadding")) {
bugReporter.reportBug(new BugInstance(this, RSA_NO_PADDING_TYPE, Priorities.NORMAL_PRIORITY) //
.addClass(this).addMethod(this).addSourceLine(this));
}
}
}
}
Example #12
| Source Project: spotbugs Author: spotbugs File: StartInConstructor.java License: GNU Lesser General Public License v2.1 | 6 votes |
|
@Override
public void sawOpcode(int seen) {
if (seen == Const.INVOKEVIRTUAL && "start".equals(getNameConstantOperand()) && "()V".equals(getSigConstantOperand())) {
try {
if (Hierarchy.isSubtype(getDottedClassConstantOperand(), "java.lang.Thread")) {
int priority = Priorities.NORMAL_PRIORITY;
if (getPC() + 4 >= getCode().getCode().length) {
priority = Priorities.LOW_PRIORITY;
}
BugInstance bug = new BugInstance(this, "SC_START_IN_CTOR", priority).addClassAndMethod(this)
.addCalledMethod(this);
Subtypes2 subtypes2 = AnalysisContext.currentAnalysisContext().getSubtypes2();
Set<ClassDescriptor> directSubtypes = subtypes2.getDirectSubtypes(getClassDescriptor());
if (!directSubtypes.isEmpty()) {
for (ClassDescriptor sub : directSubtypes) {
bug.addClass(sub).describe(ClassAnnotation.SUBCLASS_ROLE);
}
bug.setPriority(Priorities.HIGH_PRIORITY);
}
bugAccumulator.accumulateBug(bug, this);
}
} catch (ClassNotFoundException e) {
bugReporter.reportMissingClass(e);
}
}
}
Example #13
| Source Project: Android_Code_Arbiter Author: blackarbiter File: GeolocationDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
public void visitClassContext(ClassContext classContext) {
JavaClass javaClass = classContext.getJavaClass();
//The class extends WebChromeClient
boolean isWebChromeClient = InterfaceUtils.isSubtype(javaClass, "android.webkit.WebChromeClient");
//Not the target of this detector
if (!isWebChromeClient) {
return;
}
Method[] methodList = javaClass.getMethods();
for (Method m : methodList) {
if (DEBUG) {
System.out.println(">>> Method: " + m.getName());
}
//The presence of onGeolocationPermissionsShowPrompt is not enforce for the moment
if (!m.getName().equals("onGeolocationPermissionsShowPrompt")) {
continue;
}
//Since the logic implemented need to be analyze by a human, all implementation will be flagged.
bugReporter.reportBug(new BugInstance(this, ANDROID_GEOLOCATION_TYPE, Priorities.NORMAL_PRIORITY) //
.addClassAndMethod(javaClass, m));
}
}
Example #14
| Source Project: Android_Code_Arbiter Author: blackarbiter File: WebViewJavascriptEnabledDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
public void sawOpcode(int seen) {
//printOpCode(seen);
if (seen == Constants.INVOKEVIRTUAL && getClassConstantOperand().equals("android/webkit/WebSettings") &&
(getNameConstantOperand().equals("setJavaScriptEnabled") ||
getNameConstantOperand().equals("setAllowFileAccess") ||
getNameConstantOperand().equals("setAllowFileAccessFromFileURLs") ||
getNameConstantOperand().equals("setAllowUniversalAccessFromFileURLs"))) {
OpcodeStack.Item item = stack.getStackItem(0); //First item on the stack is the last
if(StackUtils.isConstantInteger(item)) {
Integer value = (Integer) item.getConstant();
if(value == null || value == 1) {
bugReporter.reportBug(new BugInstance(this, ANDROID_WEB_VIEW_JAVASCRIPT_TYPE, Priorities.NORMAL_PRIORITY) //
.addClass(this).addMethod(this).addSourceLine(this));
}
}
}
}
Example #15
| Source Project: Android_Code_Arbiter Author: blackarbiter File: XssServletDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.XSS_SAFE)) {
if(FindSecBugsGlobalConfig.getInstance().isReportPotentialXssWrongContext()) {
return Priorities.LOW_PRIORITY;
} else {
return Priorities.IGNORE_PRIORITY;
}
} else if (!taint.isSafe()
&& (taint.hasTag(Taint.Tag.QUOTE_ENCODED) || taint.hasTag(Taint.Tag.APOSTROPHE_ENCODED))
&& taint.hasTag(Taint.Tag.LT_ENCODED)) {
return Priorities.LOW_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #16
| Source Project: Android_Code_Arbiter Author: blackarbiter File: XssJspDetector.java License: GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.XSS_SAFE)) {
if(FindSecBugsGlobalConfig.getInstance().isReportPotentialXssWrongContext()) {
return Priorities.LOW_PRIORITY;
}
else {
return Priorities.IGNORE_PRIORITY;
}
} else if (!taint.isSafe()
&& (taint.hasTag(Taint.Tag.QUOTE_ENCODED) || taint.hasTag(Taint.Tag.APOSTROPHE_ENCODED))
&& taint.hasTag(Taint.Tag.LT_ENCODED)) {
return Priorities.LOW_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #17
| Source Project: graphviz-java Author: nidi3 File: CodeAnalysisTest.java License: Apache License 2.0 | 6 votes |
|
@Override
protected FindBugsResult analyzeFindBugs() {
final BugCollector collector = new BugCollector().minPriority(Priorities.NORMAL_PRIORITY)
.apply(FindBugsConfigs.dependencyTestIgnore(CodeAnalysisTest.class))
.because("It's examples", In.loc("ReadmeTest").ignore("DLS_DEAD_LOCAL_STORE"))
.because("GraphvizServer is on localhost",
In.locs("GraphvizServer", "GraphvizServerEngine")
.ignore("UNENCRYPTED_SERVER_SOCKET", "UNENCRYPTED_SOCKET"))
.because("It's ok",
In.loc("Datatype").ignore("NP_BOOLEAN_RETURN_NULL"),
In.loc("TempFiles").ignore("PATH_TRAVERSAL_IN", "RV_RETURN_VALUE_IGNORED_BAD_PRACTICE"),
In.loc("Options").ignore("URLCONNECTION_SSRF_FD"),
In.locs("BuiltInRasterizer#rasterize", "NopRasterizer", "PortSource").ignore("NP_NONNULL_RETURN_VIOLATION"),
In.loc("CommandLineExecutor").ignore("DM_DEFAULT_ENCODING"),
In.loc("GraphvizServer").ignore("COMMAND_INJECTION", "CRLF_INJECTION_LOGS"),
In.locs("AbstractGraphvizEngine", "Options", "GraphvizCmdLineEngine", "EngineTest", "SystemUtils", "Renderer").ignore("PATH_TRAVERSAL_IN"),
In.locs("EngineTest", "RendererTest", "EngineResult").ignore("RV_RETURN_VALUE_IGNORED_BAD_PRACTICE"),
In.loc("OptionsTest").ignore("DMI_HARDCODED_ABSOLUTE_FILENAME"),
In.loc("SimpleLabel").ignore("IM_BAD_CHECK_FOR_ODD"),
In.loc("JavascriptEngineTest").ignore("PREDICTABLE_RANDOM"),
In.loc("DatatypeTest").ignore("SIC_INNER_SHOULD_BE_STATIC"),
In.loc("Communicator").ignore("RR_NOT_CHECKED"));
return new FindBugsAnalyzer(AnalyzerConfig.maven().mainAndTest(), collector).analyze();
}
Example #18
| Source Project: spotbugs Author: spotbugs File: DumbMethods.java License: GNU Lesser General Public License v2.1 | 6 votes |
|
private void checkForCompatibleLongComparison(OpcodeStack.Item left, OpcodeStack.Item right) {
if (left.getSpecialKind() == Item.RESULT_OF_I2L && right.getConstant() != null) {
long value = ((Number) right.getConstant()).longValue();
if ((value > Integer.MAX_VALUE || value < Integer.MIN_VALUE)) {
int priority = Priorities.HIGH_PRIORITY;
if (value == Integer.MAX_VALUE + 1L || value == Integer.MIN_VALUE - 1L) {
priority = Priorities.NORMAL_PRIORITY;
}
String stringValue = IntAnnotation.getShortInteger(value) + "L";
if (value == 0xffffffffL) {
stringValue = "0xffffffffL";
} else if (value == 0x80000000L) {
stringValue = "0x80000000L";
}
accumulator.accumulateBug(new BugInstance(this, "INT_BAD_COMPARISON_WITH_INT_VALUE", priority).addClassAndMethod(this)
.addString(stringValue).describe(StringAnnotation.STRING_NONSTRING_CONSTANT_ROLE)
.addValueSource(left, this), this);
}
}
}
Example #19
| Source Project: spotbugs Author: spotbugs File: FindNonShortCircuitTest.java License: GNU Lesser General Public License v2.1 | 5 votes |
|
@Test
public void testBugTypeAndPriorityNullTestOld() {
check.sawDangerOld = true;
check.sawNullTestVeryOld = true;
BugInstance bug = check.createBugInstance();
assertEquals(FindNonShortCircuit.NS_NON_SHORT_CIRCUIT, bug.getType());
assertEquals(Priorities.HIGH_PRIORITY, bug.getPriority());
}
Example #20
| Source Project: Android_Code_Arbiter Author: blackarbiter File: SpringUnvalidatedRedirectDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException{
JavaClass clazz = classContext.getJavaClass();
ConstantPoolGen cpg = classContext.getConstantPoolGen();
CFG cfg = classContext.getCFG(m);
for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) {
Location loc = i.next();
Instruction inst = loc.getHandle().getInstruction();
if (inst instanceof INVOKEVIRTUAL) {
INVOKEVIRTUAL invoke = (INVOKEVIRTUAL)inst;
if( "java.lang.StringBuilder".equals(invoke.getClassName(cpg)) && "append".equals(invoke.getMethodName(cpg))) {
Instruction prev = loc.getHandle().getPrev().getInstruction();
if (prev instanceof LDC) {
LDC ldc = (LDC)prev;
Object value = ldc.getValue(cpg);
if (value instanceof String) {
String v = (String)value;
if ("redirect:".equals(v)) {
BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY);
bug.addClass(clazz).addMethod(clazz,m).addSourceLine(classContext,m,loc);
reporter.reportBug(bug);
}
}
}
}
}
}
}
Example #21
| Source Project: Android_Code_Arbiter Author: blackarbiter File: HttpResponseSplittingDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
protected int getPriority(Taint taint) {
boolean newLineSafe = taint.hasTag(Taint.Tag.CR_ENCODED) && taint.hasTag(Taint.Tag.LF_ENCODED);
if (!taint.isSafe() && newLineSafe || taint.hasTag(Taint.Tag.URL_ENCODED)) {
return Priorities.IGNORE_PRIORITY;
} else if (taint.isTainted()) {
return Priorities.NORMAL_PRIORITY;
} else if (!taint.isSafe()) {
return Priorities.LOW_PRIORITY;
} else {
return Priorities.IGNORE_PRIORITY;
}
}
Example #22
| Source Project: Android_Code_Arbiter Author: blackarbiter File: FormatStringManipulationDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
protected int getPriority(Taint taint) {
if (taint.isTainted()) {
return Priorities.NORMAL_PRIORITY;
}
else if (!taint.isSafe()) {
return Priorities.LOW_PRIORITY;
}
else {
return Priorities.IGNORE_PRIORITY;
}
}
Example #23
| Source Project: sputnik Author: TouK File: CollectorBugReporter.java License: Apache License 2.0 | 5 votes |
|
@NotNull
private Severity convert(int priority) {
switch (priority) {
case Priorities.IGNORE_PRIORITY:
return Severity.IGNORE;
case Priorities.EXP_PRIORITY:
case Priorities.LOW_PRIORITY:
case Priorities.NORMAL_PRIORITY:
return Severity.INFO;
case Priorities.HIGH_PRIORITY:
return Severity.WARNING;
default:
throw new IllegalArgumentException("Priority " + priority + " is not supported");
}
}
Example #24
| Source Project: Android_Code_Arbiter Author: blackarbiter File: HttpParameterPollutionDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && (taint.hasTag(Taint.Tag.HTTP_POLLUTION_SAFE) || taint.hasTag(Taint.Tag.URL_ENCODED))) {
return Priorities.IGNORE_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #25
| Source Project: Android_Code_Arbiter Author: blackarbiter File: CustomInjectionDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.CUSTOM_INJECTION_SAFE)) {
return Priorities.IGNORE_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #26
| Source Project: Android_Code_Arbiter Author: blackarbiter File: SqlInjectionDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.SQL_INJECTION_SAFE)) {
return Priorities.IGNORE_PRIORITY;
} else if (!taint.isSafe() && taint.hasTag(Taint.Tag.APOSTROPHE_ENCODED)) {
return Priorities.LOW_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #27
| Source Project: Android_Code_Arbiter Author: blackarbiter File: AndroidSqlInjectionDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.SQL_INJECTION_SAFE)) {
return Priorities.IGNORE_PRIORITY;
} else if (!taint.isSafe() && taint.hasTag(Taint.Tag.APOSTROPHE_ENCODED)) {
return Priorities.LOW_PRIORITY;
}
else {
return super.getPriority(taint);
}
}
Example #28
| Source Project: spotbugs Author: spotbugs File: InitializeNonnullFieldsInConstructor.java License: GNU Lesser General Public License v2.1 | 5 votes |
|
@Override
public void visit(Code code) {
boolean interesting = Const.CONSTRUCTOR_NAME.equals(getMethodName()) || Const.STATIC_INITIALIZER_NAME.equals(getMethodName());
if (!interesting) {
return;
}
secondaryConstructor = false;
HashSet<XField> needToInitialize = getMethod().isStatic() ? nonnullStaticFields : nonnullFields;
if (needToInitialize.isEmpty()) {
return;
}
// initialize any variables we want to initialize for the method
super.visit(code); // make callbacks to sawOpcode for all opcodes
if (!secondaryConstructor && !initializedFields.containsAll(needToInitialize)) {
int priority = Priorities.NORMAL_PRIORITY;
if (needToInitialize.size() - initializedFields.size() == 1 && needToInitialize.size() > 1) {
priority = Priorities.HIGH_PRIORITY;
}
for (XField f : needToInitialize) {
if (initializedFields.contains(f)) {
continue;
}
BugInstance b = new BugInstance(this, "NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR", priority)
.addClassAndMethod(this).addField(f);
bugReporter.reportBug(b);
}
}
initializedFields.clear();
}
Example #29
| Source Project: Android_Code_Arbiter Author: blackarbiter File: CommandInjectionDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
protected int getPriority(Taint taint) {
if (!taint.isSafe() && taint.hasTag(Taint.Tag.COMMAND_INJECTION_SAFE)) {
return Priorities.IGNORE_PRIORITY;
} else {
return super.getPriority(taint);
}
}
Example #30
| Source Project: Android_Code_Arbiter Author: blackarbiter File: StrutsValidatorFormDetector.java License: GNU Lesser General Public License v3.0 | 5 votes |
|
@Override
public void visitClassContext(ClassContext classContext) {
JavaClass javaClass = classContext.getJavaClass();
boolean isActionForm = InterfaceUtils.isSubtype(javaClass, "org.apache.struts.action.ActionForm");
boolean isValidatorForm = InterfaceUtils.isSubtype(javaClass, "org.apache.struts.validator.ValidatorForm");
boolean isDynaValidatorForm = InterfaceUtils.isSubtype(javaClass, "org.apache.struts.validator.DynaValidatorForm");
if (isActionForm && !(isValidatorForm || isDynaValidatorForm)) {
bugReporter.reportBug(new BugInstance(this, STRUTS_FORM_VALIDATION_TYPE, Priorities.NORMAL_PRIORITY) //
.addClass(javaClass) //
.addString("ActionForm"));
return;
}
if (!isValidatorForm && !isDynaValidatorForm) return; //Not form implementation
final String expectedSig = "(Lorg/apache/struts/action/ActionMapping;Ljavax/servlet/http/HttpServletRequest;)Lorg/apache/struts/action/ActionErrors;";
boolean validateMethodFound = false;
for (Method m : javaClass.getMethods()) {
if ("validate".equals(m.getName()) && expectedSig.equals(m.getSignature())) {
validateMethodFound = true;
}
}
//ValidatorForm without a validate method is just like a regular ActionForm
if (!validateMethodFound) {
bugReporter.reportBug(new BugInstance(this, STRUTS_FORM_VALIDATION_TYPE, Priorities.LOW_PRIORITY) //
.addClass(javaClass) //
.addString("ValidatorForm"));
}
}
