The following document contains the results of SpotBugs
SpotBugs Version is 4.7.1
Threshold is medium
Effort is default

Classes | Bugs | Errors | Missing Classes |
---|---|---|---|
57 | 25 | 0 | 11 |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
Found reliance on default encoding in org.restheart.Bootstrapper.loadConfiguration(): new java.io.FileReader(File) | I18N | DM_DEFAULT_ENCODING | 346 | High |
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 760 | Medium |
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 1085 | Medium |
This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 1087 | Medium |
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 1092 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
Unread field: org.restheart.Bootstrapper$Args.help | PERFORMANCE | URF_UNREAD_FIELD | 1131 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
new org.restheart.handlers.ContentStreamSinkConduit(StreamSinkConduit, HttpServerExchange) may expose internal representation by storing an externally mutable object into ContentStreamSinkConduit._next | MALICIOUS_CODE | EI_EXPOSE_REP2 | 58 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
new org.restheart.handlers.ModifiableContentSinkConduit(StreamSinkConduit, HttpServerExchange) may expose internal representation by storing an externally mutable object into ModifiableContentSinkConduit.exchange | MALICIOUS_CODE | EI_EXPOSE_REP2 | 68 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
Useless condition: it's known that logLevel >= 2 at this point | STYLE | UC_USELESS_CONDITION | 124 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
org.restheart.plugins.PluginsRegistryImpl.getGlobalSecurityPredicates() may expose internal representation by returning PluginsRegistryImpl.globalSecurityPredicates | MALICIOUS_CODE | EI_EXPOSE_REP | 360 | Medium |
org.restheart.plugins.PluginsRegistryImpl.getPermissionTransformers() may expose internal representation by returning PluginsRegistryImpl.permissionTransformers | MALICIOUS_CODE | EI_EXPOSE_REP | 192 | Medium |
Public static org.restheart.plugins.PluginsRegistryImpl.getInstance() may expose internal representation by returning PluginsRegistryImpl.HOLDER | MALICIOUS_CODE | MS_EXPOSE_REP | 91 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
new org.restheart.plugins.PluginsScanner$RuntimeClassGraph() creates a java.net.URLClassLoader classloader, which should be performed within a doPrivileged block | MALICIOUS_CODE | DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED | 205 | Medium |
This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 228 | Medium |
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 234 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
new org.restheart.security.handlers.AuthorizersHandler(Set, PipelinedHandler) may expose internal representation by storing an externally mutable object into AuthorizersHandler.authorizers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 52 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
new org.restheart.security.handlers.SecurityHandler(Set, Set, PluginRecord) may expose internal representation by storing an externally mutable object into SecurityHandler.authorizers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 86 | Medium |
new org.restheart.security.handlers.SecurityHandler(Set, Set, PluginRecord) may expose internal representation by storing an externally mutable object into SecurityHandler.mechanisms | MALICIOUS_CODE | EI_EXPOSE_REP2 | 85 | Medium |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
Found reliance on default encoding in org.restheart.services.PingService.handle(ByteArrayRequest, ByteArrayResponse): String.getBytes() | I18N | DM_DEFAULT_ENCODING | 60 | High |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
Hard coded reference to an absolute pathname in org.restheart.utils.FileUtils.<static initializer for FileUtils>() | STYLE | DMI_HARDCODED_ABSOLUTE_FILENAME | 65 | Medium |
Found reliance on default encoding in org.restheart.utils.FileUtils.createPidFile(Path): new java.io.FileWriter(File) | I18N | DM_DEFAULT_ENCODING | 182 | High |
Found reliance on default encoding in org.restheart.utils.FileUtils.getConfiguration(Path, Path, boolean): new java.io.FileReader(File) | I18N | DM_DEFAULT_ENCODING | 113 | High |
Found reliance on default encoding in org.restheart.utils.FileUtils.getPidFromFile(Path): new java.io.FileReader(File) | I18N | DM_DEFAULT_ENCODING | 191 | High |

Bug | Category | Details | Line | Priority |
---|---|---|---|---|
This usage of java/lang/ProcessBuilder.command([Ljava/lang/String;)Ljava/lang/ProcessBuilder; can be vulnerable to Command Injection | SECURITY | COMMAND_INJECTION | 76 | Medium |
org.restheart.utils.RESTHeartDaemon.daemonize() invokes System.exit(...), which shuts down the entire virtual machine | BAD_PRACTICE | DM_EXIT | 81 | Medium |