forked from spotbugs/spotbugs
Permissions super #2
Open
baloghadamsoftware wants to merge 247 commits into master from PermissionsSuper
SEI CERT rule SEC07-J requires that the superclass's getPermissions() is called when writing a custom class loader. This method is defined in class java.net.URLClassLoader. Thus any class inheriting directly or indirectly from URLClassLoader and overriding its getPermissions() method must call the superclass's getPermissions() method in this method. It is not enough to just call it: the return value (an instance of java.security.PermissionCollection) must be initialized by calling the superclass's method instead of creating a new instance from scratch. This patch adds a new detector to check this rule.
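An added example of the three shapes the rule distinguishes (this is illustrative code written for this page, not the PR's detector or its test cases; the loader class names, the `file:/tmp/plugins/` URL and the property permission are assumed). The second loader is the case the PR text singles out: `super.getPermissions()` is called, but its result is thrown away, so the loaded classes still lose the permissions the superclass derived from the code source.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.io.FilePermission;
import java.util.PropertyPermission;

// Hypothetical loaders (not SpotBugs code), written to show what the new
// detector is meant to accept and reject.
public final class PermissionsSuperExample {

    // Noncompliant: a fresh collection replaces whatever the superclass would
    // have granted from the code source URL, so loaded classes run with exactly
    // this one permission and nothing else.
    static final class FreshCollectionLoader extends URLClassLoader {
        FreshCollectionLoader(URL[] urls) { super(urls); }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = new Permissions();
            pc.add(new PropertyPermission("example.plugin.config", "read"));
            return pc;
        }
    }

    // Still noncompliant: super.getPermissions() is called, but its result is
    // discarded and a new collection is returned instead.
    static final class CallsButDiscardsLoader extends URLClassLoader {
        CallsButDiscardsLoader(URL[] urls) { super(urls); }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            super.getPermissions(cs);            // result thrown away
            PermissionCollection pc = new Permissions();
            pc.add(new PropertyPermission("example.plugin.config", "read"));
            return pc;
        }
    }

    // Compliant: start from the superclass's collection and add to it.
    static final class CompliantLoader extends URLClassLoader {
        CompliantLoader(URL[] urls) { super(urls); }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = super.getPermissions(cs);
            pc.add(new PropertyPermission("example.plugin.config", "read"));
            return pc;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed location; nothing is actually loaded from it.
        URL[] urls = { new URL("file:/tmp/plugins/") };
        CodeSource cs = new CodeSource(urls[0], (java.security.cert.Certificate[]) null);

        try (CompliantLoader good = new CompliantLoader(urls);
             FreshCollectionLoader bad = new FreshCollectionLoader(urls);
             CallsButDiscardsLoader discards = new CallsButDiscardsLoader(urls)) {
            // URLClassLoader.getPermissions grants read access under a file: URL
            // that ends in a separator; only the compliant loader keeps it.
            FilePermission fromUrl = new FilePermission("/tmp/plugins/-", "read");
            System.out.println("compliant keeps URL read:     "
                    + good.getPermissions(cs).implies(fromUrl));
            System.out.println("fresh collection keeps it:    "
                    + bad.getPermissions(cs).implies(fromUrl));
            System.out.println("calls-but-discards keeps it:  "
                    + discards.getPermissions(cs).implies(fromUrl));
        }
    }
}
```

Two caveats for anyone applying the rule: the permissions a loader returns only take effect when a SecurityManager is installed, and the SecurityManager has been deprecated for removal since JDK 17 (JEP 411), so the check is most relevant to code bases that still run under one; and the detector as described looks at whether the returned collection originates from the superclass call, so a loader that calls `super.getPermissions()` purely for its side effects (as `CallsButDiscardsLoader` does) should be expected to be reported, not accepted.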
baloghadamsoftware force-pushed the PermissionsSuper branch from 9fda2df to 6ef3761 on June 2, 2021 11:58
Bumps [mockito-core](https://github.com/mockito/mockito) from 3.10.0 to 3.11.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v3.10.0...v3.11.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [gson](https://github.com/google/gson) from 2.8.6 to 2.8.7. - [Release notes](https://github.com/google/gson/releases) - [Changelog](https://github.com/google/gson/blob/master/CHANGELOG.md) - [Commits](google/gson@gson-parent-2.8.6...gson-parent-2.8.7) Signed-off-by: dependabot[bot] <[email protected]>
Bumps [spring-core](https://github.com/spring-projects/spring-framework) from 5.3.7 to 5.3.8. - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.3.7...v5.3.8) --- updated-dependencies: - dependency-name: org.springframework:spring-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps com.diffplug.spotless from 5.12.5 to 5.13.0. --- updated-dependencies: - dependency-name: com.diffplug.spotless dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps org.sonarqube from 3.2.0 to 3.3. --- updated-dependencies: - dependency-name: org.sonarqube dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Kengo TODA <[email protected]>
Bumps [mockito-core](https://github.com/mockito/mockito) from 3.11.0 to 3.11.1. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v3.11.0...v3.11.1) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Currently, the detector `FindReturnRef` which is responsible for bugs `EI_EXPOSE_REP`, `EI_EXPOSE_REP2`, `MS_EXPOSE_REP` and `EI_EXPOSE_STATIC_REP2` tracks the data on the top of the stack. However, this is not necessary in the current version of SpotBugs because the infrastructure already does this job more accurately. This patch removes the redundant tracking of the top of the stack and relies on the already existing infrastructure instead. This way the detector is able to find more true positives where returning of the private mutable attribute happens indirectly, e.g. by first assigning it to a local variable and then returning that local.
SEI CERT rule FIO05-J requires that buffers or their backing arrays should not be exposed by methods to untrusted code. This patch implements the check for such behavior in the already existing detector FindReturnRef. To make the error easier to understand for the user we did not reuse the existing messages but instead added new ones: EI_EXPOSE_BUF, MS_EXPOSE_BUF, EI_EXPOSE_BUF2 and EI_EXPOSE_STATIC_BUF.
…or message description.
Bumps [checker-qual](https://github.com/typetools/checker-framework) from 3.14.0 to 3.15.0. - [Release notes](https://github.com/typetools/checker-framework/releases) - [Changelog](https://github.com/typetools/checker-framework/blob/master/docs/CHANGELOG.md) - [Commits](typetools/checker-framework@checker-framework-3.14.0...checker-framework-3.15.0) --- updated-dependencies: - dependency-name: org.checkerframework:checker-qual dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps com.diffplug.spotless from 5.13.0 to 5.14.0. --- updated-dependencies: - dependency-name: com.diffplug.spotless dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [mockito-core](https://github.com/mockito/mockito) from 3.11.1 to 3.11.2. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v3.11.1...v3.11.2) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
* Improve FindReturnRef to also warn in case of shallow copied arrays Some programmers try to avoid returning mutable private members by returning their clones. However, in case of array the clone() method does a shallow-copy instead of a deep one. If the array members are of a mutable type, then we still return mutable private data. Similarly, when passing an array to a method, the method should clone its members one-by-one, if they are of a mutable type, instead of cloning (thus shallowly copying) the array itself. This patch improves the `FindReturnRef` detector to also issue `EI`, `EI2` and `MS` warnings in these cases. * Priority changed to low for the new error and debug printouts removed * Commit message removed and minor syntax simplification
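An added example covering the three `FindReturnRef` commits above (the indirect return through a local, the buffer and backing-array exposure of FIO05-J, and the shallow array clone). It is illustrative code written for this page, not SpotBugs code or one of the PR's test cases; the class and accessor names are assumed, and which accessor the detector reports is stated only as the commit messages describe it. Each exposing accessor is paired with a safe variant, and `main` shows the private state changing through the exposed references.

```java
import java.nio.ByteBuffer;
import java.nio.ReadOnlyBufferException;
import java.util.Date;

// Hypothetical class (not SpotBugs code) whose accessors show each pattern the
// reworked FindReturnRef is described as reporting, next to a safe variant.
public final class ExposureExample {
    private final byte[] key = {1, 2, 3, 4};
    private final ByteBuffer frame = ByteBuffer.wrap(new byte[] {9, 9, 9, 9});
    private final Date[] seen = { new Date(0L), new Date(1000L) };
    private byte[] stored;

    // EI_EXPOSE_REP: the private array itself escapes.
    public byte[] keyDirect() { return key; }

    // Same defect, but the reference goes through a local first; the commit
    // above says the detector now follows this instead of only the stack top.
    public byte[] keyViaLocal() {
        byte[] k = key;
        return k;
    }

    // EI_EXPOSE_BUF: the buffer's backing array is shared with the caller.
    public byte[] frameArray() { return frame.array(); }

    // EI_EXPOSE_BUF: duplicate() shares content with the private buffer.
    public ByteBuffer frameView() { return frame.duplicate(); }

    // Shallow copy: a new array, but the Date elements are the same mutable
    // objects, so the caller can still rewrite private state.
    public Date[] seenShallow() { return seen.clone(); }

    // EI_EXPOSE_REP2: storing the caller's array keeps a handle it controls.
    public void setStoredUnsafe(byte[] k) { stored = k; }
    public void setStoredSafe(byte[] k) { stored = k.clone(); }

    // Safe variants.
    public byte[] keyCopy() { return key.clone(); }              // primitives: clone is enough
    public ByteBuffer frameReadOnly() { return frame.asReadOnlyBuffer(); }
    public byte[] frameCopy() {
        byte[] out = new byte[frame.remaining()];
        frame.duplicate().get(out);                               // copy without moving position
        return out;
    }
    public Date[] seenDeep() {                                    // element-wise copy for mutable elements
        Date[] out = new Date[seen.length];
        for (int i = 0; i < seen.length; i++) {
            out[i] = new Date(seen[i].getTime());
        }
        return out;
    }

    public static void main(String[] args) {
        ExposureExample e = new ExposureExample();

        e.keyViaLocal()[0] = 42;            // private key[0] is now 42
        e.frameArray()[0] = 7;              // private frame byte 0 is now 7
        e.frameView().put(1, (byte) 8);     // private frame byte 1 is now 8
        e.seenShallow()[0].setTime(5L);     // private seen[0] is now epoch+5ms
        System.out.println("after exposing accessors: key[0]=" + e.key[0]
                + " frame[0]=" + e.frame.get(0) + " frame[1]=" + e.frame.get(1)
                + " seen[0]=" + e.seen[0].getTime());

        e.keyCopy()[0] = 0;                 // no effect on the private array
        e.frameCopy()[0] = 0;               // no effect on the private buffer
        e.seenDeep()[0].setTime(99L);       // no effect on the private Date
        try {
            e.frameReadOnly().put(0, (byte) 1);
        } catch (ReadOnlyBufferException ex) {
            System.out.println("read-only view rejected the write");
        }
        System.out.println("after safe accessors:     key[0]=" + e.key[0]
                + " frame[0]=" + e.frame.get(0) + " seen[0]=" + e.seen[0].getTime());
    }
}
```

Note that `asReadOnlyBuffer()` still shares content with the private buffer, so it protects against writes but not against the caller observing later changes; when the caller must get a snapshot, `frameCopy()` is the right shape.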
Bumps `asmVersion` from 9.1 to 9.2. Updates `asm` from 9.1 to 9.2 Updates `asm-analysis` from 9.1 to 9.2 Updates `asm-commons` from 9.1 to 9.2 Updates `asm-tree` from 9.1 to 9.2 Updates `asm-util` from 9.1 to 9.2 --- updated-dependencies: - dependency-name: org.ow2.asm:asm dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.ow2.asm:asm-analysis dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.ow2.asm:asm-commons dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.ow2.asm:asm-tree dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.ow2.asm:asm-util dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
This version contains several new features, so it should be minor release
According to https://issues.sonatype.org/browse/NEXUS-21802 Sonatype Nexus can handle sha256/sha512 checksum. oss.sonatype.org uses Sonatype Nexus version 2.14.20-02 and contains the fix.
java.io.FileInputStream.read() and java.io.FileReader.read() both return an integer. The value of this integer is -1 if the end of the stream is reached. Since FileInputStream reads bytes and FileReader reads characters their return value must be cast to these types. However, if the casting happens before the check for -1 then -1 becomes indistinguishable from 0xFF in case of FileInputStream and becomes Character.MAX_VALUE (the highest positive value of a character) in case of FileReader. SEI CERT rule FIO08-J describes these bugs in detail. This patch adds a new error message EOS_BAD_END_OF_STREAM_CHECK and a new detector (FindBadEndOfStreamCheck) which checks for this kind of error.
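An added example of the cast-before-check bug beside the correct ordering (illustrative code written for this page, not the detector or its test cases; the method names and the constructed inputs are assumed). It uses in-memory streams rather than FileInputStream/FileReader so it runs without files, but the `read()` contract is the same: an int in 0..255 or 0..65535, or -1 at end of stream.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.io.StringReader;

// Hypothetical routines (not SpotBugs code) showing the cast-before-check bug
// the new detector looks for, beside the correct ordering.
public final class EndOfStreamExample {

    // Noncompliant: the cast happens before the -1 test. A data byte 0xFF
    // becomes (byte) -1 and stops the loop early, so the caller cannot tell
    // "read 0xFF" from "hit end of stream".
    static int countBytesBad(InputStream in) throws IOException {
        int count = 0;
        byte b;
        while ((b = (byte) in.read()) != -1) {
            count++;
        }
        return count;
    }

    // Compliant: keep the int, test it, then narrow.
    static int countBytesGood(InputStream in) throws IOException {
        int count = 0;
        int r;
        while ((r = in.read()) != -1) {
            byte b = (byte) r;   // safe here: r is 0..255
            count++;
        }
        return count;
    }

    // Noncompliant for Reader: (char) -1 is '\uffff' (Character.MAX_VALUE);
    // char is unsigned, so the comparison with -1 can never be true and end
    // of stream is never detected. Reads one char, reports whether EOF was seen.
    static boolean sawEofBad(Reader in) throws IOException {
        char c = (char) in.read();
        return c == -1;          // always false
    }

    // Compliant counterpart: test the int first, then narrow.
    static boolean sawEofGood(Reader in) throws IOException {
        int r = in.read();
        if (r == -1) {
            return true;
        }
        char c = (char) r;       // a '\uffff' in the data is just data
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: three bytes, the middle one 0xFF.
        byte[] data = {0x01, (byte) 0xFF, 0x02};
        System.out.println("bad byte count:  " + countBytesBad(new ByteArrayInputStream(data)));
        System.out.println("good byte count: " + countBytesGood(new ByteArrayInputStream(data)));

        // Constructed input: an empty reader, i.e. immediate end of stream.
        System.out.println("bad sees EOF:    " + sawEofBad(new StringReader("")));
        System.out.println("good sees EOF:   " + sawEofGood(new StringReader("")));
    }
}
```

The byte variant fails silently by stopping early (data after the first 0xFF is dropped), while the char variant fails by never stopping: a loop written as `while ((c = (char) in.read()) != -1)` keeps reading -1 forever once the stream is exhausted, which is why the Reader form is the one most likely to surface as a hang in production.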
Bumps com.diffplug.spotless from 5.14.0 to 5.14.1. --- updated-dependencies: - dependency-name: com.diffplug.spotless dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
…LL_VALUE… (spotbugs#1575) * spotbugs#600: Fix false positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in Java 11 This should fix issue spotbugs#600 and spotbugs#1338. I also fixed the broken tests for spotbugs#259. * spotbugs#600: Factor out method
Bumps ant from 1.10.10 to 1.10.11. --- updated-dependencies: - dependency-name: org.apache.ant:ant dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [spring-core](https://github.com/spring-projects/spring-framework) from 5.3.8 to 5.3.9. - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.3.8...v5.3.9) --- updated-dependencies: - dependency-name: org.springframework:spring-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
this version introduces better checks for Log4j2 vulnerabilities https://docs.gradle.org/7.3.3/release-notes.html
…s#1892) * build(deps): bump com.diffplug.spotless from 5.17.1 to 6.1.0 Bumps com.diffplug.spotless from 5.17.1 to 6.1.0. --- updated-dependencies: - dependency-name: com.diffplug.spotless dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> * build: fix the version of Eclipse JDT to avoid IllegalArgumentException refs spotbugs#1892 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Kengo TODA <[email protected]>
The method ends with \u200b unicode character and Eclipse compiler assumes that this method can't override the visitBootstrapMethods defined in the org.apache.bcel.classfile.Visitor.visitBootstrapMethods(BootstrapMethods) Since this character is invisible, it was added by mistake and should be removed to allow SpotBugs compilation in Eclipse. This fixes issue spotbugs#1903.
Bumps com.github.spotbugs from 5.0.3 to 5.0.4. --- updated-dependencies: - dependency-name: com.github.spotbugs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps com.diffplug.spotless from 6.1.0 to 6.1.2. --- updated-dependencies: - dependency-name: com.diffplug.spotless dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [testng](https://github.com/cbeust/testng) from 7.4.0 to 7.5. - [Release notes](https://github.com/cbeust/testng/releases) - [Changelog](https://github.com/cbeust/testng/blob/master/CHANGES.txt) - [Commits](testng-team/testng@7.4.0...7.5) --- updated-dependencies: - dependency-name: org.testng:testng dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [checker-qual](https://github.com/typetools/checker-framework) from 3.21.0 to 3.21.1. - [Release notes](https://github.com/typetools/checker-framework/releases) - [Changelog](https://github.com/typetools/checker-framework/blob/master/docs/CHANGELOG.md) - [Commits](typetools/checker-framework@checker-framework-3.21.0...checker-framework-3.21.1) --- updated-dependencies: - dependency-name: org.checkerframework:checker-qual dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
This is related to issue spotbugs#1906
The only change except moving sources is to configure two unstable tests run before all other tests - this avoids the failure that can't be observed if running tests one by one. Fixes spotbugs#1914
Second part needed to fully fix spotbugs#1914 This project does not have tests anymore, so jacoco is not needed.
Bumps [junit](https://github.com/junit-team/junit4) from 4.13.1 to 4.13.2. - [Release notes](https://github.com/junit-team/junit4/releases) - [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.13.1.md) - [Commits](junit-team/junit4@r4.13.1...r4.13.2) --- updated-dependencies: - dependency-name: junit:junit dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps com.diffplug.spotless from 6.1.2 to 6.2.0. --- updated-dependencies: - dependency-name: com.diffplug.spotless dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [spring-core](https://github.com/spring-projects/spring-framework) from 5.3.14 to 5.3.15. - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.3.14...v5.3.15) --- updated-dependencies: - dependency-name: org.springframework:spring-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps com.gradle.enterprise from 3.8 to 3.8.1. --- updated-dependencies: - dependency-name: com.gradle.enterprise dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps com.github.spotbugs from 5.0.4 to 5.0.5. --- updated-dependencies: - dependency-name: com.github.spotbugs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close spotbugs#1868
- removed duplicated .classpath entries coming from various gradle compile configs in same project
- force spotbugs core & Eclipse build to use Java 1.8 (fixes spotbugs#1906)
- bumped Eclipse version to 4.12 (2019-06)
- changed spotbugs-annotations to force compilation on Java 1.5 to make sure clients using it in older projects still can consume it later after bumping global Java version in spotbugs
- fixed debugging spotbugs Eclipse plugin from Eclipse (spotbugs core classpath was broken at runtime)
Bumps [error_prone_annotations](https://github.com/google/error-prone) from 2.10.0 to 2.11.0. - [Release notes](https://github.com/google/error-prone/releases) - [Commits](google/error-prone@v2.10.0...v2.11.0) --- updated-dependencies: - dependency-name: com.google.errorprone:error_prone_annotations dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
baloghadamsoftware force-pushed the PermissionsSuper branch from 34fa022 to 254a636 on February 4, 2022 12:21
Make sure these boxes are checked before submitting your PR -- thank you!
- CHANGELOG.md if you have changed SpotBugs code