Project: ActiveMQ :: HTTP Protocol Support
SpotBugs version: 4.8.3
Code analyzed:
2163 lines of code analyzed, in 50 classes, in 9 packages.
Metric | Total | Density* |
---|---|---|
High Priority Warnings | 0.00 | |
Medium Priority Warnings | 50 | 23.12 |
Total Warnings | 50 | 23.12 |
(* Defects per Thousand lines of non-commenting source statements)
Warning Type | Number |
---|---|
Bad practice Warnings | 8 |
Malicious code vulnerability Warnings | 30 |
Multithreaded correctness Warnings | 4 |
Performance Warnings | 5 |
Security Warnings | 1 |
Dodgy code Warnings | 2 |
Total | 50 |
Bad practice Warnings

Code | Warning |
---|---|
Se | Class org.apache.activemq.transport.http.HttpEmbeddedTunnelServlet defines non-transient non-serializable instance field broker |
Se | Class org.apache.activemq.transport.http.HttpEmbeddedTunnelServlet defines non-transient non-serializable instance field transportConnector |
Se | Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field clients |
Se | Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field listener |
Se | Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field transportFactory |
Se | Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field wireFormat |
Se | Class org.apache.activemq.transport.ws.jetty9.WSServlet defines non-transient non-serializable instance field brokerService |
Se | Class org.apache.activemq.transport.ws.jetty9.WSServlet defines non-transient non-serializable instance field listener |
Malicious code vulnerability Warnings

Code | Warning |
---|---|
EI | org.apache.activemq.transport.SocketConnectorFactory.getTransportOptions() may expose internal representation by returning SocketConnectorFactory.transportOptions |
EI | org.apache.activemq.transport.discovery.http.EmbeddedJettyServer.getAgent() may expose internal representation by returning EmbeddedJettyServer.agent |
EI | org.apache.activemq.transport.http.BlockingQueueTransport.getQueue() may expose internal representation by returning BlockingQueueTransport.queue |
EI | org.apache.activemq.transport.ws.AbstractMQTTSocket.getInactivityMonitor() may expose internal representation by returning AbstractMQTTSocket.mqttInactivityMonitor |
EI | org.apache.activemq.transport.ws.AbstractMQTTSocket.getPeerCertificates() may expose internal representation by returning AbstractMQTTSocket.peerCertificates |
EI | org.apache.activemq.transport.ws.AbstractMQTTSocket.getWireFormat() may expose internal representation by returning AbstractMQTTSocket.wireFormat |
EI | org.apache.activemq.transport.ws.AbstractStompSocket.getInactivityMonitor() may expose internal representation by returning AbstractStompSocket.stompInactivityMonitor |
EI | org.apache.activemq.transport.ws.AbstractStompSocket.getPeerCertificates() may expose internal representation by returning AbstractStompSocket.certificates |
EI | org.apache.activemq.transport.ws.AbstractStompSocket.getWireFormat() may expose internal representation by returning AbstractStompSocket.wireFormat |
EI | org.apache.activemq.transport.xstream.XStreamWireFormat.getXStream() may expose internal representation by returning XStreamWireFormat.xStream |
EI2 | new org.apache.activemq.transport.SecureSocketConnectorFactory(SslContext) may expose internal representation by storing an externally mutable object into SecureSocketConnectorFactory.context |
EI2 | new org.apache.activemq.transport.SecureSocketConnectorFactory(SslContextFactory) may expose internal representation by storing an externally mutable object into SecureSocketConnectorFactory.contextFactory |
EI2 | org.apache.activemq.transport.SocketConnectorFactory.setTransportOptions(Map) may expose internal representation by storing an externally mutable object into SocketConnectorFactory.transportOptions |
EI2 | org.apache.activemq.transport.discovery.http.EmbeddedJettyServer.setAgent(HTTPDiscoveryAgent) may expose internal representation by storing an externally mutable object into EmbeddedJettyServer.agent |
EI2 | new org.apache.activemq.transport.http.BlockingQueueTransport(BlockingQueue) may expose internal representation by storing an externally mutable object into BlockingQueueTransport.queue |
EI2 | org.apache.activemq.transport.ws.AbstractMQTTSocket.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into AbstractMQTTSocket.brokerService |
EI2 | org.apache.activemq.transport.ws.AbstractMQTTSocket.setPeerCertificates(X509Certificate[]) may expose internal representation by storing an externally mutable object into AbstractMQTTSocket.peerCertificates |
EI2 | org.apache.activemq.transport.ws.AbstractMQTTSocket.setTransportOptions(Map) may expose internal representation by storing an externally mutable object into AbstractMQTTSocket.transportOptions |
EI2 | org.apache.activemq.transport.ws.AbstractStompSocket.setPeerCertificates(X509Certificate[]) may expose internal representation by storing an externally mutable object into AbstractStompSocket.certificates |
EI2 | org.apache.activemq.transport.ws.StompWSConnection.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into StompWSConnection.connection |
EI2 | org.apache.activemq.transport.ws.WSTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSTransportFactory.brokerService |
EI2 | new org.apache.activemq.transport.ws.WSTransportProxy(String, Transport) may expose internal representation by storing an externally mutable object into WSTransportProxy.transport |
EI2 | org.apache.activemq.transport.ws.WSTransportProxy.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into WSTransportProxy.session |
EI2 | org.apache.activemq.transport.ws.WSTransportServer.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSTransportServer.brokerService |
EI2 | org.apache.activemq.transport.ws.jetty9.MQTTSocket.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into MQTTSocket.session |
EI2 | org.apache.activemq.transport.ws.jetty9.StompSocket.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into StompSocket.session |
EI2 | org.apache.activemq.transport.ws.jetty9.WSServlet.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSServlet.brokerService |
EI2 | org.apache.activemq.transport.ws.jetty9.WSServlet.setTransportOptions(Map) may expose internal representation by storing an externally mutable object into WSServlet.transportOptions |
EI2 | org.apache.activemq.transport.wss.WSSTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSSTransportFactory.brokerService |
EI2 | org.apache.activemq.transport.xstream.XStreamWireFormat.setXStream(XStream) may expose internal representation by storing an externally mutable object into XStreamWireFormat.xStream |
Multithreaded correctness Warnings

Code | Warning |
---|---|
IS | Inconsistent synchronization of org.apache.activemq.transport.discovery.http.HTTPDiscoveryAgent.registryURL; locked 60% of time |
IS | Inconsistent synchronization of org.apache.activemq.transport.ws.AbstractMQTTSocket.brokerService; locked 50% of time |
IS | Inconsistent synchronization of org.apache.activemq.transport.ws.AbstractMQTTSocket.transportOptions; locked 50% of time |
VO | Increment of volatile field org.apache.activemq.transport.http.HttpClientTransport.receiveCounter in org.apache.activemq.transport.http.HttpClientTransport.run() |
Performance Warnings

Code | Warning |
---|---|
SIC | Should org.apache.activemq.transport.ws.jetty9.WSServlet$SubProtocol be a _static_ inner class? |
SS | Unread field: org.apache.activemq.transport.http.HttpTunnelServlet.requestTimeout; should this field be static? |
SS | Unread field: org.apache.activemq.transport.ws.WSTransportProxy.ORDERLY_CLOSE_TIMEOUT; should this field be static? |
SS | Unread field: org.apache.activemq.transport.ws.jetty9.MQTTSocket.ORDERLY_CLOSE_TIMEOUT; should this field be static? |
SS | Unread field: org.apache.activemq.transport.ws.jetty9.StompSocket.ORDERLY_CLOSE_TIMEOUT; should this field be static? |
Security Warnings

Code | Warning |
---|---|
XSS | HTTP parameter written to Servlet error page in org.apache.activemq.transport.http.HttpTunnelServlet.createTransportChannel(HttpServletRequest, HttpServletResponse) |
Dodgy code Warnings

Code | Warning |
---|---|
BC | Unchecked/unconfirmed cast from org.apache.activemq.command.DiscoveryEvent to org.apache.activemq.transport.discovery.http.HTTPDiscoveryAgent$SimpleDiscoveryEvent in org.apache.activemq.transport.discovery.http.HTTPDiscoveryAgent.serviceFailed(DiscoveryEvent) |
RCN | Redundant nullcheck of command, which is known to be non-null in org.apache.activemq.transport.xstream.XStreamWireFormat.marshalText(Object) |
BC: This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
EI: Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

EI2: This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.
IS: The fields of this class appear to be accessed inconsistently with respect to synchronization. This bug report indicates that the bug pattern detector judged that
A typical bug matching this bug pattern is forgetting to synchronize one of the methods in a class that is intended to be thread-safe.
You can select the nodes labeled "Unsynchronized access" to show the code locations where the detector believed that a field was accessed without synchronization.
Note that there are various sources of inaccuracy in this detector; for example, the detector cannot statically detect all situations in which a lock is held. Also, even when the detector is accurate in distinguishing locked vs. unlocked accesses, the code in question may still be correct.
RCN: This method contains a redundant check of a known non-null value against the constant null.
SIC: This class is an inner class, but does not use its embedded reference to the object which created it. This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary. If possible, the class should be made static.
SS: This class contains an instance final field that is initialized to a compile-time static value. Consider making the field static.
Se: This Serializable class defines a non-primitive instance field which is neither transient, Serializable, or java.lang.Object, and does not appear to implement the Externalizable interface or the readObject() and writeObject() methods. Objects of this class will not be deserialized correctly if a non-Serializable object is stored in this field.
VO: This code increments/decrements a volatile field. Increments/decrements of volatile fields aren't atomic. If more than one thread is incrementing/decrementing the field at the same time, increments/decrements could be lost.
XSS: This code directly writes an HTTP parameter to a Server error page (using HttpServletResponse.sendError). Echoing this untrusted input allows for a reflected cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found any, you almost certainly have more cross site scripting vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.