SpotBugs Report

Project Information

Project: ActiveMQ :: HTTP Protocol Support

SpotBugs version: 4.8.3

Code analyzed:



Metrics

2163 lines of code analyzed, in 50 classes, in 9 packages.

Metric                     Total   Density*
High Priority Warnings         0       0.00
Medium Priority Warnings      50      23.12
Total Warnings                50      23.12

(* Defects per Thousand lines of non-commenting source statements)



Summary

Warning Type                             Number
Bad practice Warnings                         8
Malicious code vulnerability Warnings        30
Multithreaded correctness Warnings            4
Performance Warnings                          5
Security Warnings                             1
Dodgy code Warnings                           2
Total                                        50

Warnings

Bad practice Warnings

Code Warning
Se Class org.apache.activemq.transport.http.HttpEmbeddedTunnelServlet defines non-transient non-serializable instance field broker
Se Class org.apache.activemq.transport.http.HttpEmbeddedTunnelServlet defines non-transient non-serializable instance field transportConnector
Se Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field clients
Se Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field listener
Se Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field transportFactory
Se Class org.apache.activemq.transport.http.HttpTunnelServlet defines non-transient non-serializable instance field wireFormat
Se Class org.apache.activemq.transport.ws.jetty9.WSServlet defines non-transient non-serializable instance field brokerService
Se Class org.apache.activemq.transport.ws.jetty9.WSServlet defines non-transient non-serializable instance field listener

Malicious code vulnerability Warnings

Code Warning
EI org.apache.activemq.transport.SocketConnectorFactory.getTransportOptions() may expose internal representation by returning SocketConnectorFactory.transportOptions
EI org.apache.activemq.transport.discovery.http.EmbeddedJettyServer.getAgent() may expose internal representation by returning EmbeddedJettyServer.agent
EI org.apache.activemq.transport.http.BlockingQueueTransport.getQueue() may expose internal representation by returning BlockingQueueTransport.queue
EI org.apache.activemq.transport.ws.AbstractMQTTSocket.getInactivityMonitor() may expose internal representation by returning AbstractMQTTSocket.mqttInactivityMonitor
EI org.apache.activemq.transport.ws.AbstractMQTTSocket.getPeerCertificates() may expose internal representation by returning AbstractMQTTSocket.peerCertificates
EI org.apache.activemq.transport.ws.AbstractMQTTSocket.getWireFormat() may expose internal representation by returning AbstractMQTTSocket.wireFormat
EI org.apache.activemq.transport.ws.AbstractStompSocket.getInactivityMonitor() may expose internal representation by returning AbstractStompSocket.stompInactivityMonitor
EI org.apache.activemq.transport.ws.AbstractStompSocket.getPeerCertificates() may expose internal representation by returning AbstractStompSocket.certificates
EI org.apache.activemq.transport.ws.AbstractStompSocket.getWireFormat() may expose internal representation by returning AbstractStompSocket.wireFormat
EI org.apache.activemq.transport.xstream.XStreamWireFormat.getXStream() may expose internal representation by returning XStreamWireFormat.xStream
EI2 new org.apache.activemq.transport.SecureSocketConnectorFactory(SslContext) may expose internal representation by storing an externally mutable object into SecureSocketConnectorFactory.context
EI2 new org.apache.activemq.transport.SecureSocketConnectorFactory(SslContextFactory) may expose internal representation by storing an externally mutable object into SecureSocketConnectorFactory.contextFactory
EI2 org.apache.activemq.transport.SocketConnectorFactory.setTransportOptions(Map) may expose internal representation by storing an externally mutable object into SocketConnectorFactory.transportOptions
EI2 org.apache.activemq.transport.discovery.http.EmbeddedJettyServer.setAgent(HTTPDiscoveryAgent) may expose internal representation by storing an externally mutable object into EmbeddedJettyServer.agent
EI2 new org.apache.activemq.transport.http.BlockingQueueTransport(BlockingQueue) may expose internal representation by storing an externally mutable object into BlockingQueueTransport.queue
EI2 org.apache.activemq.transport.ws.AbstractMQTTSocket.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into AbstractMQTTSocket.brokerService
EI2 org.apache.activemq.transport.ws.AbstractMQTTSocket.setPeerCertificates(X509Certificate[]) may expose internal representation by storing an externally mutable object into AbstractMQTTSocket.peerCertificates
EI2 org.apache.activemq.transport.ws.AbstractMQTTSocket.setTransportOptions(Map) may expose internal representation by storing an externally mutable object into AbstractMQTTSocket.transportOptions
EI2 org.apache.activemq.transport.ws.AbstractStompSocket.setPeerCertificates(X509Certificate[]) may expose internal representation by storing an externally mutable object into AbstractStompSocket.certificates
EI2 org.apache.activemq.transport.ws.StompWSConnection.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into StompWSConnection.connection
EI2 org.apache.activemq.transport.ws.WSTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSTransportFactory.brokerService
EI2 new org.apache.activemq.transport.ws.WSTransportProxy(String, Transport) may expose internal representation by storing an externally mutable object into WSTransportProxy.transport
EI2 org.apache.activemq.transport.ws.WSTransportProxy.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into WSTransportProxy.session
EI2 org.apache.activemq.transport.ws.WSTransportServer.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSTransportServer.brokerService
EI2 org.apache.activemq.transport.ws.jetty9.MQTTSocket.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into MQTTSocket.session
EI2 org.apache.activemq.transport.ws.jetty9.StompSocket.onWebSocketConnect(Session) may expose internal representation by storing an externally mutable object into StompSocket.session
EI2 org.apache.activemq.transport.ws.jetty9.WSServlet.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSServlet.brokerService
EI2 org.apache.activemq.transport.ws.jetty9.WSServlet.setTransportOptions(Map) may expose internal representation by storing an externally mutable object into WSServlet.transportOptions
EI2 org.apache.activemq.transport.wss.WSSTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into WSSTransportFactory.brokerService
EI2 org.apache.activemq.transport.xstream.XStreamWireFormat.setXStream(XStream) may expose internal representation by storing an externally mutable object into XStreamWireFormat.xStream

Multithreaded correctness Warnings

Code Warning
IS Inconsistent synchronization of org.apache.activemq.transport.discovery.http.HTTPDiscoveryAgent.registryURL; locked 60% of time
IS Inconsistent synchronization of org.apache.activemq.transport.ws.AbstractMQTTSocket.brokerService; locked 50% of time
IS Inconsistent synchronization of org.apache.activemq.transport.ws.AbstractMQTTSocket.transportOptions; locked 50% of time
VO Increment of volatile field org.apache.activemq.transport.http.HttpClientTransport.receiveCounter in org.apache.activemq.transport.http.HttpClientTransport.run()

Performance Warnings

Code Warning
SIC Should org.apache.activemq.transport.ws.jetty9.WSServlet$SubProtocol be a _static_ inner class?
SS Unread field: org.apache.activemq.transport.http.HttpTunnelServlet.requestTimeout; should this field be static?
SS Unread field: org.apache.activemq.transport.ws.WSTransportProxy.ORDERLY_CLOSE_TIMEOUT; should this field be static?
SS Unread field: org.apache.activemq.transport.ws.jetty9.MQTTSocket.ORDERLY_CLOSE_TIMEOUT; should this field be static?
SS Unread field: org.apache.activemq.transport.ws.jetty9.StompSocket.ORDERLY_CLOSE_TIMEOUT; should this field be static?

Security Warnings

Code Warning
XSS HTTP parameter written to Servlet error page in org.apache.activemq.transport.http.HttpTunnelServlet.createTransportChannel(HttpServletRequest, HttpServletResponse)

Dodgy code Warnings

Code Warning
BC Unchecked/unconfirmed cast from org.apache.activemq.command.DiscoveryEvent to org.apache.activemq.transport.discovery.http.HTTPDiscoveryAgent$SimpleDiscoveryEvent in org.apache.activemq.transport.discovery.http.HTTPDiscoveryAgent.serviceFailed(DiscoveryEvent)
RCN Redundant nullcheck of command, which is known to be non-null in org.apache.activemq.transport.xstream.XStreamWireFormat.marshalText(Object)

Details

BC_UNCONFIRMED_CAST: Unchecked/unconfirmed cast

This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.

EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object

This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.

IS2_INCONSISTENT_SYNC: Inconsistent synchronization

The fields of this class appear to be accessed inconsistently with respect to synchronization.  This bug report indicates that the bug pattern detector judged that

A typical bug matching this bug pattern is forgetting to synchronize one of the methods in a class that is intended to be thread-safe.

You can select the nodes labeled "Unsynchronized access" to show the code locations where the detector believed that a field was accessed without synchronization.

Note that there are various sources of inaccuracy in this detector; for example, the detector cannot statically detect all situations in which a lock is held.  Also, even when the detector is accurate in distinguishing locked vs. unlocked accesses, the code in question may still be correct.

RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE: Redundant nullcheck of value known to be non-null

This method contains a redundant check of a known non-null value against the constant null.

SIC_INNER_SHOULD_BE_STATIC: Should be a static inner class

This class is an inner class, but does not use its embedded reference to the object which created it.  This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary.  If possible, the class should be made static.

SS_SHOULD_BE_STATIC: Unread field: should this field be static?

This class contains an instance final field that is initialized to a compile-time static value. Consider making the field static.

SE_BAD_FIELD: Non-transient non-serializable instance field in serializable class

This Serializable class defines a non-primitive instance field which is neither transient, Serializable, nor java.lang.Object, and does not appear to implement the Externalizable interface or the readObject() and writeObject() methods. Objects of this class will not be deserialized correctly if a non-Serializable object is stored in this field.

VO_VOLATILE_INCREMENT: An increment to a volatile field isn't atomic

This code increments/decrements a volatile field. Increments/Decrements of volatile fields aren't atomic. If more than one thread is incrementing/decrementing the field at the same time, increments/decrements could be lost.

XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected cross site scripting vulnerability in error page

This code directly writes an HTTP parameter to a Server error page (using HttpServletResponse.sendError). Echoing this untrusted input allows for a reflected cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found any, you almost certainly have more cross site scripting vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.