SpotBugs Report

Project Information

Project: ActiveMQ :: Shiro

SpotBugs version: 4.8.3

Code analyzed:



Metrics

855 lines of code analyzed, in 30 classes, in 7 packages.

Metric                    Total  Density*
High Priority Warnings           0.00
Medium Priority Warnings  25     29.24
Total Warnings            25     29.24

(* Defects per Thousand lines of non-commenting source statements)



Summary

Warning Type                           Number
Bad practice Warnings                  7
Malicious code vulnerability Warnings  17
Dodgy code Warnings                    1
Total                                  25

Warnings

Bad practice Warnings

Code Warning
CT Exception thrown in class org.apache.activemq.shiro.ConnectionReference at new org.apache.activemq.shiro.ConnectionReference(ConnectionContext, ConnectionInfo, Environment) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class org.apache.activemq.shiro.authz.DestinationAction at new org.apache.activemq.shiro.authz.DestinationAction(ConnectionContext, ActiveMQDestination, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class org.apache.activemq.shiro.env.IniEnvironment at new org.apache.activemq.shiro.env.IniEnvironment(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class org.apache.activemq.shiro.env.IniEnvironment at new org.apache.activemq.shiro.env.IniEnvironment(Ini) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class org.apache.activemq.shiro.subject.ConnectionSubjectResolver at new org.apache.activemq.shiro.subject.ConnectionSubjectResolver(ConnectionContext) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class org.apache.activemq.shiro.subject.ConnectionSubjectResolver at new org.apache.activemq.shiro.subject.ConnectionSubjectResolver(ConnectionReference) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class org.apache.activemq.shiro.subject.SubjectConnectionReference at new org.apache.activemq.shiro.subject.SubjectConnectionReference(ConnectionContext, ConnectionInfo, Environment, Subject) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Malicious code vulnerability Warnings

Code Warning
EI org.apache.activemq.shiro.ConnectionReference.getConnectionContext() may expose internal representation by returning ConnectionReference.connectionContext
EI org.apache.activemq.shiro.ConnectionReference.getConnectionInfo() may expose internal representation by returning ConnectionReference.connectionInfo
EI org.apache.activemq.shiro.ShiroPlugin.getAuthenticationFilter() may expose internal representation by returning ShiroPlugin.authenticationFilter
EI org.apache.activemq.shiro.ShiroPlugin.getAuthorizationFilter() may expose internal representation by returning ShiroPlugin.authorizationFilter
EI org.apache.activemq.shiro.ShiroPlugin.getSubjectFilter() may expose internal representation by returning ShiroPlugin.subjectFilter
EI org.apache.activemq.shiro.authz.DestinationAction.getConnectionContext() may expose internal representation by returning DestinationAction.connectionContext
EI org.apache.activemq.shiro.authz.DestinationAction.getDestination() may expose internal representation by returning DestinationAction.destination
EI2 new org.apache.activemq.shiro.ConnectionReference(ConnectionContext, ConnectionInfo, Environment) may expose internal representation by storing an externally mutable object into ConnectionReference.connectionContext
EI2 new org.apache.activemq.shiro.ConnectionReference(ConnectionContext, ConnectionInfo, Environment) may expose internal representation by storing an externally mutable object into ConnectionReference.connectionInfo
EI2 org.apache.activemq.shiro.ShiroPlugin.installPlugin(Broker) may expose internal representation by storing an externally mutable object into ShiroPlugin.broker
EI2 org.apache.activemq.shiro.ShiroPlugin.setAuthenticationFilter(AuthenticationFilter) may expose internal representation by storing an externally mutable object into ShiroPlugin.authenticationFilter
EI2 org.apache.activemq.shiro.ShiroPlugin.setAuthorizationFilter(AuthorizationFilter) may expose internal representation by storing an externally mutable object into ShiroPlugin.authorizationFilter
EI2 org.apache.activemq.shiro.ShiroPlugin.setSubjectFilter(SubjectFilter) may expose internal representation by storing an externally mutable object into ShiroPlugin.subjectFilter
EI2 new org.apache.activemq.shiro.authz.DestinationAction(ConnectionContext, ActiveMQDestination, String) may expose internal representation by storing an externally mutable object into DestinationAction.connectionContext
EI2 new org.apache.activemq.shiro.authz.DestinationAction(ConnectionContext, ActiveMQDestination, String) may expose internal representation by storing an externally mutable object into DestinationAction.destination
EI2 new org.apache.activemq.shiro.env.IniEnvironment(Ini) may expose internal representation by storing an externally mutable object into IniEnvironment.ini
EI2 org.apache.activemq.shiro.env.IniEnvironment.setIni(Ini) may expose internal representation by storing an externally mutable object into IniEnvironment.ini

Dodgy code Warnings

Code Warning
Eq org.apache.activemq.shiro.authz.ActiveMQWildcardPermission doesn't override org.apache.shiro.authz.permission.WildcardPermission.equals(Object)

Details

CT_CONSTRUCTOR_THROW: Be wary of letting constructors throw exceptions.

Classes that throw exceptions in their constructors are vulnerable to Finalizer attacks.

A finalizer attack can be prevented by declaring the class final, using an empty finalizer declared as final, or by a clever use of a private constructor.

See SEI CERT Rule OBJ-11 for more information.

EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object

This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.

EQ_DOESNT_OVERRIDE_EQUALS: Class doesn't override equals in superclass

This class extends a class that defines an equals method and adds fields, but doesn't define an equals method itself. Thus, equality on instances of this class will ignore the identity of the subclass and the added fields. Be sure this is what is intended, and that you don't need to override the equals method. Even if you don't need to override the equals method, consider overriding it anyway to document the fact that the equals method for the subclass just returns the result of invoking super.equals(o).