SpotBugs Report

Project Information

Project: ActiveMQ :: AMQP

SpotBugs version: 4.8.3

Code analyzed:



Metrics

3866 lines of code analyzed, in 90 classes, in 4 packages.

Metric Total Density*
High Priority Warnings 3 0.78
Medium Priority Warnings 54 13.97
Total Warnings 57 14.74

(* Defects per Thousand lines of non-commenting source statements)



Summary

Warning Type Number
Bad practice Warnings 4
Internationalization Warnings 1
Malicious code vulnerability Warnings 37
Performance Warnings 2
Dodgy code Warnings 13
Total 57

Warnings

Bad practice Warnings

Code Warning
CT Exception thrown in class org.apache.activemq.transport.amqp.AmqpHeader at new org.apache.activemq.transport.amqp.AmqpHeader(Buffer) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class org.apache.activemq.transport.amqp.AmqpHeader at new org.apache.activemq.transport.amqp.AmqpHeader(Buffer, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
DE org.apache.activemq.transport.amqp.protocol.AmqpConnection.onAMQPException(IOException) might ignore java.lang.Exception
OS org.apache.activemq.transport.amqp.protocol.AmqpConnection.<static initializer for AmqpConnection>() may fail to close stream

Internationalization Warnings

Code Warning
Dm Found reliance on default encoding in org.apache.activemq.transport.amqp.protocol.AmqpConnection.<static initializer for AmqpConnection>(): new java.io.InputStreamReader(InputStream)

Malicious code vulnerability Warnings

Code Warning
EI org.apache.activemq.transport.amqp.AmqpFrameParser.getWireFormat() may expose internal representation by returning AmqpFrameParser.wireFormat
EI org.apache.activemq.transport.amqp.AmqpHeader.getBuffer() may expose internal representation by returning AmqpHeader.buffer
EI org.apache.activemq.transport.amqp.AmqpInactivityMonitor.getAmqpTransport() may expose internal representation by returning AmqpInactivityMonitor.amqpTransport
EI org.apache.activemq.transport.amqp.AmqpTransportFilter.getInactivityMonitor() may expose internal representation by returning AmqpTransportFilter.monitor
EI org.apache.activemq.transport.amqp.AmqpTransportFilter.getWireFormat() may expose internal representation by returning AmqpTransportFilter.wireFormat
EI org.apache.activemq.transport.amqp.AmqpWSTransport.getPeerCertificates() may expose internal representation by returning AmqpWSTransport.certificates
EI org.apache.activemq.transport.amqp.message.AmqpWritableBuffer.getArray() may expose internal representation by returning AmqpWritableBuffer.buffer
EI org.apache.activemq.transport.amqp.protocol.AmqpAbstractLink.getEndpoint() may expose internal representation by returning AmqpAbstractLink.endpoint
EI org.apache.activemq.transport.amqp.protocol.AmqpConnection.getConnectionId() may expose internal representation by returning AmqpConnection.connectionId
EI org.apache.activemq.transport.amqp.protocol.AmqpSession.getConnection() may expose internal representation by returning AmqpSession.connection
EI org.apache.activemq.transport.amqp.protocol.AmqpSession.getEndpoint() may expose internal representation by returning AmqpSession.protonSession
EI org.apache.activemq.transport.amqp.protocol.AmqpSession.getSessionId() may expose internal representation by returning AmqpSession.sessionId
EI org.apache.activemq.transport.amqp.sasl.AmqpAuthenticator.getSupportedMechanisms() may expose internal representation by returning AmqpAuthenticator.mechanisms
EI2 org.apache.activemq.transport.amqp.AmqpFrameParser.setWireFormat(AmqpWireFormat) may expose internal representation by storing an externally mutable object into AmqpFrameParser.wireFormat
EI2 org.apache.activemq.transport.amqp.AmqpInactivityMonitor.setAmqpTransport(AmqpTransport) may expose internal representation by storing an externally mutable object into AmqpInactivityMonitor.amqpTransport
EI2 org.apache.activemq.transport.amqp.AmqpNioTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into AmqpNioTransportFactory.brokerService
EI2 new org.apache.activemq.transport.amqp.AmqpProtocolDiscriminator(AmqpTransport, BrokerService) may expose internal representation by storing an externally mutable object into AmqpProtocolDiscriminator.brokerService
EI2 new org.apache.activemq.transport.amqp.AmqpProtocolDiscriminator(AmqpTransport, BrokerService) may expose internal representation by storing an externally mutable object into AmqpProtocolDiscriminator.transport
EI2 org.apache.activemq.transport.amqp.AmqpSslTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into AmqpSslTransportFactory.brokerService
EI2 org.apache.activemq.transport.amqp.AmqpTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into AmqpTransportFactory.brokerService
EI2 new org.apache.activemq.transport.amqp.AmqpTransportFilter(Transport, WireFormat, BrokerService) may expose internal representation by storing an externally mutable object into AmqpTransportFilter.wireFormat
EI2 org.apache.activemq.transport.amqp.AmqpTransportFilter.setInactivityMonitor(AmqpInactivityMonitor) may expose internal representation by storing an externally mutable object into AmqpTransportFilter.monitor
EI2 org.apache.activemq.transport.amqp.AmqpWSTransport.setPeerCertificates(X509Certificate[]) may expose internal representation by storing an externally mutable object into AmqpWSTransport.certificates
EI2 org.apache.activemq.transport.amqp.AmqpWSTransportFactory.setBrokerService(BrokerService) may expose internal representation by storing an externally mutable object into AmqpWSTransportFactory.brokerService
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpAbstractLink(AmqpSession, Link) may expose internal representation by storing an externally mutable object into AmqpAbstractLink.endpoint
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpConnection(AmqpTransport, BrokerService) may expose internal representation by storing an externally mutable object into AmqpConnection.amqpTransport
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpConnection(AmqpTransport, BrokerService) may expose internal representation by storing an externally mutable object into AmqpConnection.brokerService
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpReceiver(AmqpSession, Receiver, ProducerInfo) may expose internal representation by storing an externally mutable object into AmqpReceiver.producerInfo
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpSender(AmqpSession, Sender, ConsumerInfo) may expose internal representation by storing an externally mutable object into AmqpSender.consumerInfo
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpSession(AmqpConnection, SessionId, Session) may expose internal representation by storing an externally mutable object into AmqpSession.connection
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpSession(AmqpConnection, SessionId, Session) may expose internal representation by storing an externally mutable object into AmqpSession.protonSession
EI2 new org.apache.activemq.transport.amqp.protocol.AmqpSession(AmqpConnection, SessionId, Session) may expose internal representation by storing an externally mutable object into AmqpSession.sessionId
EI2 new org.apache.activemq.transport.amqp.sasl.AmqpAuthenticator(AmqpTransport, Sasl, BrokerService) may expose internal representation by storing an externally mutable object into AmqpAuthenticator.brokerService
EI2 new org.apache.activemq.transport.amqp.sasl.AmqpAuthenticator(AmqpTransport, Sasl, BrokerService) may expose internal representation by storing an externally mutable object into AmqpAuthenticator.sasl
EI2 new org.apache.activemq.transport.amqp.sasl.AmqpAuthenticator(AmqpTransport, Sasl, BrokerService) may expose internal representation by storing an externally mutable object into AmqpAuthenticator.transport
MS org.apache.activemq.transport.amqp.AmqpSupport.JMS_SELECTOR_FILTER_IDS is a mutable array
MS org.apache.activemq.transport.amqp.AmqpSupport.NO_LOCAL_FILTER_IDS is a mutable array

Performance Warnings

Code Warning
Bx Boxed value is unboxed and then immediately reboxed in org.apache.activemq.transport.amqp.message.JMSMappingOutboundTransformer.transform(ActiveMQMessage)
SIC Should org.apache.activemq.transport.amqp.sasl.AmqpAuthenticator$DefaultAuthenticationBroker be a static inner class?

Dodgy code Warnings

Code Warning
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpConnection.onActiveMQCommand(Command)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpConnection$2.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpConnection$4.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpConnection$5.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpReceiver$2.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpSender$3.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpSender$4.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpSession$3.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpSession$5.onResponse(AmqpProtocolConverter, Response)
BC Unchecked/unconfirmed cast from org.apache.activemq.command.Response to org.apache.activemq.command.ExceptionResponse in org.apache.activemq.transport.amqp.protocol.AmqpTransactionCoordinator$1.onResponse(AmqpProtocolConverter, Response)
REC Exception is caught when Exception is not thrown in org.apache.activemq.transport.amqp.message.AmqpMessageSupport.getBinaryFromMessageBody(ActiveMQObjectMessage)
REC Exception is caught when Exception is not thrown in org.apache.activemq.transport.amqp.message.AmqpMessageSupport.getBinaryFromMessageBody(ActiveMQTextMessage)
REC Exception is caught when Exception is not thrown in org.apache.activemq.transport.amqp.protocol.AmqpSender.pumpOutbound()

Details

BC_UNCONFIRMED_CAST: Unchecked/unconfirmed cast

This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.

BX_UNBOXING_IMMEDIATELY_REBOXED: Boxed value is unboxed and then immediately reboxed

A boxed value is unboxed and then immediately reboxed.

CT_CONSTRUCTOR_THROW: Be wary of letting constructors throw exceptions.

Classes that throw exceptions in their constructors are vulnerable to Finalizer attacks.

A finalizer attack can be prevented by declaring the class final, by using an empty finalizer declared as final, or by a clever use of a private constructor.

See SEI CERT Rule OBJ-11 for more information.

DE_MIGHT_IGNORE: Method might ignore exception

This method might ignore an exception.  In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.

DM_DEFAULT_ENCODING: Reliance on default encoding

Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behavior to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.

EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object

This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.

MS_MUTABLE_ARRAY: Field is a mutable array

A final static field references an array and can be accessed by malicious code or by accident from another package. This code can freely modify the contents of the array.

OS_OPEN_STREAM: Method may fail to close stream

The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method.  This may result in a file descriptor leak.  It is generally a good idea to use a finally block to ensure that streams are closed.

REC_CATCH_EXCEPTION: Exception is caught when Exception is not thrown

This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.

A better approach is either to catch the specific exceptions that are thrown, or to catch RuntimeException explicitly, rethrow it, and then catch all non-runtime exceptions, as shown below:

try {
    ...
} catch (RuntimeException e) {
    throw e;
} catch (Exception e) {
    ... deal with all non-runtime exceptions ...
}

SIC_INNER_SHOULD_BE_STATIC: Should be a static inner class

This class is an inner class, but does not use its embedded reference to the object which created it.  This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary.  If possible, the class should be made static.