Project: ActiveMQ :: Shiro
SpotBugs version: 4.8.3
Code analyzed:
855 lines of code analyzed, in 30 classes, in 7 packages.
Metric | Total | Density* |
---|---|---|
High Priority Warnings | 0.00 | |
Medium Priority Warnings | 25 | 29.24 |
Total Warnings | 25 | 29.24 |

(* Defects per thousand lines of non-commenting source statements)

Warning Type | Number |
---|---|
Bad practice Warnings | 7 |
Malicious code vulnerability Warnings | 17 |
Dodgy code Warnings | 1 |
Total | 25 |

Bad practice Warnings:

Code | Warning |
---|---|
CT | Exception thrown in class org.apache.activemq.shiro.ConnectionReference at new org.apache.activemq.shiro.ConnectionReference(ConnectionContext, ConnectionInfo, Environment) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class org.apache.activemq.shiro.authz.DestinationAction at new org.apache.activemq.shiro.authz.DestinationAction(ConnectionContext, ActiveMQDestination, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class org.apache.activemq.shiro.env.IniEnvironment at new org.apache.activemq.shiro.env.IniEnvironment(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class org.apache.activemq.shiro.env.IniEnvironment at new org.apache.activemq.shiro.env.IniEnvironment(Ini) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class org.apache.activemq.shiro.subject.ConnectionSubjectResolver at new org.apache.activemq.shiro.subject.ConnectionSubjectResolver(ConnectionContext) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class org.apache.activemq.shiro.subject.ConnectionSubjectResolver at new org.apache.activemq.shiro.subject.ConnectionSubjectResolver(ConnectionReference) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class org.apache.activemq.shiro.subject.SubjectConnectionReference at new org.apache.activemq.shiro.subject.SubjectConnectionReference(ConnectionContext, ConnectionInfo, Environment, Subject) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |

Malicious code vulnerability Warnings:

Code | Warning |
---|---|
EI | org.apache.activemq.shiro.ConnectionReference.getConnectionContext() may expose internal representation by returning ConnectionReference.connectionContext |
EI | org.apache.activemq.shiro.ConnectionReference.getConnectionInfo() may expose internal representation by returning ConnectionReference.connectionInfo |
EI | org.apache.activemq.shiro.ShiroPlugin.getAuthenticationFilter() may expose internal representation by returning ShiroPlugin.authenticationFilter |
EI | org.apache.activemq.shiro.ShiroPlugin.getAuthorizationFilter() may expose internal representation by returning ShiroPlugin.authorizationFilter |
EI | org.apache.activemq.shiro.ShiroPlugin.getSubjectFilter() may expose internal representation by returning ShiroPlugin.subjectFilter |
EI | org.apache.activemq.shiro.authz.DestinationAction.getConnectionContext() may expose internal representation by returning DestinationAction.connectionContext |
EI | org.apache.activemq.shiro.authz.DestinationAction.getDestination() may expose internal representation by returning DestinationAction.destination |
EI2 | new org.apache.activemq.shiro.ConnectionReference(ConnectionContext, ConnectionInfo, Environment) may expose internal representation by storing an externally mutable object into ConnectionReference.connectionContext |
EI2 | new org.apache.activemq.shiro.ConnectionReference(ConnectionContext, ConnectionInfo, Environment) may expose internal representation by storing an externally mutable object into ConnectionReference.connectionInfo |
EI2 | org.apache.activemq.shiro.ShiroPlugin.installPlugin(Broker) may expose internal representation by storing an externally mutable object into ShiroPlugin.broker |
EI2 | org.apache.activemq.shiro.ShiroPlugin.setAuthenticationFilter(AuthenticationFilter) may expose internal representation by storing an externally mutable object into ShiroPlugin.authenticationFilter |
EI2 | org.apache.activemq.shiro.ShiroPlugin.setAuthorizationFilter(AuthorizationFilter) may expose internal representation by storing an externally mutable object into ShiroPlugin.authorizationFilter |
EI2 | org.apache.activemq.shiro.ShiroPlugin.setSubjectFilter(SubjectFilter) may expose internal representation by storing an externally mutable object into ShiroPlugin.subjectFilter |
EI2 | new org.apache.activemq.shiro.authz.DestinationAction(ConnectionContext, ActiveMQDestination, String) may expose internal representation by storing an externally mutable object into DestinationAction.connectionContext |
EI2 | new org.apache.activemq.shiro.authz.DestinationAction(ConnectionContext, ActiveMQDestination, String) may expose internal representation by storing an externally mutable object into DestinationAction.destination |
EI2 | new org.apache.activemq.shiro.env.IniEnvironment(Ini) may expose internal representation by storing an externally mutable object into IniEnvironment.ini |
EI2 | org.apache.activemq.shiro.env.IniEnvironment.setIni(Ini) may expose internal representation by storing an externally mutable object into IniEnvironment.ini |

Dodgy code Warnings:

Code | Warning |
---|---|
Eq | org.apache.activemq.shiro.authz.ActiveMQWildcardPermission doesn't override org.apache.shiro.authz.permission.WildcardPermission.equals(Object) |

CT: Classes that throw exceptions in their constructors are vulnerable to Finalizer attacks. A finalizer attack can be prevented by declaring the class final, using an empty finalizer declared as final, or by a clever use of a private constructor. See SEI CERT Rule OBJ-11 for more information.

EI: Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

EI2: This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.

Eq: This class extends a class that defines an equals method and adds fields, but doesn't define an equals method itself. Thus, equality on instances of this class will ignore the identity of the subclass and the added fields. Be sure this is what is intended, and that you don't need to override the equals method. Even if you don't need to override the equals method, consider overriding it anyway to document the fact that the equals method for the subclass just returns the result of invoking super.equals(o).