Fork me on GitHub

SpotBugs Bug Detector Report

The following document contains the results of SpotBugs

SpotBugs Version is 4.8.6

Threshold is medium

Effort is default

Summary

Classes Bugs Errors Missing Classes
237 79 0 9

Files

Class Bugs
org.apache.rat.Defaults 1
org.apache.rat.Defaults$Builder 2
org.apache.rat.OptionCollection 2
org.apache.rat.ReportConfiguration 2
org.apache.rat.ReportConfiguration$NoCloseOutputStream 1
org.apache.rat.Reporter 5
org.apache.rat.analysis.HeaderCheckWorker 3
org.apache.rat.analysis.license.SimplePatternBasedLicense 2
org.apache.rat.analysis.matchers.CopyrightMatcher 2
org.apache.rat.analysis.matchers.SimpleTextMatcher 2
org.apache.rat.annotation.AbstractLicenseAppender 2
org.apache.rat.api.Document 1
org.apache.rat.commandline.Arg 3
org.apache.rat.commandline.ArgumentContext 4
org.apache.rat.commandline.Converters$FileConverter 2
org.apache.rat.commandline.StyleSheets 1
org.apache.rat.config.exclusion.ExclusionUtils 2
org.apache.rat.config.exclusion.fileProcessors.CVSIgnoreBuilder 1
org.apache.rat.config.exclusion.plexus.MatchPattern 2
org.apache.rat.config.parameters.Description 3
org.apache.rat.config.results.ClaimValidator 1
org.apache.rat.configuration.MatcherBuilderTracker 1
org.apache.rat.configuration.XMLConfigurationReader 3
org.apache.rat.configuration.XMLConfigurationWriter 1
org.apache.rat.configuration.builders.ChildContainerBuilder 1
org.apache.rat.configuration.builders.MatcherRefBuilder 1
org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy 1
org.apache.rat.document.ArchiveEntryDocument 1
org.apache.rat.document.ArchiveEntryName 2
org.apache.rat.document.DocumentName 2
org.apache.rat.document.DocumentNameMatcher$FileFilterPredicate 1
org.apache.rat.header.HeaderMatcher 1
org.apache.rat.help.Help 1
org.apache.rat.help.Licenses 1
org.apache.rat.license.SimpleLicense$Builder 1
org.apache.rat.mp.AbstractRatMojo 1
org.apache.rat.mp.RatCheckMojo 2
org.apache.rat.mp.RatReportMojo 4
org.apache.rat.mp.Regex 2
org.apache.rat.plugin.HelpMojo 1
org.apache.rat.report.ConfigurationReport 1
org.apache.rat.report.claim.ClaimReporterMultiplexer 1
org.apache.rat.report.claim.LicenseAddingReport 1
org.apache.rat.report.xml.writer.XmlWriter 1
org.apache.rat.utils.DefaultLog 1
org.apache.rat.utils.Log 1
org.apache.rat.utils.ReportingSet 1

org.apache.rat.Defaults

Bug Category Details Line Priority
org.apache.rat.Defaults.getLicenseSetFactory() may expose internal representation by returning Defaults.setFactory MALICIOUS_CODE EI_EXPOSE_REP 147 Medium

org.apache.rat.Defaults$Builder

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 191 Medium
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 220 Medium

org.apache.rat.OptionCollection

Bug Category Details Line Priority
Found reliance on default encoding in org.apache.rat.OptionCollection.parseCommands(File, String[], Consumer, boolean): new java.io.PrintWriter(OutputStream) I18N DM_DEFAULT_ENCODING 179 High
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 220 Medium

org.apache.rat.ReportConfiguration

Bug Category Details Line Priority
org.apache.rat.ReportConfiguration.getClaimValidator() may expose internal representation by returning ReportConfiguration.claimValidator MALICIOUS_CODE EI_EXPOSE_REP 804 Medium
org.apache.rat.ReportConfiguration.getLicenseSetFactory() may expose internal representation by returning ReportConfiguration.licenseSetFactory MALICIOUS_CODE EI_EXPOSE_REP 812 Medium

org.apache.rat.ReportConfiguration$NoCloseOutputStream

Bug Category Details Line Priority
new org.apache.rat.ReportConfiguration$NoCloseOutputStream(OutputStream) may expose internal representation by storing an externally mutable object into ReportConfiguration$NoCloseOutputStream.delegate MALICIOUS_CODE EI_EXPOSE_REP2 845 Medium

org.apache.rat.Reporter

Bug Category Details Line Priority
new org.apache.rat.Reporter(ReportConfiguration) may expose internal representation by storing an externally mutable object into Reporter.configuration MALICIOUS_CODE EI_EXPOSE_REP2 74 Medium
A malicious XSLT could be provided to trigger remote code execution SECURITY MALICIOUS_XSLT 144 Medium
The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks SECURITY XXE_DOCUMENT 99 Medium
The use of TransformerFactory.newInstance(...) (TransformerFactory) is vulnerable to XML External Entity attacks SECURITY XXE_DTD_TRANSFORM_FACTORY 140 Medium
The use of TransformerFactory.newInstance(...) is vulnerable to XSLT External Entity attacks SECURITY XXE_XSLT_TRANSFORM_FACTORY 140 Medium

org.apache.rat.analysis.HeaderCheckWorker

Bug Category Details Line Priority
Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, int, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 131 Medium
Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 112 Medium
new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, int, Collection, Document) may expose internal representation by storing an externally mutable object into HeaderCheckWorker.licenses MALICIOUS_CODE EI_EXPOSE_REP2 135 Medium

org.apache.rat.analysis.license.SimplePatternBasedLicense

Bug Category Details Line Priority
org.apache.rat.analysis.license.SimplePatternBasedLicense.getPatterns() may expose internal representation by returning SimplePatternBasedLicense.patterns MALICIOUS_CODE EI_EXPOSE_REP 46 Medium
org.apache.rat.analysis.license.SimplePatternBasedLicense.setPatterns(String[]) may expose internal representation by storing an externally mutable object into SimplePatternBasedLicense.patterns MALICIOUS_CODE EI_EXPOSE_REP2 50 Medium

org.apache.rat.analysis.matchers.CopyrightMatcher

Bug Category Details Line Priority
Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 95 Medium
Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 120 Medium

org.apache.rat.analysis.matchers.SimpleTextMatcher

Bug Category Details Line Priority
Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 44 Medium
Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 56 Medium

org.apache.rat.annotation.AbstractLicenseAppender

Bug Category Details Line Priority
Found reliance on default encoding in org.apache.rat.annotation.AbstractLicenseAppender.append(File): new java.io.FileWriter(File) I18N DM_DEFAULT_ENCODING 302 High
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 301 Medium

org.apache.rat.api.Document

Bug Category Details Line Priority
org.apache.rat.api.Document.getMetaData() may expose internal representation by returning Document.metaData MALICIOUS_CODE EI_EXPOSE_REP 127 Medium

org.apache.rat.commandline.Arg

Bug Category Details Line Priority
org.apache.rat.commandline.Arg.group() may expose internal representation by returning Arg.group MALICIOUS_CODE EI_EXPOSE_REP 534 Medium
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 733 Medium
Exception is caught when Exception is not thrown in org.apache.rat.commandline.Arg.processConfigurationArgs(ArgumentContext) STYLE REC_CATCH_EXCEPTION 678 Medium

org.apache.rat.commandline.ArgumentContext

Bug Category Details Line Priority
org.apache.rat.commandline.ArgumentContext.getCommandLine() may expose internal representation by returning ArgumentContext.commandLine MALICIOUS_CODE EI_EXPOSE_REP 85 Medium
org.apache.rat.commandline.ArgumentContext.getConfiguration() may expose internal representation by returning ArgumentContext.configuration MALICIOUS_CODE EI_EXPOSE_REP 77 Medium
new org.apache.rat.commandline.ArgumentContext(File, ReportConfiguration, CommandLine) may expose internal representation by storing an externally mutable object into ArgumentContext.commandLine MALICIOUS_CODE EI_EXPOSE_REP2 52 Medium
new org.apache.rat.commandline.ArgumentContext(File, ReportConfiguration, CommandLine) may expose internal representation by storing an externally mutable object into ArgumentContext.configuration MALICIOUS_CODE EI_EXPOSE_REP2 53 Medium

org.apache.rat.commandline.Converters$FileConverter

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 91 Medium
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 97 Medium

org.apache.rat.commandline.StyleSheets

Bug Category Details Line Priority
This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 91 Medium

org.apache.rat.config.exclusion.ExclusionUtils

Bug Category Details Line Priority
Found reliance on default encoding in org.apache.rat.config.exclusion.ExclusionUtils.asIterable(File, Predicate): new java.io.FileReader(File) I18N DM_DEFAULT_ENCODING 178 High
Found reliance on default encoding in org.apache.rat.config.exclusion.ExclusionUtils.asIterator(File, Predicate): new java.io.FileReader(File) I18N DM_DEFAULT_ENCODING 149 High

org.apache.rat.config.exclusion.fileProcessors.CVSIgnoreBuilder

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 49 Medium

org.apache.rat.config.exclusion.plexus.MatchPattern

Bug Category Details Line Priority
org.apache.rat.config.exclusion.plexus.MatchPattern.getTokenizedPathChars() may expose internal representation by returning MatchPattern.tokenizedChar MALICIOUS_CODE EI_EXPOSE_REP 111 Medium
org.apache.rat.config.exclusion.plexus.MatchPattern.getTokenizedPathString() may expose internal representation by returning MatchPattern.tokenized MALICIOUS_CODE EI_EXPOSE_REP 107 Medium

org.apache.rat.config.parameters.Description

Bug Category Details Line Priority
Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ComponentType, String, String, boolean, Class, Collection, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 85 Medium
Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ConfigComponent, boolean, Class, Collection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. BAD_PRACTICE CT_CONSTRUCTOR_THROW 107 Medium
org.apache.rat.config.parameters.Description.getChildren() may expose internal representation by returning Description.children MALICIOUS_CODE EI_EXPOSE_REP 190 Medium

org.apache.rat.config.results.ClaimValidator

Bug Category Details Line Priority
Boxed value is unboxed and then immediately reboxed in org.apache.rat.config.results.ClaimValidator.lambda$setMin$1(int, ClaimStatistic$Counter, Integer) PERFORMANCE BX_UNBOXING_IMMEDIATELY_REBOXED 88 Medium

org.apache.rat.configuration.MatcherBuilderTracker

Bug Category Details Line Priority
Public static org.apache.rat.configuration.MatcherBuilderTracker.instance() may expose internal representation by returning MatcherBuilderTracker.instance MALICIOUS_CODE MS_EXPOSE_REP 55 Medium

org.apache.rat.configuration.XMLConfigurationReader

Bug Category Details Line Priority
This web server request could be used by an attacker to expose internal services and filesystem. SECURITY URLCONNECTION_SSRF_FD 180 Medium
The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks SECURITY XXE_DOCUMENT 162 Medium
The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks SECURITY XXE_DOCUMENT 181 Medium

org.apache.rat.configuration.XMLConfigurationWriter

Bug Category Details Line Priority
new org.apache.rat.configuration.XMLConfigurationWriter(ReportConfiguration) may expose internal representation by storing an externally mutable object into XMLConfigurationWriter.configuration MALICIOUS_CODE EI_EXPOSE_REP2 63 Medium

org.apache.rat.configuration.builders.ChildContainerBuilder

Bug Category Details Line Priority
Usage of GetResource in org.apache.rat.configuration.builders.ChildContainerBuilder.setResource(String) may be unsafe if class is extended BAD_PRACTICE UI_INHERITANCE_UNSAFE_GETRESOURCE 62 Medium

org.apache.rat.configuration.builders.MatcherRefBuilder

Bug Category Details Line Priority
org.apache.rat.configuration.builders.MatcherRefBuilder.setMatcherMap(Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder.matchers MALICIOUS_CODE EI_EXPOSE_REP2 67 Medium

org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy

Bug Category Details Line Priority
new org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy(String, Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder$IHeaderMatcherProxy.matchers MALICIOUS_CODE EI_EXPOSE_REP2 114 Medium

org.apache.rat.document.ArchiveEntryDocument

Bug Category Details Line Priority
new org.apache.rat.document.ArchiveEntryDocument(ArchiveEntryName, byte[], DocumentNameMatcher) may expose internal representation by storing an externally mutable object into ArchiveEntryDocument.contents MALICIOUS_CODE EI_EXPOSE_REP2 45 Medium

org.apache.rat.document.ArchiveEntryName

Bug Category Details Line Priority
org.apache.rat.document.ArchiveEntryName doesn't override DocumentName.equals(Object) STYLE EQ_DOESNT_OVERRIDE_EQUALS 1 Medium
This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 50 Medium

org.apache.rat.document.DocumentName

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 131 Medium
This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 139 Medium

org.apache.rat.document.DocumentNameMatcher$FileFilterPredicate

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 387 Medium

org.apache.rat.header.HeaderMatcher

Bug Category Details Line Priority
new org.apache.rat.header.HeaderMatcher(CharFilter, int, HeaderBean[]) may expose internal representation by storing an externally mutable object into HeaderMatcher.headers MALICIOUS_CODE EI_EXPOSE_REP2 55 Medium

org.apache.rat.help.Help

Bug Category Details Line Priority
Found reliance on default encoding in new org.apache.rat.help.Help(PrintStream): new java.io.PrintWriter(OutputStream) I18N DM_DEFAULT_ENCODING 65 High

org.apache.rat.help.Licenses

Bug Category Details Line Priority
new org.apache.rat.help.Licenses(ReportConfiguration, Writer) may expose internal representation by storing an externally mutable object into Licenses.config MALICIOUS_CODE EI_EXPOSE_REP2 68 Medium

org.apache.rat.license.SimpleLicense$Builder

Bug Category Details Line Priority
org.apache.rat.license.SimpleLicense$Builder.setLicenseFamilies(SortedSet) may expose internal representation by storing an externally mutable object into SimpleLicense$Builder.licenseFamilies MALICIOUS_CODE EI_EXPOSE_REP2 211 Medium

org.apache.rat.mp.AbstractRatMojo

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 492 Medium

org.apache.rat.mp.RatCheckMojo

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 238 Medium
Exception is caught when Exception is not thrown in org.apache.rat.mp.RatCheckMojo.check(ReportConfiguration) STYLE REC_CATCH_EXCEPTION 209 Medium

org.apache.rat.mp.RatReportMojo

Bug Category Details Line Priority
org.apache.rat.mp.RatReportMojo.getSink() may expose internal representation by returning RatReportMojo.sink MALICIOUS_CODE EI_EXPOSE_REP 331 Medium
org.apache.rat.mp.RatReportMojo.generate(Sink, SinkFactory, Locale) may expose internal representation by storing an externally mutable object into RatReportMojo.sink MALICIOUS_CODE EI_EXPOSE_REP2 261 Medium
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 142 Medium
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 281 Medium

org.apache.rat.mp.Regex

Bug Category Details Line Priority
Format string should use %n rather than \n in org.apache.rat.mp.Regex.set(String) BAD_PRACTICE VA_FORMAT_STRING_USES_NEWLINE 37 Medium
Format string should use %n rather than \n in org.apache.rat.mp.Regex.setExpression(String) BAD_PRACTICE VA_FORMAT_STRING_USES_NEWLINE 33 Medium

org.apache.rat.plugin.HelpMojo

Bug Category Details Line Priority
The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks SECURITY XXE_DOCUMENT 77 Medium

org.apache.rat.report.ConfigurationReport

Bug Category Details Line Priority
new org.apache.rat.report.ConfigurationReport(IXmlWriter, ReportConfiguration) may expose internal representation by storing an externally mutable object into ConfigurationReport.configuration MALICIOUS_CODE EI_EXPOSE_REP2 43 Medium

org.apache.rat.report.claim.ClaimReporterMultiplexer

Bug Category Details Line Priority
new org.apache.rat.report.claim.ClaimReporterMultiplexer(IXmlWriter, boolean, DocumentAnalyser, List) may expose internal representation by storing an externally mutable object into ClaimReporterMultiplexer.reporters MALICIOUS_CODE EI_EXPOSE_REP2 54 Medium

org.apache.rat.report.claim.LicenseAddingReport

Bug Category Details Line Priority
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input SECURITY PATH_TRAVERSAL_IN 52 Medium

org.apache.rat.report.xml.writer.XmlWriter

Bug Category Details Line Priority
new org.apache.rat.report.xml.writer.XmlWriter(Writer) may expose internal representation by storing an externally mutable object into XmlWriter.writer MALICIOUS_CODE EI_EXPOSE_REP2 417 Medium

org.apache.rat.utils.DefaultLog

Bug Category Details Line Priority
Public static org.apache.rat.utils.DefaultLog.getInstance() may expose internal representation by returning DefaultLog.instance MALICIOUS_CODE MS_EXPOSE_REP 44 Medium

org.apache.rat.utils.Log

Bug Category Details Line Priority
Possible information exposure through an error message SECURITY INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE 131 Medium

org.apache.rat.utils.ReportingSet

Bug Category Details Line Priority
new org.apache.rat.utils.ReportingSet(SortedSet) may expose internal representation by storing an externally mutable object into ReportingSet.delegate MALICIOUS_CODE EI_EXPOSE_REP2 52 Medium