The following document contains the results of SpotBugs
SpotBugs Version is 4.8.5
Threshold is medium
Effort is default
| Classes | Bugs | Errors | Missing Classes |
|---|---|---|---|
| 139 | 53 | 0 | 5 |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.Defaults(Log, Set) is or uses a map or set of URLs, which can be a performance hog | PERFORMANCE | DMI_COLLECTION_OF_URLS | 93-95 | High |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.Defaults$Builder.fileNames is or uses a map or set of URLs, which can be a performance hog | PERFORMANCE | DMI_COLLECTION_OF_URLS | Not available | High |
| This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 207 | Medium |
| This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 240 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 467 | Medium |
| This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 624 | Medium |
| This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 487 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Switch statement found in org.apache.rat.ReportConfiguration.setAddLicenseHeaders(AddLicenseHeaders) where one case falls through to the next case | STYLE | SF_SWITCH_FALLTHROUGH | 625-628 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.ReportConfiguration$NoCloseOutputStream(OutputStream) may expose internal representation by storing an externally mutable object into ReportConfiguration$NoCloseOutputStream.delegate | MALICIOUS_CODE | EI_EXPOSE_REP2 | 699 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.Reporter at new org.apache.rat.Reporter(ReportConfiguration) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 96 | Medium |
| new org.apache.rat.Reporter(ReportConfiguration) may expose internal representation by storing an externally mutable object into Reporter.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 76 | Medium |
| A malicious XSLT could be provided to trigger remote code execution | SECURITY | MALICIOUS_XSLT | 133 | Medium |
| The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks | SECURITY | XXE_DOCUMENT | 89 | Medium |
| The use of TransformerFactory.newInstance(...) (TransformerFactory) is vulnerable to XML External Entity attacks | SECURITY | XXE_DTD_TRANSFORM_FACTORY | 128 | Medium |
| The use of TransformerFactory.newInstance(...) is vulnerable to XSLT External Entity attacks | SECURITY | XXE_XSLT_TRANSFORM_FACTORY | 128 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(Reader, int, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 123 | Medium |
| Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(Reader, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 106 | Medium |
| new org.apache.rat.analysis.HeaderCheckWorker(Reader, int, Collection, Document) may expose internal representation by storing an externally mutable object into HeaderCheckWorker.licenses | MALICIOUS_CODE | EI_EXPOSE_REP2 | 127 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.analysis.license.SimplePatternBasedLicense.getPatterns() may expose internal representation by returning SimplePatternBasedLicense.patterns | MALICIOUS_CODE | EI_EXPOSE_REP | 44 | Medium |
| org.apache.rat.analysis.license.SimplePatternBasedLicense.setPatterns(String[]) may expose internal representation by storing an externally mutable object into SimplePatternBasedLicense.patterns | MALICIOUS_CODE | EI_EXPOSE_REP2 | 48 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 83 | Medium |
| Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 108 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 42 | Medium |
| Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 55 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 236 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.api.Document.getMetaData() may expose internal representation by returning Document.metaData | MALICIOUS_CODE | EI_EXPOSE_REP | 119 | Medium |
| This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 93 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ComponentType, String, String, boolean, Class, Collection, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 88 | Medium |
| Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ConfigComponent, boolean, Class, Collection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 113 | Medium |
| org.apache.rat.config.parameters.Description.getChildren() may expose internal representation by returning Description.children | MALICIOUS_CODE | EI_EXPOSE_REP | 206 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.configuration.MatcherBuilderTracker.INSTANCE should be package protected | MALICIOUS_CODE | MS_PKGPROTECT | Not available | Medium |
| Primitive field org.apache.rat.configuration.MatcherBuilderTracker.INSTANCE is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. | BAD_PRACTICE | PA_PUBLIC_PRIMITIVE_ATTRIBUTE | 46 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This web server request could be used by an attacker to expose internal services and filesystem. | SECURITY | URLCONNECTION_SSRF_FD | 177 | Medium |
| The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks | SECURITY | XXE_DOCUMENT | 157 | Medium |
| The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks | SECURITY | XXE_DOCUMENT | 178 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.configuration.XMLConfigurationWriter(ReportConfiguration) may expose internal representation by storing an externally mutable object into XMLConfigurationWriter.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 60 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Usage of GetResource in org.apache.rat.configuration.builders.ChildContainerBuilder.setResource(String) may be unsafe if class is extended | BAD_PRACTICE | UI_INHERITANCE_UNSAFE_GETRESOURCE | 61 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.configuration.builders.MatcherRefBuilder.setMatcherMap(Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder.matchers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 69 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy(String, Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder$IHeaderMatcherProxy.matchers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 113 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.document.impl.ArchiveEntryDocument(Path, byte[]) may expose internal representation by storing an externally mutable object into ArchiveEntryDocument.contents | MALICIOUS_CODE | EI_EXPOSE_REP2 | 53 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.document.impl.util.DocumentAnalyserMultiplexer(IDocumentAnalyser[]) may expose internal representation by storing an externally mutable object into DocumentAnalyserMultiplexer.analysers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 31 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.header.HeaderMatcher(CharFilter, int, HeaderBean[]) may expose internal representation by storing an externally mutable object into HeaderMatcher.headers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 55 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Dead store to result in org.apache.rat.license.LicenseFamilySetFactory.findFamily(String, SortedSet) | STYLE | DLS_DEAD_LOCAL_STORE | 118 | High |
| Dead store to result in org.apache.rat.license.LicenseFamilySetFactory.hasFamily(String, SortedSet) | STYLE | DLS_DEAD_LOCAL_STORE | 106 | High |
| new org.apache.rat.license.LicenseFamilySetFactory(SortedSet, Collection) may expose internal representation by storing an externally mutable object into LicenseFamilySetFactory.approvedLicenses | MALICIOUS_CODE | EI_EXPOSE_REP2 | 43 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.license.LicenseSetFactory(SortedSet, Collection) may expose internal representation by storing an externally mutable object into LicenseSetFactory.approvedLicenses | MALICIOUS_CODE | EI_EXPOSE_REP2 | 70 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.report.ConfigurationReport(IXmlWriter, ReportConfiguration) may expose internal representation by storing an externally mutable object into ConfigurationReport.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 42 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.report.claim.util.ClaimReporterMultiplexer(IXmlWriter, boolean, IDocumentAnalyser, List) may expose internal representation by storing an externally mutable object into ClaimReporterMultiplexer.reporters | MALICIOUS_CODE | EI_EXPOSE_REP2 | 51 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_IN | 43 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.report.xml.writer.impl.base.XmlWriter(Writer) may expose internal representation by storing an externally mutable object into XmlWriter.writer | MALICIOUS_CODE | EI_EXPOSE_REP2 | 419 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Possible information exposure through an error message | SECURITY | INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE | 114 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Possible null pointer dereference in org.apache.rat.walker.DirectoryWalker.isNotIgnoredDirectory(Path) due to return value of called method | STYLE | NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE | 92 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Possible null pointer dereference in org.apache.rat.walker.Walker.isNotIgnored(Path) due to return value of called method | STYLE | NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE | 63 | Medium |