The following document contains the results of SpotBugs
SpotBugs Version is 4.8.6
Threshold is medium
Effort is default
| Classes | Bugs | Errors | Missing Classes |
|---|---|---|---|
| 3117 | 54 | 0 | 57 |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.apache.rat.OptionCollection.parseCommands(File, String[], Consumer, boolean): new java.io.PrintWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 179 | High |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.ReportConfiguration$NoCloseOutputStream(OutputStream) may expose internal representation by storing an externally mutable object into ReportConfiguration$NoCloseOutputStream.delegate | MALICIOUS_CODE | EI_EXPOSE_REP2 | 845 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.Reporter(ReportConfiguration) may expose internal representation by storing an externally mutable object into Reporter.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 74 | Medium |
| A malicious XSLT could be provided to trigger remote code execution | SECURITY | MALICIOUS_XSLT | 144 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, int, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 131 | Medium |
| Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 112 | Medium |
| new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, int, Collection, Document) may expose internal representation by storing an externally mutable object into HeaderCheckWorker.licenses | MALICIOUS_CODE | EI_EXPOSE_REP2 | 135 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.analysis.license.SimplePatternBasedLicense.setPatterns(String[]) may expose internal representation by storing an externally mutable object into SimplePatternBasedLicense.patterns | MALICIOUS_CODE | EI_EXPOSE_REP2 | 50 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 95 | Medium |
| Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 120 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 44 | Medium |
| Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 56 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception is caught when Exception is not thrown in org.apache.rat.commandline.Arg.processConfigurationArgs(ArgumentContext) | STYLE | REC_CATCH_EXCEPTION | 678 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.commandline.ArgumentContext(File, ReportConfiguration, CommandLine) may expose internal representation by storing an externally mutable object into ArgumentContext.commandLine | MALICIOUS_CODE | EI_EXPOSE_REP2 | 52 | Medium |
| new org.apache.rat.commandline.ArgumentContext(File, ReportConfiguration, CommandLine) may expose internal representation by storing an externally mutable object into ArgumentContext.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 53 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.apache.rat.config.exclusion.ExclusionUtils.asIterable(File, Predicate): new java.io.FileReader(File) | I18N | DM_DEFAULT_ENCODING | 178 | High |
| Found reliance on default encoding in org.apache.rat.config.exclusion.ExclusionUtils.asIterator(File, Predicate): new java.io.FileReader(File) | I18N | DM_DEFAULT_ENCODING | 149 | High |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ComponentType, String, String, boolean, Class, Collection, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 85 | Medium |
| Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ConfigComponent, boolean, Class, Collection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 107 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Boxed value is unboxed and then immediately reboxed in org.apache.rat.config.results.ClaimValidator.lambda$setMin$1(int, ClaimStatistic$Counter, Integer) | PERFORMANCE | BX_UNBOXING_IMMEDIATELY_REBOXED | 88 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Public static org.apache.rat.configuration.MatcherBuilderTracker.instance() may expose internal representation by returning MatcherBuilderTracker.instance | MALICIOUS_CODE | MS_EXPOSE_REP | 55 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This web server request could be used by an attacker to expose internal services and filesystem. | SECURITY | URLCONNECTION_SSRF_FD | 180 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.configuration.XMLConfigurationWriter(ReportConfiguration) may expose internal representation by storing an externally mutable object into XMLConfigurationWriter.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 63 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Usage of GetResource in org.apache.rat.configuration.builders.ChildContainerBuilder.setResource(String) may be unsafe if class is extended | BAD_PRACTICE | UI_INHERITANCE_UNSAFE_GETRESOURCE | 62 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.configuration.builders.MatcherRefBuilder.setMatcherMap(Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder.matchers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 67 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy(String, Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder$IHeaderMatcherProxy.matchers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 114 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.document.ArchiveEntryDocument(ArchiveEntryName, byte[], DocumentNameMatcher) may expose internal representation by storing an externally mutable object into ArchiveEntryDocument.contents | MALICIOUS_CODE | EI_EXPOSE_REP2 | 45 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.document.ArchiveEntryName doesn't override DocumentName.equals(Object) | STYLE | EQ_DOESNT_OVERRIDE_EQUALS | 1 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.header.HeaderMatcher(CharFilter, int, HeaderBean[]) may expose internal representation by storing an externally mutable object into HeaderMatcher.headers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 55 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in new org.apache.rat.help.Help(PrintStream): new java.io.PrintWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 65 | High |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.help.Licenses(ReportConfiguration, Writer) may expose internal representation by storing an externally mutable object into Licenses.config | MALICIOUS_CODE | EI_EXPOSE_REP2 | 68 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.apache.rat.license.SimpleLicense$Builder.setLicenseFamilies(SortedSet) may expose internal representation by storing an externally mutable object into SimpleLicense$Builder.licenseFamilies | MALICIOUS_CODE | EI_EXPOSE_REP2 | 211 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.report.ConfigurationReport(IXmlWriter, ReportConfiguration) may expose internal representation by storing an externally mutable object into ConfigurationReport.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 43 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.report.claim.ClaimReporterMultiplexer(IXmlWriter, boolean, DocumentAnalyser, List) may expose internal representation by storing an externally mutable object into ClaimReporterMultiplexer.reporters | MALICIOUS_CODE | EI_EXPOSE_REP2 | 54 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.report.xml.writer.XmlWriter(Writer) may expose internal representation by storing an externally mutable object into XmlWriter.writer | MALICIOUS_CODE | EI_EXPOSE_REP2 | 417 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| The regular expression "-(-[a-z0-9]+)+" is vulnerable to a denial of service attack (ReDOS) | SECURITY | REDOS | 35 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.apache.rat.tools.AntGenerator.main(String[]): java.io.ByteArrayOutputStream.toString() | I18N | DM_DEFAULT_ENCODING | 148 | High |
| Found reliance on default encoding in org.apache.rat.tools.AntGenerator.main(String[]): new java.io.FileWriter(File) | I18N | DM_DEFAULT_ENCODING | 115 | High |
| Found reliance on default encoding in org.apache.rat.tools.AntGenerator.main(String[]): new java.io.OutputStreamWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 117 | High |
| Exceptional return value of java.io.File.mkdirs() ignored in org.apache.rat.tools.AntGenerator.main(String[]) | BAD_PRACTICE | RV_RETURN_VALUE_IGNORED_BAD_PRACTICE | 113 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.apache.rat.tools.ArgumentTypes.main(String[]): new java.io.FileWriter(String) | I18N | DM_DEFAULT_ENCODING | 44 | High |
| Found reliance on default encoding in org.apache.rat.tools.ArgumentTypes.main(String[]): new java.io.OutputStreamWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 44 | High |
| This API (java/io/FileWriter.<init>(Ljava/lang/String;)V) writes to a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_OUT | 44 | High |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.apache.rat.tools.MavenGenerator.main(String[]): new java.io.FileWriter(File) | I18N | DM_DEFAULT_ENCODING | 112 | High |
| Exceptional return value of java.io.File.mkdirs() ignored in org.apache.rat.tools.MavenGenerator.main(String[]) | BAD_PRACTICE | RV_RETURN_VALUE_IGNORED_BAD_PRACTICE | 110 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.apache.rat.tools.Naming.main(String[]): new java.io.FileWriter(String) | I18N | DM_DEFAULT_ENCODING | 154 | High |
| This API (java/io/FileWriter.<init>(Ljava/lang/String;)V) writes to a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_OUT | 154 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.apache.rat.tools.xsd.XsdGenerator.getInputStream(): new java.io.OutputStreamWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 96 | High |
| A malicious XSLT could be provided to trigger remote code execution | SECURITY | MALICIOUS_XSLT | 78 | Medium |
| The use of TransformerFactory.newInstance(...) (TransformerFactory) is vulnerable to XML External Entity attacks | SECURITY | XXE_DTD_TRANSFORM_FACTORY | 74 | Medium |
| The use of TransformerFactory.newInstance(...) is vulnerable to XSLT External Entity attacks | SECURITY | XXE_XSLT_TRANSFORM_FACTORY | 74 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Public static org.apache.rat.utils.DefaultLog.getInstance() may expose internal representation by returning DefaultLog.instance | MALICIOUS_CODE | MS_EXPOSE_REP | 44 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Possible information exposure through an error message | SECURITY | INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE | 131 | Medium |
| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.apache.rat.utils.ReportingSet(SortedSet) may expose internal representation by storing an externally mutable object into ReportingSet.delegate | MALICIOUS_CODE | EI_EXPOSE_REP2 | 52 | Medium |