SpotBugs Bug Detector Report

The following document contains the results of SpotBugs.

SpotBugs Version is 4.8.6

Threshold is medium

Effort is default

Summary

Classes | Bugs | Errors | Missing Classes
3223 | 64 | 0 | 47

Files

Class | Bugs
org.apache.rat.OptionCollection | 1
org.apache.rat.ReportConfiguration$NoCloseOutputStream | 1
org.apache.rat.Reporter | 2
org.apache.rat.analysis.HeaderCheckWorker | 3
org.apache.rat.analysis.license.SimplePatternBasedLicense | 1
org.apache.rat.analysis.matchers.CopyrightMatcher | 2
org.apache.rat.analysis.matchers.SimpleTextMatcher | 2
org.apache.rat.anttasks.Help$AntHelpFormatter | 1
org.apache.rat.commandline.ArgumentContext | 2
org.apache.rat.config.exclusion.ExclusionUtils | 2
org.apache.rat.config.parameters.Description | 2
org.apache.rat.config.results.ClaimValidator | 1
org.apache.rat.configuration.MatcherBuilderTracker | 1
org.apache.rat.configuration.XMLConfigurationReader | 1
org.apache.rat.configuration.XMLConfigurationWriter | 1
org.apache.rat.configuration.builders.ChildContainerBuilder | 1
org.apache.rat.configuration.builders.MatcherRefBuilder | 1
org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy | 1
org.apache.rat.document.ArchiveEntryDocument | 1
org.apache.rat.document.ArchiveEntryName | 1
org.apache.rat.header.HeaderMatcher | 1
org.apache.rat.help.Help | 2
org.apache.rat.help.Licenses | 1
org.apache.rat.license.SimpleLicense$Builder | 1
org.apache.rat.report.ConfigurationReport | 1
org.apache.rat.report.claim.ClaimReporterMultiplexer | 1
org.apache.rat.report.xml.writer.XmlWriter | 1
org.apache.rat.tools.AbstractOption | 1
org.apache.rat.tools.AntGenerator | 6
org.apache.rat.tools.AntGenerator$GenerateType | 1
org.apache.rat.tools.AntOption | 1
org.apache.rat.tools.AntOption$2 | 1
org.apache.rat.tools.AntOption$BuildType | 2
org.apache.rat.tools.ArgumentTypes | 3
org.apache.rat.tools.MavenGenerator | 3
org.apache.rat.tools.MavenOption | 1
org.apache.rat.tools.Naming | 2
org.apache.rat.tools.xsd.XsdGenerator | 4
org.apache.rat.utils.DefaultLog | 1
org.apache.rat.utils.Log | 1
org.apache.rat.utils.ReportingSet | 1

org.apache.rat.OptionCollection

Bug | Category | Details | Line | Priority
Found reliance on default encoding in org.apache.rat.OptionCollection.parseCommands(File, String[], Consumer, boolean): new java.io.PrintWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 154 | High

org.apache.rat.ReportConfiguration$NoCloseOutputStream

Bug | Category | Details | Line | Priority
new org.apache.rat.ReportConfiguration$NoCloseOutputStream(OutputStream) may expose internal representation by storing an externally mutable object into ReportConfiguration$NoCloseOutputStream.delegate | MALICIOUS_CODE | EI_EXPOSE_REP2 | 845 | Medium

org.apache.rat.Reporter

Bug | Category | Details | Line | Priority
new org.apache.rat.Reporter(ReportConfiguration) may expose internal representation by storing an externally mutable object into Reporter.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 74 | Medium
A malicious XSLT could be provided to trigger remote code execution | SECURITY | MALICIOUS_XSLT | 144 | Medium

org.apache.rat.analysis.HeaderCheckWorker

Bug | Category | Details | Line | Priority
Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, int, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 131 | Medium
Exception thrown in class org.apache.rat.analysis.HeaderCheckWorker at new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, Collection, Document) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 112 | Medium
new org.apache.rat.analysis.HeaderCheckWorker(IHeaderMatcher, Reader, int, Collection, Document) may expose internal representation by storing an externally mutable object into HeaderCheckWorker.licenses | MALICIOUS_CODE | EI_EXPOSE_REP2 | 135 | Medium

org.apache.rat.analysis.license.SimplePatternBasedLicense

Bug | Category | Details | Line | Priority
org.apache.rat.analysis.license.SimplePatternBasedLicense.setPatterns(String[]) may expose internal representation by storing an externally mutable object into SimplePatternBasedLicense.patterns | MALICIOUS_CODE | EI_EXPOSE_REP2 | 48 | Medium

org.apache.rat.analysis.matchers.CopyrightMatcher

Bug | Category | Details | Line | Priority
Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 95 | Medium
Exception thrown in class org.apache.rat.analysis.matchers.CopyrightMatcher at new org.apache.rat.analysis.matchers.CopyrightMatcher(String, String, String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 120 | Medium

org.apache.rat.analysis.matchers.SimpleTextMatcher

Bug | Category | Details | Line | Priority
Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 44 | Medium
Exception thrown in class org.apache.rat.analysis.matchers.SimpleTextMatcher at new org.apache.rat.analysis.matchers.SimpleTextMatcher(String, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 56 | Medium

org.apache.rat.anttasks.Help$AntHelpFormatter

Bug | Category | Details | Line | Priority
Dead store to lpad in org.apache.rat.anttasks.Help$AntHelpFormatter.renderOptions(StringBuffer, int, Options, int, int) | STYLE | DLS_DEAD_LOCAL_STORE | 171 | Medium

org.apache.rat.commandline.ArgumentContext

Bug | Category | Details | Line | Priority
new org.apache.rat.commandline.ArgumentContext(File, ReportConfiguration, CommandLine) may expose internal representation by storing an externally mutable object into ArgumentContext.commandLine | MALICIOUS_CODE | EI_EXPOSE_REP2 | 52 | Medium
new org.apache.rat.commandline.ArgumentContext(File, ReportConfiguration, CommandLine) may expose internal representation by storing an externally mutable object into ArgumentContext.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 53 | Medium

org.apache.rat.config.exclusion.ExclusionUtils

Bug | Category | Details | Line | Priority
Found reliance on default encoding in org.apache.rat.config.exclusion.ExclusionUtils.asIterable(File, Predicate): new java.io.FileReader(File) | I18N | DM_DEFAULT_ENCODING | 178 | High
Found reliance on default encoding in org.apache.rat.config.exclusion.ExclusionUtils.asIterator(File, Predicate): new java.io.FileReader(File) | I18N | DM_DEFAULT_ENCODING | 149 | High

org.apache.rat.config.parameters.Description

Bug | Category | Details | Line | Priority
Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ComponentType, String, String, boolean, Class, Collection, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 85 | Medium
Exception thrown in class org.apache.rat.config.parameters.Description at new org.apache.rat.config.parameters.Description(ConfigComponent, boolean, Class, Collection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 107 | Medium

org.apache.rat.config.results.ClaimValidator

Bug | Category | Details | Line | Priority
Boxed value is unboxed and then immediately reboxed in org.apache.rat.config.results.ClaimValidator.lambda$setMin$1(int, ClaimStatistic$Counter, Integer) | PERFORMANCE | BX_UNBOXING_IMMEDIATELY_REBOXED | 88 | Medium

org.apache.rat.configuration.MatcherBuilderTracker

Bug | Category | Details | Line | Priority
Public static org.apache.rat.configuration.MatcherBuilderTracker.instance() may expose internal representation by returning MatcherBuilderTracker.instance | MALICIOUS_CODE | MS_EXPOSE_REP | 55 | Medium

org.apache.rat.configuration.XMLConfigurationReader

Bug | Category | Details | Line | Priority
This web server request could be used by an attacker to expose internal services and filesystem. | SECURITY | URLCONNECTION_SSRF_FD | 180 | Medium

org.apache.rat.configuration.XMLConfigurationWriter

Bug | Category | Details | Line | Priority
new org.apache.rat.configuration.XMLConfigurationWriter(ReportConfiguration) may expose internal representation by storing an externally mutable object into XMLConfigurationWriter.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 63 | Medium

org.apache.rat.configuration.builders.ChildContainerBuilder

Bug | Category | Details | Line | Priority
Usage of GetResource in org.apache.rat.configuration.builders.ChildContainerBuilder.setResource(String) may be unsafe if class is extended | BAD_PRACTICE | UI_INHERITANCE_UNSAFE_GETRESOURCE | 62 | Medium

org.apache.rat.configuration.builders.MatcherRefBuilder

Bug | Category | Details | Line | Priority
org.apache.rat.configuration.builders.MatcherRefBuilder.setMatcherMap(Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder.matchers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 67 | Medium

org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy

Bug | Category | Details | Line | Priority
new org.apache.rat.configuration.builders.MatcherRefBuilder$IHeaderMatcherProxy(String, Map) may expose internal representation by storing an externally mutable object into MatcherRefBuilder$IHeaderMatcherProxy.matchers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 114 | Medium

org.apache.rat.document.ArchiveEntryDocument

Bug | Category | Details | Line | Priority
new org.apache.rat.document.ArchiveEntryDocument(ArchiveEntryName, byte[], DocumentNameMatcher) may expose internal representation by storing an externally mutable object into ArchiveEntryDocument.contents | MALICIOUS_CODE | EI_EXPOSE_REP2 | 45 | Medium

org.apache.rat.document.ArchiveEntryName

Bug | Category | Details | Line | Priority
org.apache.rat.document.ArchiveEntryName doesn't override DocumentName.equals(Object) | STYLE | EQ_DOESNT_OVERRIDE_EQUALS | 1 | Medium

org.apache.rat.header.HeaderMatcher

Bug | Category | Details | Line | Priority
new org.apache.rat.header.HeaderMatcher(CharFilter, int, HeaderBean[]) may expose internal representation by storing an externally mutable object into HeaderMatcher.headers | MALICIOUS_CODE | EI_EXPOSE_REP2 | 55 | Medium

org.apache.rat.help.Help

Bug | Category | Details | Line | Priority
Found reliance on default encoding in new org.apache.rat.help.Help(PrintStream): new java.io.PrintWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 65 | High
org.apache.rat.help.Help.NOTES is a mutable array | MALICIOUS_CODE | MS_MUTABLE_ARRAY | 41 | High

org.apache.rat.help.Licenses

Bug | Category | Details | Line | Priority
new org.apache.rat.help.Licenses(ReportConfiguration, Writer) may expose internal representation by storing an externally mutable object into Licenses.config | MALICIOUS_CODE | EI_EXPOSE_REP2 | 68 | Medium

org.apache.rat.license.SimpleLicense$Builder

Bug | Category | Details | Line | Priority
org.apache.rat.license.SimpleLicense$Builder.setLicenseFamilies(SortedSet) may expose internal representation by storing an externally mutable object into SimpleLicense$Builder.licenseFamilies | MALICIOUS_CODE | EI_EXPOSE_REP2 | 211 | Medium

org.apache.rat.report.ConfigurationReport

Bug | Category | Details | Line | Priority
new org.apache.rat.report.ConfigurationReport(IXmlWriter, ReportConfiguration) may expose internal representation by storing an externally mutable object into ConfigurationReport.configuration | MALICIOUS_CODE | EI_EXPOSE_REP2 | 43 | Medium

org.apache.rat.report.claim.ClaimReporterMultiplexer

Bug | Category | Details | Line | Priority
new org.apache.rat.report.claim.ClaimReporterMultiplexer(IXmlWriter, boolean, DocumentAnalyser, List) may expose internal representation by storing an externally mutable object into ClaimReporterMultiplexer.reporters | MALICIOUS_CODE | EI_EXPOSE_REP2 | 54 | Medium

org.apache.rat.report.xml.writer.XmlWriter

Bug | Category | Details | Line | Priority
new org.apache.rat.report.xml.writer.XmlWriter(Writer) may expose internal representation by storing an externally mutable object into XmlWriter.writer | MALICIOUS_CODE | EI_EXPOSE_REP2 | 417 | Medium

org.apache.rat.tools.AbstractOption

Bug | Category | Details | Line | Priority
The regular expression "-(-[a-z0-9]+)+" is vulnerable to a denial of service attack (ReDOS) | SECURITY | REDOS | 37 | Medium

org.apache.rat.tools.AntGenerator

Bug | Category | Details | Line | Priority
Found reliance on default encoding in org.apache.rat.tools.AntGenerator.main(String[]): java.io.ByteArrayOutputStream.toString() | I18N | DM_DEFAULT_ENCODING | 217 | High
Found reliance on default encoding in org.apache.rat.tools.AntGenerator.main(String[]): new java.io.FileWriter(File) | I18N | DM_DEFAULT_ENCODING | 176 | High
Found reliance on default encoding in org.apache.rat.tools.AntGenerator.main(String[]): new java.io.OutputStreamWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 178 | High
Exceptional return value of java.io.File.mkdirs() ignored in org.apache.rat.tools.AntGenerator.main(String[]) | BAD_PRACTICE | RV_RETURN_VALUE_IGNORED_BAD_PRACTICE | 174 | Medium
Format string should use %n rather than \n in org.apache.rat.tools.AntGenerator.getElementClass(AntOption) | BAD_PRACTICE | VA_FORMAT_STRING_USES_NEWLINE | 262 | Medium
Format string should use %n rather than \n in org.apache.rat.tools.AntGenerator.main(String[]) | BAD_PRACTICE | VA_FORMAT_STRING_USES_NEWLINE | 207 | Medium

org.apache.rat.tools.AntGenerator$GenerateType

Bug | Category | Details | Line | Priority
Format string should use %n rather than \n in org.apache.rat.tools.AntGenerator$GenerateType.getMethodFormat(AntOption) | BAD_PRACTICE | VA_FORMAT_STRING_USES_NEWLINE | 287 | Medium

org.apache.rat.tools.AntOption

Bug | Category | Details | Line | Priority
Public static org.apache.rat.tools.AntOption.getUnsupportedOptions() may expose internal representation by returning AntOption.UNSUPPORTED_LIST | MALICIOUS_CODE | MS_EXPOSE_REP | 150 | Medium

org.apache.rat.tools.AntOption$2

Bug | Category | Details | Line | Priority
Format string should use %n rather than \n in org.apache.rat.tools.AntOption$2.getMethodFormat(AntOption) | BAD_PRACTICE | VA_FORMAT_STRING_USES_NEWLINE | 137 | Medium

org.apache.rat.tools.AntOption$BuildType

Bug | Category | Details | Line | Priority
Format string should use %n rather than \n in org.apache.rat.tools.AntOption$BuildType.getMethodFormat(AntOption) | BAD_PRACTICE | VA_FORMAT_STRING_USES_NEWLINE | 314 | Medium
Format string should use %n rather than \n in org.apache.rat.tools.AntOption$BuildType.getMultipleFormat(AntOption) | BAD_PRACTICE | VA_FORMAT_STRING_USES_NEWLINE | 305 | Medium

org.apache.rat.tools.ArgumentTypes

Bug | Category | Details | Line | Priority
Found reliance on default encoding in org.apache.rat.tools.ArgumentTypes.main(String[]): new java.io.FileWriter(String) | I18N | DM_DEFAULT_ENCODING | 44 | High
Found reliance on default encoding in org.apache.rat.tools.ArgumentTypes.main(String[]): new java.io.OutputStreamWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 44 | High
This API (java/io/FileWriter.<init>(Ljava/lang/String;)V) writes to a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_OUT | 44 | High

org.apache.rat.tools.MavenGenerator

Bug | Category | Details | Line | Priority
Found reliance on default encoding in org.apache.rat.tools.MavenGenerator.main(String[]): new java.io.FileWriter(File) | I18N | DM_DEFAULT_ENCODING | 107 | High
Exceptional return value of java.io.File.mkdirs() ignored in org.apache.rat.tools.MavenGenerator.main(String[]) | BAD_PRACTICE | RV_RETURN_VALUE_IGNORED_BAD_PRACTICE | 105 | Medium
Format string should use %n rather than \n in org.apache.rat.tools.MavenGenerator.main(String[]) | BAD_PRACTICE | VA_FORMAT_STRING_USES_NEWLINE | 136 | Medium

org.apache.rat.tools.MavenOption

Bug | Category | Details | Line | Priority
Public static org.apache.rat.tools.MavenOption.getFilteredOptions() may expose internal representation by returning MavenOption.UNSUPPORTED_LIST | MALICIOUS_CODE | MS_EXPOSE_REP | 69 | Medium

org.apache.rat.tools.Naming

Bug | Category | Details | Line | Priority
Found reliance on default encoding in org.apache.rat.tools.Naming.main(String[]): new java.io.FileWriter(String) | I18N | DM_DEFAULT_ENCODING | 152 | High
This API (java/io/FileWriter.<init>(Ljava/lang/String;)V) writes to a file whose location might be specified by user input | SECURITY | PATH_TRAVERSAL_OUT | 152 | Medium

org.apache.rat.tools.xsd.XsdGenerator

Bug | Category | Details | Line | Priority
Found reliance on default encoding in org.apache.rat.tools.xsd.XsdGenerator.getInputStream(): new java.io.OutputStreamWriter(OutputStream) | I18N | DM_DEFAULT_ENCODING | 96 | High
A malicious XSLT could be provided to trigger remote code execution | SECURITY | MALICIOUS_XSLT | 78 | Medium
The use of TransformerFactory.newInstance(...) (TransformerFactory) is vulnerable to XML External Entity attacks | SECURITY | XXE_DTD_TRANSFORM_FACTORY | 74 | Medium
The use of TransformerFactory.newInstance(...) is vulnerable to XSLT External Entity attacks | SECURITY | XXE_XSLT_TRANSFORM_FACTORY | 74 | Medium

org.apache.rat.utils.DefaultLog

Bug | Category | Details | Line | Priority
Public static org.apache.rat.utils.DefaultLog.getInstance() may expose internal representation by returning DefaultLog.instance | MALICIOUS_CODE | MS_EXPOSE_REP | 44 | Medium

org.apache.rat.utils.Log

Bug | Category | Details | Line | Priority
Possible information exposure through an error message | SECURITY | INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE | 52 | Medium

org.apache.rat.utils.ReportingSet

Bug | Category | Details | Line | Priority
new org.apache.rat.utils.ReportingSet(SortedSet) may expose internal representation by storing an externally mutable object into ReportingSet.delegate | MALICIOUS_CODE | EI_EXPOSE_REP2 | 52 | Medium