SonarQube Vulnerability Report

Report Generated On
Fri Aug 02 2019
Project Name
java tomcat
Application
tomcat
Release
1.0.0
Delta analysis
No

Summary of the Detected Vulnerabilities

Severity Number of Issues
BLOCKER 0
CRITICAL 2
MAJOR 0
MINOR 5

Detail of the Detected Vulnerabilities

Rule Severity Component Line Description Message Status
squid:S2975 BLOCKER java/org/apache/catalina/util/URLEncoder.java 190 "clone" should not be overridden Remove this "clone" implementation; use a copy constructor or copy factory instead. TO_REVIEW

Known Security Rules

Rule Description
squid:S864

The rules of operator precedence are complicated and can lead to errors. For this reason, parentheses should be used for clarification in complex statements. However, this does not mean that parentheses should be gratuitously added around every operation.

This rule raises issues when && and || are used in combination, when assignment and equality or relational operators are used in together in a condition, and for other operator combinations according to the following table:

+, -, *, /, % <<, >>, >>> & ^ |
+, -, *, /, % x x x x
<<, >>, >>> x x x x
& x x x x
^ x x x x
| x x x x

Noncompliant Code Example

x = a + b - c;
x = a + 1 << b;  // Noncompliant

if ( a > b || c < d || a == d) {...}
if ( a > b && c < d || a == b) {...}  // Noncompliant
if (a = f(b,c) == 1) { ... } // Noncompliant; == evaluated first

Compliant Solution

x = a + b - c;
x = (a + 1) << b;

if ( a > b || c < d || a == d) {...}
if ( (a > b && c < d) || a == b) {...}
if ( (a = f(b,c)) == 1) { ... }

See

  • MISRA C:2004, 12.1 - Limited dependence should be placed on C's operator precedence rules in expressions
  • MISRA C:2004, 12.2 - The value of an expression shall be the same under any order of evaluation that the standard permits.
  • MISRA C:2004, 12.5 - The operands of a logical && or || shall be primary-expressions.
  • MISRA C++:2008, 5-0-1 - The value of an expression shall be the same under any order of evaluation that the standard permits.
  • MISRA C++:2008, 5-0-2 - Limited dependence should be placed on C++ operator precedence rules in expressions
  • MISRA C++:2008, 5-2-1 - Each operand of a logical && or || shall be a postfix-expression.
  • MISRA C:2012, 12.1 - The precedence of operators within expressions should be made explicit
  • CERT, EXP00-C. - Use parentheses for precedence of operation
  • CERT, EXP53-J. - Use parentheses for precedence of operation
  • MITRE, CWE-783 - Operator Precedence Logic Error
squid:S2115

Failure to password-protect a database is so careless or naive as to be almost negligent. Databases should always be password protected, but the use of a database connection with an empty password is a clear indication of a database that is not protected.

This rule flags database connections with empty passwords.

Noncompliant Code Example

Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "AppLogin", "");
Connection conn2 = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&password=");

Compliant Solution

DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&password=password");

DriverManager.getConnection("jdbc:mysql://address=(host=myhost1)(port=1111)(key1=value1)(user=sandy)(password=secret),address=(host=myhost2)(port=2222)(key2=value2)(user=sandy)(password=secret)/db");

DriverManager.getConnection("jdbc:mysql://sandy:secret@[myhost1:1111,myhost2:2222]/db");

String url = "jdbc:postgresql://localhost/test";
Properties props = new Properties();
props.setProperty("user", "fred");
props.setProperty("password", "secret");
DriverManager.getConnection(url, props);

See

squid:S1148

Throwable.printStackTrace(...) prints a Throwable and its stack trace to some stream. By default that stream System.Err, which could inadvertently expose sensitive information.

Loggers should be used instead to print Throwables, as they have many advantages:

  • Users are able to easily retrieve the logs.
  • The format of log messages is uniform and allow users to browse the logs easily.

This rule raises an issue when printStackTrace is used without arguments, i.e. when the stack trace is printed to the default stream.

Noncompliant Code Example

try {
  /* ... */
} catch(Exception e) {
  e.printStackTrace();        // Noncompliant
}

Compliant Solution

try {
  /* ... */
} catch(Exception e) {
  LOGGER.log("context", e);
}

See

squid:S2975

Many consider clone and Cloneable broken in Java, largely because the rules for overriding clone are tricky and difficult to get right, according to Joshua Bloch:

Object's clone method is very tricky. It's based on field copies, and it's "extra-linguistic." It creates an object without calling a constructor. There are no guarantees that it preserves the invariants established by the constructors. There have been lots of bugs over the years, both in and outside Sun, stemming from the fact that if you just call super.clone repeatedly up the chain until you have cloned an object, you have a shallow copy of the object. The clone generally shares state with the object being cloned. If that state is mutable, you don't have two independent objects. If you modify one, the other changes as well. And all of a sudden, you get random behavior.

A copy constructor or copy factory should be used instead.

This rule raises an issue when clone is overridden, whether or not Cloneable is implemented.

Noncompliant Code Example

public class MyClass {
  // ...

  public Object clone() { // Noncompliant
    //...
  }
}

Compliant Solution

public class MyClass {
  // ...

  MyClass (MyClass source) {
    //...
  }
}

See

See Also

  • S2157 - "Cloneables" should implement "clone"
  • S1182 - Classes that override "clone" should be "Cloneable" and call "super.clone()"