Sast security fix #455
Sast security fix #455
Conversation
Signed-off-by: Arun Venmany <[email protected]>
Signed-off-by: Arun Venmany <[email protected]>
… gradle Signed-off-by: Arun Venmany <[email protected]>
| factory.setXIncludeAware(false); | ||
| factory.setNamespaceAware(true); | ||
| factory.setExpandEntityReferences(false); | ||
| return factory; |
There was a problem hiding this comment.
Are we not allowed to have a singleton instance of the factory? We were only doing the initialization once before. This can get called many times from maven/gradle plugins. This new code is creating a new one every single time.
| XPath xPath = XPathFactory.newInstance().newXPath(); | ||
| NodeList nodeList = (NodeList) xPath.compile(expression).evaluate(doc, XPathConstants.NODESET); | ||
| NodeList nodeList = (NodeList) expression | ||
| .evaluate(doc, XPathConstants.NODESET); |
| @@ -511,8 +521,14 @@ private Document parseDocument(URL url) throws IOException, SAXException { | |||
| } | |||
|
|
|||
| private Document parseDocument(InputStream in) throws SAXException, IOException { | |||
| try (InputStream ins = in) { // ins will be auto-closed | |||
| InputStream ins = null; | |||
There was a problem hiding this comment.
Why are we getting rid of try with resources which is the new better way to ensure streams are closed?
| @@ -52,8 +52,8 @@ public abstract class BinaryScannerUtil { | |||
| "in the application’s API usage: %s. Review and update your application to ensure it is not using conflicting APIs " + | |||
| "from different levels of MicroProfile, Java EE, or Jakarta EE."; | |||
| public static final String BINARY_SCANNER_CONFLICT_MESSAGE4 = "[None available]"; // format should match JVM Set.toString() | |||
| public static final String BINARY_SCANNER_CONFLICT_MESSAGE5 = "A working set of features could not be generated due to conflicts " + | |||
| "in the required features: %s and required levels of MicroProfile: %s, Java EE or Jakarta EE: %s. Review and update your application to ensure it " + | |||
| public static final String BINARY_SCANNER_CONFLICT_MESSAGE5 = "A working set of features could not be generated due to conflicts " + | |||
There was a problem hiding this comment.
Are there any actual changes to this file? or all formatting? If the latter, please revert the changes to this file.
| @@ -947,7 +948,7 @@ public void onFileChange(File file) { | |||
| // Parse hostname, http, https ports for integration tests to use | |||
| parseHostNameAndPorts(serverTask, messagesLogFile); | |||
| } catch (IOException e) { | |||
| throw new PluginExecutionException("An error occurred while starting the server: " + e.getMessage(), e); | |||
| throw new PluginExecutionException("An error occurred while starting the server: " + e.getMessage()); | |||
There was a problem hiding this comment.
I don't think we should do these changes. There is no security risk here because this is all open source. We need this level of detail to support our customers when they report issues. We can document this reasoning in the spreadsheet for all of this category of issues.
| @@ -53,7 +53,7 @@ public static boolean isServerRunning(File installDirectory, File outputDirector | |||
| return false; | |||
| } | |||
| } catch (Exception e) { | |||
| e.printStackTrace(); | |||
| System.out.println("exception while reading pidfile " + e.getMessage()); | |||
There was a problem hiding this comment.
We should not do System.out.println. Can a logger be passed in?
No description provided.