SpotBugs Bug Detector Report
The following document contains the results of SpotBugs
SpotBugs Version is 4.8.6
Threshold is medium
Effort is
Summary
Classes | Bugs | Errors | Missing Classes
91 | 99 | 0 | 2
waffle.jaas.GroupPrincipal
Bug | Category | Details | Line | Priority
waffle.jaas.GroupPrincipal doesn't override UserPrincipal.equals(Object) | STYLE | EQ_DOESNT_OVERRIDE_EQUALS | 1 | Medium
waffle.jaas.GroupPrincipalTest
Bug | Category | Details | Line | Priority
Object deserialization is used in waffle.jaas.GroupPrincipalTest.testIsSerializable() | SECURITY | OBJECT_DESERIALIZATION | 101 | High
waffle.jaas.RolePrincipalTest
Bug | Category | Details | Line | Priority
Object deserialization is used in waffle.jaas.RolePrincipalTest.testIsSerializable() | SECURITY | OBJECT_DESERIALIZATION | 101 | High
waffle.jaas.UserPrincipalTest
Bug | Category | Details | Line | Priority
Object deserialization is used in waffle.jaas.UserPrincipalTest.testIsSerializable() | SECURITY | OBJECT_DESERIALIZATION | 101 | High
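The three OBJECT_DESERIALIZATION findings above all point at a serialization round-trip inside a test, where ObjectInputStream.readObject() is called on bytes the test produced itself. SpotBugs reports the call regardless of where the bytes come from, because a stream from an untrusted source can instantiate any serializable class on the classpath before the caller ever sees the result. The usual way to keep such a test and still close that door is an ObjectInputFilter allow-list that names the one class the test expects. The block below is an added example written for this report, not Waffle's code: DemoPrincipal is a hypothetical stand-in for the principal classes named above, and the filter pattern is an assumption about what such a principal needs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;

public final class FilteredPrincipalRoundTrip {

    // Hypothetical stand-in for a serializable JAAS principal (not Waffle's GroupPrincipal).
    static final class DemoPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;

        DemoPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public boolean equals(Object other) {
            return other instanceof DemoPrincipal && ((DemoPrincipal) other).name.equals(name);
        }

        @Override
        public int hashCode() {
            return name.hashCode();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        return buffer.toByteArray();
    }

    // Deserialize under an allow-list: only the expected class (plus java.lang.* for the simple
    // value types it may hold) may be instantiated; the trailing "!*" rejects every other class
    // before any of its code runs. Depth and size limits bound what a hostile stream can do.
    static <T> T deserialize(byte[] bytes, Class<T> expected) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                expected.getName() + ";java.lang.*;maxdepth=3;maxbytes=4096;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowList);
            return expected.cast(in.readObject());
        }
    }

    public static void main(String[] args) throws Exception {
        DemoPrincipal original = new DemoPrincipal("EXAMPLE\\alice");
        DemoPrincipal restored = deserialize(serialize(original), DemoPrincipal.class);
        if (!original.equals(restored)) {
            throw new AssertionError("principal changed across the round trip");
        }
        System.out.println("round trip ok: " + restored.getName());

        // A stream carrying any other class (a plain ArrayList here, standing in for the first
        // link of a gadget chain) is rejected by the filter with InvalidClassException.
        byte[] unexpected = serialize(new ArrayList<String>());
        try {
            deserialize(unexpected, DemoPrincipal.class);
            throw new AssertionError("filter did not reject the unexpected class");
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

Run with `java FilteredPrincipalRoundTrip.java` on Java 11 or later. A process-wide default can be set through the jdk.serialFilter system property instead; the per-stream form is shown because it is the one a unit test can assert on directly.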
waffle.jaas.WindowsLoginModule
Bug | Category | Details | Line | Priority
waffle.jaas.WindowsLoginModule.initialize(Subject, CallbackHandler, Map, Map) may expose internal representation by storing an externally mutable object into WindowsLoginModule.subject | MALICIOUS_CODE | EI_EXPOSE_REP2 | 94 | Medium
Method waffle.jaas.WindowsLoginModule.login() throws alternative exception from catch block without history | CORRECTNESS | LEST_LOST_EXCEPTION_STACK_TRACE | 140 | Medium
Method waffle.jaas.WindowsLoginModule.login() throws alternative exception from catch block without history | CORRECTNESS | LEST_LOST_EXCEPTION_STACK_TRACE | 144 | Medium
Method waffle.jaas.WindowsLoginModule.login() throws alternative exception from catch block without history | CORRECTNESS | LEST_LOST_EXCEPTION_STACK_TRACE | 152 | Medium
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 139 | Medium
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 142 | Medium
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 151 | Medium
waffle.jaas.WindowsLoginModuleTest$1
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.jaas.WindowsLoginModuleTest$1 at new waffle.jaas.WindowsLoginModuleTest$1(WindowsLoginModuleTest) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 241 | Medium
waffle.jaas.WindowsLoginModuleTest$2
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.jaas.WindowsLoginModuleTest$2 at new waffle.jaas.WindowsLoginModuleTest$2(WindowsLoginModuleTest) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 267 | Medium
waffle.servlet.CorsAwareNegotiateSecurityFilterTest
Bug | Category | Details | Line | Priority
Method waffle.servlet.CorsAwareNegotiateSecurityFilterTest.doFilterTestCorsPreflightRequest() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 74 | Medium
Method waffle.servlet.CorsAwareNegotiateSecurityFilterTest.doFilterTestCorsPreflightRequest() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 89 | Medium
waffle.servlet.CorsAwareNegotiateSecurityFilterTest$1
waffle.servlet.CorsAwareNegotiateSecurityFilterTest$2
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.servlet.CorsAwareNegotiateSecurityFilterTest$2 at new waffle.servlet.CorsAwareNegotiateSecurityFilterTest$2(CorsAwareNegotiateSecurityFilterTest) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 93 | Medium
waffle.servlet.NegotiateSecurityFilter
Bug | Category | Details | Line | Priority
Method waffle.servlet.NegotiateSecurityFilter.init(FilterConfig) is excessively complex, with a cyclomatic complexity of 68 | STYLE | CC_CYCLOMATIC_COMPLEXITY | 324 | Medium
Method waffle.servlet.NegotiateSecurityFilter.init(FilterConfig) accesses list or array with constant index | CORRECTNESS | CLI_CONSTANT_LIST_INDEX | 418 | Medium
Unconstrained method waffle.servlet.NegotiateSecurityFilter.sendUnauthorized(HttpServletResponse, boolean) converts checked exception to unchecked | STYLE | EXS_EXCEPTION_SOFTENING_NO_CONSTRAINTS | 490 | High
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 185 | Medium
waffle.servlet.NegotiateSecurityFilterTest
Bug | Category | Details | Line | Priority
Method waffle.servlet.NegotiateSecurityFilterTest.testCorsAndBearerAuthorizationI_init(FilterConfig) uses AccessibleObject.setAccessible to modify accessibility of classes | CORRECTNESS | RFI_SET_ACCESSIBLE | 115 | Medium
Method waffle.servlet.NegotiateSecurityFilterTest.testCorsAndBearerAuthorizationI_init(FilterConfig) uses AccessibleObject.setAccessible to modify accessibility of classes | CORRECTNESS | RFI_SET_ACCESSIBLE | 116 | Medium
Method waffle.servlet.NegotiateSecurityFilterTest.testCorsAndBearerAuthorizationI_init(FilterConfig) uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 86 | Medium
Method waffle.servlet.NegotiateSecurityFilterTest.testCorsAndBearerAuthorizationI_init(FilterConfig) uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 122 | Medium
Method waffle.servlet.NegotiateSecurityFilterTest.testExcludeCorsAndOAUTHBearerAuthorization_doFilter(HttpServletRequest, HttpServletResponse, FilterChain, FilterConfig) uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 152 | Medium
Method waffle.servlet.NegotiateSecurityFilterTest.testExcludeCorsAndOAUTHBearerAuthorization_doFilter(HttpServletRequest, HttpServletResponse, FilterChain, FilterConfig) uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 182 | Medium
waffle.servlet.NegotiateSecurityFilterTest$4
Bug | Category | Details | Line | Priority
Method new waffle.servlet.NegotiateSecurityFilterTest$4(NegotiateSecurityFilterTest, FilterConfig, HttpServletRequest) needlessly boxes a boolean constant | PERFORMANCE | NAB_NEEDLESS_BOOLEAN_CONSTANT_CONVERSION | 173 | Medium
Return value of jakarta.servlet.http.HttpServletRequest.getHeader(String) ignored, but method has no side effect | STYLE | RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT | 174 | Medium
waffle.servlet.NegotiateSecurityFilterTest$5
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.servlet.NegotiateSecurityFilterTest$5 at new waffle.servlet.NegotiateSecurityFilterTest$5(NegotiateSecurityFilterTest, FilterChain, HttpServletRequest, HttpServletResponse) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 184 | Medium
waffle.servlet.WaffleInfoServlet
Bug | Category | Details | Line | Priority
Unconstrained method waffle.servlet.WaffleInfoServlet.getWaffleInfoResponse(HttpServletRequest, HttpServletResponse) converts checked exception to unchecked | STYLE | EXS_EXCEPTION_SOFTENING_NO_CONSTRAINTS | 112 | High
Method waffle.servlet.WaffleInfoServlet.getWaffleInfoResponse(HttpServletRequest, HttpServletResponse) throws alternative exception from catch block without history | CORRECTNESS | LEST_LOST_EXCEPTION_STACK_TRACE | 112 | Medium
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 111 | Medium
waffle.servlet.WindowsPrincipal
Bug | Category | Details | Line | Priority
Class waffle.servlet.WindowsPrincipal defines List based fields but uses them like Sets | PERFORMANCE | DLC_DUBIOUS_LIST_COLLECTION | 238 | Medium
waffle.servlet.WindowsPrincipal.getGroups() may expose internal representation by returning WindowsPrincipal.groups | MALICIOUS_CODE | EI_EXPOSE_REP | 156 | Medium
Class waffle.servlet.WindowsPrincipal 'overloads' a method with both instance and static versions | STYLE | MOM_MISLEADING_OVERLOAD_MODEL | 156 | Medium
Method waffle.servlet.WindowsPrincipal.getGroups(IWindowsAccount[]) does not presize the allocation of a collection | PERFORMANCE | PSC_PRESIZE_COLLECTIONS | 127 | Medium
waffle.servlet.spi.NegotiateSecurityFilterProvider
Bug | Category | Details | Line | Priority
waffle.servlet.spi.NegotiateSecurityFilterProvider.getProtocols() may expose internal representation by returning NegotiateSecurityFilterProvider.protocolsList | MALICIOUS_CODE | EI_EXPOSE_REP | 88 | Medium
waffle.servlet.spi.NegotiateSecurityFilterProvider.setProtocols(List) may expose internal representation by storing an externally mutable object into NegotiateSecurityFilterProvider.protocolsList | MALICIOUS_CODE | EI_EXPOSE_REP2 | 98 | Medium
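EI_EXPOSE_REP and EI_EXPOSE_REP2 recur through this report (WindowsPrincipal.getGroups(), the getProtocols()/setProtocols(List) pair above, the handle and context getters and setters in waffle.windows.auth.impl). The pair above is the clearest case to reason about: a getter that returns the live list and a setter that keeps the caller's list mean that nobody owns the collection, so any code holding a reference can change it after the provider has been configured. For a list that drives which authentication schemes are accepted, that is a configuration-tampering path rather than a style nit. The block below is an added example for this report, not Waffle's code; LeakyProvider and GuardedProvider are hypothetical classes with the shape the two findings describe.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

public final class ProtocolListExposure {

    // Hypothetical provider with the shape SpotBugs flags (not Waffle's
    // NegotiateSecurityFilterProvider): the getter hands out the live list and the
    // setter keeps the caller's list, so neither side owns the state.
    static final class LeakyProvider {
        private List<String> protocols = new ArrayList<>(List.of("Negotiate", "NTLM"));

        List<String> getProtocols() {           // EI_EXPOSE_REP
            return protocols;
        }

        void setProtocols(List<String> value) { // EI_EXPOSE_REP2
            protocols = value;
        }

        boolean accepts(String scheme) {
            return protocols.contains(scheme);
        }
    }

    // Hardened form: copy on the way in, hand out an immutable list on the way out.
    static final class GuardedProvider {
        private List<String> protocols = List.of("Negotiate", "NTLM");

        List<String> getProtocols() {
            return protocols;                   // List.of / List.copyOf results are immutable
        }

        void setProtocols(List<String> value) {
            protocols = List.copyOf(Objects.requireNonNull(value, "protocols"));
        }

        boolean accepts(String scheme) {
            return protocols.contains(scheme);
        }
    }

    public static void main(String[] args) {
        // Path 1: mutate the provider's state through the getter.
        LeakyProvider leaky = new LeakyProvider();
        leaky.getProtocols().add("Basic");
        System.out.println("leaky accepts Basic after getter mutation: " + leaky.accepts("Basic"));

        // Path 2: keep a handle to the list passed to the setter and change it later.
        List<String> shared = new ArrayList<>(List.of("Negotiate"));
        leaky.setProtocols(shared);
        shared.add("Basic");
        System.out.println("leaky accepts Basic after setter aliasing: " + leaky.accepts("Basic"));

        // The guarded provider copies on set, so later changes to 'shared' do not reach it,
        // and its getter returns an immutable list, so the first path throws.
        GuardedProvider guarded = new GuardedProvider();
        guarded.setProtocols(shared);
        shared.add("Digest");
        try {
            guarded.getProtocols().add("Basic");
            System.out.println("guarded getter allowed mutation (unexpected)");
        } catch (UnsupportedOperationException expected) {
            System.out.println("guarded getter rejects mutation");
        }
        System.out.println("guarded accepts Digest: " + guarded.accepts("Digest"));
    }
}
```

Where the field is a native handle rather than a collection (the WinNT$HANDLE and Sspi$CtxtHandle findings later in this report) a defensive copy is not meaningful, and the practical fix is to narrow who can reach the getter and setter rather than to copy the value.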
waffle.servlet.spi.SecurityFilterProviderCollection
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.servlet.spi.SecurityFilterProviderCollection at new waffle.servlet.spi.SecurityFilterProviderCollection(String[], IWindowsAuthProvider) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 89 | Medium
Unconstrained method new waffle.servlet.spi.SecurityFilterProviderCollection(String[], IWindowsAuthProvider) converts checked exception to unchecked | STYLE | EXS_EXCEPTION_SOFTENING_NO_CONSTRAINTS | 89 | High
Method waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(HttpServletRequest, HttpServletResponse) appears to call the same method on the same object redundantly | PERFORMANCE | PRMC_POSSIBLY_REDUNDANT_METHOD_CALLS | 156 | Medium
Method new waffle.servlet.spi.SecurityFilterProviderCollection(SecurityFilterProvider[]) does not presize the allocation of a collection | PERFORMANCE | PSC_PRESIZE_COLLECTIONS | 64 | Medium
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 93 | Medium
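CT_CONSTRUCTOR_THROW appears against the constructor above and again against WindowsAuthProviderImpl and both impersonation-context classes in waffle.windows.auth.impl. The finding is about what happens when a constructor throws after Object's constructor has completed: the half-built instance is garbage, but if a subclass overrides finalize(), the JVM still calls it and the subclass can stash `this`, obtaining an object whose constructor-enforced invariant never held. For the classes named here that invariant is the presence of a working authentication provider or an established impersonation handle. The block below is an added example for this report, not Waffle's code; Unguarded, Guarded and Hostile are hypothetical classes with the shape the finding describes, and the attack is shown end to end.

```java
public final class FinalizerAttackDemo {

    // Hypothetical class with the shape SpotBugs flags as CT_CONSTRUCTOR_THROW (not Waffle's
    // SecurityFilterProviderCollection): the constructor validates input and throws, but a
    // subclass can still observe the half-built object from a finalizer.
    static class Unguarded {
        final String provider;

        Unguarded(String provider) {
            if (provider == null || provider.isEmpty()) {
                throw new IllegalArgumentException("no provider configured");
            }
            this.provider = provider;
        }
    }

    // Hardened variant: same check, but finalize() is final and empty, so no subclass can add
    // the hook the attack depends on. Declaring the whole class final works as well.
    static class Guarded {
        final String provider;

        Guarded(String provider) {
            if (provider == null || provider.isEmpty()) {
                throw new IllegalArgumentException("no provider configured");
            }
            this.provider = provider;
        }

        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected final void finalize() {
        }
    }

    static volatile Unguarded resurrected;

    // The attacker's subclass: super(...) throws, the object is never returned to the caller,
    // yet the JVM still runs finalize() on it and the override captures the reference.
    static final class Hostile extends Unguarded {
        Hostile() {
            super("");
        }

        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected void finalize() {
            resurrected = this;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        try {
            new Hostile();
        } catch (IllegalArgumentException expected) {
            System.out.println("constructor rejected input: " + expected.getMessage());
        }
        // Finalization is asynchronous; nudge the collector and wait briefly.
        for (int i = 0; i < 20 && resurrected == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        if (resurrected != null) {
            // 'provider' was never assigned, so the invariant the constructor enforced is gone.
            System.out.println("resurrected instance with provider=" + resurrected.provider);
        } else {
            System.out.println("finalizer did not run (finalization may be disabled on this JVM)");
        }
        // A subclass of Guarded that tries to override finalize() does not compile, so the
        // equivalent hook cannot be written against it.
    }
}
```

Run with `java FinalizerAttackDemo.java`. On Java 18 and later the JVM flag --finalization=disabled removes the attack path process-wide; until a deployment can rely on that, the final finalize() or final class is the fix SpotBugs is asking for.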
waffle.util.AuthorizationHeader
Bug | Category | Details | Line | Priority
Method waffle.util.AuthorizationHeader.getTokenBytes() throws alternative exception from catch block without history | CORRECTNESS | LEST_LOST_EXCEPTION_STACK_TRACE | 123 | Medium
Method waffle.util.AuthorizationHeader.isBearerAuthorizationHeader() makes literal string comparisons passing the literal as an argument | STYLE | LSC_LITERAL_STRING_COMPARISON | 191 | High
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 122 | Medium
Method waffle.util.AuthorizationHeader.isBearerAuthorizationHeader() compares string without case after enforcing a case | PERFORMANCE | SPP_USELESS_CASING | 191 | Medium
waffle.util.CorsPreFlightCheck
Bug | Category | Details | Line | Priority
Method waffle.util.CorsPreFlightCheck.isPreflight(HttpServletRequest) makes literal string comparisons passing the literal as an argument | STYLE | LSC_LITERAL_STRING_COMPARISON | 74 | High
Method waffle.util.CorsPreFlightCheck.isPreflight(HttpServletRequest) makes literal string comparisons passing the literal as an argument | STYLE | LSC_LITERAL_STRING_COMPARISON | 84 | High
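The LSC_LITERAL_STRING_COMPARISON findings against isBearerAuthorizationHeader() and isPreflight(HttpServletRequest), together with SPP_USELESS_CASING on the same line of isBearerAuthorizationHeader(), describe one pattern: a header value is case-folded and then compared with a literal passed as the argument. Two things go wrong with that shape in an authentication filter. A missing header makes the comparison throw NullPointerException instead of returning false, and String.toLowerCase() without a Locale follows the JVM default, so under a Turkish locale "I" folds to a dotless "ı" and a scheme such as NEGOTIATE never matches. The block below is an added example for this report, not Waffle's code; Request is a constructed stand-in for the servlet request, and the example generalises from Bearer to any scheme name.

```java
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

public final class HeaderChecks {

    // Constructed request stand-in (not the servlet API): method plus case-insensitive headers.
    static final class Request {
        final String method;
        final Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

        Request(String method, String... nameValuePairs) {
            this.method = method;
            for (int i = 0; i + 1 < nameValuePairs.length; i += 2) {
                headers.put(nameValuePairs[i], nameValuePairs[i + 1]);
            }
        }

        String getHeader(String name) {
            return headers.get(name);
        }
    }

    // Fragile shape: fold case, then compare with the literal as the argument. Throws on a
    // missing header and depends on the default locale for the case folding.
    static boolean schemeIsFragile(String authorization, String expectedLowerCase) {
        String scheme = authorization.split(" ", 2)[0];
        return scheme.toLowerCase().equals(expectedLowerCase);
    }

    // Hardened shape: null-safe, literal as the receiver, and equalsIgnoreCase, which folds
    // character by character without consulting the default locale. HTTP auth-scheme names are
    // case-insensitive (RFC 7235), so this is the comparison the protocol calls for.
    static boolean schemeIs(String authorization, String expected) {
        if (authorization == null) {
            return false;
        }
        int space = authorization.indexOf(' ');
        String scheme = space < 0 ? authorization : authorization.substring(0, space);
        return expected.equalsIgnoreCase(scheme);
    }

    static boolean isBearer(String authorization) {
        return schemeIs(authorization, "Bearer");
    }

    static boolean isNegotiate(String authorization) {
        return schemeIs(authorization, "Negotiate");
    }

    // CORS preflight: OPTIONS plus Access-Control-Request-Method plus Origin. The literal is
    // the receiver of equals(), so an absent method or header cannot throw.
    static boolean isPreflight(Request request) {
        return "OPTIONS".equals(request.method)
                && request.getHeader("Access-Control-Request-Method") != null
                && request.getHeader("Origin") != null;
    }

    public static void main(String[] args) {
        Locale.setDefault(Locale.forLanguageTag("tr-TR")); // simulate a Turkish-locale server
        System.out.println("fragile, tr-TR, 'NEGOTIATE abc': " + schemeIsFragile("NEGOTIATE abc", "negotiate"));
        System.out.println("hardened, tr-TR, 'NEGOTIATE abc': " + isNegotiate("NEGOTIATE abc"));
        System.out.println("hardened, 'bearer token': " + isBearer("bearer token"));
        System.out.println("hardened, missing header: " + isBearer(null));
        System.out.println("hardened, Negotiate is not Bearer: " + isBearer("Negotiate abc"));

        Request preflight = new Request("OPTIONS",
                "Origin", "https://app.example",
                "Access-Control-Request-Method", "GET");
        Request plainOptions = new Request("OPTIONS", "Origin", "https://app.example");
        System.out.println("preflight detected: " + isPreflight(preflight));
        System.out.println("plain OPTIONS treated as preflight: " + isPreflight(plainOptions));
    }
}
```

The preflight distinction matters because a filter that exempts preflights from authentication must not be fooled into exempting an ordinary OPTIONS request that merely carries an Origin header; requiring Access-Control-Request-Method as well is what makes the request a preflight under the Fetch specification.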
waffle.util.CorsPreFlightCheckTest
Bug | Category | Details | Line | Priority
Method waffle.util.CorsPreFlightCheckTest.testCorsMethodPreflightHeadersPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 132 | Medium
Method waffle.util.CorsPreFlightCheckTest.testCorsMethodPreflightHeadersPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 143 | Medium
Method waffle.util.CorsPreFlightCheckTest.testExpectedCorsPreflightHeadersPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 62 | Medium
Method waffle.util.CorsPreFlightCheckTest.testExpectedCorsPreflightHeadersPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 77 | Medium
Method waffle.util.CorsPreFlightCheckTest.testNoCorsHeadersPreflightHeaderPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 160 | Medium
Method waffle.util.CorsPreFlightCheckTest.testNoCorsHeadersPreflightHeaderPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 176 | Medium
Method waffle.util.CorsPreFlightCheckTest.testNoCorsPreflightOriginPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 96 | Medium
Method waffle.util.CorsPreFlightCheckTest.testNoCorsPreflightOriginPresent() uses a Side Effect Constructor | STYLE | SEC_SIDE_EFFECT_CONSTRUCTOR | 112 | Medium
waffle.util.CorsPreFlightCheckTest$1
waffle.util.CorsPreFlightCheckTest$2
waffle.util.CorsPreFlightCheckTest$3
waffle.util.CorsPreFlightCheckTest$4
waffle.util.CorsPreFlightCheckTest$5
waffle.util.CorsPreFlightCheckTest$6
waffle.util.CorsPreFlightCheckTest$7
waffle.util.CorsPreFlightCheckTest$8
waffle.util.NtlmMessage
Bug | Category | Details | Line | Priority
Hard coded cryptographic key found | SECURITY | HARD_CODE_KEY | 33-74 | Medium
waffle.util.WaffleInfo
Bug | Category | Details | Line | Priority
This use of org/slf4j/Logger.error(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages | SECURITY | CRLF_INJECTION_LOGS | 342 | Medium
Format should be constant. Use placeholder to reduce the needless cost of parameter construction. see http://www.slf4j.org/faq.html#logging_performance | CORRECTNESS | SLF4J_FORMAT_SHOULD_BE_CONST | 363 | High
Format should be constant. Use placeholder to reduce the needless cost of parameter construction. see http://www.slf4j.org/faq.html#logging_performance | CORRECTNESS | SLF4J_FORMAT_SHOULD_BE_CONST | 366 | High
To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 367 | Medium
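The CRLF_INJECTION_LOGS finding above, and the two SLF4J_FORMAT_SHOULD_BE_CONST findings that follow it, are two sides of the same logging hygiene problem. A value that reaches Logger.error(String, Object) from a request or an account lookup can carry "\r\n", and a log reader that treats one line as one event will then see a record the application never wrote. Building the message by concatenation, which is what the format-should-be-constant finding describes, makes this worse because the untrusted text becomes part of the format itself. The block below is an added example for this report, not Waffle's code; LineLogger is a constructed stand-in for an SLF4J-style logger and the attacker-controlled user name is made up.

```java
import java.util.ArrayList;
import java.util.List;

public final class LogInjectionDemo {

    // Neutralise line breaks and other C0 control characters so one logging call always
    // produces exactly one line in the log file.
    static String sanitizeForLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        out.append(String.format("\\x%02x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // Minimal stand-in for an SLF4J-style logger with {} placeholders (constructed for the demo).
    static final class LineLogger {
        final List<String> lines = new ArrayList<>();

        // Parameterised call: constant format, value substituted for the placeholder.
        void error(String format, Object arg) {
            lines.add("ERROR " + format.replace("{}", String.valueOf(arg)));
        }

        // The SLF4J_FORMAT_SHOULD_BE_CONST shape: the caller concatenates the value in.
        void errorConcat(String message) {
            lines.add("ERROR " + message);
        }
    }

    // Splits the logger output the way a line-oriented log reader would: one event per line.
    static List<String> asEvents(LineLogger logger) {
        List<String> events = new ArrayList<>();
        for (String line : logger.lines) {
            for (String part : line.split("\r?\n")) {
                events.add(part);
            }
        }
        return events;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value: a user name followed by a forged audit record.
        String userName = "alice\r\nINFO  audit: user=admin login=success";

        LineLogger naive = new LineLogger();
        naive.errorConcat("lookup failed for " + userName);
        List<String> naiveEvents = asEvents(naive);
        System.out.println("naive: " + naiveEvents.size() + " event(s)");
        for (String event : naiveEvents) {
            System.out.println("  " + event);
        }

        LineLogger hardened = new LineLogger();
        hardened.error("lookup failed for {}", sanitizeForLog(userName));
        List<String> hardenedEvents = asEvents(hardened);
        System.out.println("hardened: " + hardenedEvents.size() + " event(s)");
        for (String event : hardenedEvents) {
            System.out.println("  " + event);
        }
    }
}
```

Sanitising at the call site, as shown, is the minimum; where the logging backend supports it, an encoder or pattern that escapes control characters for every message is the more robust place to enforce the same rule.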
waffle.windows.auth.impl.WindowsAuthProviderImpl
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.windows.auth.impl.WindowsAuthProviderImpl at new waffle.windows.auth.impl.WindowsAuthProviderImpl() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 93 | Medium
Exception thrown in class waffle.windows.auth.impl.WindowsAuthProviderImpl at new waffle.windows.auth.impl.WindowsAuthProviderImpl(int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 103 | Medium
Constrained method waffle.windows.auth.impl.WindowsAuthProviderImpl.getCurrentComputer() converts checked exception to unchecked | STYLE | EXS_EXCEPTION_SOFTENING_NO_CHECKED | 187 | Medium
Method waffle.windows.auth.impl.WindowsAuthProviderImpl.getCurrentComputer() calls InetAddress.getLocalHost(), which may be a security risk | CORRECTNESS | MDM_INETADDRESS_GETLOCALHOST | 185 | Medium
Method waffle.windows.auth.impl.WindowsAuthProviderImpl.getDomains() does not presize the allocation of a collection | PERFORMANCE | PSC_PRESIZE_COLLECTIONS | 196 | Medium
waffle.windows.auth.impl.WindowsAuthProviderImpl$ContinueContext
Bug | Category | Details | Line | Priority
Class waffle.windows.auth.impl.WindowsAuthProviderImpl$ContinueContext defines fields that are used only as locals | CORRECTNESS | FCBL_FIELD_COULD_BE_LOCAL | 81 | Medium
Class waffle.windows.auth.impl.WindowsAuthProviderImpl$ContinueContext defines fields that are used only as locals | CORRECTNESS | FCBL_FIELD_COULD_BE_LOCAL | 82 | Medium
waffle.windows.auth.impl.WindowsComputerImpl
Bug | Category | Details | Line | Priority
Method waffle.windows.auth.impl.WindowsComputerImpl.getGroups() does not presize the allocation of a collection | PERFORMANCE | PSC_PRESIZE_COLLECTIONS | 67 | Medium
waffle.windows.auth.impl.WindowsCredentialsHandleImpl
Bug | Category | Details | Line | Priority
waffle.windows.auth.impl.WindowsCredentialsHandleImpl.getHandle() may expose internal representation by returning WindowsCredentialsHandleImpl.handle | MALICIOUS_CODE | EI_EXPOSE_REP | 119 | Medium
waffle.windows.auth.impl.WindowsIdentityImpersonationContextImpl
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.windows.auth.impl.WindowsIdentityImpersonationContextImpl at new waffle.windows.auth.impl.WindowsIdentityImpersonationContextImpl(WinNT$HANDLE) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 46 | Medium
waffle.windows.auth.impl.WindowsIdentityImpl
Bug | Category | Details | Line | Priority
new waffle.windows.auth.impl.WindowsIdentityImpl(WinNT$HANDLE) may expose internal representation by storing an externally mutable object into WindowsIdentityImpl.windowsIdentity | MALICIOUS_CODE | EI_EXPOSE_REP2 | 60 | Medium
waffle.windows.auth.impl.WindowsSecurityContextImpersonationContextImpl
Bug | Category | Details | Line | Priority
Exception thrown in class waffle.windows.auth.impl.WindowsSecurityContextImpersonationContextImpl at new waffle.windows.auth.impl.WindowsSecurityContextImpersonationContextImpl(Sspi$CtxtHandle) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 50 | Medium
new waffle.windows.auth.impl.WindowsSecurityContextImpersonationContextImpl(Sspi$CtxtHandle) may expose internal representation by storing an externally mutable object into WindowsSecurityContextImpersonationContextImpl.ctx | MALICIOUS_CODE | EI_EXPOSE_REP2 | 53 | Medium
waffle.windows.auth.impl.WindowsSecurityContextImpl
Bug | Category | Details | Line | Priority
waffle.windows.auth.impl.WindowsSecurityContextImpl.getHandle() may expose internal representation by returning WindowsSecurityContextImpl.ctx | MALICIOUS_CODE | EI_EXPOSE_REP | 195 | Medium
waffle.windows.auth.impl.WindowsSecurityContextImpl.setSecurityContext(Sspi$CtxtHandle) may expose internal representation by storing an externally mutable object into WindowsSecurityContextImpl.ctx | MALICIOUS_CODE | EI_EXPOSE_REP2 | 235 | Medium
Class waffle.windows.auth.impl.WindowsSecurityContextImpl 'overloads' a method with both instance and static versions | STYLE | MOM_MISLEADING_OVERLOAD_MODEL | 168-175 | Medium