SpotBugs Bug Detector Report
The following document contains the results of SpotBugs
SpotBugs Version is 4.8.6
Threshold is medium
Effort is
Summary

| Classes | Bugs | Errors | Missing Classes |
|---|---|---|---|
| 20 | 36 | 0 | 2 |
waffle.apache.GenericWindowsPrincipal

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| waffle.apache.GenericWindowsPrincipal.getGroups() may expose internal representation by returning GenericWindowsPrincipal.groups | MALICIOUS_CODE | EI_EXPOSE_REP | 118 | Medium |
| Class waffle.apache.GenericWindowsPrincipal 'overloads' a method with both instance and static versions | STYLE | MOM_MISLEADING_OVERLOAD_MODEL | 118 | Medium |
| Method waffle.apache.GenericWindowsPrincipal.getGroups(IWindowsAccount[]) does not presize the allocation of a collection | PERFORMANCE | PSC_PRESIZE_COLLECTIONS | 107 | Medium |
waffle.apache.MixedAuthenticator

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages | SECURITY | CRLF_INJECTION_LOGS | 86 | Medium |
| This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages | SECURITY | CRLF_INJECTION_LOGS | 241 | Medium |
| Unconstrained method waffle.apache.MixedAuthenticator.redirectTo(Request, HttpServletResponse, String) converts checked exception to unchecked | STYLE | EXS_EXCEPTION_SOFTENING_NO_CONSTRAINTS | 297 | High |
| method waffle.apache.MixedAuthenticator.negotiate(Request, HttpServletResponse, AuthorizationHeader) converts an exception into a boolean 'error code' value | STYLE | EXS_EXCEPTION_SOFTENING_RETURN_FALSE | 167 | Medium |
| method waffle.apache.MixedAuthenticator.post(Request, HttpServletResponse) converts an exception into a boolean 'error code' value | STYLE | EXS_EXCEPTION_SOFTENING_RETURN_FALSE | 249 | Medium |
| RequestDispatcher populated with user controlled parameters | SECURITY | REQUESTDISPATCHER_FILE_DISCLOSURE | 295 | Medium |
| Format should be constant. Use placeholder to reduce the needless cost of parameter construction. see http://www.slf4j.org/faq.html#logging_performance | CORRECTNESS | SLF4J_FORMAT_SHOULD_BE_CONST | 247 | High |
| To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 165 | Medium |
| To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 187 | Medium |
| To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 248 | Medium |
waffle.apache.MixedAuthenticatorTest

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Method waffle.apache.MixedAuthenticatorTest.testChallengeGET() accesses list or array with constant index | CORRECTNESS | CLI_CONSTANT_LIST_INDEX | 120 | Medium |
waffle.apache.NegotiateAuthenticator

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages | SECURITY | CRLF_INJECTION_LOGS | 79 | Medium |
| method waffle.apache.NegotiateAuthenticator.authenticate(Request, HttpServletResponse) converts an exception into a boolean 'error code' value | STYLE | EXS_EXCEPTION_SOFTENING_RETURN_FALSE | 114 | Medium |
| To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 112 | Medium |
| To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 134 | Medium |
waffle.apache.NegotiateAuthenticatorTest

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Method waffle.apache.NegotiateAuthenticatorTest.testChallengeGET() accesses list or array with constant index | CORRECTNESS | CLI_CONSTANT_LIST_INDEX | 122 | Medium |
waffle.apache.WaffleAuthenticatorBase

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Unconstrained method waffle.apache.WaffleAuthenticatorBase.sendError(HttpServletResponse, int) converts checked exception to unchecked | STYLE | EXS_EXCEPTION_SOFTENING_NO_CONSTRAINTS | 240 | High |
| Unconstrained method waffle.apache.WaffleAuthenticatorBase.sendUnauthorized(HttpServletResponse) converts checked exception to unchecked | STYLE | EXS_EXCEPTION_SOFTENING_NO_CONSTRAINTS | 224 | High |
| Format should be constant. Use placeholder to reduce the needless cost of parameter construction. see http://www.slf4j.org/faq.html#logging_performance | CORRECTNESS | SLF4J_FORMAT_SHOULD_BE_CONST | 257 | High |
| Logger should be final field. Change this field (log) to final field. | STYLE | SLF4J_LOGGER_SHOULD_BE_FINAL | Not available | Medium |
| To prevent illegal usage, logger should be private field. Change this field (log) to private field. | STYLE | SLF4J_LOGGER_SHOULD_BE_PRIVATE | Not available | Medium |
| To make log readable, log format () should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 258 | Medium |
waffle.apache.WaffleAuthenticatorBaseTest$1

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Non derivable method waffle.apache.WaffleAuthenticatorBaseTest$1.authenticate(Request, HttpServletResponse) declares throwing an exception that isn't thrown | CORRECTNESS | BED_BOGUS_EXCEPTION_DECLARATION | 56 | Medium |
| Non derivable method waffle.apache.WaffleAuthenticatorBaseTest$1.doAuthenticate(Request, HttpServletResponse) declares throwing an exception that isn't thrown | CORRECTNESS | BED_BOGUS_EXCEPTION_DECLARATION | 62 | Medium |
waffle.apache.WindowsAccountTest

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Object deserialization is used in waffle.apache.WindowsAccountTest.testIsSerializable() | SECURITY | OBJECT_DESERIALIZATION | 90 | High |
waffle.apache.catalina.SimpleHttpRequest

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| waffle.apache.catalina.SimpleHttpRequest.getSession() may expose internal representation by returning SimpleHttpRequest.httpSession | MALICIOUS_CODE | EI_EXPOSE_REP | 173 | Medium |
| waffle.apache.catalina.SimpleHttpRequest.getSession(boolean) may expose internal representation by returning SimpleHttpRequest.httpSession | MALICIOUS_CODE | EI_EXPOSE_REP | 178 | Medium |
| This method waffle.apache.catalina.SimpleHttpRequest.setQueryString(String) parses a String that is a field | STYLE | STT_STRING_PARSING_A_FIELD | 215 | Medium |
waffle.apache.catalina.SimpleHttpResponse

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| To make log readable, log format ({} {}) should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 62 | Medium |
| To make log readable, log format ({}: {}) should contain non-sign character. | BAD_PRACTICE | SLF4J_SIGN_ONLY_FORMAT | 65 | Medium |
| waffle.apache.catalina.SimpleHttpResponse.flushBuffer() makes inefficient use of keySet iterator instead of entrySet iterator | PERFORMANCE | WMI_WRONG_MAP_ITERATOR | 64 | Medium |