Cleanup FindSecBugs warnings #189

@oleg-nenashev

Recent Jenkins Parent POM versions introduce FindSecBugs: https://find-sec-bugs.github.io/ (introduced in jenkinsci/pom#61). All these issues do not seem to be relevant to Custom WAR Packager itself, but some of them might be relevant to https://github.com/jenkinsci/custom-distribution-service from @sladyn98, also CC @halkeye. It is unlikely, but it is better to do a graceful review/cleanup while the service is in the alpha state.

[2020-10-12T05:54:06.847Z] [INFO] --- spotbugs-maven-plugin:4.1.3:check (spotbugs) @ custom-war-packager-lib ---

[2020-10-12T05:54:06.848Z] [INFO] BugInstance size is 20

[2020-10-12T05:54:06.848Z] [INFO] Error size is 0

[2020-10-12T05:54:06.848Z] [INFO] Total bugs: 20

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.config.Config, io.jenkins.tools.warpackager.lib.config.BuildSettings, io.jenkins.tools.warpackager.lib.config.Config] At Config.java:[line 118]At BuildSettings.java:[line 111]At Config.java:[line 118] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.config.Config, io.jenkins.tools.warpackager.lib.config.BuildSettings, io.jenkins.tools.warpackager.lib.config.Config] At Config.java:[line 114]At BuildSettings.java:[line 111]At Config.java:[line 114] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.config.Config, io.jenkins.tools.warpackager.lib.config.Config] At Config.java:[line 72]At Config.java:[line 72] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder] At Builder.java:[line 150]At Builder.java:[line 150] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder] At Builder.java:[line 204]At Builder.java:[line 204] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder] At Builder.java:[line 274]At Builder.java:[line 274] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder] At Builder.java:[line 327]At Builder.java:[line 327] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder] At Builder.java:[line 234]At Builder.java:[line 135]At Builder.java:[line 136] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder] At Builder.java:[line 241]At Builder.java:[line 241] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher] At JenkinsWarPatcher.java:[line 205] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher] At JenkinsWarPatcher.java:[line 211] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher] At JenkinsWarPatcher.java:[line 73] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher] At JenkinsWarPatcher.java:[line 164]At Builder.java:[line 156]At Builder.java:[line 157]At JenkinsWarPatcher.java:[line 110]At JenkinsWarPatcher.java:[line 135]At JenkinsWarPatcher.java:[line 140]At JenkinsWarPatcher.java:[line 164] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks [io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher] At JenkinsWarPatcher.java:[line 224] XXE_DOCUMENT

[2020-10-12T05:54:06.848Z] [ERROR] Medium: The use of TransformerFactory.newInstance(...) (TransformerFactory) is vulnerable to XML External Entity attacks [io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher] At JenkinsWarPatcher.java:[line 252] XXE_DTD_TRANSFORM_FACTORY

[2020-10-12T05:54:06.848Z] [ERROR] Medium: The use of TransformerFactory.newInstance(...) is vulnerable to XSLT External Entity attacks [io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher] At JenkinsWarPatcher.java:[line 252] XXE_XSLT_TRANSFORM_FACTORY

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This web server request could be used by an attacker to expose internal services and filesystem. [io.jenkins.tools.warpackager.lib.impl.plugins.UpdateCenterPluginInfoProvider] At UpdateCenterPluginInfoProvider.java:[line 46] URLCONNECTION_SSRF_FD

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.config.SourceInfo, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.plugins.MavenPluginInfoProvider, io.jenkins.tools.warpackager.lib.impl.plugins.MavenPluginInfoProvider, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper] At MavenHelper.java:[line 106]At SourceInfo.java:[line 43]At Builder.java:[line 114]At Builder.java:[line 118]At Builder.java:[line 121]At Builder.java:[line 128]At Builder.java:[line 197]At Builder.java:[line 261]At Builder.java:[line 291]At Builder.java:[line 292]At Builder.java:[line 298]At Builder.java:[line 303]At Builder.java:[line 306]At MavenPluginInfoProvider.java:[line 32]At MavenPluginInfoProvider.java:[line 33]At MavenHelper.java:[line 92]At MavenHelper.java:[line 95]At MavenHelper.java:[line 104] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input [io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.impl.plugins.MavenPluginInfoProvider, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper] At MavenHelper.java:[line 86]At MavenPluginInfoProvider.java:[line 32]At MavenHelper.java:[line 85]At MavenHelper.java:[line 92]At MavenHelper.java:[line 95] PATH_TRAVERSAL_IN

[2020-10-12T05:54:06.848Z] [ERROR] Medium: This usage of java/lang/ProcessBuilder.<init>([Ljava/lang/String;)V can be vulnerable to Command Injection [io.jenkins.tools.warpackager.lib.util.SystemCommandHelper, io.jenkins.tools.warpackager.lib.config.DockerBuildSettings, io.jenkins.tools.warpackager.lib.config.SourceInfo, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.Builder, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.JenkinsWarPatcher, io.jenkins.tools.warpackager.lib.impl.plugins.MavenPluginInfoProvider, io.jenkins.tools.warpackager.lib.impl.plugins.MavenPluginInfoProvider, io.jenkins.tools.warpackager.lib.util.DockerfileBuilder, io.jenkins.tools.warpackager.lib.util.DockerfileBuilder, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.MavenHelper, io.jenkins.tools.warpackager.lib.util.SystemCommandHelper, io.jenkins.tools.warpackager.lib.util.SystemCommandHelper, io.jenkins.tools.warpackager.lib.util.SystemCommandHelper, io.jenkins.tools.warpackager.lib.util.SystemCommandHelper, io.jenkins.tools.warpackager.lib.util.SystemCommandHelper] At SystemCommandHelper.java:[line 32]At DockerBuildSettings.java:[line 67]At SourceInfo.java:[line 43]At Builder.java:[line 114]At Builder.java:[line 118]At Builder.java:[line 121]At Builder.java:[line 128]At Builder.java:[line 147]At Builder.java:[line 156]At Builder.java:[line 157]At Builder.java:[line 165]At Builder.java:[line 197]At Builder.java:[line 261]At Builder.java:[line 291]At Builder.java:[line 292]At Builder.java:[line 298]At Builder.java:[line 303]At Builder.java:[line 306]At Builder.java:[line 329]At Builder.java:[line 344]At Builder.java:[line 349]At Builder.java:[line 350]At JenkinsWarPatcher.java:[line 110]At JenkinsWarPatcher.java:[line 135]At JenkinsWarPatcher.java:[line 140]At JenkinsWarPatcher.java:[line 165]At MavenPluginInfoProvider.java:[line 32]At MavenPluginInfoProvider.java:[line 33]At DockerfileBuilder.java:[line 55]At DockerfileBuilder.java:[line 60]At MavenHelper.java:[line 46]At MavenHelper.java:[line 53]At MavenHelper.java:[line 59]At MavenHelper.java:[line 61]At MavenHelper.java:[line 62]At MavenHelper.java:[line 66]At MavenHelper.java:[line 69]At MavenHelper.java:[line 107]At MavenHelper.java:[line 114]At MavenHelper.java:[line 132]At MavenHelper.java:[line 138]At MavenHelper.java:[line 161]At MavenHelper.java:[line 165]At MavenHelper.java:[line 166]At SystemCommandHelper.java:[line 29]At SystemCommandHelper.java:[line 36]At SystemCommandHelper.java:[line 37]At SystemCommandHelper.java:[line 44]At SystemCommandHelper.java:[line 50] COMMAND_INJECTION

[2020-10-12T05:54:06.848Z] [INFO] 
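The XXE_DOCUMENT, XXE_DTD_TRANSFORM_FACTORY/XXE_XSLT_TRANSFORM_FACTORY and PATH_TRAVERSAL_IN detectors in the log above each map to a standard hardening step. The class below is an added illustration of those steps, not code from custom-war-packager or the custom-distribution-service; the class name SafeIo, its method names, the base directory "work" and the sample inputs are assumptions.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical helper class, not part of custom-war-packager.
public final class SafeIo {
    // XXE_DOCUMENT: refuse any DOCTYPE, so no external entity can be declared.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dbf;
    }

    // XXE_DTD_TRANSFORM_FACTORY / XXE_XSLT_TRANSFORM_FACTORY: no external fetches.
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // PATH_TRAVERSAL_IN for new File(baseDir, userSupplied): the normalised result
    // must still start with baseDir. Lexical check only; symlinks need toRealPath().
    static File resolveInside(File baseDir, String userSupplied) {
        Path base = baseDir.toPath().toAbsolutePath().normalize();
        Path target = base.resolve(userSupplied).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("escapes " + base + ": " + userSupplied);
        }
        return target.toFile();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the DOCTYPE is rejected before any entity is resolved.
        String doc = "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///nonexistent\">]><x>&e;</x>";
        try {
            hardenedDocumentBuilderFactory().newDocumentBuilder().parse(new InputSource(new StringReader(doc)));
        } catch (SAXParseException expected) {
            System.out.println("XML rejected: " + expected.getMessage());
        }
        System.out.println(resolveInside(new File("work"), "plugins/git.hpi")); // accepted
        System.out.println(resolveInside(new File("work"), "../outside.txt"));  // throws
    }
}
```

The ProcessBuilder and URLConnection findings are not covered here: ProcessBuilder with a String[] does not invoke a shell, so for those the review question is which arguments are user-controlled rather than quoting.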
