<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <FindBugsFilter xmlns="https://github.com/spotbugs/filter/3.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd"> <!-- v v CN_IDIOM_NO_SUPER_CALL = clone method does not call supper.clone(). OK since shallow clone wanted--> <Match> <Class name="org.apache.ofbiz.entity.GenericEntity" /> <Method name="clone" /> <Bug pattern="CN_IDIOM_NO_SUPER_CALL" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.GenericPK" /> <Method name="clone" /> <Bug pattern="CN_IDIOM_NO_SUPER_CALL" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.GenericValue" /> <Method name="clone" /> <Bug pattern="CN_IDIOM_NO_SUPER_CALL" /> </Match> <!-- ^ ^ CN_IDIOM_NO_SUPER_CALL = clone method does not call supper.clone(). OK since shallow clone wanted--> <!-- v v OK because of synchronized use --> <Match> <Class name="org.apache.ofbiz.webapp.view.ApacheFopWorker" /> <Method name="getFactoryInstance" /> <Bug pattern="DC_DOUBLECHECK" /> </Match> <Match> <Class name="org.apache.ofbiz.accounting.thirdparty.valuelink.ValueLinkApi" /> <Method name="getWorkingKeyIndex" /> <Bug pattern="DC_DOUBLECHECK" /> </Match> <!-- ^ ^ OK because of synchronized use --> <!-- v v OK see remark about OWASP advice at bottom of OFBIZ-9973 --> <Match> <Class name="org.apache.ofbiz.pricat.PricatParseExcelHtmlThread" /> <Method name="storePricatFile" /> <Bug pattern="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE" /> </Match> <Match> <Class name="org.apache.ofbiz.security.SecuredUpload" /> <Method name="isValidFileName" /> <Bug pattern="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE" /> </Match> <!-- ^ ^ OK see remark about OWASP advice at bottom of OFBIZ-9973 --> <!-- v v OK all is internal --> <!-- Though asmentioned by SpotBugs: "a PreparedStatement, is more efficient" --> <Match> <Class name="org.apache.ofbiz.entity.util.SequenceUtil" /> <Method name="SequenceBank" /> <Bug pattern="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.jdbc.DatabaseUtil" /> <Method name="createTable" /> <Bug pattern="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.util.SequenceUtil$SequenceBank" /> <Method name="fillBank" /> <Bug pattern="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" /> </Match> <!-- ^ ^ OK all is internal --> <!-- v v OK all is internal (as long as not proved otherwise...)--> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="partialSelect"/> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="select" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="selectByMultiRelation" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="selectCountByCondition" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="selectListIteratorByCondition" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="singleInsert" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="customUpdate" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="updateByCondition" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> <Class name="org.apache.ofbiz.entity.datasource.GenericDAO" /> <Method name="singleUpdate" /> <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <!-- ^ ^ OK all is internal (as long as not proved otherwise...)--> <!-- v v not a problem, false positive --> <Match> <!-- It's OK, cf. OFBIZ-9973 --> <Class name="org.apache.ofbiz.product.imagemanagement.FrameImage" /> <Method name="previewFrameImage" /> <Bug pattern="PT_RELATIVE_PATH_TRAVERSAL" /> </Match> <Match> <!-- not a problem, this is used only once during test, no possible collisions --> <!-- Moreover this is now commented out to allow building with BuilBot 3.3.2 --> <Class name="org.apache.ofbiz.service.test.XmlRpcTests" /> <Field name="url" /> <Bug pattern="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" /> </Match> <Match> <!-- not a problem, report is initialised by initHtmlReport and then feed by different threads --> <Class name="org.apache.ofbiz.htmlreport.AbstractReportThread" /> <Field name="report" /> <Bug pattern="UWF_UNWRITTEN_FIELD " /> </Match> <Match> <!-- not a problem, servletContext is initialised by contextInitialized() and then only read before being destroyed by contextDestroyed() --> <Class name="org.apache.ofbiz.ws.rs.listener.ApiContextListener" /> <Field name="servletContext" /> <Bug pattern="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" /> </Match> <Match> <!-- not a problem, apiKey is initialised by UtilProperties.getPropertyValue() and then only read or possibly modified by the only constructor --> <Class name="org.apache.ofbiz.ecommerce.janrain.JanrainHelper" /> <Field name="apiKey" /> <Bug pattern="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" /> </Match> <Match> <!-- not a problem, baseUrl is initialised by UtilProperties.getPropertyValue() and then only read or possibly modified by the only constructor --> <Class name="org.apache.ofbiz.ecommerce.janrain.JanrainHelper" /> <Field name="baseUrl" /> <Bug pattern="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" /> </Match> <Match> <!-- not a problem, as specified in org.jsoup.nodes.Element : @param attributes initial attributes (optional, may be null) --> <Class name="org.apache.ofbiz.widget.WidgetWorker" /> <Method name="makeHiddenFormLinkFormElement" /> <Bug pattern="NP_NONNULL_PARAM_VIOLATION" /> </Match> <Match> <!-- not a problem, the alert is right in SecuredUpload. But isValidText is also called in other situations where no dereferencing is done) --> <Class name="org.apache.ofbiz.security.SecuredUpload" /> <Method name="isValidText" /> <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE" /> </Match> <Match> <!-- not a problem, we check before for a Collection. Could be also a List or a Set, we cant to be sure it's a Map--> <Class name="org.apache.ofbiz.base.util.collections.GenericMapValues" /> <Method name="equals" /> <Bug pattern="EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS" /> </Match><!-- ^ ^ not a problem, false positives --> <Match> <!-- As it's also used by WebAppCacheTest class I made it package. That's safer but not enough as private so it's here with the whole class--> <Class name="org.apache.ofbiz.webapp.WebAppCache" /> <Bug pattern="SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR" /> </Match> </FindBugsFilter>