issue-4 #5
issue-4 #5
Conversation
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
|
|
||
| public static boolean match(final String filter, final OperationData data) | ||
| { | ||
| final String[] expression = filter.split("="); |
There was a problem hiding this comment.
StringSplitter: String.split(String) has surprising behavior (details)
| final String[] expression = filter.split("="); | |
| final List<String> expression = Splitter.on('=').splitToList(filter); |
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| } | ||
|
|
||
| final boolean existsOnClassPath = ExtractMojo.class.getClassLoader().getResourceAsStream(source) != null; | ||
| final boolean existsOnFilesystem = Files.exists(Paths.get(source)); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input (details)
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
|
|
||
| if (targetFile == null) | ||
| { | ||
| targetFile = Paths.get(project.getBuild().getOutputDirectory()).resolve(name + ".yaml").toFile(); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input (details)
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| public static boolean match(final OperationFilter filter, final OperationData data) | ||
| { | ||
| final String path = filter.getPointer().startsWith("/") ? filter.getPointer() : "/" + filter.getPointer(); | ||
| final String regexp = filter.getExpression(); |
There was a problem hiding this comment.
UnusedVariable: The local variable 'regexp' is never read. (details)
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| } | ||
|
|
||
| @Override | ||
| public boolean equals(final Object o) |
There was a problem hiding this comment.
EqualsGetClass: Prefer instanceof to getClass when implementing Object#equals. (details)
| public boolean equals(final Object o) | |
| if (!(o instanceof OperationFilter)) return false; |
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
|
|
||
| if (outputFile == null) | ||
| { | ||
| outputFile = Paths.get(project.getBuild().getOutputDirectory()).resolve(name + ".yaml").toFile(); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input (details)
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| } | ||
|
|
||
| final boolean existsOnClassPath = ExtractMojo.class.getClassLoader().getResourceAsStream(source) != null; | ||
| final boolean existsOnFilesystem = Files.exists(Paths.get(source)); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input (details)
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| </dependency> | ||
| <dependency> | ||
| <groupId>org.apache.maven.plugin-tools</groupId> | ||
| <artifactId>maven-plugin-annotations</artifactId> | ||
| <version>3.6.0</version> | ||
| <version>3.6.4</version> | ||
| <scope>provided</scope> | ||
| </dependency> | ||
| <dependency> |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:maven/org.apache.maven/maven-core@3.8.5
0 Critical, 2 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies
Components
pkg:maven/com.google.guava/guava@27.0.1-jre
SEVERE Vulnerabilities (1)
[sonatype-2020-0926] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
guava - Creation of Temporary File in Directory with Insecure Permissions [CVE-2020-8908]
The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
CVSS Score: 6.2
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-379
pkg:maven/commons-io/commons-io@2.6
SEVERE Vulnerabilities (1)
[sonatype-2018-0705] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
commons-io - Path Traversal [CVE-2021-29425]
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-22
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
No description provided.