SpotBugs Bug Detector Report
The following document contains the results of SpotBugs
SpotBugs Version is 4.9.4
Threshold is medium
Effort is max
Summary
| Classes | Bugs | Errors | Missing Classes |
|---|---|---|---|
| 120 | 40 | 0 | 0 |
org.forgerock.json.jose.builders.AbstractJwtBuilder

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.forgerock.json.jose.builders.AbstractJwtBuilder.claims(JwtClaimsSet) may expose internal representation by storing an externally mutable object into AbstractJwtBuilder.claimsSet | MALICIOUS_CODE | EI_EXPOSE_REP2 | 63 | Medium |
org.forgerock.json.jose.builders.EncryptedThenSignedJwtBuilder

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| new org.forgerock.json.jose.builders.EncryptedThenSignedJwtBuilder(EncryptedJwtBuilder, SigningHandler, JwsAlgorithm) may expose internal representation by storing an externally mutable object into EncryptedThenSignedJwtBuilder.encryptedJwtBuilder | MALICIOUS_CODE | EI_EXPOSE_REP2 | 50 | Medium |
org.forgerock.json.jose.jwe.EncryptedJwt

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.forgerock.json.jose.jwe.EncryptedJwt.getHeader() may expose internal representation by returning EncryptedJwt.header | MALICIOUS_CODE | EI_EXPOSE_REP | 110 | Medium |
| new org.forgerock.json.jose.jwe.EncryptedJwt(JweHeader, String, byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into EncryptedJwt.authenticationTag | MALICIOUS_CODE | EI_EXPOSE_REP2 | 103 | Medium |
| new org.forgerock.json.jose.jwe.EncryptedJwt(JweHeader, String, byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into EncryptedJwt.ciphertext | MALICIOUS_CODE | EI_EXPOSE_REP2 | 102 | Medium |
| new org.forgerock.json.jose.jwe.EncryptedJwt(JweHeader, String, byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into EncryptedJwt.encryptedContentEncryptionKey | MALICIOUS_CODE | EI_EXPOSE_REP2 | 100 | Medium |
| new org.forgerock.json.jose.jwe.EncryptedJwt(JweHeader, String, byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into EncryptedJwt.header | MALICIOUS_CODE | EI_EXPOSE_REP2 | 98 | Medium |
| new org.forgerock.json.jose.jwe.EncryptedJwt(JweHeader, String, byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into EncryptedJwt.initialisationVector | MALICIOUS_CODE | EI_EXPOSE_REP2 | 101 | Medium |
org.forgerock.json.jose.jwe.JweEncryption

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.forgerock.json.jose.jwe.JweEncryption.getAuthenticationTag() may expose internal representation by returning JweEncryption.authenticationTag | MALICIOUS_CODE | EI_EXPOSE_REP | 57 | Medium |
| org.forgerock.json.jose.jwe.JweEncryption.getCiphertext() may expose internal representation by returning JweEncryption.ciphertext | MALICIOUS_CODE | EI_EXPOSE_REP | 48 | Medium |
| new org.forgerock.json.jose.jwe.JweEncryption(byte[], byte[]) may expose internal representation by storing an externally mutable object into JweEncryption.authenticationTag | MALICIOUS_CODE | EI_EXPOSE_REP2 | 39 | Medium |
| new org.forgerock.json.jose.jwe.JweEncryption(byte[], byte[]) may expose internal representation by storing an externally mutable object into JweEncryption.ciphertext | MALICIOUS_CODE | EI_EXPOSE_REP2 | 38 | Medium |
org.forgerock.json.jose.jwe.handlers.encryption.AbstractRSAESPkcs1V15AesCbcHmacEncryptionHandler

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.forgerock.json.jose.jwe.handlers.encryption.AbstractRSAESPkcs1V15AesCbcHmacEncryptionHandler at new org.forgerock.json.jose.jwe.handlers.encryption.AbstractRSAESPkcs1V15AesCbcHmacEncryptionHandler(SigningManager, EncryptionMethod) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 52 | Medium |
org.forgerock.json.jose.jwk.EcJWK

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.forgerock.json.jose.jwk.EcJWK at new org.forgerock.json.jose.jwk.EcJWK(ECPublicKey, ECPrivateKey, KeyUse, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 81 | Medium |
| Exception thrown in class org.forgerock.json.jose.jwk.EcJWK at new org.forgerock.json.jose.jwk.EcJWK(ECPublicKey, KeyUse, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 67 | Medium |
| Exception thrown in class org.forgerock.json.jose.jwk.EcJWK at new org.forgerock.json.jose.jwk.EcJWK(KeyUse, String, String, String, String, String, String, String, String, List) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 125 | Medium |
| Exception thrown in class org.forgerock.json.jose.jwk.EcJWK at new org.forgerock.json.jose.jwk.EcJWK(KeyUse, String, String, String, String, String, String, String, List) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 105 | Medium |
org.forgerock.json.jose.jwk.JWK

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Possible null pointer dereference of kty in new org.forgerock.json.jose.jwk.JWK(KeyType, KeyUse, String, String, String, String, List) | CORRECTNESS | NP_NULL_ON_SOME_PATH | 94 | High |
| new org.forgerock.json.JsonException(String) not thrown in new org.forgerock.json.jose.jwk.JWK(KeyType, KeyUse, String, String, String, String, List) | CORRECTNESS | RV_EXCEPTION_NOT_THROWN | 92 | High |
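The two High-priority JWK findings sit two lines apart and are usually one bug: an exception object is constructed in a null check but never thrown, so execution falls through to a dereference of the value the check was guarding. The following added example is hypothetical code written for this report, not the ForgeRock JWK constructor (whose statements the report does not show); the names KeyType, JsonException and kty are taken from the finding text, everything else is assumed. It shows the shape that produces both findings and the one-word fix, and why it matters: a JWK with no "kty" should fail with a parse error from the library, not with a NullPointerException that a caller's broad catch block may treat differently.

```java
/**
 * Added illustration of the paired JWK findings (RV_EXCEPTION_NOT_THROWN followed
 * by NP_NULL_ON_SOME_PATH). Hypothetical code; not the ForgeRock constructor.
 */
public final class JwkNullCheckDemo {

    enum KeyType { RSA, EC, OCT }

    /** Stand-in for org.forgerock.json.JsonException (assumed shape). */
    static final class JsonException extends RuntimeException {
        JsonException(String message) {
            super(message);
        }
    }

    /** Shape matching both findings: the exception is built but never thrown,
     *  so a null kty reaches the dereference on the next statement. */
    static String keyTypeNameBefore(KeyType kty) {
        if (kty == null) {
            new JsonException("kty is required");   // RV_EXCEPTION_NOT_THROWN: result discarded
        }
        return kty.name();                           // NP_NULL_ON_SOME_PATH: NPE when kty == null
    }

    /** Fix: actually throw, so the only way out of the null branch is the parse error. */
    static String keyTypeNameAfter(KeyType kty) {
        if (kty == null) {
            throw new JsonException("kty is required");
        }
        return kty.name();
    }

    public static void main(String[] args) {
        try {
            keyTypeNameBefore(null);
        } catch (NullPointerException e) {
            System.out.println("before: NullPointerException instead of a parse error");
        }
        try {
            keyTypeNameAfter(null);
        } catch (JsonException e) {
            System.out.println("after: JsonException(" + e.getMessage() + ")");
        }
    }
}
```

When triaging, open the constructor at the reported lines and confirm the statement on line 92 is a bare `new JsonException(...)`; if so, both findings close with the same `throw`. A `JsonException` is the library's own contract for malformed input; the NPE is not, and anything that catches `JsonException` to reject a bad key set will miss it.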
org.forgerock.json.jose.jwk.JWKLookup

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Found reliance on default encoding in org.forgerock.json.jose.jwk.JWKLookup.lookup(String, KeyType): String.getBytes() | I18N | DM_DEFAULT_ENCODING | 52 | High |
org.forgerock.json.jose.jwk.JWKSet

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.forgerock.json.jose.jwk.JWKSet at new org.forgerock.json.jose.jwk.JWKSet(List) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 78 | Medium |
| Exception thrown in class org.forgerock.json.jose.jwk.JWKSet at new org.forgerock.json.jose.jwk.JWKSet(JsonValue) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 67 | Medium |
| Exception thrown in class org.forgerock.json.jose.jwk.JWKSet at new org.forgerock.json.jose.jwk.JWKSet(JWK) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 56 | Medium |
org.forgerock.json.jose.jwk.OctJWK

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.forgerock.json.jose.jwk.OctJWK at new org.forgerock.json.jose.jwk.OctJWK(KeyUse, String, String, String, String, String, List) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 46 | Medium |
org.forgerock.json.jose.jwk.store.JwksStore

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| This write of the 64-bit primitive variable "cacheMissCacheTimeInMs" may not be atomic | MT_CORRECTNESS | AT_NONATOMIC_64BIT_PRIMITIVE | 185 | Medium |
| This write of the 64-bit primitive variable "cacheTimeoutInMs" may not be atomic | MT_CORRECTNESS | AT_NONATOMIC_64BIT_PRIMITIVE | 177 | Medium |
| Exception thrown in class org.forgerock.json.jose.jwk.store.JwksStore at new org.forgerock.json.jose.jwk.store.JwksStore(String, Duration, Duration, URL, JWKSetParser) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 88 | Medium |
| Exception thrown in class org.forgerock.json.jose.jwk.store.JwksStore at new org.forgerock.json.jose.jwk.store.JwksStore(String, Duration, Duration, URL, SimpleHTTPClient) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 62 | Medium |
| Invocation of java.net.URL.equals(Object), which blocks to do domain name resolution, in org.forgerock.json.jose.jwk.store.JwksStore.setJwkUrl(URL) | PERFORMANCE | DMI_BLOCKING_METHODS_ON_URL | 197 | High |
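Two of the JwksStore findings are worth more than their PERFORMANCE / MT_CORRECTNESS labels suggest for a class that decides which keys verify tokens. `java.net.URL.equals` is documented to resolve both host names and to treat two hosts as equal when they resolve to the same IP addresses (falling back to a case-insensitive name comparison only when resolution fails), so a `setJwkUrl` that compares with `URL.equals` performs a DNS lookup as a side effect of a setter and can judge a genuinely different JWKS endpoint to be "the same" and keep the old cached keys. The non-volatile `long` writes are the textbook JLS 17.7 case: on a JVM where a 64-bit write is two 32-bit writes, another thread can read a torn timeout value. The block below is an added example written for this report, not the ForgeRock JwksStore; the method names `setJwkUrl`, `setCacheTimeout` and the returned "changed" flag are assumptions chosen to match the report's wording.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.time.Duration;

/**
 * Added illustration of the JwksStore findings. Hypothetical class, not the
 * ForgeRock implementation; method names are assumptions.
 */
public final class JwksStoreDemo {

    /** Shape that triggers AT_NONATOMIC_64BIT_PRIMITIVE and DMI_BLOCKING_METHODS_ON_URL. */
    static final class Before {
        private long cacheTimeoutInMs;   // plain long: write may be torn (JLS 17.7), not visible to other threads
        private URL jwkUrl;

        Before(URL jwkUrl, Duration cacheTimeout) {
            this.jwkUrl = jwkUrl;
            this.cacheTimeoutInMs = cacheTimeout.toMillis();
        }

        void setCacheTimeout(Duration cacheTimeout) {
            cacheTimeoutInMs = cacheTimeout.toMillis();     // AT_NONATOMIC_64BIT_PRIMITIVE
        }

        void setJwkUrl(URL url) {
            // DMI_BLOCKING_METHODS_ON_URL: resolves both hosts; equal IPs => "equal" URLs.
            if (!jwkUrl.equals(url)) {
                jwkUrl = url;
            }
        }
    }

    /** volatile makes the 64-bit write atomic and visible; URI.equals compares
     *  the components textually and never touches the network. */
    static final class After {
        private volatile long cacheTimeoutInMs;
        private volatile URI jwkUri;

        After(URL jwkUrl, Duration cacheTimeout) throws URISyntaxException {
            this.jwkUri = jwkUrl.toURI();
            this.cacheTimeoutInMs = cacheTimeout.toMillis();
        }

        void setCacheTimeout(Duration cacheTimeout) {
            cacheTimeoutInMs = cacheTimeout.toMillis();
        }

        /** Returns true when the endpoint actually changed, i.e. when cached keys must be dropped. */
        boolean setJwkUrl(URL url) throws URISyntaxException {
            URI next = url.toURI();
            if (next.equals(jwkUri)) {
                return false;
            }
            jwkUri = next;
            return true;
        }

        URI getJwkUri() { return jwkUri; }
        long getCacheTimeoutInMs() { return cacheTimeoutInMs; }
    }

    public static void main(String[] args) throws MalformedURLException, URISyntaxException {
        // Constructed sample endpoints; nothing here is contacted.
        URL first = URI.create("https://idp.example/.well-known/jwks.json").toURL();
        URL second = URI.create("https://other.example/.well-known/jwks.json").toURL();

        After store = new After(first, Duration.ofMinutes(5));
        System.out.println("changed=" + store.setJwkUrl(second) + " now " + store.getJwkUri());
        System.out.println("changed=" + store.setJwkUrl(second) + " (same endpoint again)");
        store.setCacheTimeout(Duration.ofSeconds(30));
        System.out.println("timeout ms=" + store.getCacheTimeoutInMs());
    }
}
```

`AtomicLong` is the alternative when the timeout is also read-modify-written; `volatile` is enough for a plain set-and-read. If the class must keep a `URL` field for the HTTP client, store it alongside the `URI` and compare only the `URI`; the same applies to `URL.hashCode`, which has the identical resolution behaviour and bites anyone who puts a `URL` in a `HashMap` or `HashSet`.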
org.forgerock.json.jose.jws.JwtSecureHeader

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.forgerock.json.jose.jws.JwtSecureHeader.setJwkSetUrl(URL) invokes inefficient new String(String) constructor | PERFORMANCE | DM_STRING_CTOR | 79 | Medium |
| org.forgerock.json.jose.jws.JwtSecureHeader.setX509Url(URL) invokes inefficient new String(String) constructor | PERFORMANCE | DM_STRING_CTOR | 135 | Medium |
org.forgerock.json.jose.jws.SignedJwt

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.forgerock.json.jose.jws.SignedJwt.getHeader() may expose internal representation by returning SignedJwt.header | MALICIOUS_CODE | EI_EXPOSE_REP | 132 | Medium |
| new org.forgerock.json.jose.jws.SignedJwt(JwsHeader, JwtClaimsSet, SigningHandler) may expose internal representation by storing an externally mutable object into SignedJwt.header | MALICIOUS_CODE | EI_EXPOSE_REP2 | 57 | Medium |
| new org.forgerock.json.jose.jws.SignedJwt(JwsHeader, JwtClaimsSet, byte[], byte[]) may expose internal representation by storing an externally mutable object into SignedJwt.header | MALICIOUS_CODE | EI_EXPOSE_REP2 | 79 | Medium |
| new org.forgerock.json.jose.jws.SignedJwt(JwsHeader, JwtClaimsSet, byte[], byte[]) may expose internal representation by storing an externally mutable object into SignedJwt.signature | MALICIOUS_CODE | EI_EXPOSE_REP2 | 82 | Medium |
| new org.forgerock.json.jose.jws.SignedJwt(JwsHeader, JwtClaimsSet, byte[], byte[]) may expose internal representation by storing an externally mutable object into SignedJwt.signingInput | MALICIOUS_CODE | EI_EXPOSE_REP2 | 81 | Medium |
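The EI_EXPOSE_REP / EI_EXPOSE_REP2 findings on EncryptedJwt, JweEncryption and SignedJwt above all describe one pattern: a constructor keeps the caller's `byte[]` (ciphertext, authentication tag, signature, signing input, IV) or mutable object (header, claims set) instead of a copy, and a getter hands the field itself back out. The added example below is hypothetical code written for this report, not the ForgeRock classes, and uses one pair of `byte[]` fields to show both directions of the leak and the defensive-copy fix; the `tagMatches` helper is a stand-in for whatever verification the real classes perform.

```java
import java.security.MessageDigest;
import java.util.Arrays;

/**
 * Added illustration of EI_EXPOSE_REP2 (constructor stores a caller's array) and
 * EI_EXPOSE_REP (getter returns the field itself). Hypothetical classes, not the
 * ForgeRock EncryptedJwt, JweEncryption or SignedJwt.
 */
public final class ExposeRepDemo {

    /** The reported shape: byte[] stored and returned without copying. */
    static final class LeakyEncryption {
        private final byte[] ciphertext;
        private final byte[] authenticationTag;

        LeakyEncryption(byte[] ciphertext, byte[] authenticationTag) {
            this.ciphertext = ciphertext;                 // EI_EXPOSE_REP2
            this.authenticationTag = authenticationTag;   // EI_EXPOSE_REP2
        }

        byte[] getCiphertext() { return ciphertext; }                 // EI_EXPOSE_REP
        byte[] getAuthenticationTag() { return authenticationTag; }   // EI_EXPOSE_REP
    }

    /** Defensive copies on the way in and on the way out: the object now holds
     *  the only reference to its arrays, so `final` actually means immutable. */
    static final class SafeEncryption {
        private final byte[] ciphertext;
        private final byte[] authenticationTag;

        SafeEncryption(byte[] ciphertext, byte[] authenticationTag) {
            this.ciphertext = ciphertext.clone();
            this.authenticationTag = authenticationTag.clone();
        }

        byte[] getCiphertext() { return ciphertext.clone(); }
        byte[] getAuthenticationTag() { return authenticationTag.clone(); }
    }

    /** Stand-in for a verifier: constant-time comparison of the stored tag
     *  against a freshly computed one (assumed, not the library's check). */
    static boolean tagMatches(byte[] stored, byte[] computed) {
        return MessageDigest.isEqual(stored, computed);
    }

    public static void main(String[] args) {
        // Constructed sample values; a real tag would come from the AEAD step.
        byte[] computedTag = {1, 2, 3, 4};
        byte[] tag = computedTag.clone();

        LeakyEncryption leaky = new LeakyEncryption(new byte[] {9}, tag);
        SafeEncryption safe = new SafeEncryption(new byte[] {9}, tag);

        // 1. Whoever still holds `tag` rewrites the leaky object's field after construction.
        tag[0] = 42;
        System.out.println("leaky tag " + Arrays.toString(leaky.getAuthenticationTag())
                + " verifies=" + tagMatches(leaky.getAuthenticationTag(), computedTag));
        System.out.println("safe tag  " + Arrays.toString(safe.getAuthenticationTag())
                + " verifies=" + tagMatches(safe.getAuthenticationTag(), computedTag));

        // 2. The leaky getter hands out the field itself, so callers can change it too.
        leaky.getAuthenticationTag()[1] = 99;
        safe.getAuthenticationTag()[1] = 99;
        System.out.println("leaky tag after getter write " + Arrays.toString(leaky.getAuthenticationTag()));
        System.out.println("safe tag after getter write  " + Arrays.toString(safe.getAuthenticationTag()));
    }
}
```

Triage note: the two builder findings (AbstractJwtBuilder.claimsSet, EncryptedThenSignedJwtBuilder.encryptedJwtBuilder) hold a mutable object that the builder goes on to mutate by design, so those are normally accepted with a filter entry. The ones to act on are the fields of an already parsed or verified token: `SignedJwt.getHeader()` returning the live `JwsHeader` means a caller that sets a header parameter after `verify()` is looking at a header that no longer matches `signingInput`, and a `signature` array shared with the caller can be altered between construction and verification. For the mutable header and claims objects the equivalent of `clone()` is a copy constructor or an unmodifiable view, whichever the class already offers.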
org.forgerock.json.jose.jws.handlers.ECDSASigningHandler

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| Exception thrown in class org.forgerock.json.jose.jws.handlers.ECDSASigningHandler at new org.forgerock.json.jose.jws.handlers.ECDSASigningHandler(ECPrivateKey) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 54 | Medium |
| Exception thrown in class org.forgerock.json.jose.jws.handlers.ECDSASigningHandler at new org.forgerock.json.jose.jws.handlers.ECDSASigningHandler(ECPublicKey) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 65 | Medium |
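CT_CONSTRUCTOR_THROW is reported fourteen times in this run (AbstractRSAESPkcs1V15AesCbcHmacEncryptionHandler, EcJWK, JWKSet, OctJWK, JwksStore and ECDSASigningHandler). The finding is only exploitable when untrusted code can subclass the class: once `Object()` has completed, the instance is finalizable even if the constructor then throws, so a subclass that overrides `finalize()` receives a reference to an object whose validation never finished. The report does not say whether the reported classes are `final` or define a `final finalize()`; check that first, because a final class with a throwing constructor is a false positive here. The added example below is hypothetical code written for this report, not the ForgeRock handlers; it uses a 32-byte `byte[]` in place of an `ECPrivateKey` so it runs without key material, and it assumes finalization is enabled (the JDK default; JDK 18 and later can disable it with `--finalization=disabled`).

```java
/**
 * Added illustration of CT_CONSTRUCTOR_THROW (finalizer attack). Hypothetical
 * classes, not the ForgeRock handlers named in the report.
 */
public class FinalizerAttackDemo {

    /** Validates in the constructor and throws on bad input. Not final and no
     *  final finalize(): a subclass can still obtain the half-built instance. */
    static class CheckedHandler {
        protected byte[] key;

        CheckedHandler(byte[] key) {
            if (key == null || key.length != 32) {
                throw new IllegalArgumentException("key must be 32 bytes");
            }
            this.key = key.clone();
        }
    }

    /** Attacker-controlled subclass: the constructor throws, but Object() has
     *  already completed, so finalize() runs on the instance and leaks a
     *  reference whose invariants (key present, key length) do not hold. */
    static class Evil extends CheckedHandler {
        static volatile CheckedHandler captured;

        Evil() {
            super(new byte[1]);   // fails validation, constructor throws
        }

        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected void finalize() {
            captured = this;
        }
    }

    /** Mitigation: a final class whose validation runs in a static factory before
     *  any object exists; the private constructor only stores checked values. */
    static final class SafeHandler {
        private final byte[] key;

        private SafeHandler(byte[] checkedKey) {
            this.key = checkedKey;
        }

        static SafeHandler create(byte[] key) {
            if (key == null || key.length != 32) {
                throw new IllegalArgumentException("key must be 32 bytes");
            }
            return new SafeHandler(key.clone());
        }
    }

    @SuppressWarnings({"deprecation", "removal"})
    public static void main(String[] args) throws InterruptedException {
        try {
            new Evil();
        } catch (IllegalArgumentException e) {
            System.out.println("constructor threw: " + e.getMessage());
        }
        // Finalization is not deterministic; nudge the collector a few times.
        for (int i = 0; i < 20 && Evil.captured == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        CheckedHandler leaked = Evil.captured;
        System.out.println("leaked partially initialised instance: " + (leaked != null));
        if (leaked != null) {
            System.out.println("leaked.key == null: " + (leaked.key == null));
        }

        try {
            SafeHandler.create(new byte[1]);
        } catch (IllegalArgumentException e) {
            // No SafeHandler was allocated on this path, so nothing is finalizable.
            System.out.println("factory rejected the key before any object existed");
        }
    }
}
```

Two other accepted fixes, for cases where the constructor must stay public: declare the class `final` (or add a `protected final void finalize()` that does nothing), or delegate through `this(check(key))` from the public constructor to a private one, which runs the check as an argument expression before `Object()` completes so a failure leaves nothing to finalize. For a key-handling class the leaked object is the concern, not the exception: an `ECDSASigningHandler` without its key is a signer that fails, but a handler whose partially-set state makes a verify path succeed would be worse, so verify what each reported constructor has assigned before the line that throws.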
org.forgerock.json.jose.jwt.JwtClaimsSet

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.forgerock.json.jose.jwt.JwtClaimsSet.setClaims(Map) makes inefficient use of keySet iterator instead of entrySet iterator | PERFORMANCE | WMI_WRONG_MAP_ITERATOR | 417 | Medium |
org.forgerock.json.jose.jwt.JwtHeader

| Bug | Category | Details | Line | Priority |
|---|---|---|---|---|
| org.forgerock.json.jose.jwt.JwtHeader.setParameters(Map) makes inefficient use of keySet iterator instead of entrySet iterator | PERFORMANCE | WMI_WRONG_MAP_ITERATOR | 148 | Medium |