[keycloak-dev] Code cleanup

Bruno Oliveira bruno at abstractj.org
Wed Jun 29 15:24:54 EDT 2016


Hi Thomas, some months ago I did the same with findbugs; the problem is
that the plugin can show you some false positives, and in other
situations the findings are not exploitable. For example, non-final public
static fields in, let's say, code with no exposure.

For the dead code, I would definitely file a Jira and submit a PR. For
the security reports from findbugs, maybe a separate (sensitive) Jira
makes sense.

In this way we evaluate how likely and exploitable the issue is.

Makes sense?

On 2016-06-29, Thomas Darimont wrote:
> Hello group,
>
> I just ran findbugs [1] with the find-sec-bugs [0] plugin and found quite
> a bunch of rather suspicious places in the Keycloak codebase.
>
> Note that I don't want to blame anyone but rather try to improve the
> codebase :)
>
> For instance there are some quite prominent (and sensitive) non-final
> public static fields that could be easily changed to something else
> (in case they aren't inlined).
> https://github.com/keycloak/keycloak/blob/3c0f7e2ee2140a9e69e4e95eb24d5a122e63e09a/server-spi/src/main/java/org/keycloak/models/AdminRoles.java#L25
>
> Furthermore there seem to be some dead code left-overs from merges spread
> over the codebase, e.g.:
> https://github.com/keycloak/keycloak/blob/3a669ad7d5b4a72a8eb2bbb23e91083b63f59a2f/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java#L144
>
> Question is how to deal with that?
> I could send PRs for those issues - they would contain quite a bunch of
> files with minor changes. Would you be open to such contributions and if
> so, what JIRA issue should one reference here?
>
> Cheers,
> Thomas
>
> [0] http://find-sec-bugs.github.io/
> [1] https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration

> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


--

abstractj
PGP: 0x84DC9914
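As an added illustration of the non-final public static field finding discussed in this thread (example code written for this page, not Keycloak's own; the MutableRoles and FinalRoles classes are hypothetical stand-ins for AdminRoles, and findMutableStatics is a minimal reflection-based version of the check a tool like FindBugs performs on bytecode):

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Keycloak code): a minimal "public static field should be
 * final" check, plus a demonstration of why the finding matters for fields
 * that hold role names.
 */
public class MutableStaticFieldCheck {

    /** Hypothetical weak form: ADMIN can be reassigned by any code in the JVM. */
    static class MutableRoles {
        public static String ADMIN = "admin";
        public static final String VIEW_USERS = "view-users";
    }

    /** Hypothetical hardened form: every role name is a compile-time constant. */
    static class FinalRoles {
        public static final String ADMIN = "admin";
        public static final String VIEW_USERS = "view-users";
    }

    /**
     * Returns "Class.field" for every public static field of {@code type}
     * that is not final, i.e. the same condition FindBugs reports.
     */
    public static List<String> findMutableStatics(Class<?> type) {
        List<String> findings = new ArrayList<>();
        for (Field f : type.getDeclaredFields()) {
            int mods = f.getModifiers();
            if (Modifier.isPublic(mods) && Modifier.isStatic(mods) && !Modifier.isFinal(mods)) {
                findings.add(type.getSimpleName() + "." + f.getName());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Only the non-final field is reported.
        System.out.println("MutableRoles: " + findMutableStatics(MutableRoles.class)); // [MutableRoles.ADMIN]
        System.out.println("FinalRoles:   " + findMutableStatics(FinalRoles.class));   // []

        // Any code that can load the class can silently change the value that
        // every later comparison against MutableRoles.ADMIN will use.
        MutableRoles.ADMIN = "view-users";
        System.out.println("ADMIN after reassignment: " + MutableRoles.ADMIN);
    }
}
```

The `final` form also addresses the inlining caveat in the quoted message: a `public static final String` initialised with a literal is a compile-time constant, so the compiler copies its value into each referencing class, and callers no longer read the field at runtime at all.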

