<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 29 June 2016 at 17:55, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Hello group,<br></div><div><br></div><div>I just ran findbugs [1] with the find-sec-bugs [0] and found quite a bunch of rather </div><div>suspicious places in the Keycloak codebase.</div><div><br></div><div>Note that I don't want to blame anyone but rather try to improve the codebase :)</div><div><br></div><div>For instance there are some quite prominent (and sensitive) non-final public static fields that could </div><div>be easily changed to something else (in case they aren't inlined).</div><div><a href="https://github.com/keycloak/keycloak/blob/3c0f7e2ee2140a9e69e4e95eb24d5a122e63e09a/server-spi/src/main/java/org/keycloak/models/AdminRoles.java#L25" target="_blank">https://github.com/keycloak/keycloak/blob/3c0f7e2ee2140a9e69e4e95eb24d5a122e63e09a/server-spi/src/main/java/org/keycloak/models/AdminRoles.java#L25</a> </div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Furthermore there seem to be some dead code left-overs from merges spread over the codebase e.g.:</div><div><a href="https://github.com/keycloak/keycloak/blob/3a669ad7d5b4a72a8eb2bbb23e91083b63f59a2f/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java#L144" target="_blank">https://github.com/keycloak/keycloak/blob/3a669ad7d5b4a72a8eb2bbb23e91083b63f59a2f/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java#L144</a> </div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>The question is how to deal with that?</div><div>I could send PRs for those issues - they would contain quite a bunch of files </div><div>with minor changes. Would you be open to such contributions and if so, what JIRA issue </div><div>should one reference here?</div></div></blockquote><div><br></div><div>Ideally it would be broken into JIRAs and PRs sent for a few changes at a time. If you send too many changes in one PR/JIRA it would be much more effort to review the PR.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Cheers,</div><div>Thomas</div><div><br></div><div>[0] <a href="http://find-sec-bugs.github.io/" target="_blank">http://find-sec-bugs.github.io/</a></div><div>[1] <a href="https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration" target="_blank">https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration</a> </div><div><br></div></div>
<br>_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br></blockquote></div><br></div></div>
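<div>An added illustration of the non-final public static field finding discussed in the thread above. This is not Keycloak's code; the class names, the role strings and the check methods are constructed for the example. It shows why a mutable public static "constant" is a weak basis for an authorization decision and how declaring it <code>final</code> (a compile-time constant, inlined by javac) removes the problem.</div>

```java
// Added example, not Keycloak code: mutable vs. final public static role constants.
// All names here (RoleConstantsDemo, MutableRoles, FinalRoles, the role strings) are hypothetical.
public final class RoleConstantsDemo {

    // Weak form: any code loaded in the same JVM can reassign this field at runtime.
    static final class MutableRoles {
        public static String REALM_ADMIN = "realm-admin";
    }

    // Hardened form: final plus a compile-time constant. javac inlines the value at
    // use sites and the field itself can never be reassigned.
    static final class FinalRoles {
        public static final String REALM_ADMIN = "realm-admin";
    }

    // An authorization decision that trusts the constant. With the mutable field the
    // outcome depends on whatever the field currently holds, not on the intended role.
    static boolean isAdminMutable(String grantedRole) {
        return MutableRoles.REALM_ADMIN.equals(grantedRole);
    }

    static boolean isAdminFinal(String grantedRole) {
        return FinalRoles.REALM_ADMIN.equals(grantedRole);
    }

    public static void main(String[] args) {
        // Simulate any code in the JVM (a buggy extension, a careless test, a merge
        // leftover) that overwrites the mutable constant.
        MutableRoles.REALM_ADMIN = "view-users";

        // A low-privilege role now satisfies the check built on the mutable field,
        // while the check built on the final constant still rejects it.
        System.out.println("mutable check, view-users: " + isAdminMutable("view-users"));
        System.out.println("final check,   view-users: " + isAdminFinal("view-users"));

        // FinalRoles.REALM_ADMIN = "x"; // rejected by the compiler: cannot assign to a final field
    }
}
```

The same reasoning applies to any non-final public static field a static analyser such as find-sec-bugs flags: if the value drives a security decision, making it final (and private where possible) is the fix.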