January 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-7961) Coverity static analysis: Serializable *Callback classes containes non-serializable fields

by Martin Choma (JIRA)

Martin Choma created WFLY-7961: ---------------------------------- Summary: Coverity static analysis: Serializable *Callback classes containes non-serializable fields Key: WFLY-7961 URL: https://issues.jboss.org/browse/WFLY-7961 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse Coverity static analysis found, there is couple of *Callback classes, which are mark as Serializable, and contains non-serializable fields. CredentialCallback CredentialUpdateCallback MechanismInformationCallback SSLCallback SecurityIdentityCallback ServerCredentialCallback TrustedAuthoritiesCallback Either mark fields as transient or Serializable. https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=84905... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7950) Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7950?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-7950: ------------------------------- Description: Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity. https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=86223... Please resolve this inconsistent situation. By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested. {code:title=hipchat.log} [3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication? [3:23 PM] Darran Lofthouse: No it can't be [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity [3:26 PM] David M. Lloyd: among other problems [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it [3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right? [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI {code} was: Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity. https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=84867... Please resolve this inconsistent situation. By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested. {code:title=hipchat.log} [3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication? [3:23 PM] Darran Lofthouse: No it can't be [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity [3:26 PM] David M. Lloyd: among other problems [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it [3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right? [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI {code} > Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount > ------------------------------------------------------------------------------------------------------- > > Key: WFLY-7950 > URL: https://issues.jboss.org/browse/WFLY-7950 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Darran Lofthouse > > Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity. > https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=86223... > Please resolve this inconsistent situation. > By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested. > {code:title=hipchat.log} > [3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication? > [3:23 PM] Darran Lofthouse: No it can't be > [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state > [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity > [3:26 PM] David M. Lloyd: among other problems > [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it > [3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right? > [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7951) Coverity static analysis: Performace optimalization in map iterating

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7951?page=com.atlassian.jira.plugin.... ] Martin Choma closed WFLY-7951. ------------------------------ Resolution: Duplicate Duplicate with WFLY-7956 > Coverity static analysis: Performace optimalization in map iterating > -------------------------------------------------------------------- > > Key: WFLY-7951 > URL: https://issues.jboss.org/browse/WFLY-7951 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Ilia Vassilev > Priority: Minor > > Coverity static analysis found iterating over map can be enhanced > https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=84867... > Instead of Map.keySet() + Map.get() combo use just Map.entrySet(). > > {code:java|title=ElytronHttpExchange#getRequestParameters} > for (String name : queryParameters.keySet()) { > List<String> values = new ArrayList<>(queryParameters.get(name)); > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7960) Coverity static analysis: Dereference null return value in KeyUtil (Elytron)

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7960?page=com.atlassian.jira.plugin.... ] Martin Choma reassigned WFLY-7960: ---------------------------------- Assignee: Ilia Vassilev (was: Darran Lofthouse) > Coverity static analysis: Dereference null return value in KeyUtil (Elytron) > ---------------------------------------------------------------------------- > > Key: WFLY-7960 > URL: https://issues.jboss.org/browse/WFLY-7960 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Ilia Vassilev > > Coverity static analysis found possible use of null object comming from {{RawPBEKey.getSalt()}} passed into {{javax.crypto.spec.PBEParameterSpec.PBEParameterSpec}} > {code:java|title=javax.crypto.spec.PBEParameterSpec.java} > public PBEParameterSpec(byte[] salt, int iterationCount) { > this.salt = salt.clone(); > this.iterationCount = iterationCount; > } > {code} > Responsible elytron code: > {code:java|title=KeyUtils.java} > if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) { > final PBEKey pbeKey = (PBEKey) key; > // TODO: we miss the IV here > return paramSpecClass.cast(new PBEParameterSpec(pbeKey.getSalt(), pbeKey.getIterationCount())); > } > {code} > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=84906... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7960) Coverity static analysis: Dereference null return value in KeyUtil (Elytron)

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7960?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-7960: ------------------------------- Affects Version/s: 11.0.0.Alpha1 > Coverity static analysis: Dereference null return value in KeyUtil (Elytron) > ---------------------------------------------------------------------------- > > Key: WFLY-7960 > URL: https://issues.jboss.org/browse/WFLY-7960 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Ilia Vassilev > > Coverity static analysis found possible use of null object comming from {{RawPBEKey.getSalt()}} passed into {{javax.crypto.spec.PBEParameterSpec.PBEParameterSpec}} > {code:java|title=javax.crypto.spec.PBEParameterSpec.java} > public PBEParameterSpec(byte[] salt, int iterationCount) { > this.salt = salt.clone(); > this.iterationCount = iterationCount; > } > {code} > Responsible elytron code: > {code:java|title=KeyUtils.java} > if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) { > final PBEKey pbeKey = (PBEKey) key; > // TODO: we miss the IV here > return paramSpecClass.cast(new PBEParameterSpec(pbeKey.getSalt(), pbeKey.getIterationCount())); > } > {code} > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=84906... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7960) Coverity static analysis: Dereference null return value in KeyUtil (Elytron)

by Martin Choma (JIRA)

Martin Choma created WFLY-7960: ---------------------------------- Summary: Coverity static analysis: Dereference null return value in KeyUtil (Elytron) Key: WFLY-7960 URL: https://issues.jboss.org/browse/WFLY-7960 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse Coverity static analysis found possible use of null object comming from {{RawPBEKey.getSalt()}} passed into {{javax.crypto.spec.PBEParameterSpec.PBEParameterSpec}} {code:java|title=javax.crypto.spec.PBEParameterSpec.java} public PBEParameterSpec(byte[] salt, int iterationCount) { this.salt = salt.clone(); this.iterationCount = iterationCount; } {code} Responsible elytron code: {code:java|title=KeyUtils.java} if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) { final PBEKey pbeKey = (PBEKey) key; // TODO: we miss the IV here return paramSpecClass.cast(new PBEParameterSpec(pbeKey.getSalt(), pbeKey.getIterationCount())); } {code} https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=84906... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (HAWKULARQE-4) Automate testcases

by Hayk Hovsepyan (JIRA)

Hayk Hovsepyan created HAWKULARQE-4: --------------------------------------- Summary: Automate testcases Key: HAWKULARQE-4 URL: https://issues.jboss.org/browse/HAWKULARQE-4 Project: Hawkular QE Issue Type: Sub-task Reporter: Hayk Hovsepyan Assignee: mfoley user -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (HAWKULARQE-4) Automate Testcases

by Hayk Hovsepyan (JIRA)

[ https://issues.jboss.org/browse/HAWKULARQE-4?page=com.atlassian.jira.plug... ] Hayk Hovsepyan updated HAWKULARQE-4: ------------------------------------ Summary: Automate Testcases (was: Automate testcases) > Automate Testcases > ------------------ > > Key: HAWKULARQE-4 > URL: https://issues.jboss.org/browse/HAWKULARQE-4 > Project: Hawkular QE > Issue Type: Sub-task > Reporter: Hayk Hovsepyan > Assignee: mfoley user > -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (HAWKULARQE-3) Manual Testcases - Create and Run

by Hayk Hovsepyan (JIRA)

Hayk Hovsepyan created HAWKULARQE-3: --------------------------------------- Summary: Manual Testcases - Create and Run Key: HAWKULARQE-3 URL: https://issues.jboss.org/browse/HAWKULARQE-3 Project: Hawkular QE Issue Type: Sub-task Reporter: Hayk Hovsepyan Assignee: mfoley user -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7959) Coverity static analysis: DefaultSingleSignOn.getIdentity() not synchronized

by Martin Choma (JIRA)

Martin Choma created WFLY-7959: ---------------------------------- Summary: Coverity static analysis: DefaultSingleSignOn.getIdentity() not synchronized Key: WFLY-7959 URL: https://issues.jboss.org/browse/WFLY-7959 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse Priority: Minor Coverity static-analysis scan found getter is not synchronized, while setter is. {code} public SecurityIdentity getIdentity() { return this.entry.getCachedIdentity().getSecurityIdentity(); } {code} Current implementation is correct because in DefaultSingleSignOnEntry (currently only avalaible implementation of SingleSignOnEntry) cachedIdentity is volatile. However other implementations can be wrongly implemented. Once getIdentity() would be marked with synchronize modifier, such problem shouldn't occure. https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=84908... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira January 2017