Hi Thomas, some months ago I did the same with FindBugs; the problem is that the plugin can show you some false positives, in other situations where they are not exploitable. For example, non-final public static fields in, let's say, code with no exposure.
For the dead code, I would definitely file a Jira and submit a PR. For the security reports from FindBugs, maybe a separate (sensitive) Jira makes sense.
In this way we evaluated how likely and exploitable the issue is.
Makes sense?
On 2016-06-29, Thomas Darimont wrote:
Hello group,
I just ran FindBugs [1] with find-sec-bugs [0] and found quite a bunch of rather suspicious places in the Keycloak codebase.
Note that I don't want to blame anyone but rather try to improve the codebase :)
For instance there are some quite prominent (and sensitive) non-final public static fields that could be easily changed to something else (in case they aren't inlined).
https://github.com/keycloak/keycloak/blob/3c0f7e2ee2140a9e69e4e95eb24d5a1...
Furthermore, there seem to be some dead code left-overs from merges spread over the codebase, e.g.:
https://github.com/keycloak/keycloak/blob/3a669ad7d5b4a72a8eb2bbb23e91083...
Question is how to deal with that?
I could send PRs for those issues - they would contain quite a bunch of files with minor changes. Would you be open to such contributions and if so, what JIRA issue should one reference here?
Cheers,
Thomas
[0] http://find-sec-bugs.github.io/
[1] https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
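To illustrate the finding Thomas describes above (and abstractj's point that exploitability depends on exposure), here is an added, self-contained Java example. It is not Keycloak code and none of the class or field names come from the Keycloak repository; they are constructed for the demonstration. It shows why FindBugs / find-sec-bugs flags a non-final public static field, the straightforward `static final` fix, an alternative for state that genuinely must change at runtime, and the inlining caveat that matters when a library with external extensions changes a field to `final`.

```java
// Added illustration, not Keycloak code. All names below are hypothetical.
public class StaticFieldDemo {

    // Before: a mutable public static field. Every class loaded into the same JVM
    // (a provider, an extension, a test, or a typo in unrelated code) can reassign it,
    // so a security-relevant default is only as strong as the least careful caller.
    static class Weak {
        public static int MIN_PASSWORD_LENGTH = 12;   // flagged: non-final public static field
    }

    // After: the value is fixed at class initialisation; any assignment is a compile error.
    static class Hardened {
        public static final int MIN_PASSWORD_LENGTH = 12;
    }

    // When the value really must be changeable at runtime, keep the field private,
    // expose a read-only getter, and validate writes in one place the owning module controls.
    static class Guarded {
        private static volatile int minPasswordLength = 12;

        public static int getMinPasswordLength() {
            return minPasswordLength;
        }

        // Package-private on purpose: only the defining module may change the policy.
        static void setMinPasswordLength(int n) {
            if (n < 8) {
                throw new IllegalArgumentException("minimum length below policy floor: " + n);
            }
            minPasswordLength = n;
        }
    }

    public static void main(String[] args) {
        // The weakness: code that has nothing to do with password policy can relax it.
        Weak.MIN_PASSWORD_LENGTH = 1;
        System.out.println("Weak.MIN_PASSWORD_LENGTH is now " + Weak.MIN_PASSWORD_LENGTH);

        // Hardened.MIN_PASSWORD_LENGTH = 1;  // does not compile: cannot assign to a final variable
        System.out.println("Hardened.MIN_PASSWORD_LENGTH stays " + Hardened.MIN_PASSWORD_LENGTH);

        // Guarded state can change, but only through the validated setter.
        Guarded.setMinPasswordLength(16);
        System.out.println("Guarded minimum is " + Guarded.getMinPasswordLength());
        try {
            Guarded.setMinPasswordLength(1);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }

        // Inlining caveat: a `static final` primitive or String with a constant initializer is a
        // compile-time constant. javac copies its value into every class that reads it, so if the
        // defining class later changes the value, already-compiled readers (external extensions,
        // for example) keep the old one until they are recompiled. Making a public field final is
        // therefore a binary-compatibility decision as well as a hardening one; a non-constant
        // initializer such as Integer.valueOf(12) keeps the field final without making it inlinable.
    }
}
```

Compile and run with `javac StaticFieldDemo.java && java StaticFieldDemo`. When triaging the FindBugs report, the question abstractj raises is exactly whether anything outside the owning module can reach the field: a `Weak`-style field in a class that external code can load is the case worth the sensitive Jira, while one in an internal, never-exposed helper is closer to a code-quality cleanup.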