Two weeks before, it was 3.12 in terms of density, now it is up by 0.0.5 pts,
We started at 3.95+, now density is almost reduced by one unit, so some good sign I would say.

Santhosh
________________________________________
From: Daan Hoogland [daan.hoogl...@gmail.com]
Sent: Friday, September 05, 2014 9:00 AM
To: dev
Subject: Re: New Defects reported by Coverity Scan for cloudstack

H,

We are not anywhere near perfect (or arguably good) but according to coverity we are improving:
<q>
*3.17*
Defect Density
<q/>
However:
<q>Defect changes since previous build dated Aug 29, 2014
*8* Newly detected
*0* Eliminated
</q>
and
<q>Defects by status for current build
*2,961* Total defects
*1,395* Outstanding
*75* Dismissed
*1,491* Fixed
</q>

let's keep it up all.

On Fri, Sep 5, 2014 at 2:07 PM, <scan-ad...@coverity.com> wrote:
>
> Hi,
>
>
> Please find the latest report on new defect(s) introduced to cloudstack found with Coverity Scan.
>
> Defect(s) Reported-by: Coverity Scan
> Showing 8 of 8 defect(s)
>
>
> ** CID 1237195: Dereference null return value (NULL_RETURNS)
> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO, java.util.List)()
>
> ** CID 1237196: Dereference null return value (NULL_RETURNS)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>
> ** CID 1237197: Dm: Dubious method used (FB.DM_DEFAULT_ENCODING)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
>
> ** CID 1232335: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232337: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232336: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232334: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
> ** CID 1232333: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 1237195: Dereference null return value (NULL_RETURNS)
> /server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java: 305 in org.apache.cloudstack.network.lb.CertServiceImpl.createCertResponse(com.cloud.network.dao.SslCertVO, java.util.List)()
> 299         SslCertResponse response = new SslCertResponse();
> 300
> 301         Account account = _accountDao.findByIdIncludingRemoved(cert.getAccountId());
> 302         if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
> 303             // find the project
> 304             Project project = _projectMgr.findByProjectAccountIdIncludingRemoved(account.getId());
> >>> CID 1237195: Dereference null return value (NULL_RETURNS)
> >>> Calling a method on null object "project".
> 305             response.setProjectId(project.getUuid());
> 306             response.setProjectName(project.getName());
> 307         } else {
> 308             response.setAccountName(account.getAccountName());
> 309         }
> 310
>
>
> ________________________________________________________________________________________________________
> *** CID 1237196: Dereference null return value (NULL_RETURNS)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
> 214     public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
> 215             throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
> 216         String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
> 217         Signature signature = Signature.getInstance("SHA1withRSA");
> 218         signature.initSign(signingKey);
> 219         signature.update(url.getBytes());
> >>> CID 1237196: Dereference null return value (NULL_RETURNS)
> >>> Dereferencing a pointer that might be null "org.opensaml.xml.util.Base64.encodeBytes(signature.sign(), 8)" when calling "java.net.URLEncoder.encode(java.lang.String, java.lang.String)".
> 220         return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
> 221     }
> 222
> 223     public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
> 224         Security.addProvider(new BouncyCastleProvider());
> 225         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 220 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
> 214     public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
> 215             throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
> 216         String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
> 217         Signature signature = Signature.getInstance("SHA1withRSA");
> 218         signature.initSign(signingKey);
> 219         signature.update(url.getBytes());
> >>> CID 1237196: Dereference null return value (NULL_RETURNS)
> >>> Dereferencing a pointer that might be null "org.opensaml.xml.util.Base64.encodeBytes(signature.sign(), 8)" when calling "java.net.URLEncoder.encode(java.lang.String, java.lang.String)".
> 220         return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
> 221     }
> 222
> 223     public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
> 224         Security.addProvider(new BouncyCastleProvider());
> 225         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
>
>
> ________________________________________________________________________________________________________
> *** CID 1237197: Dm: Dubious method used (FB.DM_DEFAULT_ENCODING)
> /utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java: 219 in org.apache.cloudstack.utils.auth.SAMLUtils.generateSAMLRequestSignature(java.lang.String, java.security.PrivateKey)()
> 213
> 214     public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
> 215             throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
> 216         String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
> 217         Signature signature = Signature.getInstance("SHA1withRSA");
> 218         signature.initSign(signingKey);
> >>> CID 1237197: Dm: Dubious method used (FB.DM_DEFAULT_ENCODING)
> >>> Found reliance on default encoding: String.getBytes()
> 219         signature.update(url.getBytes());
> 220         return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
> 221     }
> 222
> 223     public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
> 224         Security.addProvider(new BouncyCastleProvider());
>
>
> ________________________________________________________________________________________________________
> *** CID 1232335: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446     public static void endResponse(HttpServletResponse response, String content) {
> 447         try {
> 448             byte[] data = content.getBytes();
> 449             response.setContentLength(data.length);
> 450             OutputStream os = response.getOutputStream();
> >>> CID 1232335: Cross-site scripting (XSS)
> >>> Printing to HTML output.
> 451             os.write(data);
> 452             os.close();
> 453         } catch (Throwable e) {
> 454             logger.error("Unexpected exception " + e.getMessage(), e);
> 455         }
> 456     }
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucketObjectVersions(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446     public static void endResponse(HttpServletResponse response, String content) {
> 447         try {
> 448             byte[] data = content.getBytes();
> 449             response.setContentLength(data.length);
> 450             OutputStream os = response.getOutputStream();
> >>> CID 1232335: Cross-site scripting (XSS)
> >>> Printing to HTML output.
> 451             os.write(data);
> 452             os.close();
> 453         } catch (Throwable e) {
> 454             logger.error("Unexpected exception " + e.getMessage(), e);
> 455         }
> 456     }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232337: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeGetBucket(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446     public static void endResponse(HttpServletResponse response, String content) {
> 447         try {
> 448             byte[] data = content.getBytes();
> 449             response.setContentLength(data.length);
> 450             OutputStream os = response.getOutputStream();
> >>> CID 1232337: Cross-site scripting (XSS)
> >>> Printing to HTML output.
> 451             os.write(data);
> 452             os.close();
> 453         } catch (Throwable e) {
> 454             logger.error("Unexpected exception " + e.getMessage(), e);
> 455         }
> 456     }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232336: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446     public static void endResponse(HttpServletResponse response, String content) {
> 447         try {
> 448             byte[] data = content.getBytes();
> 449             response.setContentLength(data.length);
> 450             OutputStream os = response.getOutputStream();
> >>> CID 1232336: Cross-site scripting (XSS)
> >>> Printing to HTML output.
> 451             os.write(data);
> 452             os.close();
> 453         } catch (Throwable e) {
> 454             logger.error("Unexpected exception " + e.getMessage(), e);
> 455         }
> 456     }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232334: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446     public static void endResponse(HttpServletResponse response, String content) {
> 447         try {
> 448             byte[] data = content.getBytes();
> 449             response.setContentLength(data.length);
> 450             OutputStream os = response.getOutputStream();
> >>> CID 1232334: Cross-site scripting (XSS)
> >>> Printing to HTML output.
> 451             os.write(data);
> 452             os.close();
> 453         } catch (Throwable e) {
> 454             logger.error("Unexpected exception " + e.getMessage(), e);
> 455         }
> 456     }
>
>
> ________________________________________________________________________________________________________
> *** CID 1232333: Cross-site scripting (XSS)
> /awsapi/src/com/cloud/bridge/service/S3RestServlet.java: 451 in com.cloud.bridge.service.controller.s3.S3BucketAction.executeListMultipartUploads(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)()
> 445
> 446     public static void endResponse(HttpServletResponse response, String content) {
> 447         try {
> 448             byte[] data = content.getBytes();
> 449             response.setContentLength(data.length);
> 450             OutputStream os = response.getOutputStream();
> >>> CID 1232333: Cross-site scripting (XSS)
> >>> Printing to HTML output.
> 451             os.write(data);
> 452             os.close();
> 453         } catch (Throwable e) {
> 454             logger.error("Unexpected exception " + e.getMessage(), e);
> 455         }
> 456     }
>
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> http://scan.coverity.com/projects/943?tab=overview
>
> To unsubscribe from the email notification for new defects,
> http://scan5.coverity.com/cgi-bin/unsubscribe.py
>
>
>

--
Daan