Showing 10 of 10 total issues
Method checkNotTooLong has 5 arguments (exceeds 4 allowed). Consider refactoring.
protected static void checkNotTooLong(final Map<String, String> errors, final String field, final String value, final int maxLength, final String message) {
Method runRequest has 5 arguments (exceeds 4 allowed). Consider refactoring.
public static Response runRequest(final Settings settings, final Object bean, final String invokeMethod, final Authentication request, final String logAction) {
Method checkNotNullEmptyOrTooLong has 5 arguments (exceeds 4 allowed). Consider refactoring.
protected static void checkNotNullEmptyOrTooLong(final Map<String, String> errors, final String field, final String value, final int maxLength, final String message) {
Method checkIntegerWithMax has 5 arguments (exceeds 4 allowed). Consider refactoring.
protected static void checkIntegerWithMax(final Map<String, String> errors, final String field, final int value, final int max, final String message) {
Method sanitize has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
@Transactional(Transactional.TxType.REQUIRED)
public void sanitize() {
clearExpireSessions();
List<Long> ids = findNextBatch(BLOCK);
long count = 0;
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Method validate has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
@Override
public Map<String, String> validate() {
final Map<String, String> errors = super.validate();
if ((secret == null) == (url == null)) {
Line length
testing to guarantee that the stability will remain high. The build requires Java 21,
MD013 - Line length
Tags: line_length
Aliases: line-length
Parameters: line_length, code_blocks, tables (number; default 80, boolean; default true)
This rule is triggered when there are lines that are longer than the configured line length (default: 80 characters). To fix this, split the line up into multiple lines.
This rule has an exception where there is no whitespace beyond the configured line length. This allows you to still include items such as long URLs without being forced to break them in the middle.
You also have the option to exclude this rule for code blocks and tables. To do this, set the code_blocks and/or tables parameters to false.
Code blocks are included in this rule by default since it is often a requirement for document readability, and tentatively compatible with code rules. Still, some languages do not lend themselves to short lines.
Not following: release/bin/edsFunctions.sh: openFile: does not exist (No such file or directory)
source release/bin/edsFunctions.sh
Note that the path is relative to the working directory, not to the script, so the file is only found when the script is invoked from the repository root; resolving the path against the script's own location (for example via dirname of "$0") removes that dependency.
Not following: (error message here)
Reasons include: file not found, no permissions, not included on the command line, not allowing shellcheck to follow files with -x, etc.
Problematic code:
source somefile
Correct code:
# shellcheck disable=SC1091
source somefile
Rationale:
ShellCheck, for whichever reason, is not able to access the sourced file. This could be because you did not include it on the command line, did not use shellcheck -x to allow following other files, do not have permission to read it, or a variety of other problems.
Feel free to ignore the error with a directive.
Exceptions:
If you're fine with it, ignore the message with a directive.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Line length
is supported, but thanks to the flexibility of Jakarta EE, it is possible to use any
Use a dynamically-generated, random IV.
new IvParameterSpec(((SecretEDSKey) key).getSalt().getBytes());
The value used as the IV here is the key's salt. A salt is fixed for the lifetime of the key, so every encryption performed under that key starts from the same IV, which is exactly the static-IV situation this rule describes: two plaintexts with the same leading block produce the same leading ciphertext block. Note also that getBytes() with no charset argument uses the platform default encoding, so the IV bytes may differ between hosts.
When encrypting data with the Cipher Block Chaining (CBC) mode an Initialization Vector (IV) is used to randomize the encryption, i.e. under a given key the same plaintext does not always produce the same ciphertext. The IV does not need to be secret, but it must be unpredictable to an attacker before encryption takes place; otherwise CBC is open to chosen-plaintext attacks.
To generate Initialization Vectors, NIST recommends using a cryptographically secure random number generator.
Noncompliant Code Example
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class MyCbcClass {
    public String applyCBC(String strKey, String plainText) throws Exception {
        byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes("UTF-8");
        /* KEY + IV setting */
        IvParameterSpec iv = new IvParameterSpec(bytesIV);
        SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
        /* Ciphering */
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Noncompliant: the IV is hard coded and thus not generated with a secure random generator
        byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
        // java.util.Base64 replaces javax.xml.bind.DatatypeConverter, which was removed from the JDK in Java 11
        return Base64.getEncoder().encodeToString(bytesIV) + ";" + Base64.getEncoder().encodeToString(encryptedBytes);
    }
}
Compliant Solution
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class MyCbcClass {
    SecureRandom random = new SecureRandom();

    public String applyCBC(String strKey, String plainText) throws Exception {
        byte[] bytesIV = new byte[16];
        random.nextBytes(bytesIV); // fresh, unpredictable IV for every call
        /* KEY + IV setting */
        IvParameterSpec iv = new IvParameterSpec(bytesIV);
        SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
        /* Ciphering */
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Compliant
        byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
        // the IV is transmitted alongside the ciphertext; it does not need to be secret
        return Base64.getEncoder().encodeToString(bytesIV) + ";" + Base64.getEncoder().encodeToString(encryptedBytes);
    }
}
See
- OWASP Top 10 2017 Category A6 - Security Misconfiguration
- MITRE, CWE-329 - CWE-329: Not Using an Unpredictable IV with CBC Mode
- MITRE, CWE-330 - Use of Insufficiently Random Values
- NIST, SP-800-38A - Recommendation for Block Cipher Modes of Operation
- Derived from FindSecBugs rule STATIC_IV
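The following is an added example written for this page; it is neither the project's code nor SonarSource's rule text. It makes the salt-as-IV problem flagged above observable: a hypothetical SaltedKey class (an assumption standing in for the project's key type, with a fixed per-key salt) is used as the IV source, and two records that share a leading 16-byte block are shown to produce identical first ciphertext blocks. The hardened path draws a fresh IV from SecureRandom for every call and prepends it to the ciphertext, so the same plaintext encrypted twice gives different output and the receiver can still decrypt.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public final class IvDemo {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String CBC = "AES/CBC/PKCS5Padding";
    private static final int BLOCK = 16; // AES block size, also the CBC IV length

    // Hypothetical stand-in for a key object that carries a per-key salt
    // (assumption: mirrors the flagged pattern, not the project's own class).
    static final class SaltedKey {
        final SecretKey key;
        final byte[] salt;
        SaltedKey(SecretKey key, byte[] salt) { this.key = key; this.salt = salt; }
    }

    // Weak on purpose: the salt never changes for this key, so every
    // encryption under it starts from the same IV (a static IV in effect).
    static byte[] encryptWithSaltAsIv(SaltedKey k, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance(CBC);
        cipher.init(Cipher.ENCRYPT_MODE, k.key, new IvParameterSpec(k.salt));
        return cipher.doFinal(plaintext);
    }

    // Hardened: a fresh random IV per call, sent as the first 16 bytes of the output.
    static byte[] encryptWithRandomIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance(CBC);
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Splits off the transmitted IV and decrypts the remainder.
    static byte[] decryptWithRandomIv(SecretKey key, byte[] ivAndCt) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, BLOCK);
        byte[] ct = Arrays.copyOfRange(ivAndCt, BLOCK, ivAndCt.length);
        Cipher cipher = Cipher.getInstance(CBC);
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    static boolean firstBlocksEqual(byte[] x, byte[] y) {
        return Arrays.equals(Arrays.copyOf(x, BLOCK), Arrays.copyOf(y, BLOCK));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] salt = new byte[BLOCK];
        RANDOM.nextBytes(salt); // random, but fixed for the life of the key
        SaltedKey salted = new SaltedKey(key, salt);

        // Constructed sample records: the first 16 bytes ("balance=100;user") are identical.
        byte[] alice = "balance=100;user=alice".getBytes(StandardCharsets.UTF_8);
        byte[] bob = "balance=100;user=bob".getBytes(StandardCharsets.UTF_8);

        byte[] ctA = encryptWithSaltAsIv(salted, alice);
        byte[] ctB = encryptWithSaltAsIv(salted, bob);
        // true: an observer learns that both records begin with the same block
        System.out.println("salt-as-IV, first ciphertext blocks equal: " + firstBlocksEqual(ctA, ctB));

        byte[] r1 = encryptWithRandomIv(key, alice);
        byte[] r2 = encryptWithRandomIv(key, alice); // identical plaintext, second call
        // false: fresh IV each time, so even identical plaintexts diverge from block one
        System.out.println("random IV, same plaintext, first blocks equal: " + firstBlocksEqual(r1, r2));
        System.out.println("round trip: " + new String(decryptWithRandomIv(key, r1), StandardCharsets.UTF_8));
    }
}
```

Two caveats for anyone applying this to the flagged line. First, the IV only needs to be unpredictable, not secret, so storing or sending it next to the ciphertext is the normal pattern; what must not happen is deriving it from something that is constant per key. Second, a random IV fixes confidentiality of repeated prefixes but not integrity: CBC ciphertext is malleable, so unless the project already authenticates the ciphertext separately, an AEAD mode such as AES/GCM (with a never-reused nonce) is the stronger replacement.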