Merge pull request #690 from oxeye-gal/invokedynamic-workaround #153
Annotations
3 errors and 11 warnings
Analyze (java)
This version of the CodeQL Action was deprecated on January 18th, 2023, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v2. For more information, see https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/
TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/android/BroadcastDetector.java#L51
Value annotated as carrying type qualifier SlashedClassName used where a value that must not carry that qualifier is required
EI_EXPOSE_REP:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/injection/InjectionPoint.java#L38
com.h3xstream.findsecbugs.injection.InjectionPoint.getInjectableArguments() may expose internal representation by returning InjectionPoint.injectableArguments
EI_EXPOSE_REP2:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/injection/InjectionPoint.java#L33
new com.h3xstream.findsecbugs.injection.InjectionPoint(int[], String) may expose internal representation by storing an externally mutable object into InjectionPoint.injectableArguments
NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/scala/PlayUnvalidatedRedirectDetector.java#L48
Possible null pointer dereference in com.h3xstream.findsecbugs.scala.PlayUnvalidatedRedirectDetector.sawOpcode(int) due to return value of called method
DM_DEFAULT_ENCODING:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/spring/CorsRegistryCORSDetector.java#L90
Found reliance on default encoding in com.h3xstream.findsecbugs.spring.CorsRegistryCORSDetector.getStringFromIdx(int): java.io.ByteArrayOutputStream.toString()
NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/spring/SignatureParserWithGeneric.java#L98
Possible null pointer dereference in com.h3xstream.findsecbugs.spring.SignatureParserWithGeneric.typeToJavaClass(Type) due to return value of called method
BC_UNCONFIRMED_CAST:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/taintanalysis/TaintAnalysis.java#L75
Unchecked/unconfirmed cast from edu.umd.cs.findbugs.classfile.MethodDescriptor to edu.umd.cs.findbugs.classfile.analysis.MethodInfo in new com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis(MethodGen, DepthFirstSearch, MethodDescriptor, TaintConfig, List)
SF_SWITCH_NO_DEFAULT:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/taintanalysis/TaintFrameModelingVisitor.java#L492
Switch statement found in com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitReturnInstruction(ReturnInstruction) where default case is missing
MS_PKGPROTECT:
findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/xss/XssJspDetector.java#L35
com.h3xstream.findsecbugs.xss.XssJspDetector.JSP_PARENT_CLASSES should be package protected
Analyze (java)
The following actions use node12, which is deprecated, and will be forced to run on node16: actions/checkout@v2, github/codeql-action/init@v1, github/codeql-action/autobuild@v1, github/codeql-action/analyze@v1. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/
Analyze (java)
The "paths"/"paths-ignore" fields of the config only have effect for JavaScript, Python, and Ruby