
Opened 2 years ago

Last modified 2 years ago

#21920 new defect

New Coverity warnings

Reported by: Don-vip
Owned by: team
Priority: normal
Milestone:
Component: Core
Version:
Keywords: coverity
Cc:

Description

The Coverity build was failing because the tool version we used (2019) is not supported anymore.

I updated to the latest version and we have a bunch of new warnings (38):
https://scan6.scan.coverity.com/reports.htm#v10572/p10006


Attachments (1)

coverity.png (197.1 KB) - added by Don-vip 2 years ago.


Change History (2)

by Don-vip, 2 years ago

Attachment: coverity.png added

comment:1 by Don-vip, 2 years ago

38 new defect(s) introduced to JOSM found with Coverity Scan.
14 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 38 defect(s)


** CID 1476017:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
/src/org/openstreetmap/josm/io/session/NoteSessionImporter.java: 40 in org.openstreetmap.josm.io.session.NoteSessionImporter::load(org.w3c.dom.Element, org.openstreetmap.josm.io.session.SessionReader.ImportSupport, org.openstreetmap.josm.gui.progress.ProgressMonitor)()


________________________________________________________________________________________________________
*** CID 1476017:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
/src/org/openstreetmap/josm/io/session/NoteSessionImporter.java: 40 in org.openstreetmap.josm.io.session.NoteSessionImporter::load(org.w3c.dom.Element, org.openstreetmap.josm.io.session.SessionReader.ImportSupport, org.openstreetmap.josm.gui.progress.ProgressMonitor)()
34             if (!"0.1".equals(version)) {
35                 throw new IllegalDataException(tr("Version ''{0}'' of meta data for note layer is not supported. Expected: 0.1", version));
36             }
37             try {
38                 XPathFactory xPathFactory = XPathFactory.newInstance();
39                 XPath xpath = xPathFactory.newXPath();
>>>     CID 1476017:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
>>>     The application performs an `XPath` action without disabling `DTD` or enabling `XMLConstants.FEATURE_SECURE_PROCESSING` mode. If the parser handles untrusted data, it will be vulnerable to XML External Entity (XXE) attacks.
40                 XPathExpression fileExp = xpath.compile("file/text()");
41                 String fileStr = (String) fileExp.evaluate(elem, XPathConstants.STRING);
42                 if (Utils.isEmpty(fileStr)) {
43                     throw new IllegalDataException(tr("File name expected for layer no. {0}", support.getLayerIndex()));
44                 }
45     

** CID 1476016:    (LOCK_EVASION)
/src/org/openstreetmap/josm/gui/mappaint/styleelement/MapImage.java: 146 in org.openstreetmap.josm.gui.mappaint.styleelement.MapImage.getDisabled()()
/src/org/openstreetmap/josm/gui/mappaint/styleelement/MapImage.java: 148 in org.openstreetmap.josm.gui.mappaint.styleelement.MapImage.getDisabled()()


________________________________________________________________________________________________________
*** CID 1476016:    (LOCK_EVASION)
/src/org/openstreetmap/josm/gui/mappaint/styleelement/MapImage.java: 146 in org.openstreetmap.josm.gui.mappaint.styleelement.MapImage.getDisabled()()
140             if (img == null)
141                 getImage(); // fix #7498 ?
142             // This should fix #21919: NPE due to disabledImgCache being null (race condition with #loadImage())
143             synchronized (this) {
144                 Image disImg = GuiHelper.getDisabledImage(img);
145                 if (disImg instanceof BufferedImage) {
>>>     CID 1476016:    (LOCK_EVASION)
>>>     Thread1 sets "disabledImgCache" to a new value. Now the two threads have an inconsistent view of "disabledImgCache" and updates to fields of "disabledImgCache" or fields correlated with "disabledImgCache" may be lost.
146                     disabledImgCache = (BufferedImage) disImg;
147                 } else {
148                     disabledImgCache = new BufferedImage(getWidth(), getHeight(), BufferedImage.TYPE_INT_ARGB);
149                     Graphics g = disabledImgCache.getGraphics();
150                     g.drawImage(disImg, 0, 0, null);
151                     g.dispose();
/src/org/openstreetmap/josm/gui/mappaint/styleelement/MapImage.java: 148 in org.openstreetmap.josm.gui.mappaint.styleelement.MapImage.getDisabled()()
142             // This should fix #21919: NPE due to disabledImgCache being null (race condition with #loadImage())
143             synchronized (this) {
144                 Image disImg = GuiHelper.getDisabledImage(img);
145                 if (disImg instanceof BufferedImage) {
146                     disabledImgCache = (BufferedImage) disImg;
147                 } else {
>>>     CID 1476016:    (LOCK_EVASION)
>>>     Thread1 sets "disabledImgCache" to a new value. Now the two threads have an inconsistent view of "disabledImgCache" and updates to fields of "disabledImgCache" or fields correlated with "disabledImgCache" may be lost.
148                     disabledImgCache = new BufferedImage(getWidth(), getHeight(), BufferedImage.TYPE_INT_ARGB);
149                     Graphics g = disabledImgCache.getGraphics();
150                     g.drawImage(disImg, 0, 0, null);
151                     g.dispose();
152                 }
153             }

** CID 1476015:  High impact security  (SENSITIVE_DATA_LEAK)


________________________________________________________________________________________________________
*** CID 1476015:  High impact security  (SENSITIVE_DATA_LEAK)
/src/org/openstreetmap/josm/gui/preferences/advanced/AdvancedPreference.java: 328 in org.openstreetmap.josm.gui.preferences.advanced.AdvancedPreference.readPreferencesFromXML()()
322                 CustomConfigurator.readXML(f, tmpPrefs);
323                 log.append(PreferencesUtils.getLog());
324             }
325             log.append("</html>");
326             String msg = log.toString().replace("\n", "<br/>");
327     
>>>     CID 1476015:  High impact security  (SENSITIVE_DATA_LEAK)
>>>     Calling "LogShowDialog". This shows the sensitive data "msg" in a user interface. It may be exposed to unintended individuals.
328             new LogShowDialog(tr("Import log"), tr("<html>Here is file import summary. <br/>"
329                     + "You can reject preferences changes by pressing \"Cancel\" in preferences dialog <br/>"
330                     + "To activate some changes JOSM restart may be needed.</html>"), msg).showDialog();
331     
332             readPreferences(tmpPrefs);
333             // sorting after modification - first modified, then non-default, then default entries

** CID 1476014:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/datatransfer/importers/FilePaster.java: 39 in org.openstreetmap.josm.gui.datatransfer.importers.FilePaster.importData(javax.swing.TransferHandler$TransferSupport, org.openstreetmap.josm.gui.layer.OsmDataLayer, org.openstreetmap.josm.data.coor.EastNorth)()


________________________________________________________________________________________________________
*** CID 1476014:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/datatransfer/importers/FilePaster.java: 39 in org.openstreetmap.josm.gui.datatransfer.importers.FilePaster.importData(javax.swing.TransferHandler$TransferSupport, org.openstreetmap.josm.gui.layer.OsmDataLayer, org.openstreetmap.josm.data.coor.EastNorth)()
33                 throws UnsupportedFlavorException, IOException {
34             @SuppressWarnings("unchecked")
35             List<File> files = (List<File>) support.getTransferable().getTransferData(df);
36             OpenFileAction.OpenFileTask task = new OpenFileAction.OpenFileTask(files, null);
37             task.setOptions(Options.RECORD_HISTORY);
38             MainApplication.worker.submit(task);
>>>     CID 1476014:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "files" going out of scope leaks the resource it refers to.
39             return true;
40         }

** CID 1476013:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/dialogs/layer/LayerListTransferHandler.java: 120 in org.openstreetmap.josm.gui.dialogs.layer.LayerListTransferHandler.importData(javax.swing.TransferHandler$TransferSupport)()


________________________________________________________________________________________________________
*** CID 1476013:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/dialogs/layer/LayerListTransferHandler.java: 120 in org.openstreetmap.josm.gui.dialogs.layer.LayerListTransferHandler.importData(javax.swing.TransferHandler$TransferSupport)()
114                         layers.getManager().addLayer(layer);
115                         layers.getManager().moveLayer(layer, dropLocation);
116                         dropLocation++;
117                     }
118                 }
119     
>>>     CID 1476013:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "layers" going out of scope leaks the resource it refers to.
120                 return true;
121             } catch (UnsupportedFlavorException e) {
122                 Logging.warn("Flavor not supported", e);
123                 return false;
124             } catch (IOException e) {
125                 Logging.warn("Error while pasting layer", e);

** CID 1476012:  Medium impact security  (RISKY_CRYPTO)
/src/org/openstreetmap/josm/io/CertificateAmendment.java: 252 in org.openstreetmap.josm.io.CertificateAmendment.addMissingCertificates()()


________________________________________________________________________________________________________
*** CID 1476012:  Medium impact security  (RISKY_CRYPTO)
/src/org/openstreetmap/josm/io/CertificateAmendment.java: 252 in org.openstreetmap.josm.io.CertificateAmendment.addMissingCertificates()()
246                 Logging.error(e);
247             }
248     
249             if (certificateAdded) {
250                 TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
251                 tmf.init(keyStore);
>>>     CID 1476012:  Medium impact security  (RISKY_CRYPTO)
>>>     Establishing an SSL connection that allows the TLSv1.2 (and earlier) protocols is insecure.  An attacker may be able to decrypt and extract sensitive data that is transmitted over the network.
252                 SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
253                 sslContext.init(null, tmf.getTrustManagers(), null);
254                 SSLContext.setDefault(sslContext);
255             }
256         }
257     

** CID 1476011:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/datatransfer/importers/TagTransferPaster.java: 28 in org.openstreetmap.josm.gui.datatransfer.importers.TagTransferPaster.getTags(javax.swing.TransferHandler$TransferSupport)()


________________________________________________________________________________________________________
*** CID 1476011:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/datatransfer/importers/TagTransferPaster.java: 28 in org.openstreetmap.josm.gui.datatransfer.importers.TagTransferPaster.getTags(javax.swing.TransferHandler$TransferSupport)()
22             super(TagTransferData.FLAVOR);
23         }
24     
25         @Override
26         protected Map<String, String> getTags(TransferSupport support) throws UnsupportedFlavorException, IOException {
27             TagTransferData data = (TagTransferData) support.getTransferable().getTransferData(df);
>>>     CID 1476011:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "data" going out of scope leaks the resource it refers to.
28             return data.getTags();
29         }

** CID 1476010:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/io/FileWatcher.java: 55 in org.openstreetmap.josm.io.FileWatcher.<init>()()


________________________________________________________________________________________________________
*** CID 1476010:  Resource leaks  (RESOURCE_LEAK)
/src/org/openstreetmap/josm/io/FileWatcher.java: 55 in org.openstreetmap.josm.io.FileWatcher.<init>()()
49     
50         /**
51          * Constructs a new {@code FileWatcher}.
52          */
53         public FileWatcher() {
54             try {
>>>     CID 1476010:  Resource leaks  (RESOURCE_LEAK)
>>>     Failing to save or close resource created by "java.nio.file.FileSystems.getDefault()" leaks it.
55                 watcher = FileSystems.getDefault().newWatchService();
56                 thread = new Thread(this::processEvents, "File Watcher");
57             } catch (IOException | UnsupportedOperationException | UnsatisfiedLinkError e) {
58                 Logging.error(e);
59             }
60         }

** CID 1476009:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/gui/dialogs/properties/RelationRoleEditor.java: 44 in org.openstreetmap.josm.gui.dialogs.properties.RelationRoleEditor.editRole(org.openstreetmap.josm.data.osm.Relation, org.openstreetmap.josm.gui.dialogs.properties.PropertiesDialog$MemberInfo)()


________________________________________________________________________________________________________
*** CID 1476009:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/gui/dialogs/properties/RelationRoleEditor.java: 44 in org.openstreetmap.josm.gui.dialogs.properties.RelationRoleEditor.editRole(org.openstreetmap.josm.data.osm.Relation, org.openstreetmap.josm.gui.dialogs.properties.PropertiesDialog$MemberInfo)()
38             final String oldRole = memberInfo.getRoleString();
39             final DefaultNameFormatter formatter = DefaultNameFormatter.getInstance();
40             final String newRole = JOptionPane.showInputDialog("<html>" + tr("Change role for {0} in relation {1}",
41                     formatter.formatAsHtmlUnorderedList(Utils.transform(members, RelationMember::getMember), 5),
42                     formatter.formatAsHtmlUnorderedList(relation)),
43                     oldRole);
>>>     CID 1476009:  Null pointer dereferences  (NULL_RETURNS)
>>>     Calling a method on null object "oldRole".
44             if (newRole == null || oldRole.equals(newRole) || tr("<different>").equals(newRole)) {
45                 return;
46             }
47             final List<RelationMember> newMembers = relation.getMembers();
48             newMembers.replaceAll(m -> members.contains(m) ? new RelationMember(Utils.strip(newRole), m.getMember()) : m);
49             UndoRedoHandler.getInstance().add(new ChangeMembersCommand(relation, newMembers));
50         }

** CID 1476008:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/gui/layer/imagery/WMTSLayerSelection.java: 128 in org.openstreetmap.josm.gui.layer.imagery.WMTSLayerSelection$#1.update()()


________________________________________________________________________________________________________
*** CID 1476008:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/gui/layer/imagery/WMTSLayerSelection.java: 128 in org.openstreetmap.josm.gui.layer.imagery.WMTSLayerSelection$#1.update()()
122                 public void changedUpdate(DocumentEvent e) {
123                     update();
124                 }
125     
126                 @SuppressWarnings({ "unchecked", "rawtypes" })
127                 private void update() {
>>>     CID 1476008:  Null pointer dereferences  (NULL_RETURNS)
>>>     Calling a method on null object "list.getRowSorter()".
128                     ((TableRowSorter) list.getRowSorter()).setRowFilter(RowFilter.regexFilter("(?i)" + filter.getText()));
129                 }
130     
131             });
132             add(filter, GBC.eop().fill(GBC.HORIZONTAL));
133             add(new JScrollPane(this.list), GBC.eol().fill());

** CID 1476007:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
/src/org/openstreetmap/josm/io/session/GpxTracksSessionImporter.java: 41 in org.openstreetmap.josm.io.session.GpxTracksSessionImporter::load(org.w3c.dom.Element, SessionReader.ImportSupport, org.openstreetmap.josm.gui.progress.ProgressMonitor)()


________________________________________________________________________________________________________
*** CID 1476007:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
/src/org/openstreetmap/josm/io/session/GpxTracksSessionImporter.java: 41 in org.openstreetmap.josm.io.session.GpxTracksSessionImporter::load(org.w3c.dom.Element, SessionReader.ImportSupport, org.openstreetmap.josm.gui.progress.ProgressMonitor)()
35             if (!"0.1".equals(version)) {
36                 throw new IllegalDataException(tr("Version ''{0}'' of meta data for gpx track layer is not supported. Expected: 0.1", version));
37             }
38             try {
39                 XPathFactory xPathFactory = XPathFactory.newInstance();
40                 XPath xpath = xPathFactory.newXPath();
>>>     CID 1476007:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
>>>     The application performs an `XPath` action without disabling `DTD` or enabling `XMLConstants.FEATURE_SECURE_PROCESSING` mode. If the parser handles untrusted data, it will be vulnerable to XML External Entity (XXE) attacks.
41                 XPathExpression fileExp = xpath.compile("file/text()");
42                 String fileStr = (String) fileExp.evaluate(elem, XPathConstants.STRING);
43                 if (Utils.isEmpty(fileStr)) {
44                     throw new IllegalDataException(tr("File name expected for layer no. {0}", support.getLayerIndex()));
45                 }
46     

** CID 1476006:  High impact security  (SENSITIVE_DATA_LEAK)


________________________________________________________________________________________________________
*** CID 1476006:  High impact security  (SENSITIVE_DATA_LEAK)
/src/org/openstreetmap/josm/actions/downloadtasks/PostDownloadHandler.java: 111 in <lambda implementing java.lang.Runnable>.run()
105                 final Object error = errors.iterator().next();
106                 if (!GraphicsEnvironment.isHeadless()) {
107                     SwingUtilities.invokeLater(() -> {
108                         if (error instanceof Exception) {
109                             ExceptionDialogUtil.explainException((Exception) error);
110                         } else if (isNoDataErrorMessage(error)) {
>>>     CID 1476006:  High impact security  (SENSITIVE_DATA_LEAK)
>>>     Calling "Notification". This shows the sensitive data "error.toString()" in a user interface. It may be exposed to unintended individuals.
111                             new Notification(error.toString()).setIcon(JOptionPane.WARNING_MESSAGE).show();
112                         } else {
113                             JOptionPane.showMessageDialog(
114                                     MainApplication.getMainFrame(),
115                                     error.toString(),
116                                     tr("Error during download"),

** CID 1476005:  Low impact security  (SENSITIVE_DATA_LEAK)


________________________________________________________________________________________________________
*** CID 1476005:  Low impact security  (SENSITIVE_DATA_LEAK)
/src/org/openstreetmap/josm/gui/oauth/FullyAutomaticAuthorizationUI.java: 489 in org.openstreetmap.josm.gui.oauth.FullyAutomaticAuthorizationUI$FullyAutomaticAuthorisationTask.realRun()()
483                     );
484                     OAuthToken requestToken = authClient.getRequestToken(
485                             getProgressMonitor().createSubTaskMonitor(1, false)
486                     );
487                     getProgressMonitor().worked(1);
488                     if (canceled) return;
>>>     CID 1476005:  Low impact security  (SENSITIVE_DATA_LEAK)
>>>     Calling "authorise". This logs the sensitive data "getOsmPassword()" to a file or the console. It may be exposed to unintended individuals. (The virtual call resolves to "org.openstreetmap.josm.gui.oauth.OsmOAuthAuthorizationClient.authorise(org.openstreetmap.josm.data.oauth.OAuthToken, java.lang.String, java.lang.String, org.openstreetmap.josm.data.oauth.OsmPrivileges, org.openstreetmap.josm.gui.progress.ProgressMonitor)".)
489                     authClient.authorise(
490                             requestToken,
491                             getOsmUserName(),
492                             getOsmPassword(),
493                             pnlOsmPrivileges.getPrivileges(),
494                             getProgressMonitor().createSubTaskMonitor(1, false)

** CID 1476004:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/gui/preferences/ToolbarPreferences.java: 896 in org.openstreetmap.josm.gui.preferences.ToolbarPreferences$Settings$#3.createTransferable(javax.swing.JComponent)()


________________________________________________________________________________________________________
*** CID 1476004:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/gui/preferences/ToolbarPreferences.java: 896 in org.openstreetmap.josm.gui.preferences.ToolbarPreferences$Settings$#3.createTransferable(javax.swing.JComponent)()
890                     }
891     
892                     @Override
893                     protected Transferable createTransferable(JComponent c) {
894                         TreePath[] paths = actionsTree.getSelectionPaths();
895                         List<ActionDefinition> dragActions = new ArrayList<>();
>>>     CID 1476004:  Null pointer dereferences  (NULL_RETURNS)
>>>     Accessing length of null array "paths".
896                         for (TreePath path : paths) {
897                             DefaultMutableTreeNode node = (DefaultMutableTreeNode) path.getLastPathComponent();
898                             Object obj = node.getUserObject();
899                             if (obj == null) {
900                                 dragActions.add(ActionDefinition.getSeparator());
901                             } else if (obj instanceof Action) {

** CID 1476003:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/data/imagery/ImageryPatterns.java: 62 in <lambda implementing java.util.function.Predicate>.test()


________________________________________________________________________________________________________
*** CID 1476003:  Null pointer dereferences  (NULL_RETURNS)
/src/org/openstreetmap/josm/data/imagery/ImageryPatterns.java: 62 in <lambda implementing java.util.function.Predicate>.test()
56             // Hide public constructor
57         }
58     
59         private static void checkUrlPatterns(String url, Pattern[] allPatterns, String errMessage) {
60             Matcher m = PATTERN_PARAM.matcher(Objects.requireNonNull(url, "url"));
61             while (m.find()) {
>>>     CID 1476003:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "null" "m.group()" when calling "matcher".
62                 if (Arrays.stream(allPatterns).noneMatch(pattern -> pattern.matcher(m.group()).matches())) {
63                     throw new IllegalArgumentException(tr(errMessage, m.group(), url));
64                 }
65             }
66         }
67     

** CID 1476002:    (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/layer/OsmDataLayer.java: 1157 in org.openstreetmap.josm.gui.layer.OsmDataLayer.removeClipboardDataFor(org.openstreetmap.josm.gui.layer.OsmDataLayer)()
/src/org/openstreetmap/josm/gui/layer/OsmDataLayer.java: 1157 in org.openstreetmap.josm.gui.layer.OsmDataLayer.removeClipboardDataFor(org.openstreetmap.josm.gui.layer.OsmDataLayer)()


________________________________________________________________________________________________________
*** CID 1476002:    (RESOURCE_LEAK)
/src/org/openstreetmap/josm/gui/layer/OsmDataLayer.java: 1157 in org.openstreetmap.josm.gui.layer.OsmDataLayer.removeClipboardDataFor(org.openstreetmap.josm.gui.layer.OsmDataLayer)()
1151             if (clipboardContents != null && clipboardContents.isDataFlavorSupported(OsmLayerTransferData.OSM_FLAVOR)) {
1152                 try {
1153                     Object o = clipboardContents.getTransferData(OsmLayerTransferData.OSM_FLAVOR);
1154                     if (o instanceof OsmLayerTransferData && osm.equals(((OsmLayerTransferData) o).getLayer())) {
1155                         ClipboardUtils.clear();
1156                     }
>>>     CID 1476002:    (RESOURCE_LEAK)
>>>     Variable "o" going out of scope leaks the resource it refers to.
1157                 } catch (UnsupportedFlavorException | IOException e) {
1158                     Logging.error(e);
1159                 }
1160             }
1161         }
1162     
/src/org/openstreetmap/josm/gui/layer/OsmDataLayer.java: 1157 in org.openstreetmap.josm.gui.layer.OsmDataLayer.removeClipboardDataFor(org.openstreetmap.josm.gui.layer.OsmDataLayer)()
1151             if (clipboardContents != null && clipboardContents.isDataFlavorSupported(OsmLayerTransferData.OSM_FLAVOR)) {
1152                 try {
1153                     Object o = clipboardContents.getTransferData(OsmLayerTransferData.OSM_FLAVOR);
1154                     if (o instanceof OsmLayerTransferData && osm.equals(((OsmLayerTransferData) o).getLayer())) {
1155                         ClipboardUtils.clear();
1156                     }
>>>     CID 1476002:    (RESOURCE_LEAK)
>>>     Variable "o" going out of scope leaks the resource it refers to.
1157                 } catch (UnsupportedFlavorException | IOException e) {
1158                     Logging.error(e);
1159                 }
1160             }
1161         }
1162     

** CID 1476001:  SpotBugs: Bad practice  (FB.RV_RETURN_VALUE_IGNORED_BAD_PRACTICE)
/src/org/openstreetmap/josm/spi/lifecycle/Lifecycle.java: 85 in org.openstreetmap.josm.spi.lifecycle.Lifecycle.initialize_org.openstreetmap.josm.spi.lifecycle.InitializationSequence/<gen>java.util.function.Consumer_instance_2.<init>(java.util.concurrent.ExecutorService)()


________________________________________________________________________________________________________
*** CID 1476001:  SpotBugs: Bad practice  (FB.RV_RETURN_VALUE_IGNORED_BAD_PRACTICE)
/src/org/openstreetmap/josm/spi/lifecycle/Lifecycle.java: 85 in org.openstreetmap.josm.spi.lifecycle.Lifecycle.initialize_org.openstreetmap.josm.spi.lifecycle.InitializationSequence/<gen>java.util.function.Consumer_instance_2.<init>(java.util.concurrent.ExecutorService)()
79                 }
80                 // asynchronous initializations to be completed eventually
81                 initSequence.asynchronousRunnableTasks().forEach(x -> {
82                     if (x != null) service.submit(x);
83                 });
84                 initSequence.asynchronousCallableTasks().forEach(x -> {
>>>     CID 1476001:  SpotBugs: Bad practice  (FB.RV_RETURN_VALUE_IGNORED_BAD_PRACTICE)
>>>     Exceptional return value of java.util.concurrent.ExecutorService.submit(Callable) ignored.
85                     if (x != null) service.submit(x);
86                 });
87                 try {
88                     service.shutdown();
89                 } catch (SecurityException e) {
90                     Logging.log(Logging.LEVEL_ERROR, "Unable to shutdown executor service", e);

** CID 1476000:  Null pointer dereferences  (FORWARD_NULL)
/src/org/openstreetmap/josm/gui/io/OnlineResourceMenu.java: 39 in org.openstreetmap.josm.gui.io.OnlineResourceMenu.<init>()()


________________________________________________________________________________________________________
*** CID 1476000:  Null pointer dereferences  (FORWARD_NULL)
/src/org/openstreetmap/josm/gui/io/OnlineResourceMenu.java: 39 in org.openstreetmap.josm.gui.io.OnlineResourceMenu.<init>()()
33             addMenuListener(new ToggleMenuListener());
34     
35             for (OnlineResource onlineResource : OnlineResource.values()) {
36                 ToggleOnlineResourceAction action = new ToggleOnlineResourceAction(onlineResource);
37                 JCheckBoxMenuItem item = new JCheckBoxMenuItem(action);
38                 action.addButtonModel(item.getModel());
>>>     CID 1476000:  Null pointer dereferences  (FORWARD_NULL)
>>>     "add" dereferences null "super.popupMenu".
39                 add(item);
40             }
41         }
42     
43         private static class ToggleOnlineResourceAction extends ToggleAction {
44             private final OnlineResource onlineResource;

** CID 1475999:    (SENSITIVE_DATA_LEAK)


________________________________________________________________________________________________________
*** CID 1475999:    (SENSITIVE_DATA_LEAK)
/src/org/openstreetmap/josm/gui/MainApplication.java: 1400 in org.openstreetmap.josm.gui.MainApplication$GuiFinalizationWorker.handleAutosave()()
1394                                 trn("JOSM found {0} unsaved osm data layer. ",
1395                                         "JOSM found {0} unsaved osm data layers. ", unsavedLayerFiles.size(), unsavedLayerFiles.size()) +
1396                                         tr("It looks like JOSM crashed last time. Would you like to restore the data?"));
1397                         dialog.setButtonIcons("ok", "cancel", "dialogs/delete");
1398                         int selection = dialog.showDialog().getValue();
1399                         if (selection == 1) {
>>>     CID 1475999:    (SENSITIVE_DATA_LEAK)
>>>     Calling "recoverUnsavedLayers". This shows the sensitive data "autosaveTask.autosaveDir" in a user interface. It may be exposed to unintended individuals. (The virtual call resolves to "org.openstreetmap.josm.gui.layer.AutosaveTask.recoverUnsavedLayers()".)
1400                             autosaveTask.recoverUnsavedLayers();
1401                         } else if (selection == 3) {
1402                             autosaveTask.discardUnsavedLayers();
1403                         }
1404                     }
1405                     try {
/src/org/openstreetmap/josm/gui/MainApplication.java: 1400 in org.openstreetmap.josm.gui.MainApplication$GuiFinalizationWorker.handleAutosave()()
1394                                 trn("JOSM found {0} unsaved osm data layer. ",
1395                                         "JOSM found {0} unsaved osm data layers. ", unsavedLayerFiles.size(), unsavedLayerFiles.size()) +
1396                                         tr("It looks like JOSM crashed last time. Would you like to restore the data?"));
1397                         dialog.setButtonIcons("ok", "cancel", "dialogs/delete");
1398                         int selection = dialog.showDialog().getValue();
1399                         if (selection == 1) {
>>>     CID 1475999:    (SENSITIVE_DATA_LEAK)
>>>     Calling "recoverUnsavedLayers". This shows the sensitive data "autosaveTask.autosaveDir" in a user interface. It may be exposed to unintended individuals. (The virtual call resolves to "org.openstreetmap.josm.gui.layer.AutosaveTask.recoverUnsavedLayers()".)
1400                             autosaveTask.recoverUnsavedLayers();
1401                         } else if (selection == 3) {
1402                             autosaveTask.discardUnsavedLayers();
1403                         }
1404                     }
1405                     try {

** CID 1475998:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
/src/org/openstreetmap/josm/io/session/MarkerSessionImporter.java: 39 in org.openstreetmap.josm.io.session.MarkerSessionImporter::load(org.w3c.dom.Element, org.openstreetmap.josm.io.session.SessionReader.ImportSupport, org.openstreetmap.josm.gui.progress.ProgressMonitor)()


________________________________________________________________________________________________________
*** CID 1475998:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
/src/org/openstreetmap/josm/io/session/MarkerSessionImporter.java: 39 in org.openstreetmap.josm.io.session.MarkerSessionImporter::load(org.w3c.dom.Element, org.openstreetmap.josm.io.session.SessionReader.ImportSupport, org.openstreetmap.josm.gui.progress.ProgressMonitor)()
33             if (!"0.1".equals(version)) {
34                 throw new IllegalDataException(tr("Version ''{0}'' of meta data for marker layer is not supported. Expected: 0.1", version));
35             }
36             try {
37                 XPathFactory xPathFactory = XPathFactory.newInstance();
38                 XPath xpath = xPathFactory.newXPath();
>>>     CID 1475998:  Sigma  (SIGMA.xml_external_entity_enabled_core_java_xpath)
>>>     The application performs an `XPath` action without disabling `DTD` or enabling `XMLConstants.FEATURE_SECURE_PROCESSING` mode. If the parser handles untrusted data, it will be vulnerable to XML External Entity (XXE) attacks.
39                 XPathExpression fileExp = xpath.compile("file/text()");
40                 String fileStr = (String) fileExp.evaluate(elem, XPathConstants.STRING);
41                 if (Utils.isEmpty(fileStr)) {
42                     throw new IllegalDataException(tr("File name expected for layer no. {0}", support.getLayerIndex()));
43                 }
44     
