Feature/remove unirest #1
Conversation
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| .intervalFunction(ofExponentialBackoff( | ||
| Duration.ofSeconds(Config.getInstance().getPropertyAsInt(ConfigKey.SNYK_RETRY_EXPONENTIAL_BACKOFF_INITIAL_DURATION_SECONDS)), | ||
| Config.getInstance().getPropertyAsInt(ConfigKey.SNYK_RETRY_EXPONENTIAL_BACKOFF_MULTIPLIER), | ||
| Duration.ofSeconds(Config.getInstance().getPropertyAsInt(ConfigKey.SNYK_RETRY_EXPONENTIAL_BACKOFF_MAX_DURATION_SECONDS)) | ||
| )) | ||
| .maxAttempts(Config.getInstance().getPropertyAsInt(ConfigKey.SNYK_RETRY_MAX_ATTEMPTS)) | ||
| .retryOnException(exception -> false) | ||
| .retryOnResult(response -> HttpStatus.TOO_MANY_REQUESTS == response.getStatus()) | ||
| .retryOnResult(response -> 429 == response.getStatusLine().getStatusCode()) |
There was a problem hiding this comment.
YodaCondition: The non-constant portion of an equals check generally comes first.
| .retryOnResult(response -> 429 == response.getStatusLine().getStatusCode()) | |
| .retryOnResult(response -> response.getStatusLine().getStatusCode() == 429) |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) { | ||
| if (response.getEntity()!=null) { | ||
| String responseString = EntityUtils.toString(response.getEntity()); | ||
| final JSONObject responseJson = new org.json.JSONObject(responseString); |
There was a problem hiding this comment.
UnnecessarilyFullyQualified: This fully qualified name is unambiguous to the compiler if imported.
| final JSONObject responseJson = new org.json.JSONObject(responseString); | |
| final JSONObject responseJson = new JSONObject(responseString); |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| Results results; | ||
| try{ | ||
| if (response != null) { | ||
| if (response.getStatusLine().getStatusCode() == org.apache.http.HttpStatus.SC_OK) { |
There was a problem hiding this comment.
UnnecessarilyFullyQualified: This fully qualified name is unambiguous to the compiler if imported.
| if (response.getStatusLine().getStatusCode() == org.apache.http.HttpStatus.SC_OK) { | |
| if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) { |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| final HttpEntity entity = response.getEntity(); | ||
| if (entity != null) { | ||
| try (InputStream in = entity.getContent()) { | ||
| final Document document = XmlUtil.buildSecureDocumentBuilder().parse(in); |
There was a problem hiding this comment.
XXE_DOCUMENT: The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -66,21 +63,13 @@ public MetaModel analyze(final Component component) { | |||
| if (component.getPurl() == null || component.getPurl().getNamespace() == null) { | |||
| return meta; | |||
| } | |||
|
|
|||
| final UnirestInstance ui = UnirestFactory.getUnirestInstance(); | |||
| final String url = String.format(baseUrl + API_URL, caseEncode(component.getPurl().getNamespace()), caseEncode(component.getPurl().getName())); | |||
There was a problem hiding this comment.
💬 23 similar findings have been found in this PR
Var: Unnecessary 'final' modifier.
| final String url = String.format(baseUrl + API_URL, caseEncode(component.getPurl().getNamespace()), caseEncode(component.getPurl().getName())); | |
| String url = String.format(baseUrl + API_URL, caseEncode(component.getPurl().getNamespace()), caseEncode(component.getPurl().getName())); |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 328 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 201 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 165 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 106 |
| src/main/java/org/dependencytrack/tasks/repositories/GemMetaAnalyzer.java | 65 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 134 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 345 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 116 |
| src/main/java/org/dependencytrack/tasks/repositories/GoModulesMetaAnalyzer.java | 68 |
| src/main/java/org/dependencytrack/tasks/repositories/GemMetaAnalyzer.java | 69 |
Showing 10 of 23 findings. Visit the Lift Web Console to see all.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| if (extTexts != null) { | ||
| for(int j = 0; j < extTexts.length(); ++j) { | ||
| JSONObject jso = extTexts.getJSONObject(j); | ||
| ExternalText externalText = new ExternalText(); |
There was a problem hiding this comment.
💬 20 similar findings have been found in this PR
Varifier: Consider using var here to avoid boilerplate.
| ExternalText externalText = new ExternalText(); | |
| var externalText = new ExternalText(); |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 327 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 190 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 81 |
| src/main/java/org/dependencytrack/tasks/repositories/GemMetaAnalyzer.java | 73 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 278 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 322 |
| src/main/java/org/dependencytrack/tasks/repositories/GoModulesMetaAnalyzer.java | 72 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 171 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 155 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 106 |
Showing 10 of 20 findings. Visit the Lift Web Console to see all.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -64,29 +63,24 @@ public RepositoryType supportedRepositoryType() { | |||
| * {@inheritDoc} | |||
| */ | |||
| public MetaModel analyze(final Component component) { | |||
There was a problem hiding this comment.
💬 17 similar findings have been found in this PR
UnnecessaryFinal: Since Java 8, it's been unnecessary to make local variables and parameters final for use in lambdas or anonymous classes. Marking them as final is weakly discouraged, as it adds a fair amount of noise for minimal benefit.
| public MetaModel analyze(final Component component) { | |
| public MetaModel analyze( Component component) { |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 298 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 300 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 106 |
| src/main/java/org/dependencytrack/tasks/repositories/GoModulesMetaAnalyzer.java | 68 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 299 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 306 |
| src/main/java/org/dependencytrack/tasks/repositories/GemMetaAnalyzer.java | 68 |
| src/main/java/org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 328 |
| src/main/java/org/dependencytrack/tasks/repositories/GoModulesMetaAnalyzer.java | 72 |
| src/main/java/org/dependencytrack/tasks/repositories/AbstractMetaAnalyzer.java | 95 |
Showing 10 of 17 findings. Visit the Lift Web Console to see all.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| .formatted(component.getPurl(), response.getStatus(), errors.stream() | ||
| .map(error -> " - %s: %s (%s)".formatted(error.title(), error.detail(), error.code())) | ||
| .collect(Collectors.joining("\n")))); | ||
| final HttpUriRequest request = new HttpGet(requestUrl); |
There was a problem hiding this comment.
💬 4 similar findings have been found in this PR
HTTP_PARAMETER_POLLUTION: Concatenating user-controlled input into a URL
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoClient.java | 100 |
| src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoClient.java | 115 |
| src/main/java/org/dependencytrack/tasks/repositories/AbstractMetaAnalyzer.java | 95 |
| src/main/java/org/dependencytrack/util/VulnDBUtil.java | 81 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
🛠 Lift Auto-fixSome of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.1 # Download the patch
curl https://lift.sonatype.com/api/patch/github.com/mehab/dependency-track/1.diff -o lift-autofixes.diff
# Apply the patch with git
git apply lift-autofixes.diff
# Review the changes
git diffWant it all in a single command? Open a terminal in your project's directory and copy and paste the following command: curl https://lift.sonatype.com/api/patch/github.com/mehab/dependency-track/1.diff | git applyOnce you're satisfied commit and push your changes in your project. Footnotes |
Signed-off-by: mehab <[email protected]>
| logger.error("Destination: " + destination); | ||
| logger.error("Response: " + response.getBody()); | ||
| logger.debug(content); | ||
| HttpPost request = new HttpPost(destination); |
There was a problem hiding this comment.
Varifier: Consider using var here to avoid boilerplate.
| HttpPost request = new HttpPost(destination); | |
| var request = new HttpPost(destination); |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -46,33 +54,31 @@ public void publish(final String publisherName, final PebbleTemplate template, f | |||
| return; | |||
| } | |||
| final String mimeType = getTemplateMimeType(config); | |||
There was a problem hiding this comment.
💬 10 similar findings have been found in this PR
Var: Unnecessary 'final' modifier.
| final String mimeType = getTemplateMimeType(config); | |
| String mimeType = getTemplateMimeType(config); |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 61 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 96 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 44 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 43 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 43 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 43 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 85 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 43 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 72 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 96 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
|
|
||
| public abstract class AbstractWebhookPublisher implements Publisher { | ||
| private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(AbstractWebhookPublisher.class); | ||
|
|
||
| public void publish(final String publisherName, final PebbleTemplate template, final Notification notification, final JsonObject config) { |
There was a problem hiding this comment.
💬 10 similar findings have been found in this PR
UnnecessaryFinal: Since Java 8, it's been unnecessary to make local variables and parameters final for use in lambdas or anonymous classes. Marking them as final is weakly discouraged, as it adds a fair amount of noise for minimal benefit.
| public void publish(final String publisherName, final PebbleTemplate template, final Notification notification, final JsonObject config) { | |
| public void publish(final String publisherName, final PebbleTemplate template, Notification notification, final JsonObject config) { |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 44 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 43 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 43 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 43 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 96 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 96 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 72 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 56 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 85 |
| src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java | 61 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
Signed-off-by: mehab <[email protected]>
…to feature/removeUnirest
| HttpPost request = new HttpPost(builder.build()); | ||
| request.addHeader("accept", "application/xml"); | ||
| HttpEntity data = MultipartEntityBuilder.create().setMode(HttpMultipartMode.BROWSER_COMPATIBLE) | ||
| .addBinaryBody("files[]", findingsJson, org.apache.http.entity.ContentType.APPLICATION_JSON, "findings.json") |
There was a problem hiding this comment.
UnnecessarilyFullyQualified: This fully qualified name is unambiguous to the compiler if imported.
| .addBinaryBody("files[]", findingsJson, org.apache.http.entity.ContentType.APPLICATION_JSON, "findings.json") | |
| .addBinaryBody("files[]", findingsJson, ContentType.APPLICATION_JSON, "findings.json") |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| final JSONObject crate = response.getBody().getObject().optJSONObject("crate"); | ||
| try (final CloseableHttpResponse response = processHttpRequest(url)) { | ||
| if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) { | ||
| final HttpEntity entity = response.getEntity(); |
There was a problem hiding this comment.
💬 15 similar findings have been found in this PR
Var: Unnecessary 'final' modifier.
| final HttpEntity entity = response.getEntity(); | |
| HttpEntity entity = response.getEntity(); |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 72 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 70 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 88 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 90 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 87 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 81 |
| src/main/java/org/dependencytrack/integrations/fortifyssc/FortifySscClient.java | 79 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 69 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 84 |
| src/main/java/org/dependencytrack/integrations/fortifyssc/FortifySscClient.java | 54 |
Showing 10 of 15 findings. Visit the Lift Web Console to see all.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| final JSONObject crate = response.getBody().getObject().optJSONObject("crate"); | ||
| try (final CloseableHttpResponse response = processHttpRequest(url)) { | ||
| if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) { | ||
| final HttpEntity entity = response.getEntity(); |
There was a problem hiding this comment.
💬 15 similar findings have been found in this PR
UnnecessaryFinal: Since Java 8, it's been unnecessary to make local variables and parameters final for use in lambdas or anonymous classes. Marking them as final is weakly discouraged, as it adds a fair amount of noise for minimal benefit.
| final HttpEntity entity = response.getEntity(); | |
| HttpEntity entity = response.getEntity(); |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/integrations/fortifyssc/FortifySscClient.java | 54 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 73 |
| src/main/java/org/dependencytrack/integrations/fortifyssc/FortifySscClient.java | 79 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 79 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 88 |
| src/main/java/org/dependencytrack/integrations/fortifyssc/FortifySscClient.java | 51 |
| src/main/java/org/dependencytrack/integrations/fortifyssc/FortifySscClient.java | 79 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 81 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 72 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 90 |
Showing 10 of 15 findings. Visit the Lift Web Console to see all.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -45,49 +50,54 @@ public FortifySscClient(final FortifySscUploader uploader, final URL baseURL) { | |||
|
|
|||
| public String generateOneTimeUploadToken(final String citoken) { | |||
| LOGGER.debug("Generating one-time upload token"); | |||
| final UnirestInstance ui = UnirestFactory.getUnirestInstance(); | |||
| HttpPost request = new HttpPost(baseURL + "/api/v1/fileTokens"); | |||
There was a problem hiding this comment.
💬 3 similar findings have been found in this PR
Varifier: Consider using var here to avoid boilerplate.
| HttpPost request = new HttpPost(baseURL + "/api/v1/fileTokens"); | |
| var request = new HttpPost(baseURL + "/api/v1/fileTokens"); |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/org/dependencytrack/integrations/fortifyssc/FortifySscClient.java | 63 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 78 |
| src/main/java/org/dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 70 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
…y-track into feature/removeUnirest
…ndency-track into feature/removeUnirest
…y-track into feature/removeUnirest
| } | ||
|
|
||
| public <T> Results<T> parse(File file, Class<? extends ApiObject> apiObject) throws IOException { | ||
| String jsonData = Files.readString(Paths.get(file.toURI()), Charset.defaultCharset()); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/net/URI;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -663,8 +665,11 @@ public static org.cyclonedx.model.vulnerability.Vulnerability convert(final Quer | |||
| } | |||
|
|
|||
| /** | |||
| * Converts a parsed Bom to a native list of Dependency-Track component object | |||
| * Converts a parsed Bom to a native list of Dependency-Track component objects | |||
| * @param qm | |||
There was a problem hiding this comment.
EmptyBlockTag: A block tag (@param, @return, @throws, @deprecated) has an empty description. Block tags without descriptions don't add much value for future readers of the code; consider removing the tag entirely or adding a description.
| * @param qm | |
| * |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| final JSONArray jsonArray = new JSONArray(); | ||
| final org.cyclonedx.model.Dependency d1 = getDependencyFromBomRef(c1.getBomRef(), bom.getDependencies()); | ||
| final org.cyclonedx.model.Dependency d1 = getDependencyFromBomRef(c1.getKey(), bom.getDependencies()); |
There was a problem hiding this comment.
UnnecessarilyFullyQualified: This fully qualified name is unambiguous to the compiler if imported.
| final org.cyclonedx.model.Dependency d1 = getDependencyFromBomRef(c1.getKey(), bom.getDependencies()); | |
| final Dependency targetDep = getDependencyFromBomRef(targetBomRef, bom.getDependencies()); |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
Signed-off-by: mehab <[email protected]>
| } | ||
|
|
||
| public <T> Results<T> parse(File file, Class<? extends ApiObject> apiObject) throws IOException { | ||
| String jsonData = Files.readString(Paths.get(file.toURI()), Charset.defaultCharset()); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/net/URI;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
Signed-off-by: mehab <[email protected]>
| } | ||
|
|
||
| public <T> Results<T> parse(File file, Class<? extends ApiObject> apiObject) throws IOException { | ||
| String jsonData = Files.readString(Paths.get(file.toURI()), Charset.defaultCharset()); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/net/URI;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
Signed-off-by: mehab <[email protected]>
|
|
||
| final LocalDate publishedDate = LocalDate.ofInstant(published.toInstant(), ZoneId.systemDefault()); | ||
| final LocalDate ageDate = publishedDate.plus(agePeriod); | ||
| final LocalDate today = LocalDate.now(); |
There was a problem hiding this comment.
JavaTimeDefaultTimeZone: LocalDate.now() is not allowed because it silently uses the system default time-zone. You must pass an explicit time-zone (e.g., ZoneId.of("America/Los_Angeles")) to this method.
| final LocalDate today = LocalDate.now(); | |
| final LocalDate today = LocalDate.now(ZoneId.systemDefault()); |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| case NUMERIC_EQUAL -> ageDate.isEqual(today); | ||
| case NUMERIC_NOT_EQUAL -> !ageDate.isEqual(today); | ||
| case NUMERIC_LESSER_THAN_OR_EQUAL -> ageDate.isEqual(today) || ageDate.isAfter(today); | ||
| case NUMERIC_LESS_THAN -> ageDate.isAfter(LocalDate.now()); |
There was a problem hiding this comment.
JavaTimeDefaultTimeZone: LocalDate.now() is not allowed because it silently uses the system default time-zone. You must pass an explicit time-zone (e.g., ZoneId.of("America/Los_Angeles")) to this method.
| case NUMERIC_LESS_THAN -> ageDate.isAfter(LocalDate.now()); | |
| case NUMERIC_LESS_THAN -> ageDate.isAfter(LocalDate.now(ZoneId.systemDefault())); |
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -55,6 +55,7 @@ public PolicyEngine() { | |||
| evaluators.add(new CpePolicyEvaluator()); | |||
| evaluators.add(new SwidTagIdPolicyEvaluator()); | |||
| evaluators.add(new VersionPolicyEvaluator()); | |||
| evaluators.add(new ComponentAgePolicyEvaluator()); | |||
There was a problem hiding this comment.
RESOURCE_LEAK: resource of type org.dependencytrack.persistence.QueryManager acquired by call to ComponentAgePolicyEvaluator() at line 58 is not released after line 58.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
…y-track into feature/removeUnirest
| .addPart("close_old_findings", new StringBody("true", ContentType.MULTIPART_FORM_DATA)) | ||
| .addPart("push_to_jira", new StringBody("push_to_jira", ContentType.MULTIPART_FORM_DATA)) | ||
| .addPart("test", new StringBody(testId, ContentType.MULTIPART_FORM_DATA)) | ||
| .addPart("scan_date", new StringBody(DATE_FORMAT.format(new Date()), ContentType.MULTIPART_FORM_DATA)) |
There was a problem hiding this comment.
JavaUtilDate: Date has a bad API that leads to bugs; prefer java.time.Instant or LocalDate.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Help us improve LIFT! (Sonatype LiftBot external survey)
Was this a good recommendation for you? Answering this survey will not impact your Lift settings.
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| .addPart("minimum_severity", new StringBody("Info", ContentType.MULTIPART_FORM_DATA)) | ||
| .addPart("close_old_findings", new StringBody("true", ContentType.MULTIPART_FORM_DATA)) | ||
| .addPart("push_to_jira", new StringBody("push_to_jira", ContentType.MULTIPART_FORM_DATA)) | ||
| .addPart("scan_date", new StringBody(DATE_FORMAT.format(new Date()), ContentType.MULTIPART_FORM_DATA)) |
There was a problem hiding this comment.
JavaUtilDate: Date has a bad API that leads to bugs; prefer java.time.Instant or LocalDate.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Help us improve LIFT! (Sonatype LiftBot external survey)
Was this a good recommendation for you? Answering this survey will not impact your Lift settings.
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| } | ||
|
|
||
| public <T> Results<T> parse(File file, Class<? extends ApiObject> apiObject) throws IOException { | ||
| String jsonData = Files.readString(Paths.get(file.toURI()), Charset.defaultCharset()); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/net/URI;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Help us improve LIFT! (Sonatype LiftBot external survey)
Was this a good recommendation for you? Answering this survey will not impact your Lift settings.
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
…y-track into feature/removeUnirest
Signed-off-by: mehab <[email protected]>
…ndency-track into feature/removeUnirest
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
Signed-off-by: mehab <[email protected]>
| @@ -147,7 +147,7 @@ protected void handleUnexpectedHttpResponse(final Logger logger, String url, fin | |||
| ); | |||
| } | |||
|
|
|||
| protected void handleRequestException(final Logger logger, final Exception e) { | |||
| protected void handleRequestException(final Logger logger, final Throwable e) { | |||
There was a problem hiding this comment.
InconsistentCapitalization: Found the field 'LOGGER' with the same name as the parameter 'logger' but with different capitalization.
| protected void handleRequestException(final Logger logger, final Throwable e) { | |
| protected void handleRequestException(final Logger LOGGER, final Throwable e) { |
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Help us improve LIFT! (Sonatype LiftBot external survey)
Was this a good recommendation for you? Answering this survey will not impact your Lift settings.
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
Description
Addressed Issue
Additional Details
Checklist