SpotBugs Bug Detector Report

The following document contains the results of a SpotBugs analysis.

SpotBugs Version is 4.9.3

Threshold is medium

Effort is default

Summary

Classes | Bugs | Errors | Missing Classes
308 | 35 | 0 | 0

Files

Class | Bugs
org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer | 1
org.owasp.dependencycheck.analyzer.ArchiveAnalyzer | 1
org.owasp.dependencycheck.analyzer.CentralAnalyzer | 1
org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer | 1
org.owasp.dependencycheck.analyzer.GolangModAnalyzer | 2
org.owasp.dependencycheck.analyzer.HintAnalyzer | 1
org.owasp.dependencycheck.analyzer.JarAnalyzer | 1
org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer | 1
org.owasp.dependencycheck.data.cache.DataCacheFactory | 1
org.owasp.dependencycheck.data.central.CentralSearch | 1
org.owasp.dependencycheck.data.knownexploited.json.Vulnerability | 8
org.owasp.dependencycheck.data.update.NvdApiDataSource | 1
org.owasp.dependencycheck.data.update.nvd.api.CveApiJson20CveItemSource | 1
org.owasp.dependencycheck.data.update.nvd.api.JsonArrayCveItemSource | 1
org.owasp.dependencycheck.dependency.Dependency | 2
org.owasp.dependencycheck.dependency.Vulnerability | 1
org.owasp.dependencycheck.dependency.naming.CpeIdentifier | 1
org.owasp.dependencycheck.dependency.naming.PurlIdentifier | 2
org.owasp.dependencycheck.reporting.ReportGenerator | 1
org.owasp.dependencycheck.utils.WriteLock | 2
org.owasp.dependencycheck.xml.assembly.GrokParser | 1
org.owasp.dependencycheck.xml.hints.HintParser | 1
org.owasp.dependencycheck.xml.pom.PomProjectInputStream | 1
org.owasp.dependencycheck.xml.suppression.SuppressionParser | 1

org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer

Bug | Category | Details | Line | Priority
Possible null pointer dereference in org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer.loadSuppressionFile(SuppressionParser, String) due to return value of called method | STYLE | NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE | 391 | Medium

org.owasp.dependencycheck.analyzer.ArchiveAnalyzer

Bug | Category | Details | Line | Priority
Shared primitive variable "maxScanDepth" in one thread may not yield the value of the most recent write from another thread | MT_CORRECTNESS | AT_STALE_THREAD_WRITE_OF_PRIMITIVE | 759 | Medium

org.owasp.dependencycheck.analyzer.CentralAnalyzer

Bug | Category | Details | Line | Priority
Static field "numberOfRetries" is modified by an instance level synchronized method. | MT_CORRECTNESS | SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA | 119 | Medium

org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer

Bug | Category | Details | Line | Priority
Do not catch NullPointerException like in org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer.npmVersionsMatch(String, String) | STYLE | DCN_NULLPOINTER_EXCEPTION | 655 | Medium

org.owasp.dependencycheck.analyzer.GolangModAnalyzer

Bug | Category | Details | Line | Priority
Static field "goPath" is modified by an instance level synchronization lock. | MT_CORRECTNESS | SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA | 135 | Medium
Suppressing annotation on the method org.owasp.dependencycheck.analyzer.GolangModAnalyzer.prepareFileTypeAnalyzer(Engine) is unnecessary | STYLE | US_USELESS_SUPPRESSION_ON_METHOD | 220-269 | Medium

org.owasp.dependencycheck.analyzer.HintAnalyzer

Bug | Category | Details | Line | Priority
Possible null pointer dereference in org.owasp.dependencycheck.analyzer.HintAnalyzer.loadHintRules() due to return value of called method | STYLE | NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE | 295 | Medium

org.owasp.dependencycheck.analyzer.JarAnalyzer

Bug | Category | Details | Line | Priority
Suppressing annotation on the method org.owasp.dependencycheck.analyzer.JarAnalyzer.isZipFile(Dependency) is unnecessary | STYLE | US_USELESS_SUPPRESSION_ON_METHOD | 402-414 | Medium

org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer

Bug | Category | Details | Line | Priority
Operation on the "unusedSuppressionRuleCount" shared variable in "UnusedSuppressionRuleAnalyzer" class is not atomic | MT_CORRECTNESS | AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE | 129 | Medium

org.owasp.dependencycheck.data.cache.DataCacheFactory

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.data.cache.DataCacheFactory at new org.owasp.dependencycheck.data.cache.DataCacheFactory(Settings) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 92 | Medium

org.owasp.dependencycheck.data.central.CentralSearch

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.data.central.CentralSearch at new org.owasp.dependencycheck.data.central.CentralSearch(Settings) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 96 | Medium

org.owasp.dependencycheck.data.knownexploited.json.Vulnerability

Bug | Category | Details | Line | Priority
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium
Comparison of String objects using == or != in org.owasp.dependencycheck.data.knownexploited.json.Vulnerability.equals(Object) | BAD_PRACTICE | ES_COMPARING_STRINGS_WITH_EQ | 367 | Medium

org.owasp.dependencycheck.data.update.NvdApiDataSource

Bug | Category | Details | Line | Priority
Exception is caught when Exception is not thrown in org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi() | STYLE | REC_CATCH_EXCEPTION | 384 | Medium

org.owasp.dependencycheck.data.update.nvd.api.CveApiJson20CveItemSource

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.data.update.nvd.api.CveApiJson20CveItemSource at new org.owasp.dependencycheck.data.update.nvd.api.CveApiJson20CveItemSource(InputStream) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 64 | Medium

org.owasp.dependencycheck.data.update.nvd.api.JsonArrayCveItemSource

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.data.update.nvd.api.JsonArrayCveItemSource at new org.owasp.dependencycheck.data.update.nvd.api.JsonArrayCveItemSource(InputStream) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 63 | Medium

org.owasp.dependencycheck.dependency.Dependency

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.dependency.Dependency at new org.owasp.dependencycheck.dependency.Dependency(File) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 194 | Medium
Exception thrown in class org.owasp.dependencycheck.dependency.Dependency at new org.owasp.dependencycheck.dependency.Dependency(File, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 212 | Medium

org.owasp.dependencycheck.dependency.Vulnerability

Bug | Category | Details | Line | Priority
Class org.owasp.dependencycheck.dependency.Vulnerability defines non-transient non-serializable instance field knownExploitedVulnerability | BAD_PRACTICE | SE_BAD_FIELD | Not available | High

org.owasp.dependencycheck.dependency.naming.CpeIdentifier

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.dependency.naming.CpeIdentifier at new org.owasp.dependencycheck.dependency.naming.CpeIdentifier(String, String, String, Confidence) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 100 | Medium

org.owasp.dependencycheck.dependency.naming.PurlIdentifier

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.dependency.naming.PurlIdentifier at new org.owasp.dependencycheck.dependency.naming.PurlIdentifier(String, String, String, String, Confidence) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 117 | Medium
Exception thrown in class org.owasp.dependencycheck.dependency.naming.PurlIdentifier at new org.owasp.dependencycheck.dependency.naming.PurlIdentifier(String, String, String, Confidence) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 99 | Medium

org.owasp.dependencycheck.reporting.ReportGenerator

Bug | Category | Details | Line | Priority
Suppressing annotation on the method org.owasp.dependencycheck.reporting.ReportGenerator.processTemplate(String, File) is unnecessary | STYLE | US_USELESS_SUPPRESSION_ON_METHOD | 428-434 | Medium

org.owasp.dependencycheck.utils.WriteLock

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.utils.WriteLock at new org.owasp.dependencycheck.utils.WriteLock(Settings, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 112 | Medium
Exception thrown in class org.owasp.dependencycheck.utils.WriteLock at new org.owasp.dependencycheck.utils.WriteLock(Settings, boolean, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 134 | Medium

org.owasp.dependencycheck.xml.assembly.GrokParser

Bug | Category | Details | Line | Priority
Suppressing annotation on the method org.owasp.dependencycheck.xml.assembly.GrokParser.parse(File) is unnecessary | STYLE | US_USELESS_SUPPRESSION_ON_METHOD | 67-71 | Medium

org.owasp.dependencycheck.xml.hints.HintParser

Bug | Category | Details | Line | Priority
Suppressing annotation on the method org.owasp.dependencycheck.xml.hints.HintParser.parseHints(File) is unnecessary | STYLE | US_USELESS_SUPPRESSION_ON_METHOD | 128-134 | Medium

org.owasp.dependencycheck.xml.pom.PomProjectInputStream

Bug | Category | Details | Line | Priority
Exception thrown in class org.owasp.dependencycheck.xml.pom.PomProjectInputStream at new org.owasp.dependencycheck.xml.pom.PomProjectInputStream(InputStream) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. | BAD_PRACTICE | CT_CONSTRUCTOR_THROW | 54 | Medium

org.owasp.dependencycheck.xml.suppression.SuppressionParser

Bug | Category | Details | Line | Priority
Suppressing annotation on the method org.owasp.dependencycheck.xml.suppression.SuppressionParser.parseSuppressionRules(File) is unnecessary | STYLE | US_USELESS_SUPPRESSION_ON_METHOD | 84-88 | Medium