Static Block and a Fortify Error I received?

 
Ranch Hand
Hi everyone,
I'm wondering if someone can help me understand a recent Fortify error I received. I apologize in advance if this isn't the place to ask this. I'm still trying to learn Java and I recently was tasked with resolving this simple error, but I didn't feel I received an adequate explanation regarding the fix.

Fortify listed my original code below as a possible risk.

Here is how I resolved it.

 
Marshal
I don't know why you had that compiler error. But is FIELDS an immutable object? If not, why is it exposed as a public constant?
 
Sheriff
In that second code listing, where are BASE_TABLE_FIELDS and TABLE_FIELDS declared? Are they defined in cascading.tuple.Fields? If so, then there's a world of difference between the second code listing and the one that you say gives you a problem. In the first code listing, TABLE_FIELDS on line 15 refers to the array of TableField objects you declared on line 14. In the second listing, TABLE_FIELDS on line 14 refers to the TABLE_FIELDS declared in cascading.tuple.Fields.
 
Lisa Austin
Ranch Hand
Campbell Ritchie wrote:I don't know why you had that compiler error. But is FIELDS an immutable object? If not, why is it exposed as a public constant?


No compiler error. It was just flagged in Fortify as a risk. I didn't code the original class file. I was just tasked with fixing the security flags found in the scan.
 
Lisa Austin
Ranch Hand
Junilu Lacar wrote:In that second code listing, where are BASE_TABLE_FIELDS and TABLE_FIELDS declared? Are they defined in cascading.tuple.Fields? If so, then there's a world of difference between the second code listing and the one that you say gives you a problem. In the first code listing, TABLE_FIELDS on line 15 refers to the array of TableField objects you declared on line 14. In the second listing, TABLE_FIELDS on line 14 refers to the TABLE_FIELDS declared in cascading.tuple.Fields.

I apologize. I purposely left out some items, as the code is very long and I didn't think (wrong assumption) it would impact my question, but I added it in below. The TABLE_FIELDS is declared on the BaseReportsTable.

 
Junilu Lacar
Sheriff
I found this rule that may be the reason for that line being flagged:

Race Condition: Class Initialization Cycle

Abstract
Assigning a static field to a new object calls the constructor even if it is dependent on other variables initialization, which may lead to objects being initialized incorrectly.

See https://vulncat.hpefod.com/en/weakness?codelang=Java%2fJSP&q=constructor
 
Lisa Austin
Ranch Hand
Junilu Lacar wrote:I found this rule that may be the reason for that line being flagged:

Race Condition: Class Initialization Cycle

Abstract
Assigning a static field to a new object calls the constructor even if it is dependent on other variables initialization, which may lead to objects being initialized incorrectly.

See https://vulncat.hpefod.com/en/weakness?codelang=Java%2fJSP&q=constructor


Yes! So my fix worked because the static block would be initialized first?
 
Lisa Austin
Ranch Hand
Junilu Lacar wrote:I found this rule that may be the reason for that line being flagged:

Race Condition: Class Initialization Cycle

Abstract
Assigning a static field to a new object calls the constructor even if it is dependent on other variables initialization, which may lead to objects being initialized incorrectly.

See https://vulncat.hpefod.com/en/weakness?codelang=Java%2fJSP&q=constructor


Dang, I wish I could edit. So this is what confuses me. Fortify flagged the FIELDS = makeTuleFields(TABLE_FIELDS) line, but it was the TABLE_FIELDS = line below it, which I placed in a static block, that resolved the issue. That line is TABLE_FIELDS = appendFields(ExampleReportsTable.TABLE_FIELDS, BASE_TABLE_FIELDS);

 
Junilu Lacar
Sheriff
I'm not really sure that putting that statement in a static initializer block technically makes a difference. It's possible that you just found a workaround to a limitation in the Fortify analysis algorithm.
 
Junilu Lacar
Sheriff
Lisa Austin wrote:Fortify flagged the FIELDS = makeTuleFields(TABLE_FIELDS) line, but it was the TABLE_FIELDS = line below it, which I placed in a static block, that resolved the issue. That line is TABLE_FIELDS = appendFields(ExampleReportsTable.TABLE_FIELDS, BASE_TABLE_FIELDS);

You said "below it", but in the code listing you posted, the TABLE_FIELDS = ... is above the line you say was flagged by Fortify. Which one is it really, above or below? It makes a difference. Static fields are initialized in textual order, that is, in the order they appear in your source code. If the TABLE_FIELDS field is initialized after the call to FIELDS = makeTuleFields(TABLE_FIELDS), that would be wrong.
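To make the two points raised in this thread concrete (static fields initialize in textual order, and the Fortify "Race Condition: Class Initialization Cycle" rule quoted above), here is an added example that is not code from the thread. The Fields type, makeTupleFields, appendFields and the table classes are hypothetical stand-ins for the poster's code, and the helpers are deliberately null-tolerant so the wrong values show up instead of an exception.

```java
import java.util.Arrays;

public class InitOrderDemo {
    // Stand-in for the poster's Fields type (hypothetical); wraps a column list.
    static final class Fields {
        final String[] names;
        Fields(String[] names) { this.names = names; }
        @Override public String toString() { return Arrays.toString(names); }
    }
    // Null-tolerant helpers so the demo reports the bug instead of throwing.
    static Fields makeTupleFields(String[] names) {
        return new Fields(names == null ? new String[] {"<null>"} : names);
    }
    static String[] appendFields(String[] a, String[] b) {
        if (a == null) a = new String[] {"<null>"};
        if (b == null) b = new String[] {"<null>"};
        String[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
    // Wrong textual order: FIELDS is computed before TABLE_FIELDS is assigned.
    // The qualified name sidesteps javac's "illegal forward reference" check,
    // so the initializer reads TABLE_FIELDS while it is still null.
    static final class BrokenTable {
        static final Fields FIELDS = makeTupleFields(BrokenTable.TABLE_FIELDS);
        static final String[] TABLE_FIELDS = {"id", "name"};
    }
    // Correct order: the dependency is declared, and so initialized, first.
    static final class FixedTable {
        static final String[] TABLE_FIELDS = {"id", "name"};
        static final Fields FIELDS = makeTupleFields(TABLE_FIELDS);
    }
    // Cycle across classes: touching Child starts Child.<clinit>, which triggers
    // Base.<clinit>, which reads Child.TABLE_FIELDS while Child is still being
    // initialized by the same thread and therefore sees null (no error raised).
    static final class Base {
        static final String[] TABLE_FIELDS =
            appendFields(Child.TABLE_FIELDS, new String[] {"created"});
    }
    static final class Child {
        static final String[] TABLE_FIELDS =
            appendFields(new String[] {"id"}, Base.TABLE_FIELDS);
    }
    public static void main(String[] args) {
        System.out.println("broken order: " + BrokenTable.FIELDS);
        System.out.println("fixed order:  " + FixedTable.FIELDS);
        System.out.println("cycle Child:  " + Arrays.toString(Child.TABLE_FIELDS));
        System.out.println("cycle Base:   " + Arrays.toString(Base.TABLE_FIELDS));
    }
}
```

Moving an assignment into a static initializer block does not change these rules: the JVM still runs field initializers and static blocks in textual order, so the fix is to declare the dependency before the field that uses it and to break cycles between classes.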
 
Lisa Austin
Ranch Hand
Junilu Lacar wrote:
Lisa Austin wrote:Fortify flagged the FIELDS = makeTuleFields(TABLE_FIELDS) line, but it was the TABLE_FIELDS = line below it, which I placed in a static block, that resolved the issue. That line is TABLE_FIELDS = appendFields(ExampleReportsTable.TABLE_FIELDS, BASE_TABLE_FIELDS);

You said "below it", but in the code listing you posted, the TABLE_FIELDS = ... is above the line you say was flagged by Fortify. Which one is it really, above or below? It makes a difference. Static fields are initialized in textual order, that is, in the order they appear in your source code. If the TABLE_FIELDS field is initialized after the call to FIELDS = makeTuleFields(TABLE_FIELDS), that would be wrong.

You are correct. I flipped it. I'm going to end this question because I feel that I have created a mess out of this question. I noticed another error I missed when I gave the example of the code I was working with. Since I can't copy the literal code in question, I managed to make a bit of a mess out of my example of it. Sorry about that, and I appreciate the help though. Thank you.
 