Date: Sat, 8 Jul 2017 10:07:00 +0000 (UTC)
From: "Michael Brohl (JIRA)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Subject: [jira] [Closed] (OFBIZ-9452) [FB] Package org.apache.ofbiz.accounting.tax

[ https://issues.apache.org/jira/browse/OFBIZ-9452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl closed OFBIZ-9452.
--------------------------------
Resolution: Fixed
Fix Version/s: Upcoming Release

Thanks Kyra, your patch is in trunk r1801271.

> [FB] Package org.apache.ofbiz.accounting.tax
> --------------------------------------------
>
> Key: OFBIZ-9452
> URL: https://issues.apache.org/jira/browse/OFBIZ-9452
> Project: OFBiz
> Issue Type: Sub-task
> Components: accounting
> Affects Versions: Trunk
> Reporter: Kyra Pritzel-Hentley
> Assignee: Michael Brohl
> Priority: Minor
> Fix For: Upcoming Release
>
> Attachments: OFBIZ-9452_tax.TaxAuthorityServices_bugfixes.patch
>
>
> TaxAuthorityServices.java:60, MS_SHOULD_BE_FINAL
> * MS: org.apache.ofbiz.accounting.tax.TaxAuthorityServices.salestaxFinalDecimals isn't final but should be
> This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> TaxAuthorityServices.java:61, MS_SHOULD_BE_FINAL
> * MS: org.apache.ofbiz.accounting.tax.TaxAuthorityServices.salestaxCalcDecimals isn't final but should be
> This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> TaxAuthorityServices.java:62, MS_SHOULD_BE_FINAL
> * MS: org.apache.ofbiz.accounting.tax.TaxAuthorityServices.salestaxRounding isn't final but should be
> This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> TaxAuthorityServices.java:168, NP_LOAD_OF_KNOWN_NULL_VALUE
> * NP: Load of known null value in org.apache.ofbiz.accounting.tax.TaxAuthorityServices.rateProductTaxCalc(DispatchContext, Map)
> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
> TaxAuthorityServices.java:213, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> * RCN: Redundant nullcheck of shippingAddress, which is known to be non-null in org.apache.ofbiz.accounting.tax.TaxAuthorityServices.rateProductTaxCalc(DispatchContext, Map)
> This method contains a redundant check of a known non-null value against the constant null.
> TaxAuthorityServices.java:388, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> * RCN: Nullcheck of taxAuthorityRateProduct at line 388 of value previously dereferenced in org.apache.ofbiz.accounting.tax.TaxAuthorityServices.getTaxAdjustments(Delegator, GenericValue, GenericValue, String, String, Set, BigDecimal, BigDecimal, BigDecimal, BigDecimal, BigDecimal)
> A value is checked here to see whether it is null, but this value can't be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
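
Added example, not part of the original message or of the OFBiz patch: the MS_SHOULD_BE_FINAL finding quoted above, shown as a before/after in Java. The field names salestaxFinalDecimals and salestaxRounding come from the report; their types and values, the class names and the sample amounts are assumptions made for this demo.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;

public class MsShouldBeFinalDemo {

    // Before: public static but not final, the shape FindBugs reports.
    // Field names are from the report; types and values are assumed.
    static class TaxBefore {
        public static int salestaxFinalDecimals = 2;
        public static RoundingMode salestaxRounding = RoundingMode.HALF_UP;

        static BigDecimal tax(BigDecimal amount, BigDecimal rate) {
            return amount.multiply(rate).setScale(salestaxFinalDecimals, salestaxRounding);
        }
    }

    // After: final turns each field into a write-once constant.
    static class TaxAfter {
        public static final int salestaxFinalDecimals = 2;
        public static final RoundingMode salestaxRounding = RoundingMode.HALF_UP;

        static BigDecimal tax(BigDecimal amount, BigDecimal rate) {
            return amount.multiply(rate).setScale(salestaxFinalDecimals, salestaxRounding);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        BigDecimal amount = new BigDecimal("19.99");
        BigDecimal rate = new BigDecimal("0.0725");

        System.out.println("before, untouched:    " + TaxBefore.tax(amount, rate));

        // Any code that can see the class may overwrite the settings,
        // and every later calculation in the JVM silently uses them.
        TaxBefore.salestaxFinalDecimals = 0;
        TaxBefore.salestaxRounding = RoundingMode.DOWN;
        System.out.println("before, after write:  " + TaxBefore.tax(amount, rate));

        // The same assignments against TaxAfter are rejected by the compiler:
        // TaxAfter.salestaxFinalDecimals = 0;   // error: cannot assign a value to final variable
        System.out.println("after (final fields): " + TaxAfter.tax(amount, rate));
    }
}
```

final only fixes the reference: it is sufficient here because int and RoundingMode values are immutable, whereas a final field holding a mutable object such as an array or collection can still have its contents changed.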