Review

Detector:

Findbugs

Target:

project '

axis1

' version

1.2

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-10
In File:	org/apache/axis/components/compiler/Jikes.java
In Method:	compile()
Code with Finding:	class Jikes { /** * Execute the compiler */ public boolean compile() throws IOException { List args = new ArrayList(); // command line name args.add("jikes"); // indicate Emacs output mode must be used args.add("+E"); // avoid warnings // Option nowarn with one hyphen only args.add("-nowarn"); int exitValue; ByteArrayOutputStream tmpErr = new ByteArrayOutputStream(OUTPUT_BUFFER_SIZE); try { Process p = Runtime.getRuntime().exec(toStringArray(fillArguments(args))); BufferedInputStream compilerErr = new BufferedInputStream(p.getErrorStream()); StreamPumper errPumper = new StreamPumper(compilerErr, tmpErr); errPumper.start(); p.waitFor(); exitValue = p.exitValue(); // Wait until the complete error stream has been read errPumper.join(); compilerErr.close(); p.destroy(); tmpErr.close(); this.errors = new ByteArrayInputStream(tmpErr.toByteArray()); } catch (InterruptedException somethingHappened) { log.debug("Jikes.compile():SomethingHappened", somethingHappened); return false; } // Jikes returns 0 even when there are some types of errors. // Check if any error output as well // Return should be OK when both exitValue and // tmpErr.size() are 0 ?! return ((exitValue == 0) && (tmpErr.size() == 0)); } }

Metadata

Hit	Rank	Desc	Type	Violations
?	10	SECCI: This usage of java/lang/Runtime.exec([Ljava/lang/String;)Ljava/lang/Process; can be vulnerable to Command Injection	COMMAND_INJECTION