I have a lot of issues with CWE 117 in Veracode with my Java project.
I tried to fix it without code by using log configuration.
I added the dependency:
<!-- https://mvnrepository.com/artifact/org.owasp/security-logging-logback -->
<dependency>
    <groupId>org.owasp</groupId>
    <artifactId>security-logging-logback</artifactId>
    <version>1.1.7</version>
</dependency>
I added the conversion:
<!-- Define the CRLFConverter -->
<conversionRule conversionWord="crlf" converterClass="org.owasp.security.logging.mask.CRLFConverter" />
I added the pattern in my layout:
%crlf(%.-500msg)
I made the change in the logback.xml file in the resource folder.
I ran another scan but the issues are still there.
Any idea why this is not fixing the CWE?
Thanks,
Nicolas
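An added example (not part of the original post) of the neutralization that the `%crlf(%.-500msg)` pattern above is configured to perform, written as plain Java so the same step can be applied where a value is passed to the logger. The class name, the `neutralize` helper and the sample input are hypothetical, and replacing line breaks with an underscore is an assumption about how a CRLF-masking converter behaves.

```java
public class LogNeutralizeDemo {
    // Mirrors the %.-500msg modifier in the post: keep at most the first 500 characters.
    static final int MAX_LEN = 500;

    // Truncate first, then replace every character that can start a new line
    // in a log viewer. Assumption: '_' is the replacement character.
    static String neutralize(String msg) {
        if (msg == null) {
            return "null";
        }
        String cut = msg.length() > MAX_LEN ? msg.substring(0, MAX_LEN) : msg;
        StringBuilder sb = new StringBuilder(cut.length());
        for (int i = 0; i < cut.length(); i++) {
            char c = cut.charAt(i);
            boolean lineBreak = c == '\r' || c == '\n'
                    || c == '\u0085' || c == '\u2028' || c == '\u2029';
            sb.append(lineBreak ? '_' : c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a user-supplied name carrying CRLF and a forged second entry.
        String user = "alice\r\n2024-01-01 00:00:00 INFO  Login succeeded for admin";
        String raw = "Login failed for " + user;

        System.out.println("--- raw message (reads as two log entries) ---");
        System.out.println("2024-01-01 00:00:00 WARN  " + raw);

        System.out.println("--- neutralized message (stays one entry) ---");
        System.out.println("2024-01-01 00:00:00 WARN  " + neutralize(raw));

        // At a real call site the helper would wrap the tainted argument, e.g.
        //   log.warn("Login failed for {}", neutralize(user));
    }
}
```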
I'm using Tika parsers in my project.
I'm using three classes from this package:
org.apache.tika.Tika;
org.apache.tika.parser.txt.CharsetDetector;
org.apache.tika.parser.txt.CharsetMatch;
Last time I raised the version from Tika 1.0 to Tika 1.20.
Then it started throwing warnings like:
WARN org.apache.tika.parser.SQLite3Parser : org.xerial's sqlite-jdbc is not loaded.
Please provide the jar on your classpath to parse sqlite files.
See tika-parsers/pom.xml for the correct version.
I don't need these dependencies in my app, so I tried to avoid it in the following ways:
1. Created a tika-config.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<properties>
    <service-loader initializableProblemHandler="ignore"/>
</properties>
2. Added a tika.config property to application.yaml with relative and not-relative paths to the tika-config.xml file. Didn't work.
3. Added a TIKA_CONFIG environment variable. Also didn't work.
Is there any other solution that I can try to get rid of these warnings?
The reason you have this warning is that sqlite is no longer embedded in the Tika jar:
https://cwiki.apache.org/confluence/display/tika/SQLite%20Parser
Try excluding SQL with this, or add the sqlite dependency:
<?xml version="1.0" encoding="UTF-8"?>
<properties>
    <parsers>
        <parser class="org.apache.tika.parser.DefaultParser">
            <mime-exclude>application/sql</mime-exclude>
        </parser>
    </parsers>
</properties>
If you want to add the sqlite dependency, add this to your pom.xml:
<dependency>
    <groupId>org.xerial</groupId>
    <artifactId>sqlite-jdbc</artifactId>
    <version>3.8.10.1</version>
</dependency>
I would like to add some GWT (Google Web Toolkit) functionality to my existing web application built with Maven (servlets, JSPs etc). I have read some tutorials about GWT and managed to successfully write some basic examples, but I can't seem to understand how to integrate it with my existing project. All the tutorials that I found focus on building the application from scratch (without Maven) or on creating a new project with the GWT archetype (with Maven).
How do I proceed with an existing application (webapp archetype)? I tried adding the path to the GWT SDK to the project and created a basic HelloWorld class (I created a separate package structure just for GWT) following THIS tutorial.
What I don't understand is how to set up everything correctly and where to place the configuration files. Is the config file supposed to be in the root folder of the project (next to pom.xml)? Should it be named the same as my project or based on the class specified as the entry point?
Basically, my current structure looks like this:
src/main/java/wa2/gwt/clients/CarRental.java
src/main/webapp/CarRental.html (same directory as my JSPs)
src/resousrce/wa2/gwt/CarRental.gwt.xml (same directory as pom.xml) - let's say that my project is called "CarRental"
This obviously does not work. Did I forget some configuration? Are the locations wrong? Thanks for any help!
EDIT: I changed the structure of the project and added the maven dependencies. It seems that GWT is recognized now. However, it is still not running any GWT code when accessing the html page.
This is my silly test with CarRental.html (src/main/webapp/CarRental.html):
<html>
    <head>
        <title>CarRental</title>
        <script language="javascript" src="carrental/carrental.nocache.js"></script>
    </head>
    <body>
        <h1>Hello World</h1>
        <p>Welcome to first GWT application</p>
    </body>
</html>
The CarRental.java (src/main/java/wa2.gwt.clients.CarRental.java):
package wa2.gwt.clients;

import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.user.client.Window;

public class CarRental implements EntryPoint {
    public void onModuleLoad() {
        Window.alert("Hello, World!");
    }
}
Am I still missing something? I am accessing the html file by clicking it and executing run as > run on server (the webapp is deployed to my Tomcat server) or alternatively just typing the URL on localhost.
I have a Maven/GWT app with the following structure:
approot/pom.xml
approot/src/main/resources
approot/src/main/java/org/mydomain/MyApplication.gwt.xml
approot/src/main/java/org/mydomain/client/...
approot/src/main/java/org/mydomain/others/...
All the GWT Java code is in the client package, as defined in the gwt.xml file like this:
<!DOCTYPE module PUBLIC "-//Google Inc.//DTD Google Web Toolkit 1.6.4//EN" "http://google-web-toolkit.googlecode.com/svn/tags/1.6.4/distro-source/core/src/gwt-module.dtd">
<module rename-to='resources'>
    <inherits name='com.google.gwt.user.User'/>
    <inherits name="com.google.gwt.resources.Resources" />
    <inherits name="com.google.gwt.uibinder.UiBinder"/>
    <inherits name="some.other.Dependency" />
    <source path="client" />
    <entry-point class='org.mydomain.client.Main'/>
</module>
Here, the source element specifies that all Java in the client package (and any sub-packages) is to be processed by the GWT compiler and converted into JavaScript. All other packages are server-side and are not converted. If you have no server-side Java, then you'll only have the client package.
You'll need the GWT dependencies. Here's the minimum, there are others:
<dependency>
    <groupId>com.google.gwt</groupId>
    <artifactId>gwt-user</artifactId>
    <version>2.5.1</version>
    <scope>provided</scope>
</dependency>
It is also important to include the GWT maven plugin, so the GWT compiler will run during a Maven build. Configure the plugin in your <plugins> section of your pom.xml. Here's an example:
<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>gwt-maven-plugin</artifactId>
    <version>2.5.1</version>
    <executions>
        <execution>
            <phase>prepare-package</phase>
            <goals>
                <goal>compile</goal>
            </goals>
        </execution>
    </executions>
</plugin>
I have a problem that is driving me nuts for three days.
I deployed the spring-eap6-quickstart code according to the tutorial on my OpenShift account. I configured debug options and synchronized my Eclipse workspace with the OpenShift server. Everything on the server is working properly, but in Eclipse I get an error that I cannot eliminate.
I have this error:
cvc-complex-type.2.4.a: Invalid content was found starting with element 'deployment'. One of '{ear-subdeployments-isolated, deployment, sub-deployment, module}' is expected. jboss-deployment-structure.xml /spring-eap6-quickstart/src/main/webapp/WEB-INF line 2
That indicates an error on the deployment tag.
My jboss-deployment-structure.xml is:
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.0">
    <deployment>
        <dependencies>
            <module name="com.h2database.h2"/>
            <module name="org.codehaus.jackson.jackson-core-asl"/>
            <module name="org.codehaus.jackson.jackson-mapper-asl"/>
            <module name="org.slf4j"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>
When I changed deployment structure to:
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:2.0">
this change in Eclipse corrects the error, but then the application does not work on the OpenShift server.
I realize that the problem is in the setup, but I do not know how to overcome it. Does anyone know what I have to do? Please help. Thank you.
Your XML is absolutely valid when using urn:jboss:deployment-structure:1.0. Unfortunately there are errors in the jbossas deployment-structure schema and thus Eclipse will complain:
https://issues.jboss.org/browse/JBIDE-15311
Bumping the version of the referred schema to 2.0 fixes it in Eclipse by referring to a nonexistent schema; 2.0 does not exist yet. Thus OpenShift will then fail. There are currently 1.0, 1.1 and 1.2. The upcoming 2.0 should fix the schema and thus have Eclipse validating properly. But we're not there yet, unfortunately. I suggest that you simply turn the validation off, either all or only the schema validation: Window->Preferences->Validation:
Update your XML to define the namespace, i.e.:
<?xml version="1.0" encoding="UTF-8"?>
<jds:jboss-deployment-structure xmlns:jds="urn:jboss:deployment-structure:1.0">
    <deployment>
        <dependencies>
            <module name="org.dom4j" />
        </dependencies>
    </deployment>
</jds:jboss-deployment-structure>
While running junit test in eclipse I am getting this Exception:
java.lang.NoClassDefFoundError: org/hamcrest/SelfDescribing
I've added junit.jar library file.
I've tried different versions of junit.jar: 4.4, 4.8, etc.
How do I fix this Exception?
Add hamcrest-all-X.X.jar to your classpath.
Latest version as of Feb 2015 is 1.3:
http://code.google.com/p/hamcrest/downloads/detail?name=hamcrest-all-1.3.jar&can=2&q=
According to the JUnit GitHub team website (https://github.com/junit-team/junit/wiki/Download-and-Install), junit.jar and hamcrest-core.jar are both needed in the classpath when using JUnit 4.11.
Here is the Maven dependency block for including junit and hamcrest.
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.1.2</version>
    <scope>test</scope>
</dependency>
<!-- Needed by junit -->
<dependency>
    <groupId>org.hamcrest</groupId>
    <artifactId>hamcrest-all</artifactId>
    <version>1.3</version>
    <scope>test</scope>
</dependency>
A few steps you have to follow:
Right click on the project.
Choose Build Path, then from its menu choose Add Libraries.
Choose JUnit then click Next.
Choose JUnit4 then Finish.
Works for me: IntelliJ IDEA 13.1.1, JUnit4, Java 6
I changed the file in project path: [PROJECT_NAME].iml
Replaced:
<library>
    <CLASSES>
        <root url="jar://$APPLICATION_HOME_DIR$/lib/junit-4.11.jar!/" />
    </CLASSES>
    <JAVADOC />
    <SOURCES />
</library>
By:
<library name="JUnit4">
    <CLASSES>
        <root url="jar://$APPLICATION_HOME_DIR$/lib/junit-4.11.jar!/" />
        <root url="jar://$APPLICATION_HOME_DIR$/lib/hamcrest-core-1.3.jar!/" />
        <root url="jar://$APPLICATION_HOME_DIR$/lib/hamcrest-library-1.3.jar!/" />
    </CLASSES>
    <JAVADOC />
    <SOURCES />
</library>
So the final .iml file is:
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
    <component name="NewModuleRootManager" inherit-compiler-output="true">
        <exclude-output />
        <content url="file://$MODULE_DIR$">
            <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
            <sourceFolder url="file://$MODULE_DIR$/tests" isTestSource="true" />
        </content>
        <orderEntry type="inheritedJdk" />
        <orderEntry type="sourceFolder" forTests="false" />
        <orderEntry type="module-library">
            <library name="JUnit4">
                <CLASSES>
                    <root url="jar://$APPLICATION_HOME_DIR$/lib/junit-4.11.jar!/" />
                    <root url="jar://$APPLICATION_HOME_DIR$/lib/hamcrest-core-1.3.jar!/" />
                    <root url="jar://$APPLICATION_HOME_DIR$/lib/hamcrest-library-1.3.jar!/" />
                </CLASSES>
                <JAVADOC />
                <SOURCES />
            </library>
        </orderEntry>
    </component>
</module>
P.S.: save the file and don't let IntelliJ IDEA reload it. Just once.
You need junit-dep.jar because the junit.jar has a copy of old Hamcrest classes.
Just in case there's anyone here using netbeans and has the same problem, all you have to do is
Right click on TestLibraries
Click on Add Library
Select JUnit and click add library
Repeat the process, but this time click on Hamcrest and then click add library
This should solve the problem
This problem occurs because your classpath is missing hamcrest-core-1.3.jar. To resolve this, add hamcrest-core-1.3.jar as you add junit-4.XX.jar to your classpath.
At first I encountered this problem too, but after I referred to the official site and added hamcrest-core-1.3.jar to the classpath on the command line, it finally worked properly.
javac -d ../../../../bin/ -cp ~/libs/junit-4.12.jar:/home/limxtop/projects/algorithms/bin MaxHeapTest.java
java -cp ../../../../bin/:/home/limxtop/libs/junit-4.12.jar:/home/limxtop/libs/hamcrest-core-1.3.jar org.junit.runner.JUnitCore com.limxtop.heap.MaxHeapTest
You need to add the hamcrest-core JAR to the classpath as described here: https://github.com/junit-team/junit4/wiki/Download-and-Install
As a general rule, always make sure hamcrest is before any other testing libraries on the classpath, as many such libraries include hamcrest classes and may therefore conflict with the hamcrest version you're using. This will resolve most problems of the type you're describing.
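A diagnostic for the situation described above, as an added example that is not part of the original answer: it lists every classpath entry that supplies a given class, so a missing provider or a second, shadowed copy of the hamcrest classes becomes visible. The class name `FindClassProviders` and its `providers` helper are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarFile;

public class FindClassProviders {
    // Return, in classpath order, every jar or directory that contains the resource.
    static List<String> providers(String classpath, String resource) {
        List<String> hits = new ArrayList<>();
        for (String entry : classpath.split(File.pathSeparator)) {
            if (entry.isEmpty()) {
                continue;
            }
            File f = new File(entry);
            if (f.isDirectory()) {
                if (new File(f, resource).isFile()) {
                    hits.add(entry);
                }
            } else if (f.isFile()) {
                try (JarFile jar = new JarFile(f)) {
                    if (jar.getJarEntry(resource) != null) {
                        hits.add(entry);
                    }
                } catch (IOException e) {
                    System.err.println("skipped (not a readable jar): " + entry);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Default to the class named in the NoClassDefFoundError from the question.
        String resource = args.length > 0 ? args[0] : "org/hamcrest/SelfDescribing.class";
        List<String> hits = providers(System.getProperty("java.class.path"), resource);
        if (hits.isEmpty()) {
            System.out.println(resource + ": no provider on the classpath");
        }
        for (int i = 0; i < hits.size(); i++) {
            // The first entry in classpath order is the one the class is loaded from.
            System.out.println((i == 0 ? "loaded from: " : "shadowed:    ") + hits.get(i));
        }
    }
}
```

Run it with the same `-cp` value as the failing test; more than one line of output means several jars carry the same class.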
The simplest way of solving the problem to begin with is copying the latest version of hamcrest-code.jar into your CLASSPATH, that is, the file where you store other .jar files needed for compilation and running of your application.
That could be e.g.: C:/ant/lib
It sounds like a classpath issue, so there are a few different ways to go about it. Where does org/hamcrest/SelfDescribing come from? Is that your class or in a different jar?
Try going to your project Build Path and on the Libraries tab, add a Library. You should be able to choose JUnit to your project. This is a little bit different than just having the JUnit jar file in your project.
In your Run Configuration for the JUnit test, check the Classpath. You could probably fix this by making sure your Classpath can see that SelfDescribing class there. The Run option in Eclipse has a different set of options for the JUnit options.
If this problem arises in an RCP project, it can be because JUnit has been explicitly imported.
Check the editor for your plugin.xml under Dependencies tab, remove the org.junit from the Imported Packages and add org.junit to the Required Plug-ins.
The problem is when you set up eclipse to point to JRE instead of JDK. JRE has junit4.jar in the lib/ext folder, but not hamcrest.jar :) So the solution is to check installed JREs in Eclipse, remove the existing one and create a new one pointing to your JDK.
This happens when you run Ant via command line. The implicit user dependencies are added in the classpath at the end and take precedence over the project-added classpath. Run Ant with -nouserlib flag. The implicit dependencies would be excluded from the classpath.
There is a better answer to solve this problem.
Add the dependency:
<dependency>
    <groupId>org.hamcrest</groupId>
    <artifactId>hamcrest-all</artifactId>
    <version>1.3</version>
    <scope>test</scope>
</dependency>
The hamcrest-core-1.3.jar available on maven repository is deprecated.
Download a working hamcrest-core-1.3.jar from the official JUnit4 GitHub link.
If you want to download from the Maven repository, use the latest hamcrest-XX.jar.
<dependency>
    <groupId>org.hamcrest</groupId>
    <artifactId>hamcrest</artifactId>
    <version>2.2</version>
    <scope>test</scope>
</dependency>
I had the same problem, the solution is to add in build path/plugin the jar org.hamcrest.core_1xx, you can find it in eclipse/plugins.
A few steps you have to follow:
Right click on the project.
Choose Build Path & then from its menu choose Add Libraries.
Choose JUnit then click Next.
Choose JUnit4 then Finish.
This works for me...
java.lang.SecurityException: class "org.hamcrest.Matchers"'s signer information does not match signer information of other classes in the same package
Do this:
Right-click on your package
click on Build Path -> Configure Build Path
Click on the Libraries tab
Remove JUnit
Apply and close
Ready.
Try adding the jar files manually or try with force update with the latest hamcrest.jar