Re: [Codenarc-developer] FW: [ codenarc-Feature Requests-3283605 ] new rule: avoid Direct Connection Management
From: Hamlet D'A. <ham...@gm...> - 2011-04-11 05:13:34
It was a rule ported from the Klocwork project. They call all their rules "security" rules. If you use a non-pooled DirectConnection then I suppose you are more at risk for denial of service. Maybe? We can move it anywhere we want though.

On Mon, Apr 11, 2011 at 1:32 AM, Chris Mair <chr...@ea...> wrote:
> Hamlet,
>
> I love the new DirectConnectionManagement rule. Great idea. What is the reasoning for making that a "security" rule?
>
> Chris
>
> -----Original Message-----
> From: SourceForge.net [mailto:no...@so...]
> Sent: Sunday, April 10, 2011 10:38 AM
> To: chr...@ea...
> Subject: [ codenarc-Feature Requests-3283605 ] new rule: avoid Direct Connection Management
>
> Feature Requests item #3283605, was opened at 2011-04-10 09:37
> Message generated for change (Comment added) made by hamletdrc
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=1126575&aid=3283605&group_id=250145
>
> Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.
>
> Category: None
> Group: None
>>Status: Closed
> Priority: 5
> Private: No
> Submitted By: Hamlet D'Arcy (hamletdrc)
>>Assigned to: Hamlet D'Arcy (hamletdrc)
> Summary: new rule: avoid Direct Connection Management
>
> Initial Comment:
> * DirectConnectionManagement Rule
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> <New in CodeNarc 0.14>
>
> The J2EE standard requires that applications use the container's resource management facilities to obtain connections
> to resources. Every major web application container provides pooled database connection management as part of its
> resource management framework. Duplicating this functionality in an application is difficult and error prone, which
> is part of the reason it is forbidden under the J2EE standard.
>
> For more information see: https://www.fortify.com/vulncat/en/vulncat/java/j2ee_badpractices_getconnection.html
>
> Example of violations:
>
> -------------------------------------------------------------------------------
> DriverManager.getConnection()
> java.sql.DriverManager.getConnection()
> -------------------------------------------------------------------------------
>
> ----------------------------------------------------------------------
>
>>Comment By: Hamlet D'Arcy (hamletdrc)
> Date: 2011-04-10 09:38
>
> Message:
> fixed in 0.14
>
> ----------------------------------------------------------------------

--
Hamlet D'Arcy
ham...@gm...
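As an added illustration of what the rule looks for (this is not CodeNarc's own implementation, which inspects the Groovy AST rather than raw text), the following Python scans a constructed Groovy source for the two call forms listed in the tracker entry, skips commented-out code, and leaves the container-managed DataSource lookup alone; the sample class, its JNDI name and the text-based matching are assumptions made for this example:

```python
import re

# Constructed sample Groovy source: two violations, a commented-out call that
# must not count, and the container-managed DataSource form that is allowed.
SAMPLE_SOURCE = """\
import java.sql.DriverManager
import javax.naming.InitialContext
import javax.sql.DataSource

class OrderDao {
    def directConnection(String url) {
        // Violation: the application manages its own, non-pooled connection.
        def conn = DriverManager.getConnection(url, 'app', 'secret')
        return conn
    }

    def fullyQualified(String url) {
        return java.sql.DriverManager.getConnection(url)  // also a violation
    }

    def pooledConnection() {
        // Allowed: the container's resource manager hands out pooled connections.
        DataSource ds = new InitialContext().lookup('java:comp/env/jdbc/orders')
        return ds.getConnection()
    }

    /* DriverManager.getConnection(url) inside a block comment is not code. */
}
"""

# Both forms named in the rule description: bare and fully qualified.
VIOLATION_PATTERN = re.compile(
    r"\b(?:java\.sql\.)?DriverManager\s*\.\s*getConnection\s*\(")


def strip_comments(source):
    """Blank out /* */ and // comments while preserving line numbering.
    Approximation only: a '//' inside a string literal is also stripped."""
    def keep_newlines(match):
        return "\n" * match.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", source)


def find_direct_connection_violations(source):
    """Return (line_number, code) for every DriverManager.getConnection call."""
    violations = []
    for number, line in enumerate(strip_comments(source).splitlines(), start=1):
        if VIOLATION_PATTERN.search(line):
            violations.append((number, line.strip()))
    return violations


if __name__ == "__main__":
    for number, code in find_direct_connection_violations(SAMPLE_SOURCE):
        print(f"DirectConnectionManagement violation at line {number}: {code}")
```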