ConstantPasswordDetector: StringIndexOutOfBoundsException: String index out of range: -3
nkavian opened this issue
Environment
Component | Version |
---|---|
Maven | 3.8.1 |
Java | 1.8.0_241 |
SpotBugs | 4.3.0 |
FindSecBugs | 1.11.0 |
Problem
```
[INFO] Fork Value is true
[java] The following errors occurred during analysis:
[java] Exception analyzing com.my.package.MyClass using detector com.h3xstream.findsecbugs.password.ConstantPasswordDetector
[java] java.lang.StringIndexOutOfBoundsException: String index out of range: -3
[java] At java.lang.String.substring(String.java:1931)
[java] At com.h3xstream.findsecbugs.password.ConstantPasswordDetector.isSuspiciousName(ConstantPasswordDetector.java:123)
[java] At com.h3xstream.findsecbugs.password.ConstantPasswordDetector.visitAfter(ConstantPasswordDetector.java:109)
[java] At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:403)
[java] At org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:213)
[java] At edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:38)
[java] At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
[java] At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
[java] At java.util.concurrent.FutureTask.run(FutureTask.java:266)
[java] At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
[java] At java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:238)
[java] At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
[java] At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
[java] At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
[java] At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
```
Code
It's unknown which line in my unit test file is causing this in your detector. Looking at the detector at this line, the `fullFieldName` is shorter than the `classNameLength`, so the difference becomes a -3 length.
Here is the String implementation for substring, which triggers the 2nd exception, not the first:

```java
public String substring(int beginIndex) {
    if (beginIndex < 0) {
        throw new StringIndexOutOfBoundsException(beginIndex);
    }
    int subLen = value.length - beginIndex;
    if (subLen < 0) {
        // This is the branch that fires here: subLen is -3 because beginIndex
        // (classNameLength) exceeds the length of fullFieldName by 3.
        throw new StringIndexOutOfBoundsException(subLen);
    }
    return (beginIndex == 0) ? this : new String(value, beginIndex, subLen);
}
```
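The failure mode described above, as an added example that is not part of this issue or of the FindSecBugs code: a hypothetical reconstruction of the prefix-stripping step (the method names, the class `SubstringGuardDemo` and the sample strings are assumptions) showing how a name 3 characters shorter than `classNameLength` yields exactly the `-3` message on Java 8, and the bounds check that lets the detector keep going instead of aborting the class analysis.

```java
// Added example, not FindSecBugs code: hypothetical reconstruction of the
// prefix-stripping step in isSuspiciousName, with a guarded counterpart.
public class SubstringGuardDemo {

    // Unguarded: same call shape as the failing line. classNameLength is the
    // length of the class-name prefix the detector expects in fullFieldName.
    static String stripPrefixUnguarded(String fullFieldName, int classNameLength) {
        // On Java 8, substring(begin) throws StringIndexOutOfBoundsException(subLen)
        // with subLen = fullFieldName.length() - classNameLength when that is negative.
        return fullFieldName.substring(classNameLength);
    }

    // Guarded: only strip when the name is at least as long as the prefix;
    // otherwise return the name unchanged so analysis of the class continues.
    static String stripPrefixGuarded(String fullFieldName, int classNameLength) {
        if (classNameLength < 0 || classNameLength > fullFieldName.length()) {
            return fullFieldName;
        }
        return fullFieldName.substring(classNameLength);
    }

    public static void main(String[] args) {
        // Constructed sample: a 15-character class name against a 12-character
        // field name, so length - prefix = -3, the value seen in the report.
        String className = "com.example.Foo";      // 15 chars
        String fullFieldName = "secretKey123";     // 12 chars
        int classNameLength = className.length();  // 15

        try {
            stripPrefixUnguarded(fullFieldName, classNameLength);
        } catch (StringIndexOutOfBoundsException e) {
            // Java 8 message: "String index out of range: -3"
            System.out.println("unguarded: " + e.getMessage());
        }
        // Falls back to the original name instead of throwing.
        System.out.println("guarded: " + stripPrefixGuarded(fullFieldName, classNameLength));
    }
}
```

Newer JDKs word the exception message differently ("begin 15, end 12, length 12"), so the `-3` text itself is specific to the Java 8 `substring` shown above.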
@nkavian Can you provide a sample to reproduce the case or example where the classname is shorter than a full field name?
I wanted to share sample code in my original post, but I couldn't narrow down what causes the issue in just this 1 file. The file has too many dependencies to be able to share anything meaningful, and it's not open sourced.
If you have a debug jar, I'd be happy to run it and capture the output.