We Keep Coding

Path traversal vulnerabilities not found at Scala code

I have been trying to scan my code by using SonarQube + FindBugs + FindSecBugs plugins.
The idea is to detect vulnerabilities in the code, and as it says in the github project subject, it works with scala https://github.com/find-sec-bugs/find-sec-bugs
I have installed the plugin as the documentation says, and tried a few scans but nothing related to vulnerabilities in scala is coming up.
So, in order to figure out if the code was really good or there was a misconfiguration on my SonarQube settings, I went to http://find-sec-bugs.github.io/bugs.htm, I took one of the examples (Potential Path Traversal), inserted the example code and I ran the scanner again. It was not found.
The rule (Security - Potential Path Traversal (file read)) is activated in the Quality Profile, and despite it is a Java profile, it is assigned to the project, since the code in the mentioned example is Scala.
I noticed that all the rules coming from find-sec-bugs are java ones, so I'm wondering if they don't work on scala or there is something else I can do to make it work.
Thanks in advance, and let me know if you need any extra information, I'd be glad to provide you.

Looks like the main reason for that to happen is that Scala bug patterns are explicitly excluded for some reasons:
Their are plenty of limitation with the SonarQube architecture regarding the multi-language support.
It is closely tie to the sonar-source plugin design.
Language can't have the same extension (https://jira.sonarsource.com/browse/MMF-672)
Repository can't contains rule that apply to multiple languages. (If you would have Scala only code, the Java core rules would not be enable unless you have one Java file present)
Sensor are couple to the language definition (depends on the most popular plugin that declares it).
etc, etc..
Source: https://github.com/spotbugs/sonar-findbugs/issues/108#issuecomment-305909652
All the exclusions can be seen here: https://github.com/spotbugs/sonar-findbugs/commit/526ca6b29fae2684f86b1deba074a4be8a05b67e
Particularly, for Scala:
static exclusions = ['CUSTOM_INJECTION',
'SCALA_SENSITIVE_DATA_EXPOSURE',
'SCALA_PLAY_SSRF',
'SCALA_XSS_TWIRL',
'SCALA_XSS_MVC_API',
'SCALA_PATH_TRAVERSAL_IN',
'SCALA_COMMAND_INJECTION',
"SCALA_SQL_INJECTION_SLICK",
"SCALA_SQL_INJECTION_ANORM",
"PREDICTABLE_RANDOM_SCALA"]

OpenJDK and com.sun.net

I am looking at using HttpsConfigurator, HttpsServer, and HttpContext in the com.sun.net package. Additionally, part of my project requirement is to use OpenJDK.
I am coding in Eclipse, which will not auto import anything from the com.sun.net package, because it is considered 'forbidden'. After enabling forbidden packages, I can get everything working, building and running. My question, what is considered safe to use in OpenJDK? I am under the impression that it is just the java.* and javax.* packages.
I downloaded the OpenJDK 7 source, and I see that com.sun.net is part of the source, which implies that my assumption might be incorrect. I haven't had any luck googling yet, and I was hoping one the experts here can fill in the missing pieces.
In recap, what is considered safe to use in OpenJDK? Why would Eclipse label com.sun.net as 'forbidden'?
Thanks!

Countless documents -- books, articles, tutorials, official JDK documentation -- have explained that the com.sun.* packages are implementation details, subject to change or removal at any time; they are not intended for user programs. They are not portable, not reliably present, and possibly not as robust as actual API classes. In general, if the JDK documentation bundle contains Javadoc for it, it's intended for your use; otherwise not.

Java: exception when casting to itself(?)

Im working with Oracle WebLogic, Netbeans 6.9.1.
I have the following lines of code:
Query query=entityManager.createNamedQuery("Items.findById").setParameter("id", Integer.parseInt((String) request.getParameter("id")));
Items it=(Items) query.getSingleResult();
and they throw an exception:
java.lang.ClassCastException: entity.Items cannot be cast to entity.Items
Even if that seem impossible, i saw similar question on SO: here
Author havent published the solution but one of participants made a good asumption about different class loaders.
Meanwhile if i use getResultList and then work with it in JSP, it works fine. But i cant make casting work in servlet code.
How can i fix this in weblogic?

It doesn't solve your problem specifically, but if you're using WebLogic Server 10.3.x or thereabouts, there is a web application provided as part of that distribution that you can use to troubleshooting classloading issues.
You can read more about it here: http://download.oracle.com/docs/cd/E17904_01/web.1111/e13706/classloading.htm#WLPRG495
It should be compatible with earlier versions of WebLogic Server, so you could use that in conjunction with the proposed workarounds to get to a solution.

See this similiar question with a proposed workaround.

This indeed looks like a classloading problem.
This earlier answer of mine explains how to verify this assumption.
Unfortunately, classloading problems are difficult and painful. There is no easy fix, only to try to understand what classloaders are loading what classes in which order, and trying to play around with your classloaders, classes and jars to eliminate the problem. Also, analyse the most recent changes in your app before this error appeared - these can provide the key to understanding the root cause.
I am not familiar with the classloading scheme in WebLogic, so unfortunately I can't give you any more specific advice.

NetBeans refactor class: java.lang.NoClassDefFoundError

I just came across an error when using NetBeans, and I wanted to post my findings (possible this is old news). Perhaps this will save some people the headache of debugging a similar problem that I just encountered. I don't think I'm abusing anything here... stack overflow's SEO is pretty good :)
I refactored a class in NetBeans (JavaFX project), and from that point on I got a "java.lang.NoClassDefFoundError" for that particular refactored class.
I fixed the error by simply doing a "Clean and Build Project." This apparently deleted whatever cache file or erroneous file/class reference. I don't think this is a Netbeans bug... hoping it was just one of those "flukey" moments.
Cheers!

I have those issues from time to time when I write new code (or create new code). This is because I use the 'build' function instead of 'clean & build'.
Most of the time, the proper set of class is compiled (or recompiled), but there are situations where newly compiled classes are not compatible with already compiled classes. That's when I get java.lang.NoClassDefFoundError. Not a big deal. Just need to clean and recompile everything.

TargetInvocationException when calling performFinish() on any subclass of NewItemWizard in Eclipse JDT UI plugins

I'm posting this on behalf of the 30 or so projects that seem to be suffering from this problem without any resolution.
Basically the problem boils down to, a subclass of org.eclipse.jdt.internal.ui.wizards.NewElementWizard (which is the "Wizard" that controls the creation of new JDT elements like projects, packages, classes, etc -- this problem seems to happen no matter what reason you're subclassing for) overloads performFinish() and calls super.performFinish() as part of that call. So far so good, but for some reason if this happens on an empty workspace (which is often the case for new projects), the super.performFinish() call fails with an exception similar to the following:
java.lang.reflect.InvocationTargetException
at org.eclipse.jface.operation.ModalContext.run(ModalContext.java:350)
at org.eclipse.jface.wizard.WizardDialog.run(WizardDialog.java:851)
at org.eclipse.jdt.internal.ui.wizards.NewElementWizard.performFinish(NewElementWizard.java:133)
at com.canoo.wizard.newproject.NewULCProjectWizard.performFinish(NewULCProjectWizard.java:118)
at org.eclipse.jface.wizard.WizardDialog.finishPressed(WizardDialog.java:680)
at org.eclipse.jface.wizard.WizardDialog.buttonPressed(WizardDialog.java:355)
at org.eclipse.jface.dialogs.Dialog$3.widgetSelected(Dialog.java:660)
at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:90)
at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:66)
or something similar to that -- the error is strikingly similar across dozens of different projects that I've found in the process of Google'ing about for this error, whether the subclass of the NewItemWizard happens to be a Project Wizard, a Class Wizard, whatever.
Some of the people reporting this problem later post that it was caused by a "version mismatch" but, maddeningly, they never give any details as to what versions were mistmatching with what -- and I've tried my code on Linux, Windows, and OS X so I doubt it's some very version-or-platform-specific nuance.
Lastly, there does not seem to be anything in the Eclipse bugzilla even tangentially related to this problem.
Has anyone run into this before, since it seems so ubiquitous? Any help would be greatly appreciated!

InvocationTargetException is a checked exception that wraps an exception thrown by an invoked method or constructor
Every case I have found report some kind of incompatibility between Eclipse and a module:
VE (Visual Editor) with this thread, or that one, or this GTK64 SWT issue.
bug 161621 (enum is a Keyword for Java5 and cannot be used as a Enum name), where the NewElement Wizard didn't reject enum as a class name on a 1.5 project.
In other words, this kind of exception is often the symptom of another issue.
The enum issue is a good example of such an incompatibility, but each time it can be a different problem related to the specific operations or configurations of the project.