
Tag: static-analysis

How exactly can someone without source code access exploit a non-final class that has a constructor which invokes overridable functions?

I’m trying to understand how exactly can someone that doesn’t already have access to the source code exploit a non-final class that has a constructor which invokes overridable functions (functions not marked final). This question comes from the fact that after scanning my source code with a Source Code Analyzer (Fortify), it showed a few findings about “Code Correctness: Constructor

Is this IntelliJ inspection warning a false positive?

I’m looking at ProducerPerformance.java from https://github.com/apache/kafka. Looking at this part of the file: There is an inspection saying that “Condition i < payload.length is always false.” I don’t see how it could always be false. recordSize is an Integer coming from a command-line parameter. Is there something I’m not seeing here? Answer This warning happened with IntelliJ IDEA 2020.*. The
