Fortify scan issue in Android Studio

Time: 2017-08-01 08:23:32

Tags: java android fortify

After scanning my code with Fortify, I received an "Unsafe JNI (Input Validation and Representation, Semantic)" issue. I have looked at Fortify's recommendations and searched the web for solutions, but I cannot resolve the problem.

I followed the compliant solution that Fortify recommends on this website. I even used Fortify to scan the code recommended on that website and got the same issue.

My code is shown below:

package org.apache.flume.interceptor;

import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.flume.Context;
import org.apache.flume.Event;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Interceptor class that appends a topic rotation period header to all events.
 *
 * Properties:<p>
 *
 *   regex: regex to match topics (default is ".+")
 *
 *   value: Value to use in header insertion when the topic matches.
 *        (default is "daily")<p>
 *
 *   default: Value to use in header insertion when the topic does not match.
 *        (default is "daily")<p>
 *
 * Sample config:<p>
 *
 * <code>
 *   agent.sources.r1.channels = c1<p>
 *   agent.sources.r1.type = SEQ<p>
 *   agent.sources.r1.interceptors = i1<p>
 *   agent.sources.r1.interceptors.i1.type = org.apache.flume.interceptor.TopicRotationHeaderInterceptor<p>
 *   agent.sources.r1.interceptors.i1.regex = stat_.+<p>
 *   agent.sources.r1.interceptors.i1.value = hourly<p>
 * </code>
 *
 */
public class TopicRotationHeaderInterceptor implements Interceptor {

  private static final Logger logger = LoggerFactory.getLogger(TopicRotationHeaderInterceptor.class);

  private final String value;
  private final String defaultValue;
  private final Pattern matchRegex;

  /**
   * Only {@link TopicRotationHeaderInterceptor.Builder} can build me
   */
  private TopicRotationHeaderInterceptor(Pattern matchRegex, String value, String defaultValue) {
    this.matchRegex = matchRegex;
    this.value = value;
    this.defaultValue = defaultValue;
  }

  @Override
  public void initialize() {
    // no-op
  }

  /**
   * Modifies events in-place.
   */
  @Override
  public Event intercept(Event event) {
    Map<String, String> headers = event.getHeaders();

    final String topic = headers.get(Constants.TOPIC_HEADER);
    String resultValue = defaultValue;

    // Events without a topic header keep the default value; Matcher rejects a null input.
    if (matchRegex != null && topic != null) {
      final Matcher matcher = matchRegex.matcher(topic);
      if (matcher.matches()) {
        resultValue = value;
      }
    }

    headers.put(Constants.HEADER, resultValue);
    return event;
  }

  /**
   * Delegates to {@link #intercept(Event)} in a loop.
   * @param events the events to modify in-place
   * @return the same list, with the rotation header set on every event
   */
  @Override
  public List<Event> intercept(List<Event> events) {
    for (Event event : events) {
      intercept(event);
    }
    return events;
  }

  @Override
  public void close() {
    // no-op
  }

  /**
   * Builder which builds new instance of the TopicRotationHeaderInterceptor.
   */
  public static class Builder implements Interceptor.Builder {

    private String value;
    private String defaultValue;
    private String regexStr;
    private Pattern matchRegex;

    @Override
    public void configure(Context context) {
      regexStr = context.getString(Constants.REGEX, Constants.REGEX_DEFAULT);
      matchRegex = Pattern.compile(regexStr);
      value = context.getString(Constants.VALUE, Constants.VALUE_DEFAULT);
      defaultValue = context.getString(Constants.DEFAULT_VALUE, Constants.DEFAULT_VALUE_DEFAULT);
    }

    @Override
    public Interceptor build() {
      return new TopicRotationHeaderInterceptor(matchRegex, value, defaultValue);
    }
  }

  public static class Constants {
    public static final String REGEX = "regex";
    public static final String REGEX_DEFAULT = ".+";

    public static final String VALUE = "value";
    public static final String VALUE_DEFAULT = "daily";

    public static final String DEFAULT_VALUE = "default";
    public static final String DEFAULT_VALUE_DEFAULT = "daily";

    public static final String HEADER = "rotation";
    public static final String TOPIC_HEADER = "topic";
  }
}

I really need some help!

1 answer:

Answer 0 (score: 0)

In your native methods, you declare them as public:

public native FileDescriptor open(...);
public native void close();

The website you linked to in the question says that to fix the Unsafe JNI issue, native methods must be marked private, so that the only way to reach the native method is through a wrapper method that sanitizes the input parameters.
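The remediation pattern the answer describes, as an added example that is not code from the question or the answer: the native method is private, and the only route to it is a public wrapper that validates its argument before anything crosses into native code. The class, the library name `filebridge`, the base directory and the file-name policy are assumptions; the class compiles without the native library, and `main` exercises only the validator.

```java
import java.io.FileDescriptor;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class SafeFileBridge {
    // Constructed policy: files may only be opened below this directory.
    private static final Path BASE_DIR = Paths.get("/var/app/data").toAbsolutePath().normalize();
    // Constructed policy: a plain file name, no path separators.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    public SafeFileBridge() {
        // Hypothetical library name; loaded in the constructor so the static
        // validator can run without the native library being present.
        System.loadLibrary("filebridge");
    }

    // Private native entry point: no caller outside this class can reach it,
    // which is what the Unsafe JNI remediation asks for.
    private native FileDescriptor openNative(String absolutePath);

    // Public wrapper: the only route to openNative, and every argument is
    // validated before it is handed to native code.
    public FileDescriptor open(String fileName) {
        return openNative(validate(fileName).toString());
    }

    // Rejects anything that is not a plain file name resolving inside BASE_DIR.
    // The second check catches names such as ".." that the pattern still accepts.
    static Path validate(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("file name rejected by policy");
        }
        Path resolved = BASE_DIR.resolve(fileName).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return resolved;
    }

    // Exercises the validator alone; it never loads the native library.
    public static void main(String[] args) {
        System.out.println(validate("events.log"));
        try {
            validate("../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```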