RE: Fortify Scan Issue on Service Builder Interface and Base Model Impl
Hi,
We ran a Fortify scan and we got the scan result as follows: Object Model Violation: Erroneous clone() Method on the base model that was generated by Service Builder. Based on the documentation in the source code, it stated that it should not be changed and exists as a container.
Service Builder:
    @Override
    public Object clone() {
        // The copy is created with the constructor rather than super.clone()
        antImpl antImpl = new antImpl();
        antImpl.setUuid(getUuid());
        antImpl.setEmailAddress(getEmailAddress());
        antImpl.setCompanyId(getCompanyId());
        antImpl.setUserId(getUserId());
        antImpl.setUserName(getUserName());
        antImpl.setCreateDate(getCreateDate());
        antImpl.setModifiedDate(getModifiedDate());
        antImpl.setStatus(isStatus());
        antImpl.setApproved(isApproved());
        antImpl.setFirstName(getFirstName());
        antImpl.setLastName(getLastName());
        antImpl.resetOriginalValues();
        return antImpl;
    }
Fortify's recommendation is as follows:
Always obtain the new object by calling super.clone(). The java.lang.Object implementation of clone() will always return an object of the correct type.

    public class FancyKibitzer extends Kibitzer
            implements Cloneable {
        public Object clone() throws CloneNotSupportedException {
            Object returnMe = super.clone();
            ...
        }
    }
But I don't believe we can alter the ModelImpl classes. Can anyone advise how to resolve this Fortify scan issue since we are not to modify the generated classes? I tried to cast the object by calling super.clone().
Thanks
Kevin
I have submitted a false positive challenge for this Fortify issue. The challenge is that the class subclasses a base class that implements the interface in which the interface extends Cloneable so no need to call super.clone() since none of the classes does not implement Cloneable interface.
Hello, has the Liferay Service Builder been scanned for security vulnerability issues such as Object Model Violation: Erroneous clone() Method on the <entity>ModelImpl class?
Security scan recommendation: Always obtain the new object by calling super.clone(). The java.lang.Object implementation of clone() will always return an object of the correct type.
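What the recommendation quoted above guards against, as an added example that is not code from this thread, from Liferay or from Fortify: a subclass that inherits a constructor-based clone() gets back an instance of the parent type, while a clone() built on super.clone() keeps the runtime type. All class and field names here are hypothetical.

```java
import java.util.Date;

public class CloneDemo {
    // Flagged pattern: the copy is built with a constructor (hypothetical class).
    static class CtorModel implements Cloneable {
        String userName;
        Date createDate;
        @Override public Object clone() {
            CtorModel copy = new CtorModel(); // always a CtorModel, whatever 'this' is
            copy.userName = userName;
            copy.createDate = createDate;
            return copy;
        }
    }
    // Subclass that inherits clone() without overriding it.
    static class CtorModelExt extends CtorModel { boolean approved; }

    // Recommended pattern: start from super.clone().
    static class SuperModel implements Cloneable {
        String userName;
        Date createDate;
        @Override public Object clone() {
            try {
                // Object.clone() returns the runtime type of 'this' with every field copied.
                SuperModel copy = (SuperModel) super.clone();
                if (createDate != null) {
                    // The copy is shallow, so mutable state is duplicated explicitly.
                    copy.createDate = (Date) createDate.clone();
                }
                return copy;
            } catch (CloneNotSupportedException e) {
                throw new AssertionError(e); // unreachable: the class implements Cloneable
            }
        }
    }
    static class SuperModelExt extends SuperModel { boolean approved; }

    public static void main(String[] args) {
        CtorModelExt a = new CtorModelExt();
        a.approved = true;
        Object lost = a.clone(); // subclass type and 'approved' are not carried over
        System.out.println(lost.getClass().getSimpleName()
                + " instanceof CtorModelExt: " + (lost instanceof CtorModelExt));

        SuperModelExt b = new SuperModelExt();
        b.approved = true;
        SuperModelExt kept = (SuperModelExt) b.clone(); // cast succeeds, field preserved
        System.out.println(kept.getClass().getSimpleName() + " approved=" + kept.approved);
    }
}
```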