Software Engineering

Synchronized Singleton

Posted on

Double-checked locking has been proven to be incorrect and flawed (as least in Java). Do a search or look at Wikipedia’s entry for the exact reason.

First and foremost is program correctness. If your code is not thread-safe (in a multi-threaded environment) then it’s broken. Correctness comes first before performance optimization.

To be correct you’ll have to synchronize the whole getInstance method

public static synchronized Singleton getInstance() {
   if (instance==null) ...
}

or statically initialize it

private static final Singleton INSTANCE = new Singleton();

Maven in-project repository

Posted on

source: http://blog.dub.podval.org/2010/01/maven-in-project-repository.html

Why in-project dependencies?

Maven handles dependencies of the project very well. It finds the artifacts in the configured repositories, retrieves their POMs and resolves transitive dependencies.

In some cases, artifacts are not available in well-known public repositories. For instance:

  • artifact is proprietary
  • nobody bothered packaging the artifact (e.g., Saxon9)
  • artifact is available, but its sources are not

The Nexus solution

One solution to such problems is to run an instance of (Nexus) repository manager, upload the missing artifacts there and configure it in you project’s POM. (Actually, a repository manager should be used even when all artifacts are available in public repositories, but that is a different story :)).

But what if this is not an option? What if – for political or technical reasons – you really need to carry some dependencies with your project? How do you do it?

The “system scope” attempt

It is possible to describe in-project dependencies using “system” scope and URL that references a jar co-located with the project. Unfortunately, system-scoped dependencies break the transitive dependency resolution of Maven. (Also, if your in-project dependency is needed only for tests, there is no way to specify a “test” scope for it…)

The in-project repository

To embed a Maven repository in the project:
Create a subdirectory “lib” in the project directory.
Define this subdirectory as a repository in the project’s POM:


<repository>
    <id>lib</id>
    <name>lib</name>
    <releases>
        <enabled>true</enabled>
        <checksumPolicy>ignore</checksumPolicy>
    </releases>
    <snapshots>
        <enabled>false</enabled>
    </snapshots>
    <url>file://${project.basedir}/lib</url>
</repository>

(Above assumes that you want to turn off the SHA1 checksum checking for your in-project repository.)

For an artifact with groupId x.y.z, content of the “lib” subdirectory should be:

lib
|– x

      |– y
          |– z
|– ${artifactId}
                  |– ${version}
                      |– ${artifactId}-${version}.pom
                      |– ${artifactId}-${version}.pom.sha1
                      |– ${artifactId}-${version}.jar
                      |– ${artifactId}-${version}.jar.sha1

POMs for in-project dependency artifacts are not, strictly speaking, necessary. But if you do not have them, Maven will attempt to retrieve the POMs from the other repositories (including central) for each build.

SHA1 checksums are not necessary either – if you indicate in the repository definition (see below) that they should be ignored.

This structure can be created manually – or using Maven itself, thus reducing the risk of typos (thank you +vmp for the idea and +Jeremy for the generatePom tip!):

Install the artifact in the local repository with
mvn install:install-file -Dfile=myArtifact.jar -DgroupId=x.y.z -DartifactId=${artifactId} -Dversion=${version} -Dpackaging=jar -DgeneratePom=true

and then copy resulting files from the local repository into the in-project one.

Obsolete “legacy” layout

It is somewhat simpler to use the Maven1 repository layout. That means that under lib directory there are directories for each groupId that you need:

lib
|– ${groupId}
|– poms
|– ${artifactId}-${version}.pom
|– jars
|– ${artifactId}-${version}.jar
|– java-sources
|– ${artifactId}-${version}-sources.jar

Sub-directory “java-sources” is needed only if you want to publish the sources.

In the repository definition, add:

...
<repository>
   <layout>legacy</layout>
</repository>

With Maven 3, “legacy” layout is going away, so the default layout has to be used.

Modules

For multi-module projects, a “lib” repository declared in the parent POM is inherited by each module. Artifacts are being looked up in the “lib” folder under each module. Where to put arftifacts depends on the build order: the first module that needs an artifact has to contain it in the “lib” folder; figuring this out is tedious – and empty “lib” folders left around by the build are not pretty 🙂

One approach to deal with that is to declare the “lib” repository in a separate module dedicated to the in-project repository. That module contains all the artifacts in its “lib” folder and declares them as dependencies, so that the local Maven repository is populated during the build of the module.

The modules that actually use an artifact carried in the in-project repository can declare a dependency on the “lib” module, ensuring that the needed artifact will be present in the local repository prior to the module’s build. Unfortunately, *all* of the in-project artifacts will transitively become the module’s dependencies.

Or: leave the “lib” module out of the dependencies of the rest of the modules, and ensure that the local repository is populated by running a build of that module manually (once on the empty system and every time the in-project dependencies change).

Mirrors

For this to work when using a mirror, in-project artifacts have to be excluded from mirroring. One way to do it is: in the mirror definition’s “mirrorOf” element, put “external:*” instead of (to inclusive) “*”. (Thanks for the tip, anonymous commenter!)

Maven: Command to update repository after adding dependency to POM

Posted on

  • mvn install (or mvn package) will always work. You can use mvn compile to download compile time dependencies or mvn test for compile time and test dependencies but I prefer something that always works.
  • If you want to only download dependencies without doing anything else, then it’s mvn dependency:resolve. Or mvn dependency:get -Dartifact=groupId:artifactId:version for a single dependency.

Bit Bucket – init repository

Posted on

Bitbucket has a bit imprecise documentation about pushing an existing code to their repo. If you have an existing directory without git control, and would like to push it to bitbucket, you may get the following error:

No refs in common and none specified; doing nothing.
Perhaps you should specify a branch such as 'master'.
Everything up-to-date

Here is how to solve it.

# go to the directory containing your existing project
cd /your/project
# initialize git
git init
# add "www" directory"
git add www
# commit it locally
git commit -m "initial commit"
# add it to bitbucket repository
git remote add origin https://username@bitbucket.org/xxxxx/sitename.git
# finally, this one will push it to bitbucket
git push -u origin --all

How to override equals and hashCode and What is the effective way to do it?

Posted on Updated on

Before we begin, let’s read something from java Documentation

equals() (javadoc) must define an equality relation (it must be reflexive, symmetric, and transitive). In addition, it must be consistent (if the objects are not modified, then it must keep returning the same value). Furthermore, o.equals(null) must always return false.

hashCode() (javadoc) must also be consistent (if the object is not modified in terms of equals(), it must keep returning the same value).

The relation between the two methods is:

Whenever a.equals(b), then a.hashCode() must be same as b.hashCode().
In practice:

If you override one, then you should override the other.

Use the same set of fields that you use to compute equals() to compute hashCode().

Luckily there are the excellent helper classes EqualsBuilder and HashCodeBuilder from the Apache Commons Lang library. An example:

public class Employee {

private String name;

private int age;

// …

public int hashCode() {

return new HashCodeBuilder(17, 31). // two randomly chosen prime numbers

// if deriving: appendSuper(super.hashCode()).

append(name).

append(age).

toHashCode();

}

public boolean equals(Object obj) {

if (!(obj instanceof Employee))

return false;

if (obj == this)

return true;

Employee rhs = (Employee) obj;

return new EqualsBuilder().

// if deriving: appendSuper(super.equals(obj)).

append(name, rhs.name).

append(age, rhs.age).

isEquals();

}

}

Also remember:

When using a hash-based Collection or Map such as HashSet, LinkedHashSet, HashMap, Hashtable, or WeakHashMap, make sure that the hashCode() of the key objects that you put into the collection never changes while the object is in the collection. The bulletproof way to ensure this is to make your keys immutable, which has also other benefits.

How to sort a List of Bean in java

Posted on

Let say we have a List object declared as the following:

class Bean {

private String name;

private Integer identityNo;

public String getName() {

return name;

}

public void setName(String name) {

this.name = name;

}

public Integer getIdentityNo() {

return identityNo;

}

public void setIdentityNo(Integer identityNo) {

this.identityNo = identityNo;

}

}

and then in the main class we have:

List<Bean> listBean = new ArrayList<Bean>();

How do we sort listBean ?

There are 2 ways to sort listBean using a standard Java library:

1. Implements Comparable in the class Bean and then call Collections.sort :

class Bean implements Comparable<Bean> {

@Override

public int compareTo(Bean otherObject) {

return getIdentityNo().compareTo(otherObject.getIdentityNo());

}

}

Collections.sort(listBean);

2. Using Collection only:

Collections.sort(listBean, new Comparator<Bean>() {

@Override

public int compare(Bean b1, Bean b2)

{

return b1.getIdentityNo().compareTo(b2.getIdentityNo());

}

});

Personally I would prefer to use the 2nd method.

CWE/SANS TOP 25 Most Dangerous Software Errors

Posted on

What Errors Are Included in the Top 25 Software Errors?

Version 3.0 Updated June 27, 2011

The Top 25 Software Errors are listed below in three categories:

The New 25 Most Dangerous Programming Errors

The Scoring System

The Risk Management System

Click on the CWE ID in any of the listings and you will be directed to the relevant spot in the MITRE CWE site where you will find the following:

  • Ranking of each Top 25 entry,
  • Links to the full CWE entry data,
  • Data fields for weakness prevalence and consequences,
  • Remediation cost,
  • Ease of detection,
  • Code examples,
  • Detection Methods,
  • Attack frequency and attacker awareness
  • Related CWE entries, and
  • Related patterns of attack for this weakness.

Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

Archive

Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

CWE ID Name
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)

Risky Resource Management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

CWE ID Name
CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-494 Download of Code Without Integrity Check
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-676 Use of Potentially Dangerous Function
CWE-131 Incorrect Calculation of Buffer Size
CWE-134 Uncontrolled Format String
CWE-190 Integer Overflow or Wraparound

Porous Defenses

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

CWE ID Name
CWE-306 Missing Authentication for Critical Function
CWE-862 Missing Authorization
CWE-798 Use of Hard-coded Credentials
CWE-311 Missing Encryption of Sensitive Data
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CWE-250 Execution with Unnecessary Privileges
CWE-863 Incorrect Authorization
CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-307 Improper Restriction of Excessive Authentication Attempts
CWE-759 Use of a One-Way Hash without a Salt

Resources to Help Eliminate The Top 25 Software Errors

    1. The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
      SANS Top 25 Software Errors Site
      CWE Top 25 Software Errors Site

      MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 Software errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional Software errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site

      SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.

      Email spa@sans.org for details. And see The SANS Software Security Institute Certification Page for the GSSP Blueprints.

    2. SAFECode – The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.

      Fundamental Practices for Secure Software Development 2nd Edition
      http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf

      Overview of Software Integrity Controls
      http://www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf

      Framework for Software Supply Chain Integrity
      http://www.safecode.org/publications/SAFECode_Supply_Chain0709.pdf

      Fundamental Practices for Secure Software Development
      http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf

      Software Assurance: An Overview of Current Industry Best Practices
      http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf

    3. Software Assurance Community Resources Site and DHS web sitesAs part of DHS risk mitigation efforts to enable greater resilience of cyber assets, the Software Assurance Program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to routinely acquire, develop and deploy reliable and trustworthy software products with predictable execution, and to improve diagnostic capabilities to analyze systems for exploitable weaknesses.
    4. Nearly a dozen software companies offer automated tools that test programs for these errors.
    5. New York State has produced draft procurement standards to allow companies to buy software with security baked in.

      If you wish to join the working group to help improve the procurement guidelines you can go to the New York State Cyber Security and Critical Infrastructure Coordination web site.

      Draft New York State procurement language will be posted at SANS Application Security Contract.

For additional information on any of these:
SANS: Mason Brown, mbrown@sans.org
MITRE: Bob Martin, ramartin@mitre.org
MITRE: Steve Christey, coley@mitre.org

Contributors to the “CWE/SANS Top 25 Most Dangerous Software Errors”:

  • Mark J. Cox Red Hat Inc.
  • Carsten Eiram Secunia (Denmark)
  • Pascal Meunier CERIAS, Purdue University
  • Razak Ellafi & Olivier Bonsignour CAST Software
  • David Maxwell NetBSD
  • Cassio Goldschmidt & Mahesh Saptarshi Symantec Corporation
  • Chris Eng Veracode, Inc.
  • Paul Anderson Grammatech Inc.
  • Masato Terada Information-Technology Promotion Agency (IPA) (Japan)
  • Bernie Wong IBM
  • Dennis Seymour Ellumen, Inc.
  • Kent Landfield McAfee
  • Hart Rossman SAIC
  • Jeremy Epstein SRI International
  • Matt Bishop UC Davis
  • Adam Hahn & Sean Barnum MITRE
  • Jeremiah Grossman White Hat Security
  • Kenneth van Wyk KRvW Associates
  • Bruce Lowenthal Oracle Corporation
  • Jacob West Fortify Software, an HP Company
  • Frank Kim ThinkSec
  • Christian Heinrich (Australia)
  • Ketan Vyas Tata Consultancy Services (TCS)
  • Joe Baum Motorola Solutions
  • Matthew Coles, Aaron Katz & Nazira Omuralieva RSA, the Security Division of EMC
  • National Security Agency (NSA) Information Assurance Division
  • Department of Homeland Security (DHS) National Cyber Security Division

The following individuals and organizations aided in the development of the Top 25 through their input to the CWSS/CWRAF

CWSS / CWRAF

  • Bruce Lowenthal Oracle
  • Damir (Gaus) Rajnovic Cisco
  • Stephen Chasko
  • Chris Eng and Chris Wysopal Veracode
  • Casper Jones
  • Edward Luck and Martin Tan Dimension Data (Australia)
  • James Jardine Jardine Software
  • Jon Zucker Cenzic
  • Jason Liu Northrop Grumman
  • Ory Segal IBM
  • Mahi Dontamsetti DTCC
  • Hart Rossman SAIC
  • OWASP
  • EC-Council

How Important Are the Top 25 Software Errors?

We asked several of the participants why they thought this effort was important enough to merit a significant amount of their time and expertise. Here are a few of their answers. More are at the end of the announcement.

“Just wanted to commend the depth of the CWE/SANS Top 25. The code examples are particularly excellent. I have asked all my developers to read one of these each day for the next 25 days. I’m taking my own advice as well, and even though I’m still reading some of the “easy” ones (like SQL injection), I still find that I am learning new things about old topics.”

— Mark E. Haase, OpenFISMA Project Manager, Endeavor Systems, Inc.

“Your document (2009 CWE/SANS Top 25 Most Dangerous Software Errors) is very useful. I would like to publish it on our intranet, for illustrating threats and vulnerabilities about coding.”

— colonel Jean-Michel HOUBRE, from the french MOD.

“We included the top25 reference in a request for bid last year. Project began in December and expect the project to be complete in October 2010. We are hopeful to have a much more secure and better application due to the reference and utilization of the SANS/MITRE Top 25.”

— Richard Lemons, WV Department of Health and Human Resources

“In the collaborated environment and ever increasing business requirements to integrate solutions, insecure applications are an easy target. The business today understands how much damage can be cause to business, revenue and customer confidence due to these issues. To ensure that our deliveries meet / surpass customer expectations on security, the CWE/SANS Top 25 Most Dangerous Software Errors is extensively leveraged in our software security assurance process.”

— Ketan Vyas, Head Application Security Initiative, Tata Consultancy Services

“I’ve read “2009 CWE/SANS Top 25 Most Dangerous Software Errors” article and found it very useful. I would like to translate it into Russian for our software testing community. Of course, link to original article will be stored.”

— Alexander Kozyrev

“The Top 25 provides much needed guidance for software developers focusing on eliminating software security defects in their products. If you’re involved with software development at your organization and are looking to improve your product security posture, you need to read this.”

— Robert Auger, Co Founder of The Web Application Security Consortium

“The CWE/SANS Top 25 list provides a great starting point for developers who want to write more secure code. The majority of the flaw types of the most severe vulnerabilities that Red Hat fixed in 2009 are discussed in this document.”

— Mark J. Cox, Director, Security Response, Red Hat.

“The 2010 CWE/SANS Top 25 Software Errors provides valuable guidance to organizations engaged in the development or deployment of software. This list helps organizations focus on the most dangerous threats so that they can get the most out of their vulnerability reduction effort. The list can also be used as a framework to define short term and longer term programs for the elimination or mitigation of security vulnerabilities. Furthermore, it provides easy to comprehend description of the classes of vulnerabilities and high-level recommendations for mitigating or avoiding them altogether. This list is definitely a must-read for anyone who wishes to develop reasonably secure code.”

— Bruce Lowenthal, Director Security Alert, Oracle Corp.

“It’s great to see the CWE/SANS Top 25 list continue to be maintained and mature. Relentlessly spreading the word about the most common security defects in programming is a vital need. The state of security in our software would without a doubt be much improved if everyone who touches software development reads and thoroughly understands this. Kudos.”

— Kenneth R. van Wyk, KRvW Associates, LLC

source:http://www.sans.org/top25-software-errors/