SV.SOCKETS
This warning is reported when an application is using sockets.
Vulnerability and risk
Socket usage should be avoided in many cases. For example, the EJB standard contains the following guidelines: An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use socket for multicast. Other applications (applets, servlets, and so on) might have serious security problems if sockets are used.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Use framework method calls instead of using sockets directly.
Example 1
public class SV_SOCKETS_Sample_1 extends Applet {
static final int PORT = 7776;
public void init() {
super.init();
try {
final ServerSocket serv = new ServerSocket(PORT);
Runnable rr = new Runnable() {
public void run() {
try {
while (true) {
Socket sock = serv.accept();
BufferedReader r = new BufferedReader(
new InputStreamReader(sock
.getInputStream()));
PrintWriter w = new PrintWriter(sock
.getOutputStream(), false); // no autoFlush
w.write("Hello");
w.flush();
r.close();
w.close();
sock.close();
}
} catch (IOException e) {
e.printStackTrace();
}
}
};
new Thread(rr).start();
} catch (IOException e1) {
e1.printStackTrace();
}
}
//...
public void paint(Graphics g) {
}
}SV.SOCKETS is reported for line 22: Using sockets directly should be avoided in many cases (e.g. in Applets, EJBs). This might cause security problems
