Fix fortify issue with pooling extractor class 23/55023/1
authorJim Hahn <jrh3@att.com>
Mon, 18 Jun 2018 17:51:39 +0000 (13:51 -0400)
committerJim Hahn <jrh3@att.com>
Mon, 18 Jun 2018 17:51:39 +0000 (13:51 -0400)
The pooling extractor class was using reflection to extract
values from private fields.  It has been modified to only extract
from public fields or to use public getXxx() methods instead.

Change-Id: I3aafe9ebfcd41d0e71dc3529030597609b704f53
Issue-ID: POLICY-906
Signed-off-by: Jim Hahn <jrh3@att.com>
feature-pooling-dmaap/src/main/java/org/onap/policy/drools/pooling/extractor/ClassExtractors.java
feature-pooling-dmaap/src/main/java/org/onap/policy/drools/pooling/extractor/FieldExtractor.java
feature-pooling-dmaap/src/test/java/org/onap/policy/drools/pooling/extractor/ClassExtractorsTest.java
feature-pooling-dmaap/src/test/java/org/onap/policy/drools/pooling/extractor/ClassExtractorsTestSupport.java
feature-pooling-dmaap/src/test/java/org/onap/policy/drools/pooling/extractor/ClassExtractorsTestSupport2.java
feature-pooling-dmaap/src/test/java/org/onap/policy/drools/pooling/extractor/FieldExtractorTest.java

index 782511f..97e9633 100644 (file)
@@ -39,8 +39,10 @@ import org.slf4j.LoggerFactory;
  * <code>&lt;a.prefix>.&lt;class.name> = ${event.reqid}</code>
  * </pre>
  * 
- * If it doesn't find a property for the class, then it looks for a property for
- * that class' super class or interfaces. Extractors are compiled and cached.
+ * <p>For any given field name (e.g., "reqid"), it first looks for a public "getXxx()"
+ * method to extract the specified field. If that fails, then it looks for a public field
+ * by the given name. If that also fails, and the object is a <i>Map</i> subclass, then it
+ * simply uses the "get(field-name)" method to extract the data from the map.
  */
 public class ClassExtractors {
 
@@ -441,27 +443,16 @@ public class ClassExtractors {
             }
 
             try {
-                return clazz.getDeclaredField(name);
+                return clazz.getField(name);
 
             } catch (NoSuchFieldException expected) {
                 // no field by this name - try super class & interfaces
                 logger.debug("no field {} in {}", name, clazz.getName(), expected);
+                return null;
 
             } catch (SecurityException e) {
                 throw new ExtractorException("inaccessible field " + clazz + "." + name, e);
             }
-
-
-            Field field;
-
-            // see if the superclass has an extractor
-            if ((field = getClassField(clazz.getSuperclass(), name)) != null) {
-                return field;
-            }
-
-            // not necessary to check the interfaces
-
-            return field;
         }
     }
 }
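Review bot: The context comment in the `NoSuchFieldException` branch, `// no field by this name - try super class & interfaces`, is stale now that the branch returns null immediately and the recursive superclass walk is deleted. `Class.getField` already searches superclasses and superinterfaces for public fields, so I would reword it to `// no public field by this name (getField already covers super classes and interfaces)`. `getField` also matches public static fields and public fields whose declaring class is not itself accessible to the extractor. With `setAccessible(true)` removed from `FieldExtractor`, the second case would presumably fail only when the value is read, so the class Javadoc should state that non-public members are never read and must be exposed through a public getter. The enclosing method (apparently `getClassField`, judging by the removed recursive call) starts outside this hunk.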
index 132b8ed..d394795 100644 (file)
@@ -42,8 +42,6 @@ public class FieldExtractor implements Extractor {
      */
     public FieldExtractor(Field field) {
         this.field = field;
-
-        field.setAccessible(true);
     }
 
     @Override
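Review bot: With `field.setAccessible(true)` removed, the constructor no longer dereferences `field`, so a null or non-public `Field` is accepted here and fails only later when a value is extracted. If callers are meant to pass only public fields, enforce that at construction, e.g. `if (!Modifier.isPublic(field.getModifiers())) { throw new IllegalArgumentException("field is not public: " + field); }` (this needs the `java.lang.reflect.Modifier` import). At minimum, state the precondition in the constructor Javadoc, which starts outside this hunk. How the extraction method reports an `IllegalAccessException` is not visible here and should be confirmed.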
index e924643..e6269a9 100644 (file)
@@ -351,19 +351,19 @@ public class ClassExtractorsTest {
          * This will not be used because getIntValue() will override it.
          */
         @SuppressWarnings("unused")
-        private int intValue = INT_VALUE2;
+        public final int intValue = INT_VALUE2;
 
         /**
          * Used to verify retrieval via a field name.
          */
         @SuppressWarnings("unused")
-        private String strValue = VALUE;
+        public final String strValue = VALUE;
 
         /**
          * Used to verify retrieval within maps.
          */
         @SuppressWarnings("unused")
-        private Map<String, Object> mapValue = null;
+        public Map<String, Object> mapValue = null;
 
         /**
          * {@code True} if {@link #getVoidValue()} was invoked, {@code false}
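Review bot: No visible test asserts that a private or protected field is refused, which is the behaviour this commit introduces. Every fixture field that was private becomes public here, in the later hunks of this file (`Container`, `Super`, `Sub`), and in `FieldExtractorTest`. Add a fixture with a private field and no getter, plus a test that expects extraction to fail or yield null, whichever the extractor's contract specifies (not visible in these hunks). The `@SuppressWarnings("unused")` annotations left on the now-public fields are also redundant; the `ClassExtractorsTestSupport2` hunk already drops its one.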
@@ -394,7 +394,7 @@ public class ClassExtractorsTest {
      * Used to verify multi-component retrieval.
      */
     private static class Container {
-        private Simple simpleValue = new Simple();
+        public Simple simpleValue = new Simple();
 
         @SuppressWarnings("unused")
         public Simple getData() {
@@ -416,7 +416,7 @@ public class ClassExtractorsTest {
     private static class Super implements WithString {
 
         @SuppressWarnings("unused")
-        private int intValue = INT_VALUE;
+        public final int intValue = INT_VALUE;
 
         @Override
         public String getStrValue() {
@@ -430,11 +430,11 @@ public class ClassExtractorsTest {
     private static class Sub extends Super {
 
         @SuppressWarnings("unused")
-        private Simple simple = new Simple();
+        public final Simple simple = new Simple();
 
         /**
          * Used to verify multi-component retrieval.
          */
-        private Container cont = new Container();
+        public final Container cont = new Container();
     }
 }
index be8d6c2..98b679d 100644 (file)
@@ -34,7 +34,7 @@ public class ClassExtractorsTestSupport {
         super();
     }
 
-    protected ClassExtractorsTestSupport2 getNested() {
+    public ClassExtractorsTestSupport2 getNested() {
         return nested;
     }
 }
index 6941d03..dddd251 100644 (file)
@@ -27,6 +27,5 @@ public class ClassExtractorsTestSupport2 {
 
     public static final int NESTED_VALUE = 30;
     
-    @SuppressWarnings("unused")
-    private int theValue = NESTED_VALUE;
+    public final int theValue = NESTED_VALUE;
 }
index 6fc2e20..9794bff 100644 (file)
@@ -69,9 +69,9 @@ public class FieldExtractorTest {
 
     private static class MyClass {
         @SuppressWarnings("unused")
-        private String value = VALUE;
+        public String value = VALUE;
 
         @SuppressWarnings("unused")
-        private int value2 = INT_VALUE;
+        public int value2 = INT_VALUE;
     }
 }