{"id":1652,"date":"2020-06-03T04:04:11","date_gmt":"2020-06-03T04:04:11","guid":{"rendered":"https:\/\/blog.embold.io\/?p=1652"},"modified":"2020-06-10T12:37:44","modified_gmt":"2020-06-10T12:37:44","slug":"embold-put-the-cwa-through-its-paces-heres-what-we-found","status":"publish","type":"post","link":"https:\/\/blog.embold.io\/es\/embold-put-the-cwa-through-its-paces-heres-what-we-found\/","title":{"rendered":"Embold put the CWA through its paces, here\u2019s what we found!!"},"content":{"rendered":"\n<p align=\"justify\">The coronavirus, <strong>COVID-19,<\/strong> has spread across the world and affected millions. The pandemic has seriously disrupted not only people\u2019s daily lives and the economic development of entire countries but also international trade and business in general. Several governments have developed contact tracing apps as a preventive measure; contact tracing is regarded as an essential public health tool for controlling infectious disease outbreaks. Such an app tracks chains of contact and notifies its users when they have been in contact with infected individuals and are therefore at risk of contracting the virus. The German Government&#8217;s tool, the Corona-Warn-App (CWA), is now open source, and we took this opportunity to analyse it.<\/p>\n\n\n\n<p align=\"justify\">We scanned the backend component of the CWA with <em>Embold\u2019s Static Analysis<\/em> platform and did a quick run-through of the findings.<br><strong>Component scanned: <\/strong> cwa-server (<a href=\"https:\/\/github.com\/corona-warn-app\/cwa-server.git\">https:\/\/github.com\/corona-warn-app\/cwa-server.git<\/a>)<br><strong>Commit ID: <\/strong>822150b1b22645ba071a6f6576d50614dc01b34b<br><strong>Implementation language:<\/strong> Java<\/p>\n\n\n\n<h4>Overview<\/h4>\n\n\n\n<p align=\"justify\">First off, the system quality looks good from an overall perspective. 
Embold analyses systems along four dimensions:<\/p>\n\n\n\n<ul><li>Design Quality,<\/li><li>Code Quality,<\/li><li>Implementation Metrics, and<\/li><li>Code Duplication.<\/li><\/ul>\n\n\n\n<p align=\"justify\">The issues found in each dimension are aggregated into a rating on a scale from -5 to +5, and this rating is assigned to every code component (class, module, system, etc.). At the system level this rating is the Embold Score.<\/p>\n\n\n\n<h3>System Overview<\/h3>\n\n\n\n<ul><li><strong>Overall Rating<\/strong>:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"516\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/SystemOverview1.png\" alt=\"\" class=\"wp-image-1680\" srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/SystemOverview1.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/SystemOverview1-768x422.png 768w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/SystemOverview1-585x321.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/figure>\n\n\n\n<p align=\"justify\">The overall Embold Score of cwa-server is a healthy 4.34.<br>The individual scores (design, metrics, duplication and code issues) are also good, and no hotspots were detected.<\/p>\n\n\n\n<p>The same is reflected in the system <strong>heatmap<\/strong> (the class SubmissionController, although not a hotspot, is a relatively large class in the system).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"427\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Heatmap.png\" alt=\"\" class=\"wp-image-1682\" srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Heatmap.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Heatmap-768x349.png 768w, 
https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Heatmap-585x266.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/figure>\n\n\n\n<p align=\"justify\">However, the<strong> Quality Gate <\/strong> of the system failed due to 2 critical code issues. These may impact the <strong>security<\/strong> and <strong>resource<\/strong> <strong>utilization<\/strong> of the system.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"433\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/QualityGate.png\" alt=\"\" class=\"wp-image-1683\" srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/QualityGate.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/QualityGate-768x354.png 768w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/QualityGate-585x270.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/figure>\n\n\n\n<p align=\"justify\"><strong>Code Issues:<\/strong><br>This section lists the critical code issues detected.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"272\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues.png\" alt=\"\" class=\"wp-image-1685\" srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues-768x222.png 768w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues-585x169.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/figure>\n\n\n\n<p>We found two critical issues<img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"212\" class=\"wp-image-1686\" style=\"width: 3000px\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/criticalissues.png\" alt=\"\" 
srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/criticalissues.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/criticalissues-768x173.png 768w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/criticalissues-585x132.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/p>\n\n\n\n<p>Let&#8217;s examine these in detail:<\/p>\n\n\n\n<ul><li><strong>DisabledSpringSecurityCSRF<\/strong>: <img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"504\" class=\"wp-image-1688\" style=\"width: 3000px\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/CodeIssues_Detail.png\" alt=\"\" srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/CodeIssues_Detail.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/CodeIssues_Detail-768x412.png 768w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/CodeIssues_Detail-585x314.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/li><\/ul>\n\n\n\n<p align=\"justify\">Class <strong>app.coronawarn.server.services.submission.config.SecurityConfig<\/strong> disables CSRF protection in its configure() method. Spring Security enables this protection by default, and switching it off should be a deliberate, recorded decision rather than a convenience. A CSRF attack works by making a victim\u2019s browser send a request that carries ambient credentials the server trusts, typically a session cookie. In the CWA use case no authentication or sessions are applied and the submission endpoint is called by the mobile app rather than by a browser, so a forged cross-site request would carry nothing the server relies on; the finding is therefore not an exploitable weakness in the current code. Our recommendation nonetheless stands: do not disable CSRF protection without documenting why in the configuration, declare the API stateless so that a session cannot appear later by accident, and re-enable the protection if cookie-based sessions or browser clients are ever added to this service.<\/p>\n\n\n\n<ul><li><strong>PossibleThreadLeakInExecutorService:<\/strong><img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"445\" class=\"wp-image-1692\" style=\"width: 3000px\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues_Detail2-1.png\" alt=\"\" srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues_Detail2-1.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues_Detail2-1-768x364.png 768w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Code-issues_Detail2-1-585x277.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/li><\/ul>\n\n\n\n<p align=\"justify\">Class SubmissionController creates a ScheduledExecutorService (its scheduledExecutor) but never calls shutdown() or shutdownNow() on it. An executor that is never shut down keeps its worker threads and any queued tasks alive for as long as the JVM runs, and with the default thread factory those threads are non-daemon, so they can also keep the JVM alive after the application context has been closed. Embold reports this as a resource leak.<br>Our recommendation is to shut the executor down explicitly when the owning bean is destroyed (for example from a @PreDestroy method or an equivalent shutdown callback), waiting a bounded time for in-flight tasks before forcing termination with shutdownNow().<br>This issue was discussed in <a rel=\"noreferrer noopener\" aria-label=\"github cwa-server issue 433\" href=\"https:\/\/github.com\/corona-warn-app\/cwa-server\/issues\/433\" target=\"_blank\">https:\/\/github.com\/corona-warn-app\/cwa-server\/issues\/433<\/a>. Because SubmissionController is a singleton, the executor is created only once per application context and the leak is bounded, which is why the issue was not fixed. It does become a real leak wherever the context is created and destroyed repeatedly, as in integration tests, and we still recommend shutting the ScheduledExecutorService down at application exit.<\/p><p align=\"justify\"><strong>Design Analysis<\/strong>:<br>In its current state, no major design anti-patterns were found. 
However, we recommend that the following classes be observed over time, as they may turn into God Classes when more functionality is added.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"939\" height=\"156\" src=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/DesignAnalysis.png\" alt=\"\" class=\"wp-image-1689\" srcset=\"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/DesignAnalysis.png 939w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/DesignAnalysis-768x128.png 768w, https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/DesignAnalysis-585x97.png 585w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/figure>\n\n\n\n<p align=\"justify\">These classes have a relatively low metrics score, meaning they already carry more lines of code, functionality and abstractions than the rest of the system. As new logic is added over time, they may start showing traits such as a lack of separation of concerns and many dependencies, become difficult to maintain and turn defect-prone. Hence, we recommend that these classes be monitored.<\/p>\n\n\n\n<p align=\"justify\">For more information, you can refer to our website at <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"http:\/\/www.embold.io\" target=\"_blank\">www.embold.io<\/a> and our documentation at <a rel=\"noreferrer noopener\" aria-label=\"docs.embold.io (opens in a new tab)\" href=\"https:\/\/docs.embold.io\" target=\"_blank\">docs.embold.io<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Coronavirus, COVID-19, has permeated throughout the world affecting millions. 
The pandemic has caused a serious impact not only on people\u2019s daily lives and economic development of entire countries but also&hellip;<\/p>\n","protected":false},"author":10,"featured_media":1694,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"better_featured_image":{"id":1694,"alt_text":"","caption":"","description":"","media_type":"image","media_details":{"width":3000,"height":2000,"file":"2020\/06\/Covid-19-blog-2.jpg","sizes":{"thumbnail":{"file":"Covid-19-blog-2-150x150.jpg","width":150,"height":150,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-150x150.jpg"},"medium_large":{"file":"Covid-19-blog-2-768x512.jpg","width":768,"height":512,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-768x512.jpg"},"penci-full-thumb":{"file":"Covid-19-blog-2-1170x780.jpg","width":1170,"height":780,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-1170x780.jpg"},"penci-slider-thumb":{"file":"Covid-19-blog-2-1170x663.jpg","width":1170,"height":663,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-1170x663.jpg"},"penci-magazine-slider":{"file":"Covid-19-blog-2-780x516.jpg","width":780,"height":516,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-780x516.jpg"},"penci-slider-full-thumb":{"file":"Covid-19-blog-2-1920x800.jpg","width":1920,"height":800,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-1920x800.jpg"},"penci-single-full":{"file":"Covid-19-blog-2-1920x1280.jpg","width":1920,"height":1280,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.
io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-1920x1280.jpg"},"penci-thumb":{"file":"Covid-19-blog-2-585x390.jpg","width":585,"height":390,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-585x390.jpg"},"penci-masonry-thumb":{"file":"Covid-19-blog-2-585x390.jpg","width":585,"height":390,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-585x390.jpg"},"penci-thumb-square":{"file":"Covid-19-blog-2-585x585.jpg","width":585,"height":585,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-585x585.jpg"},"penci-thumb-vertical":{"file":"Covid-19-blog-2-480x650.jpg","width":480,"height":650,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-480x650.jpg"},"penci-thumb-small":{"file":"Covid-19-blog-2-263x175.jpg","width":263,"height":175,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-263x175.jpg"},"jr_insta_square":{"file":"Covid-19-blog-2-640x640.jpg","width":640,"height":640,"mime-type":"image\/jpeg","source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2-640x640.jpg"}},"image_meta":{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0","keywords":[]}},"post":1652,"source_url":"https:\/\/blog.embold.io\/wp-content\/uploads\/sites\/2\/2020\/06\/Covid-19-blog-2.jpg"},"translation":{"provider":"WPGlobus","version":"2.10.8","language":"es","enabled_languages":["en","es","de","fr","ru"],"languages":{"en":{"title":true,"content":true,"excerpt":false},"es":{"title":false,"content":false,"excerpt":false},"de":{"title":false,"content":false,"excerpt":false},"
fr":{"title":false,"content":false,"excerpt":false},"ru":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/posts\/1652"}],"collection":[{"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/comments?post=1652"}],"version-history":[{"count":30,"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/posts\/1652\/revisions"}],"predecessor-version":[{"id":1705,"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/posts\/1652\/revisions\/1705"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/media\/1694"}],"wp:attachment":[{"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/media?parent=1652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/categories?post=1652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.embold.io\/es\/wp-json\/wp\/v2\/tags?post=1652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
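The DisabledSpringSecurityCSRF finding discussed in the post above, as an added example that is not part of the original post or of the cwa-server code base: a Spring Security 5 configuration that makes the CSRF decision explicit instead of silently disabling it. The property name `app.security.browser-sessions`, the class name and the endpoint path are assumptions for illustration. When no browser sessions are served, CSRF protection is disabled deliberately and the API is declared stateless; when they are, the protection stays on with the cookie-based token repository that browser clients can read.

```java
// Added example, not cwa-server code. Assumes Spring Boot 2.x with Spring Security 5.x.
// The property name, class name and endpoint path are assumptions for this example.
package example.security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SubmissionSecurityConfig extends WebSecurityConfigurerAdapter {

  private static final String SUBMISSION_PATH = "/version/v1/diagnosis-keys"; // assumed path

  /** Assumed property: true only if browser clients with cookie-based sessions are served. */
  @Value("${app.security.browser-sessions:false}")
  private boolean browserSessions;

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    if (browserSessions) {
      // Browser clients with a session cookie: CSRF protection stays on. The token is
      // written to the XSRF-TOKEN cookie (readable by script on the same origin) and must
      // be echoed back in the X-XSRF-TOKEN header; a cross-site page cannot read it.
      http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    } else {
      // Non-browser clients, no cookies or sessions: a forged cross-site request carries
      // nothing the server trusts, so a CSRF token would add no protection and would only
      // break the mobile client. Disable it deliberately and declare the API stateless so
      // that a session cannot appear later by accident and silently reopen the issue.
      http.csrf().disable();
      http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
    http.authorizeRequests()
        .antMatchers(SUBMISSION_PATH).permitAll()
        .anyRequest().denyAll();
  }
}
```

With the property at its default of false a POST to the submission path without any token is accepted, as it is in cwa-server today. With the property set to true the same POST without the X-XSRF-TOKEN header is rejected with HTTP 403, which is the quickest way to confirm which mode a deployment is actually running in.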
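The PossibleThreadLeakInExecutorService finding discussed in the post above, as an added example that is not part of the original post or of cwa-server: a small class that owns a ScheduledExecutorService and shuts it down in a bounded, two-phase way (graceful shutdown(), then shutdownNow() for stragglers). The class and method names are illustrative; it uses only the JDK so it runs stand-alone, and its main() checks that the executor reports terminated after shutdown while the delayed tasks still ran.

```java
// Added example, not cwa-server code. Plain JDK 8+, no framework dependency.
// Class and method names are assumptions for this example.
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public final class DelayedWorkScheduler implements AutoCloseable {

  private final ScheduledExecutorService scheduler;

  public DelayedWorkScheduler() {
    // Named, non-daemon worker thread (the same as the default thread factory gives you):
    // if nobody shuts the executor down, this thread outlives the bean that created it.
    ThreadFactory factory = r -> {
      Thread t = new Thread(r, "delayed-work-scheduler");
      t.setDaemon(false);
      return t;
    };
    this.scheduler = Executors.newSingleThreadScheduledExecutor(factory);
  }

  public ScheduledFuture<?> schedule(Runnable work, long delayMillis) {
    return scheduler.schedule(work, delayMillis, TimeUnit.MILLISECONDS);
  }

  /**
   * Graceful first, forced second. Returns true if every task finished within the deadline.
   * Delayed tasks that are already queued still run after shutdown(); shutdownNow() interrupts them.
   */
  public boolean shutdownAndAwait(long timeoutMillis) {
    scheduler.shutdown();                       // stop accepting new tasks
    try {
      if (scheduler.awaitTermination(timeoutMillis, TimeUnit.MILLISECONDS)) {
        return true;
      }
      scheduler.shutdownNow();                  // interrupt whatever is still running
      return scheduler.awaitTermination(timeoutMillis, TimeUnit.MILLISECONDS);
    } catch (InterruptedException e) {
      scheduler.shutdownNow();
      Thread.currentThread().interrupt();       // keep the interrupt visible to the caller
      return false;
    }
  }

  /** Spring calls this when the bean is destroyed if it is registered via @Bean
   *  (destroy method inferred) or if this method is annotated with @PreDestroy. */
  @Override
  public void close() {
    shutdownAndAwait(2_000);
  }

  public boolean isTerminated() {
    return scheduler.isTerminated();
  }

  public static void main(String[] args) {
    AtomicInteger completed = new AtomicInteger();
    DelayedWorkScheduler s = new DelayedWorkScheduler();
    s.schedule(completed::incrementAndGet, 50);
    s.schedule(completed::incrementAndGet, 100);
    boolean clean = s.shutdownAndAwait(1_000);  // waits for both delayed tasks to run
    if (!clean || !s.isTerminated() || completed.get() != 2) {
      throw new IllegalStateException("executor did not terminate cleanly");
    }
    System.out.println("tasks run=" + completed.get() + ", terminated=" + s.isTerminated());
  }
}
```

The two-phase shutdown matters because shutdown() alone lets queued delayed tasks run to completion, which is usually what you want at a normal stop, while shutdownNow() is the escape hatch for a task that ignores the deadline. Wiring close() to the bean lifecycle turns the singleton's bounded leak into no leak at all, including in test suites that start and stop many application contexts.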