This release includes a lot of small fixes. See the auto-generated for the complete changes. From those, here are two notable improvements:

• Supports for JDK 17
• Important fixes regarding signatures' files (Bug with generic )

In late 2021, the library log4j version 2 was vulnerable to JDNI/LDAP "injection". The Log4j2 project has been using FSB (at least once). I later found out that we had a small signature issue that could have warned of the Context.lookup() method risks. #670 for more info.

What's Changed

• Version changes by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/615
• Add support for Vert.x web Oauth2 + CSRF handlers by @pmlopes in https://github.com/find-sec-bugs/find-sec-bugs/pull/621
• Add new detector for MODIFICATION_AFTER_VALIDATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/635
• Add new detector for NORMALIZATION_AFTER_VALIDATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/633
• Fix solution for XXE with TransformerFactory by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/641
• Quick fix for NormalizationAfterValidation by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/643
• Remove verbose logging from test case by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/644
• Add Paths.get(Uri) as source for Path traversal by @deepsan in https://github.com/find-sec-bugs/find-sec-bugs/pull/645
• New detector FindDangerousPermissionCombination for new bug type DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/652
• Fix the examples in the documentation of DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/654
• Fallback when classNameLength is too long #651 by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/653
• Update data in script generator by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/658
• Update test dependencies by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/659
• ReDOS detection for the Pattern annotation #426 by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/660
• Fix unescape tag #661 by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/662
• Correctly parse method signatures with generic types by @scottsteen in https://github.com/find-sec-bugs/find-sec-bugs/pull/669
• Fixing LDAP/JNDI sink method signature by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/670
• updated links to plugins on website by @winne42 in https://github.com/find-sec-bugs/find-sec-bugs/pull/671
• Add JDK17 support by @jlstephens89 in https://github.com/find-sec-bugs/find-sec-bugs/pull/672

New Contributors

• @baloghadamsoftware made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/635
• @deepsan made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/645
• @scottsteen made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/669
• @winne42 made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/671
• @jlstephens89 made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/672

Full Changelog: https://github.com/find-sec-bugs/find-sec-bugs/compare/version-1.11.0...version-1.12.0

>md5sum findsecbugs-cli-1.12.0.zip
3b27a4374ac89146574a6318cfc53529 *findsecbugs-cli-1.12.0.zip

>sha1sum findsecbugs-cli-1.12.0.zip
cc382af0fae095afa7d41eb14d105fb909d8bc5b *findsecbugs-cli-1.12.0.zip

In this new release of Find Security Bugs (FSB), you'll find few new detectors long with improvement to existing ones. Here is a summary of what to expect from this update.

New detectors

A new experimental detector was created to highlight Unicode issue. Its report are shown only if you set the minimum confidence to Low (default setting is Medium). For applications integrating Groovy, a new detectors will find scripts being evaluate at runtime (analog to eval functions in scripting languages). Vert.x SQL api are now supported. Finally, Hardcoded passwords in JSch library are now detected.

Java unsafe deserialization

Deserialization detectors now support ObjectInput and ObjectInputStream. Thanks to @nichollt for the idea.

HTTP Parameter Pollution (URL Injection)

For application making outbound HTTP request, the recommended way to build URI/URL is to use the URIBuilder. This third party class provided a DSL that will behave similarly to prepare statements APIs. All parameters pass to this DSL is properly encoded. This allows FSB to remove false positive with confidence.

StringSubstitutor

StringSubstitutor / StrSubstitutor are now tracked properly for all injection detectors.

SpotBugs 4.0.0

This version is compatible with SpotBugs 4.0.0. The command line client (see attached package) is including the latest version.

Full Changelog

Implemented enhancements:

• Scanning Kotlin doesnt work with gradle-plugin #598
• HTTP parameter pollution False positive with URIBuilder (HTTPClient) #586
• Improper handling of Unicode transformations #577
• Add support for sort with -V in findsecbugs.sh #570
• Java deserialization vulnerability not being discovered #563
• False positive spring jdbctemplate SQL Injection #538
• Detect hardcoded password for SSH private key #536
• New Sink : Groovy Script Injection #483

Fixed bugs:

• EmptyStackException error #546
• RuntimeException when processing static method #541
• "Error: missing bug code for keySECEMA " in FindSecBugs 1.10.0 #526
• Incompatibility with SpotBugs 4.0.0 #525
• Missing commons-codec library #602

Closed issues:

• Restore Codecov integration #608
• Restore Travis-CI on build on Pull Request #574
• src/test/java/testcode/serial/ObjectDeserializationFalsePositive2.java:[10,8] error: no suitable constructor found for ASN1InputStream(no arguments) #557
• How to remove “taint” for custom tld function? #555
• java.lang.OutOfMemoryError: GC overhead limit exceeded #554
• Enable 'Require HTTPS' on find-sec-bugs.github.io/ #544
• False positive for unsafe comparison of hash that are susceptible to timing attack #558
• SQL injection false positive when the source is an array. #529
• String-value coming from an Enum causes SQL_INJECTION_JPA #491

Merged pull requests:

• Enable CodeQL Security Scan #610 (VinodAnandan)
• Attempt to export JaCoCo coverage file #608 #609 (h3xstream)
• Remove dependency to commons-codec #602 #607 (h3xstream)
• Add solution to LDAP Injection #599 (Marx314)
• Minor documentation and fixes #594 (h3xstream)
• Change to GH Action #593 (h3xstream)
• Less verbose output for test cases #592 (h3xstream)
• Fix verify build in Github Action #591 (h3xstream)
• A couple of fixes for Github Action #590 (h3xstream)
• GitHub Action - Test for #588 #589 (h3xstream)
• Test case to reproduce Enum in injection #491 #583 (h3xstream)
• Test case to reproduce #529 #582 (h3xstream)
• Add test case OOB Local variable assertion for #556 #581 (h3xstream)
• Attempt to reduce potential false positive #577 #580 (h3xstream)
• Change --version-list to -V #573 (h3xstream)
• Remove Nullable annotation not available in OpenJDK according to build #569 (h3xstream)
• Missing class for #563 (Fix build) #568 (h3xstream)
• Update Jquery to 3.5.1 (Make dependabot happy) #567 (h3xstream)
• Update Japanese messages #532 (orihalcon128)
• Introduce a properties file to avoid repeating the versions #530 (h3xstream)
• Fix links in the messages #528 (h3xstream)
• New samples with StringSubstitutor were added #538 #604 (h3xstream)
• Implement support for UriBuilder (HttpClient) #586 #587 (h3xstream)
• Few additions for 1.11.0 #579 (h3xstream)
• Initial version of a Vert.x Sql Client detector #576 (pmlopes)
• New detector for Jsch addition #572 (h3xstream)
• Add support for ObjectInput.readObject() for deserialization vuln #563 #566 (h3xstream)
• Add exception for the keyword share #558 #565 (h3xstream)
• SCRIPT_ENGINE_INJECTION and TEMPLATE_INJECTION_VELOCITY: typo/grammar fix #561 (boyarsky)
• 541 RuntimeException when processing static method #552 (topolik)
• Add example for sql_injection_spring_jdbc with annotation #551 (Marx314)

> md5sum findsecbugs-cli-1.11.0.zip
241c1f9138ee903d9d9f5e7cd00a93bf *findsecbugs-cli-1.11.0.zip

> sha1sum findsecbugs-cli-1.11.0.zip
910f38b746257d62de33ca83f257426e74e02033 *findsecbugs-cli-1.11.0.zip

This minor update is there to introduce a fix : https://github.com/find-sec-bugs/find-sec-bugs/issues/526

A new detector Pebble template injection is also added. Thanks to @sa160690.

Messages from many detectors were also updated. Multiple broken links or out-dated links were corrected. https://github.com/find-sec-bugs/find-sec-bugs/pull/528

> sha1sum findsecbugs-cli-1.10.1.zip
fad67bc6c31032dd3cf7419c1f4abe2376658757 *findsecbugs-cli-1.10.1.zip

> md5sum findsecbugs-cli-1.10.1.zip
1eecbef120b61e0ce4870c38fe28fccd *findsecbugs-cli-1.10.1.zip

New bug detectors (or important improvements)

• Mass-assignment when using JPA or JDO entities
• Leakage from entity when using JPA or JDO entities
• Permissive CORS header allowing all origin (New coverage for Spring CorsRegistry)
• Overly permissive file permissions (code doing equivalent operation to chmod 777)
• Insecure SAML configuration affecting provider using OpenSAML API

This release is the result of various contributors : jie-lin, kulinacs, mkotyk, topolik, bananayong, nigredo-tori and thiyagu-7. With this release 19th release, we are reaching 51 contributors.

A status update was published about Find Security Bugs arrival in the OWASP family.

version-1.10.0 (2019-10-17)

Full Changelog

Implemented enhancements:

• Fix code coverage badge + CI task #507
• Detect if authorisation is missing from a RequestMapping #473
• Support com/google/common/escape/Escaper as sanitizer #504
• http://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE #482
• Remove hard-coded "metadata" in FindBugsLauncher#buildFakePluginJar #479
• Add PathTraversalSinks for java/nio/file/Files API #476
• PATH_TRAVERSAL_IN detection #470
• Weak Permissions (chmod 777) #438
• Insecure SAML configuration in Spring #369
• Add configurable metadataFolder in FindBugsLauncher #480 (Kidlike)
• Add permissive CORS detector for CorsRegistration in Springboot #472 (Anemone95)

Fixed bugs:

• Integration with Ant Script #493
• Failed when build find-sec-bugs myself #379
• findsecbugs.sh has windows line breaks #516
• Unsupported class file major version 56 #512
• SpringEntityLeakDetector throw s NPE #477
• local-variable-index-rewrite-bug #475 (topolik)

Closed issues:

• Unwrapping an encrypted key with non-random IV shouldn't trigger STATIC_IV #517
• False-positive in URLCONNECTION_SSRF_FD #505
• SQL Injection false positive with MessageFormat.format() #498
• Spring Entity Leak Detector for collections #495
• JSP Include with constant URL #481

Merged pull requests:

• Replace finally block with try resource sections. (Refactoring) #519 (h3xstream)
• Improve test coverage #515 (h3xstream)
• Update SpotBugs to 3.1.12 #513 (h3xstream)
• change package to "com.h3xstream.findsecbugs.xml" #510 (jie-lin)
• SSRF detector moved to the injection package #509 (h3xstream)
• Attempt to incorporate CodeCov with JaCocCo #507 #508 (h3xstream)
• jsp:include with constant path // SAML ignore comments set to false #499 (h3xstream)
• Rename findbugs-test-util to findsecbugs-test-util #497 (h3xstream)
• Small changes to documentation #494 (h3xstream)
• Fix typo in HTTPONLY_COOKIE description #492 (kulinacs)
• 190430-taint-method-propagation-II #490 (topolik)
• Unable to detect injections on older versions of Hibernate #489 (mkotyk)
• Fix typography on Spring Entity Leak description #485 (ArnaudLec)
• Fix NPE when interface has spring mvc annotations #478 (bananayong)
• Update SpotBugs dependency + others deps #471 (h3xstream)
• New submodule for JSP samples #469 (h3xstream)
• New module for Java samples #468 (h3xstream)
• Preparing the next dev version #467 (h3xstream)
• Release 1.9.0 #466 (h3xstream)
• Change STATIC_IV detector to properly handle key wrapping/unwrapping modes #518 (nigredo-tori)
• Supporting com/google/common/escape/Escaper as sanitizer #511 (thiyagu-7)
• Add support for separator #470 #506 (h3xstream)
• Overly permissive file permission #438 #502 (h3xstream)
• Handle MessageFormat.format properly when tracking variables #498 #501 (h3xstream)
• Improvement to information leakage and mass assignment detection #496 (h3xstream)

The project is now an OWASP project. After 7 years of development, this transition was made mainly to reiterate the project goal which is to provide a solid static analyzer accessible to all Java developers. There is hope that this could increase the project visibility which means more users and also keep the flow of external contributions.

For this release, the support for Kotlin was increased greatly thanks to mario-areias. An important bug fix was made for the Linux CLI. Few improvements were made to remove recurrent false-positive related to XSS in JSP, deserialization and insecure cyphers.

An effort was made at the end of this milestone to improve the descriptions. This effort will continue in the next releases. Don't hesitate to send PR for any grammar errors or typos. Ref: complete descriptions and file to edit

PS: I know that wasps (OWASP mascot) are not the same as bees. 😆

New contributors for this release

(In order of contribution date)

• shirinnikita
• ManWhoLaughs
• thypon
• karanb192
• ThrawnCA
• JoshCunninghame
• mario-areias
• jbleduigou

Full Changelog

Implemented enhancements:

• New Rule: Detect Information Exposure through printStackTrace() #356
• detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
• Detect if entity objects are being returned by controllers in Spring #454
• Apache XML RPC setEnabledForExtensions(true) #418
• False Positive XSS in Expression Language ${pageContext.request.contextPath} #399
• False positive XSS when using OWASP taglib #353
• Detect Commons lang Random utilities #243
• New Rule: Use of setEscapeModelStrings in Wicket project #201
• Extended PredictiveRandomDetector #437 (ManWhoLaughs)

Fixed bugs:

• Possible bug in DeserializationGadgetDetectorTest #408
• [Error] Resource not found: java/lang/Object.class (Java 9) #365
• detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
• 1.8.0 findsecbugs.sh script errors #460
• Version mismatch in the findsecbugs-cli sh script. #445
• Test coverage for command injection for Kotlin #428
• ECIES integrity false positive #417
• Error while executing finsecbugs.sh on ubuntu #367
• False positive: ASN1InputStream identify as ObjectInputStream #170

Closed issues:

• The following classes needed for analysis were missing for method names #440
• false positive for CRLF_INJECTION_LOGS #425
• Migrate from BCEL Constants interface to Const class #413
• No class directories configured for FindBugs analysis error #412
• Kotlin arrayOf considered safe #432
• False Positive - JSTL Core accessing exported scoped variable storing the status of the iteration. #404

Merged pull requests:

• Restructuring the sub-modules #465 (h3xstream)
• Remove graph module #449 (h3xstream)
• Update to use findsecbugs-plugin 1.8.0 #436 (jbleduigou)
• Added Kotlin support for CRLF detector #430 (mario-areias)
• Kotlin file path traversal sink signatures #427 (JoshCunninghame)
• Added test coverage for command injection for kotlin string and func apis #423 (JoshCunninghame)
• Kotlin deserialisation gadget #422 (JoshCunninghame)
• Unsafe jackson object deserialisation kotlin module #421 (JoshCunninghame)
• Unsafe object deserialisation kotlin module #420 (JoshCunninghame)
• Kotlin hardcode password equals #419 (JoshCunninghame)
• Added KotlinHardcodePasswordInMap detector and created new module for… #416 (JoshCunninghame)
• Update the CLI packaging #415 (h3xstream)
• Replace deprecated BCEL Constants interface with Const class, #413 #414 (ThrawnCA)
• Add prism code highlight for the micro-website. #464 (h3xstream)
• Update descriptions #463 (h3xstream)
• Add references to Wicket XSS #462 (h3xstream)
• Added Entity Leak Detector #457 (karanb192)
• XSS using Wicket component #453 (h3xstream)
• Fix the FP generated by ECIES usage #417 #452 (h3xstream)
• JSTL expression white listing #451 (h3xstream)
• Fix #432 #450 (h3xstream)
• Fix Kotlin handling of the String being build with the Appendable class #448 (h3xstream)
• Improve and generalize the CLI unix launcher #447 (thypon)
• Fix TravisCI for JDK version 10 #444 (h3xstream)
• Improve XSLT RCE resolution #443 (h3xstream)
• Extended PredictiveRandomDetector (added new test) #441 (ManWhoLaughs)
• Apache XML RPC setEnabledForExtensions(true) #439 (shirinnikita)

> sha1sum findsecbugs-cli-1.9.0.zip
27b35c76f45d4da063e4a85ffebf491bc4890763 *findsecbugs-cli-1.9.0.zip

> md5sum findsecbugs-cli-1.9.0.zip
cc7c052184cc94e316908ddb58e2afae *findsecbugs-cli-1.9.0.zip

> sha1sum findsecbugs-cli-1.9.0-fix1.zip
f596059c106675ff93aa252cd99f923b480f1e30 *findsecbugs-cli-1.9.0-fix1.zip

> md5sum findsecbugs-cli-1.9.0-fix1.zip
795a404bc73493e32bf86ba4655901f0 *findsecbugs-cli-1.9.0-fix1.zip

> md5sum findsecbugs-cli-1.9.0-fix2.zip
0d92d567ebc6ec88b1ce6d61b8d40d48 *findsecbugs-cli-1.9.0-fix2.zip

> sha1sum findsecbugs-cli-1.9.0-fix2.zip
998437752ebfbed1cace3c9d73cc4644fb3f1545 *findsecbugs-cli-1.9.0-fix2.zip

While SQL injection is considered by many as a (mostly) solved problem, injection vulnerabilities are still current because of all the injections possible in other API receiving SpEL or OGNL expressions, HTML (XSS), SMTP header or specialized query languages. In this release, new detectors and updates on old ones are likely to catch critical vulnerabilities that may lead to Remote Code Execution or sensitive data exposure.

Some modifications were made to support some edge cases of Kotlin. If you are a Kotlin developers, you should benefit greatly from this release. (Fix #387) (Tests #407, #409, #410)

Many built-in Java XML API susceptible to XXE were added to existing detectors. #138

Find Security Bugs is now automatically tested against Java 10. We will continue to compile the plugin with Java 8 to maximize the compatibility.

Thanks to the numerous contributors who have pushed changes that were integrate in this version:

• mario-areias
• bradflood
• mzcu
• xanderhades
• HansolChoe
• woung717
• orihalcon128
• RichardBradley
• javabeanz
• VinodAnandan
• MaxNad
• topolik
• (I hope I am not forgetting anyone.)

Full Changelog

Implemented enhancements:

• Detect SpelView (Spel Injection) #400
• False positive STRUTS_FORM_VALIDATION issues for ActionForms with proper validate method #390
• Kotlin support for hardcode password with Intrinsics.areEqual\(\) #387
• SMTP Header Injection #374
• FileItem.getName() as a new source for XSS_SERVLET? #358
• Detect hardcode password and hash based on variable name #342
• Identify XSS cause by ServletOutputStream.print() #341
• (Internal) Enable assertions during building and/or using find-sec-bugs #338
• Add Paths.get() as source for Path traversal #324
• Reduce false positive for Path traversal #291
• CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240
• [Documentation] - Add Table of Contents to Bug Patterns page #160
• More XXE coverage #138
• New implementation of CORS detector #313 #361 (bradflood)
• fix for: Identify XSS cause by ServletOutputStream.print() #341 #355 (bradflood)
• Optional API and improvement to crypto detector #350 (h3xstream)
• Added some XXE Coverage for TransformerFactory #349 (MaxNad)
• Add Java8 nio API for path traversal #324 #325 (h3xstream)

Fixed bugs:

• Path traversal: Flase positive with static final variable #382
• NullPointerException in GoogleApiKeyDetector.visitClassContext #364
• Images on Gradle Configuration documentation page show 'Please update your account' #337
• PermissiveCORSDetector throws NPE #313
• CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240

Closed issues:

• Crash with spotbugs 3.1.4 #406
• Adding New Sinks #378
• Add a new bug check "X-Frame-Options Header Not Set" #371
• Invalid configuration for java/io/File#createTempFile in java-net.txt #328

Merged pull requests:

• Added tests for Object deserialisation for kotlin code #410 (mario-areias)
• Added deserialisation gadget test for kotlin #409 (mario-areias)
• Added test for Jackson deserialization detector in Kotlin #407 (mario-areias)
• Created Kotlin version for HardcodedPasswordEqualsDetector class - fix #387 #405 (mario-areias)
• Struts Validation detector simplified #402 (h3xstream)
• Detect SpelView #400 #401 (h3xstream)
• OWASP Taglib #398 (bradflood)
• Testcases for SLF4J #396 (h3xstream)
• Added support for SAXTransformerFactory #394 (h3xstream)
• Add detectors for more XXE coverage #138 #392 (h3xstream)
• Make Java 9 build mandatory for Travis-CI #389 (h3xstream)
• Graph improvements for field read/write and return value tracking #388 (h3xstream)
• Improve RSA weak keysize detection #386 (mzcu)
• Add test case for path traversal with source from final field #382 #384 (h3xstream)
• Fixed typos in website #380 (xanderhades)
• New condition that fix #364 #377 (h3xstream)
• Add reference to OWASP Security Logging #240 #376 (h3xstream)
• SMTP Header Injection #374 #375 (h3xstream)
• Experimental plugin that build graph from bytecode #370 (h3xstream)
• Add ErrorMessageExposureDetector #356 #360 (HansolChoe)
• FileItem.getName() as a new source for XSS_SERVLET #359 (woung717)
• Update the website template #351 (h3xstream)
• Renew Japanese messages. #348 (orihalcon128)
• Improvement to bug descriptions (Public Website) #347 (RichardBradley)
• Detect hardcode password and hash based on variable name #343 (h3xstream)
• Enable assertions during building and/or using find-sec-bugs #338 #339 (javabeanz)
• SpotBugs - 3.1.0-RC5 #334 (VinodAnandan)
• Test for TaintMethodConfigWithArgumentsAndLocation with examples #333 (topolik)
• Updated the CLI to 1.7.1 #331 (MaxNad)
• Fix java/io/File#createTempFile #328 #330 (topolik)
• Add coverage for Apache Commons Text API #327 (h3xstream)
• Reduce false positive for Path traversal #291 #326 (h3xstream)

74a7fc48d07c50311e052fdf4c7ac0ee675876fa *findsecbugs-cli-1.8.0.zip

SpotBugs first stable release is approaching (3.1.0). The build is now using SpotBugs rather than FindBugs. Nevertheless, Find Security Bugs will continue to be compatible with FindBugs as the API stays the same. If you don't migrate to SpotBugs, you will be missing the Java 8 compatibility.

What's new in this release? Many new signatures - 94 to be exact - have been added including Android SQL APIs and Struts 2 APIs receiving OGNL expression. Improvements have been made to API affected by SSRF for Play as well as J2EE API.

Special Thanks to the contributors of this release : @javabeanz, @topolik, @MaxNad, @dbaxa, @ln2v, @gredler, @dreis2211, @johnhawes, @obilodeau and @xsun12. Also thanks to @VinodAnandan for spotting a regression with OWASP Benchmark project.

Implemented enhancements:

• OGNL injection #312
• Generalize configuration properties with hard coded password #292
• New rule: detect https connections with weak SSL / TLS protocol #283

Closed issues:

• URL decode create false-negative #322
• CRLF_INJECTION_LOGS documentation typo #299
• Run coveralls after each build #287

Merged pull requests:

• Fix URL decode create false-negative #322 #323 (h3xstream)
• fixed out of date dependencies #321 (javabeanz)
• SSRF and LFI using RequestDispatcher and URLConnection #319 (topolik)
• Better fix of the Play 2.5.x SSRF detection (issue #307) #317 (MaxNad)
• Few changes to messages.xml #316 (h3xstream)
• OGNL injection + Android SQL injection + Migration from FindBugs to SpotBugs #309 (h3xstream)
• Added the Play 2.5.x SSRF detection - Fixed issue #307 #308 (MaxNad)
• Implement an unsafe jackson databind deserialization detector. #306 (dbaxa)
• Fixed copy-paste slip-up in Scala code example #305 (ln2v)
• Validate taint config class and method names as java identifiers #304 (topolik)
• Test and quality improvements #301 (h3xstream)
• Fix typo in documentation (fixes #299) #300 (gredler)
• Fix typo in documentation #296 (dreis2211)
• New detector HardcodePasswordInMapDetector #292 #293 (h3xstream)
• Gradle build to generate the CLI version of FSB #290 (h3xstream)
• Spring Unvalidated Redirect Detector #289 (johnhawes)
• Fixed typos I encountered #288 (obilodeau)
• Version 1.6.0 to 1.7.0 #286 (h3xstream)
• Implement detector for weak SSL/TLS protocols #285 (xsun12)

Hashes:

dc733590c116fd2fb37fda434b76b7fecd90664456219cab5d135d73ca0467df *findsecbugs-cli-1.7.1.zip

Most of the new detectors in this release are contribution from new developers. Notably @plr0man, @ptamarit, @MaxNad and @edrdo.

The new detectors are covering a wide range of vulnerability types. See the changelog below.

In the news, a team of researcher from Google and Centrum Wiskunde & Informatica have executed a previously theoretical attack to find a first collision. If you think SHA-1 collisions can affect your application, you can look at the report of the bug Weak Message Digest SHA-1.

version-1.6.0 (2017-03-15)

Full Changelog

Implemented enhancements:

• Unexpected deserialization with RestEasy/Jersey #198
• Turbine SQL Injection #238
• Detect hardcoded password in unknown API #231
• Malicious deserialization from LDAP entry #228
• (Dev internal) Validate the configuration files automatically #158
• Turbine SQL injections #253 (h3xstream)
• Adding overly permissive CORS policy detector #248 (plr0man)
• LDAP improvements #278 (h3xstream)
• Add HTTP Parameter Pollution Injection Detector #267 (plr0man)
• Add File Disclosure Injection detector #265 (plr0man)
• Java source and target from 1.6 to 1.7 & API compatibility check #264 (ptamarit)
• Add JavaBeans Property Injection detector #263 (plr0man)
• Add Insecure SMTP SSL detector #259 (plr0man)
• SQL Injection (CWE-89) - Scala Slick & Scala Anorm injection detectors #254 (MaxNad)
• Add Url rewriting detector #252 (plr0man)
• UNENCRYPTED_SERVER_SOCKET: use of java.net.ServerSocket #239 (edrdo)
• Server Side Request Forgery (CWE 918) - Basic detector implementation #234 (MaxNad)

Fixed bugs:

• Out of bounds mutables in ... (Assertion trigged) #275
• Force encoding to UTF-8 on windows when generating micro-website #232
• Freemarker description fix #230
• Bug fix of detection of bad cipher modes of operation and minor improvements #271 (formanek)

Closed issues:

• Find-sec-bugs maven plugin failed to execute #274
• False negatives in detection of bad modes of operation #270
• findbugs not working with Sonarqube 6.1 #235
• Update JSP compiler #279

Merged pull requests:

• Remove duplicated word in README #282 (jwilk)
• Update JSP compiler #281 (h3xstream)
• Fix #275 #277 (h3xstream)
• Add Format String Manipulation Injection Detector #266 (plr0man)
• Travis improvements: batch mode and verify phase #262 (ptamarit)
• Add AWS Query Injection detector #260 (plr0man)
• Fix false negatives in InsufficientKeySizeRsaDetector #257 (plr0man)
• Fix false negative SHA in WeakMessageDigestDetector #255 (plr0man)
• Persistent cookie detector #251 (plr0man)
• Anonymous LDAP Bind detector #250 (plr0man)
• Fix Maven warnings (missing plugin version, relocation, proprietary API) #247 (ptamarit)
• Adding ThreadLocalRandom detection #246 (plr0man)
• Improve SpringMvcEndpointDetector by detecting new RequestMapping annotation shortcuts #244 (ptamarit)
• Update plugins #279 #280 (h3xstream)
• Spring CSRF: Protection Disabled & Unrestricted RequestMapping #261 (ptamarit)
• (internal) Refactoring: Rename Summary to TaintConfig #258 (h3xstream)

A couple huge improvements are bundled in this release including:

• Better Scala support with a couple new detectors (thanks to @MaxNad )
  • New Rule: Scala Path Traversal
  • New Rule: Sensitive data exposure in cookies
  • New Rule: XSS detection in Play Framework
  • .. and many other improvements
• Huge set of small fixes and improvements (thanks to @topolik from Liferay) #214
• New Rule: XXE with XMLStreamReader
• New Rule: Template injection with Velocity and Freemarker
• New Rule: XSS detection in Porlet

These are the major new detectors but, as usual, many false positive patterns are now supported and avoided.

Quick note on the version notation: The previous releases were made on minor version (1.4.1-1.4.6) even though they include major improvements. It was never really a big concern because no major issue required to be fixed. This may have brought some confusion to some users. The release plan is still to keep going forward and not maintain older versions. There should be no benifit to keep using an old version.

version-1.5.0 (2016-10-06)

Full Changelog

Implemented enhancements:

• Detect template usage (template injection) #227
• Reduce the number of FP related to Trust Boundary Violation #226
• XSS in Portlet #216
• How to set findsecbugs.taint.customconfigfile through gradle? #215
• Identify weak XML parser properties that could lead to XXE #209
• Scala : XSS in twirl template #207
• Scala: XSS in Play controller #206
• XML parsing vulnerable to XXE (XMLReader) shortage #191
• Path Traversal (CWE 22) - Scala Path Traversal injection sinks #223 (MaxNad)
• Sensitive data exposure (CWE 200) - Sensitive data exposure in cookies #221 (MaxNad)
• XSS (CWE 79) - Scala - The detector can be fooled when the .as("text/html") is in uppercase #208 (MaxNad)
• Taint analysis bug fixes and improvements #214 (topolik)
• Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
• XSS (CWE 79) - Scala Play vulnerable code #203 (MaxNad)
• CWE 200 (Information Exposure) - Scala Play vulnerable code #202 (MaxNad)

Fixed bugs:

• FP: sending local broadcasts via LocalBroadcastManager #224
• False positive: ResourceBundle in JSP #213
• Out of bounds mutables in static myclass$.()V #199
• Issue #224 - Added an exception for the LocalBroadcastManager in the detector. #225 (MaxNad)
• Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)

Closed issues:

• not to report null-porter dereference if there is code already throws RuntimeError #197
• Release version 1.4.6 #195
• Release 1.4.5 #159
• Fix mix-content on micro-website #229

Merged pull requests:

• Custom config file method refactoring #218 (topolik)
• Accept environment variables spelled with underscores #217 (kuhnmi)

Special thanks to David Formanek for the significant contributions. He submits his thesis on taint analysis two weeks ago while this version was being released. A special thanks to Y Soft in believing in the idea of contributing to a community project.

Better taint analysis The most important improvement of this release is the introduction of a tagging system in the taint analysis engine. This change was introduced by @formanek. It will now support the detection of escaping function for various contexts XSS, SQL injection, etc.

Custom Signatures The configuration of custom signatures was updated to a new format. If you were using this feature make sure to transform your configuration to this new format. More information is available on the Wiki.

Japanese Messages The Japanese messages are now officially deprecated. There are a lot of missing descriptions for the Japanese language.

New Detectors A new set of rules was added to find XSLT vulnerability. Security researchers will also be happy to find an automate deserialization gadget detector.

version-1.4.6 (2016-06-02)

Full Changelog

Implemented enhancements:

• Detect deserialization gadgets #189
• CustomInjection issues #172
• New Rule : XSLT processing detection #168
• Update owasp.txt #188 (s-tikhomirov)
• Correct japanese messages formatting #185 (marcosbento)
• Support for sanitization using replace methods in String #171 (formanek)
• Taint tags for injections, proper tag derivation, added and fixed summaries #169 (formanek)
• Taint tags - support for taint sanitization (starting with XSS) #166 (formanek)
• Fix typo in taint-config/java-lang.txt #157 (apasel422)

Fixed bugs:

• find-sec-bugs always claims "The following classes needed for analysis were missing" for enums #176
• Memory leak in the tests #193
• Test failure : Invalid VNA after location #192
• java.util.ConcurrentModificationException during analysis #184
• CustomInjection issues #172
• FindSecBugs plugin crash in Intellij #167
• Fixed exception, debug info to visitGETFIELD, formatting #156 (formanek)

Closed issues:

• No plugin support for findbugs4sbt #181
• Fixing the build #180
• Standalone execution #179
• Make the test less verbose #194

Many bug patterns have been added for this release (see Full Changelog below).

During this milestone, few important documentation additions were made:

• Creation of the project demos repository
  • Android demo (Gradle)
  • Java with JSP demo (Maven)
  • Scala with Play Framework demo (SBT)
• Writing your own detector
• Creating a injection-based detector
• Tutorial for Jenkins configuration for Android and Java projects (@mcwww) :
• Many description of old bug patterns were also refactored.

The support for Scala specific bug patterns is starting slowly. We are looking for feedback from the community and potentially bug patterns ideas.

Full Changelog

Implemented enhancements:

• Play framework demo #154
• New Rule : Scala Command injection #153
• New Rule : Unvalidated redirect in Play Framework #152
• New Rule : Additional coverage for predictable random generator in Scala #151
• New Rule: Detect weak HostnameVerifier #150
• Migrate the old XSS detector to the new TaintDetector mecanism #149
• Support alternative bytecode for setEscapeXml="false" JSP (Weblogic appc) #148
• (Dev internal) DSL for more intuitive method matching #147
• New Rule : Missing HttpOnly flag on cookie #144
• New Rule : Trust Boundary Violation #133
• Taint analysis : Add taint parameters annotate (RequestParam, PathVariable, ..) #132
• New Rule : EL Expression Injection #130
• New Rule : XSS detector using the taint detector approach #129
• (Dev internal) Debug info for taint value to allow troubleshooting of the stack #81
• New Rule : Seam Logger usage could lead to remote code execution #56
• New Rule: Detect SSL disabler (Java + Scala implementation) #34

Fixed bugs:

• Fix code bloc in description for multiples Bug Patterns : JSP_INCLUDE, JSP_SPRING_EVAL and JSP_JSTL_OUT #131
• Hard coded keys false positive when loading bytes from FileInputStream #126
• Description for weak digest need an update #119
• Error scanning Scala code in IntelliJ #112

Merged pull requests:

• Change description of cryptography plus bad grammar #146 (mcwww)
• Change to description #145 (mcwww)
• Correct SonarQube product name #142 (agabrys)
• Analysis of indirect subclasses of HttpServlet for XSS #137 (formanek)
• Properly handle paths to files #136 (jsotuyod)
• Fixed hard coded keys detector and out-of-bounds index in TaintAnalysis #135 (formanek)

This release includes 7 new detectors, improvements to injections rules, improvements to taint analysis and a new standalone command line tools.

7 new detectors

• Detector for java object deserialization (Created by @minlex)
• Detector for external control of configuration (Created by @formanek)
• Detector for CRLF injection in logs (Created by @formanek)
• Detector for HTTP response splitting (Created by @formanek)
• Detect dynamic JSP Includes
• Detect Spring Eval JSP taglib
• JSTL out escapeXml=false

Standalone client The standalone CLI is a new packaging of existing features. For more information about the usage of the new tool visit the wiki page.

Full Changelog

Implemented enhancements:

• Path traversal and Xpath injection detectors should use taint analysis #97
• Detector for external control of configuration (CWE-15) #124
• Detector for CRLF injection in logs (CWE-117) #123
• Detector for HTTP response splitting #121
• Improvements for JSP support #110
• Missing taint sinks for LDAP Injection #105
• New rule : Detect dynamic JSP Includes #104
• Standalone command line tool to scan jars with or without the source #100
• Better support for collections #99
• Consider inheritance for method summaries #98
• Refactor injection detectors #96
• New Rule : Detect Spring Eval JSP taglib #55
• New Rule : JSTL out escapeXml=false #114

Fixed bugs:

• Path traversal false positives #113

Closed issues:

• mvn compile failing after adding findsecbugs-plugin #128
• Add methods for weak message digest #120
• How can I mark / exclude false positives? #116
• Missing taint sinks for Spring SQL injection #109
• Method arguments are not tainted if their derived summary is stored #106
• Push release 1.4.3 to upstream projects #101

Merged pull requests:

• Add detector for java object deserialization #127 (minlex)

The 1.4.3 can be summarized into less false positive and better coverage. Building on top of the new taint analysis engine introduce in the previous release, bugs fixes and enhancement were made to support more code patterns.

From 1.4.2 to 1.4.3, the false positive are moving from "Low" priority to hidden. If you are seeing sensible that are not flagged, you open an issue about it.

David Formanek of Y Soft is responsible of most (if not all) the taint analysis major improvements.

Full Changelog

Implemented enhancements:

• All Runtime.exec methods should be taint sinks #92
• Add coverage for LDAP injection #89
• Improve the detection of weak message digest #88
• Improve the detection in the use of old ciphers #87
• Insecure cookie #86
• Spring JDBC API #74
• JDBC api coverage #73
• False positive on Static IV when using Cipher.getIv() #62

Fixed bugs:

• Parametric taint state not changed when used as an argument of an unknown method #90
• Bad method summaries derived for complex flow #85
• Invalid taint modifications of local variables, when loaded from method summary #84
• Taint not transfered in chained call of StringBuilder.append #83
• Too many iterations bug #82
• Issue with constructor with List and array as parameter (Command injection detection) #80
• Fix DES detection #79
• EntityManager createQuery trips SECSQLIJPA even with safe usage #76
• The IV generation should only be verified for the encryption mode #64

Merged pull requests:

• Fixed incomplete candidate method for LDAP injections #94 (formanek)
• Added command injection sinks and CWE identifiers #93 (formanek)
• Improved taint analysis (several bugs fixed, refactoring) #91 (formanek)

This new release introduce absolutely no new detector. Nonetheless, it include major contributions from David Formanek of Y Soft regarding the new taint analysis. FindSecBugs now take advantage of FindBugs taint analysis engine.

What does it means for the user? This means that less false positive will be raise regarding injection vulnerabilities. We highly encourage users to update to this version to take advantage of these improvements. It should not remove any vulnerability that was found before. Open an issue if you see performance problems or side effects regarding those changes.

Thanks again to David who made this release possible.

Full Changelog

Implemented enhancements:

• Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14

Fixed bugs:

• Remove slash from XXE short message #68

Merged pull requests:

• Refactoring of classes for taint analysis #71 (formanek)
• Translate a message of HARD_CODE_KEY pattern. #70 (naokikimura)
• Taint sources locations added to bug reports #69 (formanek)
• Separated hard coded password and key reporting #67 (formanek)
• Taint sources and improved taint transfer #66 (formanek)
• Improved hardcoded passwords and key detector + taint analysis #63 (formanek)
• Allow analyze to set classpath entries #60 (mbmihura)
• website: corrected typos #59 (obilodeau)

Summary

This version introduce mostly adjustments to minor components including the logging, bug descriptions and online documentation.

Nonetheless, many new detectors found their way into this release. David Formánek has contributed a very interesting set of signatures to detect hardcoded password and cryptographic keys (#46). 34 new APIs are covered with this single contribution. If you have any problem with the new detector, fill an issue with problematic code sample. Even-thought it is an important addition, the contribution is well covered by the tests and should not cause any problems.

Another detector targeting hardcoded password was added. It identify OAuth secret that are static in Spring applications. (#57)

Full Changelog

Implemented enhancements:

• Detector hard coded Spring OAuth secret key #57
• Add CWE references to messages (few missing) #52
• Create a japanese page on the micro-website for the bug patterns #50
• NetBeans tutorial #45
• Update the documentation for Sonar Qube #44

Fixed bugs:

• XXE - reader False Positive #47
• Fix URLs in messages.xml #43
• CustomInjectionSource.properties not found #42

Closed issues:

• Create a tutorial for IntelliJ IDE #51

Merged pull requests:

• ECB and no integrity detection + tests #53 (formanek)
• Update messages_ja.xml #49 (naokikimura)
• Detector for hard coded passwords and cryptographic keys #46 (formanek)

Summary

This version introduce a new set of detectors targeted at Android mobile application. These detectors should not create any false positive on backend web application.

Few additions were made to the injections detectors. See the changelog detail below for more details.

The plugin is now tested against FindBugs 3.0.0.

Full Changelog

Implemented enhancements:

• Upgrade to findbugs 3.0.0 or higher. #37
• New Android Security detectors #39
  • External File Access (Android)
  • Broadcast (Android)
  • World Writable File (Android)
  • WebView with Geolocation Activated (Android)
  • WebView with Javascript Interface (Android)
• Move command injection to the main injection detector mecanism #33

Merged pull requests:

• Create messages_ja.xml #38 (naokikimura)
• Enable additional signatures to detector of injection #36 (naokikimura)

Summary

This release introduce no new detector. It include few bug fixes. The most important change is that injections are now rated to High severity.

Full Changelog

Implemented enhancements:

• Add supports for the new URL specification for bug reference #35
• Higher priority for injections #32
• Remove ESAPI references in messages #31

Fixed bugs:

• MethodUnprofitableException throwing could be suppressed #29
• CipherWithNoIntegrityDetector throws exception on algorithm-only cipher lookups #24

Merged pull requests:

• Copy all files in metadata folder #30 (jsotuyod)

Summary

This release improved the most risky API: XML Parsing and SQL query.

The messages associated to the discoveries will also more targeted.

Full Changelog

Implemented enhancements:

• XXE - Separate guidelines (XMLReader/SaxParser/DocumentParser) #27
• XXE - Avoid false positive when secure features are set. #26
• JDO Query - Potential Injections #23
• JDO PersistenceManager - Potential Injections #22
• Hibernate Restrictions API - Potential Injections #21