Find Security Bugs is the SpotBugs plugin for security audits of Java web applications

Overview

OWASP Find Security Bugs


Find Security Bugs is the SpotBugs plugin for security audits of Java web applications.

Website : http://find-sec-bugs.github.io/

Main developers

Notable contributions

Project Sponsors

The development of Find Security Bugs is supported by GoSecure since 2016. The support includes the development of new detectors and the research for new vulnerability classes.


Screenshots

Eclipse

IntelliJ / Android Studio

SonarQube

License

This software is released under the LGPL.

Comments
  • EntityManager createQuery trips SECSQLIJPA even with safe usage

    Using the createQuery and createNativeQuery methods of a JPA EntityManager trips the SECSQLIJPA detector even if there are no tainted inputs.

    This class trips the detector for me:

    package findbugs.sample;
    
    import javax.persistence.EntityManager;
    import javax.persistence.PersistenceContext;
    import javax.persistence.Query;
    
    public class TestInjectionWithConstantString {
    
        @PersistenceContext
        private EntityManager entityManager;
    
        public void queryWithConstantString() {
            entityManager.createQuery("foo");
            entityManager.createNativeQuery("foo");
        }
    
    }
    
    bug 
    opened by ThrawnCA 23
  • Unsafe instructions iteration

    Hi,

    I've tried to integrate your plugin into the EAP findbugs tests in Jenkins, but then I got into some trouble. When I run the tests without the find-sec-bugs plugin, it ends with a couple of warnings, but when I run it with the plugin I get 42 analysis errors and a really long stack trace.

    I run the tests inside Jenkins and I use Findbugs in version 2.0.1. Find-sec-bugs is in version 1.2.1. Are there any version compatibility notes? Are these versions compatible?

    I also didn't find any settings recommendation. I've just put your plugin inside the Findbugs plugin directory. Does it need any additional settings?

    Here is the stack: https://drive.google.com/file/d/0ByAl3ieZYVnXRWZsbHB6UWFYaGM/view?usp=sharing

    Nov 03, 2014 5:20:56 AM edu.umd.cs.findbugs.TextUIBugReporter reportAnalysisError
    SEVERE: Oops
    edu.umd.cs.findbugs.ba.DataflowAnalysisException: Accessing TOP or BOTTOM frame!
        at edu.umd.cs.findbugs.ba.Frame.getStackValue(Frame.java:235)
        at edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.visitPUTFIELD(IsNullValueFrameModelingVisitor.java:323)
        at org.apache.bcel.generic.PUTFIELD.accept(PUTFIELD.java:79)
        at edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
        at edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.analyzeInstruction(IsNullValueFrameModelingVisitor.java:104)
        at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:326)
        at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:71)
    [...]
    

    Do you have any suggestions how to solve this?

    Regards, Lukas Kubik

    bug question 
    opened by lkubik 18
  • Android SQL Injection

    Hello,

    I am trying to detect SQL Injection in an Android application. Sample code: In MainActivity:

    	@Override
    	protected void onCreate(Bundle savedInstanceState) {
    	[...]
    		mDbManager = new DbManager(this);
    		btn.setOnClickListener(new OnClickListener() {
    			@Override
    			public void onClick(View v) {
    				if (mDbManager.isCorrect(login.getText().toString(), pass
    						.getText().toString())) {
    					[...]
    

    In DbManager (extends SQLiteOpenHelper):

    public boolean isCorrect(String login, String pass) {
        String sql = "user = '" + login + "' AND pass = '" + HashFncHelper.calcMd5(pass) + "'";
        Cursor c = db.query(TABLE_NAME, null, sql, null, null, null, null);
        return c.moveToFirst();
    }
    

    We can inject SQL, which is easily observed by entering the following login: ' or 1=1 -- and authorization is bypassed. I did it on emulator.

    So I try to detect it with Find Security Bugs CLI. I changed the script ./findsecbugs.sh:

    java -Dfindsecbugs.taint.customconfigfile=android-sql-injection-sinks.txt -cp findbugs/\* edu.umd.cs.findbugs.LaunchAppropriateUI -pluginList plugins/findsecbugs-plugin-1.4.6.jar:plugins/noUpdateChecks.jar -include include.xml $@

    And now I try this command:

    ./findsecbugs.sh -effort:max -longBugCodes -auxclasspath ~/Android/Sdk/platforms/android-23/ ~/app/

    and the file android-sql-injection-sinks.txt looks as such:

    android/database/sqlite/SQLiteDatabase.query(Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Landroid/database/sqlite/Cursor;:0,1,2,4,6

    But it is not working. Find Security Bugs doesn’t find that bug. Why?

    Link to the Android API: https://developer.android.com/reference/android/database/sqlite/SQLiteDatabase.html

    Functions: query, queryWithFactory, rawQuery, rawQueryWithFactory

    I would like to test at least the selection argument in those functions.

    bug enhancement question 
    opened by dawidppp 15
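The selection-string pattern from this post beside a parameterised version, as an added example that is not from the issue or the Find Security Bugs project; the class name, table name and hashing helper are assumed stand-ins. The comments note which argument indices of SQLiteDatabase.query a custom sink line such as the one above refers to.

```java
// Added example (not from the issue or the Find Security Bugs project).
// Assumptions: LoginRepository, TABLE_NAME and hashPassword are hypothetical
// stand-ins for the post's DbManager and HashFncHelper.calcMd5.
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class LoginRepository {
    private static final String TABLE_NAME = "users";
    private final SQLiteDatabase db;

    public LoginRepository(SQLiteDatabase db) {
        this.db = db;
    }

    // Vulnerable: login is concatenated into the `selection` argument
    // (index 2 of SQLiteDatabase.query), so quote characters in the login
    // become part of the WHERE clause. With index 2 listed in a custom sink
    // line, the taint from `login` reaches the sink here.
    public boolean isCorrectUnsafe(String login, String pass) {
        String selection = "user = '" + login + "' AND pass = '" + hashPassword(pass) + "'";
        try (Cursor c = db.query(TABLE_NAME, null, selection, null, null, null, null)) {
            return c.moveToFirst();
        }
    }

    // Hardened: the selection string is a constant with `?` placeholders and
    // the user data travels in `selectionArgs` (index 3), which SQLite binds
    // as values rather than SQL text. The sink line above lists 0,1,2,4,6
    // and not 3, so the tainted values no longer flow into a sink argument.
    public boolean isCorrect(String login, String pass) {
        String selection = "user = ? AND pass = ?";
        String[] selectionArgs = { login, hashPassword(pass) };
        try (Cursor c = db.query(TABLE_NAME, null, selection, selectionArgs, null, null, null)) {
            return c.moveToFirst();
        }
    }

    // Stand-in for the post's HashFncHelper.calcMd5: hex SHA-256 of the
    // password. A password-hashing KDF belongs here in production code.
    private static String hashPassword(String pass) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(pass.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```

A custom sink line has to match the method descriptor in the bytecode exactly; SQLiteDatabase.query returns android.database.Cursor, so its descriptor ends in `Landroid/database/Cursor;`.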
  • Implement a base detector to track specific calls (#211)

    This pull request is based on the enhancement proposition in #204.

    The BasicInstanceTrackingDetector can be used to track specific Invoke calls on object instances.

    When this detector is extended, you just have to specify the object instantiation instruction, the tracked calls and the reporting behavior. The detector allows you to track multiple instantiation instructions and calls (for instance, Cookie. and Library.CreateCookie could be used to track an object creation).

    I also changed the CookieFlagsDetector to test this new abstract detector and added some more test cases that the old version could not correctly identify.

    This Abstract detector is based solely on the cookie flags use case. Do not hesitate to ask for changes or to suggest improvements.

    enhancement 
    opened by MaxNad 14
  • CRLF injection CWE-117 does not detect request body parameters for jax-rs applications

    Consider this code:

    @Path("/")
    @POST
    public Response postStuff(DataClass data) {
           logger.info("Got {}", data.stuff);
           return Response.ok().build();
    }
    

    This is still vulnerable to CRLF injection, but is not detected.

    bug enhancement false-negative 
    opened by OskarKjellin 13
  • Can't resolve "Scala Play Server-Side Request Forgery (SSRF)"

    I'm getting a Scala Play Server-Side Request Forgery (SSRF) issue on my Scala project, and I can't figure out how to resolve the issue.

    We have a method that looks very much like the one in the report:

    def doGet(value:String) = Action {
       WS.url(value).get().map { response =>
           Ok(response.body)
       }
    }
    

    Solution/Countermeasures:

    • Don't accept request destinations from users
    • Accept a destination key, and use it to look up the target (legal) destination
    • White list URLs (if possible)
    • Validate that the beginning of the URL is part of a white list

    However, no matter what I do with the value parameter (I've tried quite a few things), I keep getting the error. Even if I hard-code the url (WS.url("https://www.google.com").get()) the error still comes up.

    How should I whitelist and/or validate the URL, as suggested in the countermeasures?

    bug question 
    opened by jqno 11
  • New detector for potential XML injection

    The new detector detects cases where an unsafe string is injected into an XML string. See: https://wiki.sei.cmu.edu/confluence/display/java/IDS16-J.+Prevent+XML+Injection

    opened by baloghadamsoftware 10
  • No detection of XSS vulnerabilities in JAX-RS methods

    We are comparing SonarQube with Find Bugs (and the Find Security Bugs rules) against a commercial competitor.

    The commercial competitor flags all typical JAX-RS REST methods with user input as potential XSS vulnerabilities, e.g.:

    @GET
    @Path("/{id}")
    public SomeEntity getOne(@Context RequestContext ctx, @PathParam("id") String id) {
     return dao.findExistingById(ctx, id);
    }
    

    with errors like

    Method getOne() at line 51 of SomeEntityResource.java gets user input for the id element. 
    This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method getOne() at line 51 of SomeEntityResource.java. This may enable a Cross-Site-Scripting Attack
    

    None of the Find Security Bugs rules flagged any of the JAX-RS resources with similar vulnerabilities.

    Should some JAX-RS specific rules be added?

    P.S. ALL the rules classified as "vulnerabilities" have been activated in SonarQube and we are running with the quality profile of "Find Bugs Security Audit".

    invalid question 
    opened by jacek99 10
  • New detector for SEI-CERT rule SEC02-J: Do not base security checks on untrusted sources

    A new detector that checks whether the same non-final method of a non-final class that comes from a user was called before the privileged action and inside it. Since neither the class nor the method is final, the user-provided class may override this method to behave in an unexpected way, bypassing security checks.

    opened by baloghadamsoftware 9
  • Detect if entity objects are being returned by controllers in Spring

    In Spring, developers often tend to return the entity object as the response in controllers, which may reveal sensitive information from the DB that wasn't really needed. Instead, a DTO (data transfer object) should be returned.

    enhancement 
    opened by karanb192 9
  • find security bugs does not scan groovy files

    In our project, we use both groovy and java classes. We are using the find-sec-bugs plugin 1.4.3 with FindBugs 3.0.1 to scan the source code.

    The security bugs from groovy classes are not reported by the plugin. Java classes are properly scanned. The following link clearly says the plugin works with groovy.

    https://github.com/h3xstream/find-sec-bugs

    For this testing, I copied the following vulnerable code from the below link, compiled the source code, and ran the scan on that.

    http://h3xstream.github.io/find-sec-bugs/bugs.htm

    String generateSecretToken() {
        Random r = new Random();
        return Long.toHexString(r.nextLong());
    }
    

    Additional Note:

    Used the FindBugs UI to scan the project. It uses the find-sec-bugs plugin and others. FindBugs UI properly scans both the groovy and java source code. The problem is with find-sec-bugs plugin. This plugin scans only the java code and it ignores the security bugs available in the groovy code.

    Related stackoverflow link:

    http://stackoverflow.com/questions/33116152/find-security-bugs-does-not-scan-groovy-files?noredirect=1#comment54388739_33116152

    question 
    opened by Nara-Rama 9
  • missing bug code for keySECXXEVAL

    Following error was thrown during my analysis:

    missing bug code for keySECXXEVAL

    I think short bug code is missing in messages.xml

    <BugCode abbrev="SECXXEVAL">XML validation vulnerable to XXE</BugCode>
    
    opened by skirge 0
  • Erroneous "`java.lang.ClassNotFoundException`: Exception while looking for class" errors

    Environment

    | Component   | Version |
    | ----------- | ------- |
    | Maven       | 3.8.6   |
    | Java        | 11.0.16 |
    | SpotBugs    | 4.7.2   |
    | FindSecBugs | 1.12.0  |

    Steps to reproduce

    1. Ensure Java 11 and Maven 3.8.6 are installed.
    2. Run git clone https://github.com/jenkins/jenkins.git && cd jenkins
    3. Run mvn clean verify -DskipTests -Dspotbugs.debug -Dspotbugs.trace '-Dspotbugs.jvmArgs=-Dorg.slf4j.simpleLogger.defaultLogLevel=debug'

    Expected results

    Note: These are the actual results when running SpotBugs core without Find Security Bugs.

    No "Missing class" errors should appear in the output, and no "The following classes needed for analysis were missing" message should be printed after running SpotBugs.

    Actual results

    Lots of "Missing class" exceptions are logged, for example:

         [java] [main] DEBUG edu.umd.cs.findbugs.AbstractBugReporter - Missing class
         [java] java.lang.ClassNotFoundException: Exception while looking for class makeConcatWithConstants
         [java]     at edu.umd.cs.findbugs.AnalysisCacheToRepositoryAdapter.loadClass(AnalysisCacheToRepositoryAdapter.java:94)
         [java]     at org.apache.bcel.Repository.lookupClass(Repository.java:65)
         [java]     at com.h3xstream.findsecbugs.injection.BasicInjectionDetector.getInjectionPoint(BasicInjectionDetector.java:79)
         [java]     at com.h3xstream.findsecbugs.injection.AbstractInjectionDetector.analyzeLocation(AbstractInjectionDetector.java:82)
         [java]     at com.h3xstream.findsecbugs.injection.AbstractTaintDetector.analyzeMethod(AbstractTaintDetector.java:126)
         [java]     at com.h3xstream.findsecbugs.injection.AbstractTaintDetector.visitClassContext(AbstractTaintDetector.java:79)
         [java]     at edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
         [java]     at edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
         [java]     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
         [java]     at edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
         [java]     at java.base/java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:242)
         [java]     at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
         [java]     at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
         [java]     at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
         [java]     at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
         [java] Caused by: edu.umd.cs.findbugs.classfile.MissingClassException: Resource not found: makeConcatWithConstants.class
         [java]     at edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine.analyze(ClassDataAnalysisEngine.java:60)
         [java]     at edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine.analyze(ClassDataAnalysisEngine.java:42)
         [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:261)
         [java]     at edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:61)
         [java]     at edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:38)
         [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:261)
         [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.getXClass(Hierarchy2.java:282)
         [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.getXClassFromDottedClassName(Hierarchy2.java:278)
         [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.findInvocationLeastUpperBound(Hierarchy2.java:146)
         [java]     at edu.umd.cs.findbugs.ba.Hierarchy2.findDeclaredExceptions(Hierarchy2.java:490)
         [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.computeThrownExceptionTypes(TypeAnalysis.java:910)
         [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.computeBlockExceptionSet(TypeAnalysis.java:731)
         [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.computeThrownExceptionTypes(TypeAnalysis.java:474)
         [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.transfer(TypeAnalysis.java:417)
         [java]     at edu.umd.cs.findbugs.ba.type.TypeAnalysis.transfer(TypeAnalysis.java:86)
         [java]     at edu.umd.cs.findbugs.ba.Dataflow.execute(Dataflow.java:378)
         [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.TypeDataflowFactory.analyze(TypeDataflowFactory.java:83)
         [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.TypeDataflowFactory.analyze(TypeDataflowFactory.java:43)
         [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
         [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
         [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.CFGFactory.analyze(CFGFactory.java:160)
         [java]     at edu.umd.cs.findbugs.classfile.engine.bcel.CFGFactory.analyze(CFGFactory.java:65)
         [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
         [java]     at edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
         [java]     at edu.umd.cs.findbugs.ba.ClassContext.getMethodAnalysis(ClassContext.java:1010)
         [java]     at edu.umd.cs.findbugs.ba.ClassContext.getMethodAnalysisNoDataflowAnalysisException(ClassContext.java:995)
         [java]     at edu.umd.cs.findbugs.ba.ClassContext.getCFG(ClassContext.java:301)
         [java]     at edu.umd.cs.findbugs.detect.FindUseOfNonSerializableValue.analyzeMethod(FindUseOfNonSerializableValue.java:143)
         [java]     at edu.umd.cs.findbugs.detect.FindUseOfNonSerializableValue.visitClassContext(FindUseOfNonSerializableValue.java:95)
         [java]     ... 9 more
         [java] Caused by: edu.umd.cs.findbugs.classfile.ResourceNotFoundException: Resource not found: makeConcatWithConstants.class
         [java]     at edu.umd.cs.findbugs.classfile.impl.ClassPathImpl.lookupResource(ClassPathImpl.java:162)
         [java]     at edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine.analyze(ClassDataAnalysisEngine.java:53)
         [java]     ... 37 more
    

    At the end of the SpotBugs invocation the following is printed:

         [java] Pass 2: Analyzing classes (2397 / 2397) - 100% completeDone with analysis
         [java] Analysis completed
         [java] The following classes needed for analysis were missing:
         [java]   makeConcatWithConstants
         [java]   accept
         [java]   apply
         [java]   test
         [java]   reportException
         [java]   save
         [java]   get
         [java]   call
         [java]   getString
         [java]   resolve
         [java]   check
         [java]   shouldRetry
         [java]   hash
         [java]   iterator
         [java]   compare
         [java]   execute
         [java]   run
         [java]   generateResponse
         [java]   weight
         [java]   applyAsInt
         [java]   visit
         [java]   loadUserByUsername
         [java]   authenticate
         [java]   uncaughtException
         [java]   isAllowed
         [java]   applyAsLong
    
    

    Note

    These errors do not occur with SpotBugs core, only when running Find Security Bugs.

    In all cases these look like method names, not class names, pointing to a bug in Find Security Bugs.

    opened by basil 0
  • Verbose source line locations report

    Hi,

    In some cases it is useful to get all the bytecode offsets find-sec-bugs is aware of that relate to a single source code line, for example when one would like to get context for a specific location in a line.

    We added a config flag that, once set, will skip the code that is responsible for keeping only one SourceLineAnnotation per line.

    opened by oxeye-gal 1
  • Adding workaround for JDK > 8 invokedynamic tainting

    Hi,

    We @oxeye created a possible workaround for this previously discussed issue:

    https://github.com/find-sec-bugs/find-sec-bugs/issues/575

    We are not 100% sure that this is the optimal solution for this issue, so we would love to get your feedback on this so we can address your observations.

    We also noticed that you have set the target version for fixing this issue for the next version (1.13 scheduled for December), is it still the due date?

    Thanks

    opened by oxeye-gal 1
  • Add CWE Taxonomy to SARIF Report

    Description

    The SARIF reports generated by FindSecurityBugs do not contain the Common Weakness Enumeration (CWE) taxonomy from MITRE.

    Adding the CWE Taxonomies into SARIF reports would make the SARIF report easier to understand for security practitioners already familiar with CWE.

    SARIF does support taxonomies in reports. For example, SARIF reports from the GoSec tool contain the MITRE CWE taxonomy.

    enhancement 
    opened by Jeeppler 5
Releases (version-1.12.0)
  • version-1.12.0 (Apr 11, 2022)

    This release includes a lot of small fixes. See the auto-generated for the complete changes. From those, here are two notable improvements:

    • Supports for JDK 17
    • Important fixes regarding signatures' files (Bug with generic )

    In late 2021, the library log4j version 2 was vulnerable to JNDI/LDAP "injection". The Log4j2 project has been using FSB (at least once). I later found out that we had a small signature issue that could have warned of the Context.lookup() method risks. See #670 for more info.


    What's Changed

    • Version changes by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/615
    • Add support for Vert.x web Oauth2 + CSRF handlers by @pmlopes in https://github.com/find-sec-bugs/find-sec-bugs/pull/621
    • Add new detector for MODIFICATION_AFTER_VALIDATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/635
    • Add new detector for NORMALIZATION_AFTER_VALIDATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/633
    • Fix solution for XXE with TransformerFactory by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/641
    • Quick fix for NormalizationAfterValidation by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/643
    • Remove verbose logging from test case by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/644
    • Add Paths.get(Uri) as source for Path traversal by @deepsan in https://github.com/find-sec-bugs/find-sec-bugs/pull/645
    • New detector FindDangerousPermissionCombination for new bug type DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/652
    • Fix the examples in the documentation of DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/654
    • Fallback when classNameLength is too long #651 by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/653
    • Update data in script generator by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/658
    • Update test dependencies by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/659
    • ReDOS detection for the Pattern annotation #426 by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/660
    • Fix unescape tag #661 by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/662
    • Correctly parse method signatures with generic types by @scottsteen in https://github.com/find-sec-bugs/find-sec-bugs/pull/669
    • Fixing LDAP/JNDI sink method signature by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/670
    • updated links to plugins on website by @winne42 in https://github.com/find-sec-bugs/find-sec-bugs/pull/671
    • Add JDK17 support by @jlstephens89 in https://github.com/find-sec-bugs/find-sec-bugs/pull/672

    New Contributors

    • @baloghadamsoftware made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/635
    • @deepsan made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/645
    • @scottsteen made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/669
    • @winne42 made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/671
    • @jlstephens89 made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/672

    Full Changelog: https://github.com/find-sec-bugs/find-sec-bugs/compare/version-1.11.0...version-1.12.0

    >md5sum findsecbugs-cli-1.12.0.zip
    3b27a4374ac89146574a6318cfc53529 *findsecbugs-cli-1.12.0.zip
    
    >sha1sum findsecbugs-cli-1.12.0.zip
    cc382af0fae095afa7d41eb14d105fb909d8bc5b *findsecbugs-cli-1.12.0.zip
    
  • version-1.11.0 (Nov 4, 2020)

    In this new release of Find Security Bugs (FSB), you'll find a few new detectors along with improvements to existing ones. Here is a summary of what to expect from this update.

    New detectors

    A new experimental detector was created to highlight Unicode issues. Its reports are shown only if you set the minimum confidence to Low (the default setting is Medium). For applications integrating Groovy, a new detector will find scripts being evaluated at runtime (analogous to eval functions in scripting languages). The Vert.x SQL API is now supported. Finally, hardcoded passwords in the JSch library are now detected.

    Java unsafe deserialization

    Deserialization detectors now support ObjectInput and ObjectInputStream. Thanks to @nichollt for the idea.

    HTTP Parameter Pollution (URL Injection)

    For applications making outbound HTTP requests, the recommended way to build a URI/URL is to use URIBuilder. This third-party class provides a DSL that behaves similarly to prepared statement APIs: every parameter passed to it is properly encoded. This allows FSB to remove the false positive with confidence.
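The two ways of building an outbound URL that this paragraph contrasts, as an added example that is not from the release notes or the Find Security Bugs project: string concatenation of a user-supplied value, and Apache HttpClient's URIBuilder. The base URL and the parameter name `q` are assumed for the demonstration.

```java
// Added example (not from the release notes or the Find Security Bugs project).
// Assumptions: BASE and the parameter name "q" are made up for the demo;
// URIBuilder is org.apache.http.client.utils.URIBuilder from HttpClient 4.x.
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.http.client.utils.URIBuilder;

public class OutboundUrlExample {
    private static final String BASE = "https://api.example.test/search";

    // Reported as HTTP parameter pollution: nothing encodes '&' or '=' in
    // userValue, so a value containing them adds extra query parameters
    // to the request instead of staying inside the single `q` value.
    public static String buildByConcat(String userValue) {
        return BASE + "?q=" + userValue;
    }

    // Not reported: each parameter is added separately and percent-encoded
    // by the builder, so delimiter characters in userValue remain data.
    public static URI buildWithUriBuilder(String userValue) throws URISyntaxException {
        return new URIBuilder(BASE)
                .addParameter("q", userValue)
                .build();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample input carrying both query delimiters.
        String input = "a&admin=true";
        System.out.println(buildByConcat(input));
        System.out.println(buildWithUriBuilder(input));
    }
}
```

Running main shows the concatenated form carrying two parameters while the URIBuilder form carries one `q` parameter with the delimiters percent-encoded.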

    StringSubstitutor

    StringSubstitutor / StrSubstitutor are now tracked properly for all injection detectors.

    SpotBugs 4.0.0

    This version is compatible with SpotBugs 4.0.0. The command line client (see attached package) includes the latest version.


    Full Changelog

    Implemented enhancements:

    • Scanning Kotlin doesn't work with gradle-plugin #598
    • HTTP parameter pollution False positive with URIBuilder (HTTPClient) #586
    • Improper handling of Unicode transformations #577
    • Add support for sort with -V in findsecbugs.sh #570
    • Java deserialization vulnerability not being discovered #563
    • False positive spring jdbctemplate SQL Injection #538
    • Detect hardcoded password for SSH private key #536
    • New Sink : Groovy Script Injection #483

    Fixed bugs:

    • EmptyStackException error #546
    • RuntimeException when processing static method #541
    • "Error: missing bug code for keySECEMA " in FindSecBugs 1.10.0 #526
    • Incompatibility with SpotBugs 4.0.0 #525
    • Missing commons-codec library #602

    Closed issues:

    • Restore Codecov integration #608
    • Restore Travis-CI on build on Pull Request #574
    • src/test/java/testcode/serial/ObjectDeserializationFalsePositive2.java:[10,8] error: no suitable constructor found for ASN1InputStream(no arguments) #557
    • How to remove “taint” for custom tld function? #555
    • java.lang.OutOfMemoryError: GC overhead limit exceeded #554
    • Enable 'Require HTTPS' on find-sec-bugs.github.io/ #544
    • False positive for unsafe comparison of hash that are susceptible to timing attack #558
    • SQL injection false positive when the source is an array. #529
    • String-value coming from an Enum causes SQL_INJECTION_JPA #491

    Merged pull requests:

    > md5sum findsecbugs-cli-1.11.0.zip
    241c1f9138ee903d9d9f5e7cd00a93bf *findsecbugs-cli-1.11.0.zip
    
    > sha1sum findsecbugs-cli-1.11.0.zip
    910f38b746257d62de33ca83f257426e74e02033 *findsecbugs-cli-1.11.0.zip
    
  • version-1.10.1 (Oct 29, 2019)

    This minor update is there to introduce a fix: https://github.com/find-sec-bugs/find-sec-bugs/issues/526

    A new detector Pebble template injection is also added. Thanks to @sa160690.

    Messages from many detectors were also updated. Multiple broken or outdated links were corrected. https://github.com/find-sec-bugs/find-sec-bugs/pull/528

    > sha1sum findsecbugs-cli-1.10.1.zip
    fad67bc6c31032dd3cf7419c1f4abe2376658757 *findsecbugs-cli-1.10.1.zip
    
    > md5sum findsecbugs-cli-1.10.1.zip
    1eecbef120b61e0ce4870c38fe28fccd *findsecbugs-cli-1.10.1.zip
    
  • version-1.10.0 (Oct 17, 2019)

    New bug detectors (or important improvements)

    • Mass-assignment when using JPA or JDO entities
    • Leakage from entity when using JPA or JDO entities
    • Permissive CORS header allowing all origin (New coverage for Spring CorsRegistry)
    • Overly permissive file permissions (code doing equivalent operation to chmod 777)
    • Insecure SAML configuration affecting provider using OpenSAML API

    This release is the result of various contributors: jie-lin, kulinacs, mkotyk, topolik, bananayong, nigredo-tori and thiyagu-7. With this 19th release, we are reaching 51 contributors.

    A status update was published about Find Security Bugs arrival in the OWASP family.

    version-1.10.0 (2019-10-17)

    Full Changelog

    Implemented enhancements:

    • Fix code coverage badge + CI task #507
    • Detect if authorisation is missing from a RequestMapping #473
    • Support com/google/common/escape/Escaper as sanitizer #504
    • http://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE #482
    • Remove hard-coded "metadata" in FindBugsLauncher#buildFakePluginJar #479
    • Add PathTraversalSinks for java/nio/file/Files API #476
    • PATH_TRAVERSAL_IN detection #470
    • Weak Permissions (chmod 777) #438
    • Insecure SAML configuration in Spring #369
    • Add configurable metadataFolder in FindBugsLauncher #480 (Kidlike)
    • Add permissive CORS detector for CorsRegistration in Springboot #472 (Anemone95)

    Fixed bugs:

    • Integration with Ant Script #493
    • Failed when build find-sec-bugs myself #379
    • findsecbugs.sh has windows line breaks #516
    • Unsupported class file major version 56 #512
    • SpringEntityLeakDetector throw s NPE #477
    • local-variable-index-rewrite-bug #475 (topolik)

    Closed issues:

    • Unwrapping an encrypted key with non-random IV shouldn't trigger STATIC_IV #517
    • False-positive in URLCONNECTION_SSRF_FD #505
    • SQL Injection false positive with MessageFormat.format() #498
    • Spring Entity Leak Detector for collections #495
    • JSP Include with constant URL #481

    Merged pull requests:

  • version-1.9.0 (Mar 28, 2019)

    The project is now an OWASP project. After 7 years of development, this transition was made mainly to reiterate the project goal which is to provide a solid static analyzer accessible to all Java developers. There is hope that this could increase the project visibility which means more users and also keep the flow of external contributions.

    For this release, the support for Kotlin was increased greatly thanks to mario-areias. An important bug fix was made for the Linux CLI. A few improvements were made to remove recurrent false positives related to XSS in JSP, deserialization and insecure ciphers.

    An effort was made at the end of this milestone to improve the descriptions. This effort will continue in the next releases. Don't hesitate to send a PR for any grammar errors or typos. Ref: complete descriptions and file to edit

    PS: I know that wasps (the OWASP mascot) are not the same as bees. 😆

    New contributors for this release

    (In order of contribution date)


    Full Changelog

    Implemented enhancements:

    • New Rule: Detect Information Exposure through printStackTrace() #356
    • detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
    • Detect if entity objects are being returned by controllers in Spring #454
    • Apache XML RPC setEnabledForExtensions(true) #418
    • False Positive XSS in Expression Language ${pageContext.request.contextPath} #399
    • False positive XSS when using OWASP taglib #353
    • Detect Commons lang Random utilities #243
    • New Rule: Use of setEscapeModelStrings in Wicket project #201
    • Extended PredictiveRandomDetector #437 (ManWhoLaughs)

    Fixed bugs:

    • Possible bug in DeserializationGadgetDetectorTest #408
    • [Error] Resource not found: java/lang/Object.class (Java 9) #365
    • detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
    • 1.8.0 findsecbugs.sh script errors #460
    • Version mismatch in the findsecbugs-cli sh script. #445
    • Test coverage for command injection for Kotlin #428
    • ECIES integrity false positive #417
    • Error while executing finsecbugs.sh on ubuntu #367
    • False positive: ASN1InputStream identify as ObjectInputStream #170

    Closed issues:

    • The following classes needed for analysis were missing for method names #440
    • false positive for CRLF_INJECTION_LOGS #425
    • Migrate from BCEL Constants interface to Const class #413
    • No class directories configured for FindBugs analysis error #412
    • Kotlin arrayOf considered safe #432
    • False Positive - JSTL Core accessing exported scoped variable storing the status of the iteration. #404

    Merged pull requests:

    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli-1.9.0-fix2.zip(5.14 MB)
  • version-1.8.0(Jun 28, 2018)

    While SQL injection is considered by many as a (mostly) solved problem, injection vulnerabilities remain relevant because of all the injections possible in other APIs receiving SpEL or OGNL expressions, HTML (XSS), SMTP headers or specialized query languages. In this release, new detectors and updates to old ones are likely to catch critical vulnerabilities that may lead to remote code execution or sensitive data exposure.

    Some modifications were made to support some edge cases of Kotlin. If you are a Kotlin developer, you should benefit greatly from this release. (Fix #387) (Tests #407, #409, #410)

    Many built-in Java XML APIs susceptible to XXE were added to existing detectors. #138

    Find Security Bugs is now automatically tested against Java 10. We will continue to compile the plugin with Java 8 to maximize compatibility.

    Thanks to the numerous contributors who have pushed changes that were integrated in this version:

    Full Changelog


    Implemented enhancements:

    • Detect SpelView (Spel Injection) #400
    • False positive STRUTS_FORM_VALIDATION issues for ActionForms with proper validate method #390
    • Kotlin support for hardcode password with Intrinsics.areEqual() #387
    • SMTP Header Injection #374
    • FileItem.getName() as a new source for XSS_SERVLET? #358
    • Detect hardcode password and hash based on variable name #342
    • Identify XSS cause by ServletOutputStream.print() #341
    • (Internal) Enable assertions during building and/or using find-sec-bugs #338
    • Add Paths.get() as source for Path traversal #324
    • Reduce false positive for Path traversal #291
    • CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240
    • [Documentation] - Add Table of Contents to Bug Patterns page #160
    • More XXE coverage #138
    • New implementation of CORS detector #313 #361 (bradflood)
    • fix for: Identify XSS cause by ServletOutputStream.print() #341 #355 (bradflood)
    • Optional API and improvement to crypto detector #350 (h3xstream)
    • Added some XXE Coverage for TransformerFactory #349 (MaxNad)
    • Add Java8 nio API for path traversal #324 #325 (h3xstream)

    Fixed bugs:

    • Path traversal: False positive with static final variable #382
    • NullPointerException in GoogleApiKeyDetector.visitClassContext #364
    • Images on Gradle Configuration documentation page show 'Please update your account' #337
    • PermissiveCORSDetector throws NPE #313
    • CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240

    Closed issues:

    • Crash with spotbugs 3.1.4 #406
    • Adding New Sinks #378
    • Add a new bug check "X-Frame-Options Header Not Set" #371
    • Invalid configuration for java/io/File#createTempFile in java-net.txt #328

    Merged pull requests:

    74a7fc48d07c50311e052fdf4c7ac0ee675876fa *findsecbugs-cli-1.8.0.zip

    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli-1.8.0.zip(5.19 MB)
  • version-1.7.1(Aug 9, 2017)

    SpotBugs' first stable release (3.1.0) is approaching. The build is now using SpotBugs rather than FindBugs. Nevertheless, Find Security Bugs will continue to be compatible with FindBugs as the API stays the same. If you don't migrate to SpotBugs, you will miss out on Java 8 compatibility.

    What's new in this release? Many new signatures (94 to be exact) have been added, including Android SQL APIs and Struts 2 APIs receiving OGNL expressions. Improvements have been made to the APIs affected by SSRF for Play as well as the J2EE API.

    Special thanks to the contributors of this release: @javabeanz, @topolik, @MaxNad, @dbaxa, @ln2v, @gredler, @dreis2211, @johnhawes, @obilodeau and @xsun12. Also thanks to @VinodAnandan for spotting a regression with the OWASP Benchmark project.


    Implemented enhancements:

    • OGNL injection #312
    • Generalize configuration properties with hard coded password #292
    • New rule: detect https connections with weak SSL / TLS protocol #283

    Closed issues:

    • URL decode create false-negative #322
    • CRLF_INJECTION_LOGS documentation typo #299
    • Run coveralls after each build #287

    Merged pull requests:

    • Fix URL decode create false-negative #322 #323 (h3xstream)
    • fixed out of date dependencies #321 (javabeanz)
    • SSRF and LFI using RequestDispatcher and URLConnection #319 (topolik)
    • Better fix of the Play 2.5.x SSRF detection (issue #307) #317 (MaxNad)
    • Few changes to messages.xml #316 (h3xstream)
    • OGNL injection + Android SQL injection + Migration from FindBugs to SpotBugs #309 (h3xstream)
    • Added the Play 2.5.x SSRF detection - Fixed issue #307 #308 (MaxNad)
    • Implement an unsafe jackson databind deserialization detector. #306 (dbaxa)
    • Fixed copy-paste slip-up in Scala code example #305 (ln2v)
    • Validate taint config class and method names as java identifiers #304 (topolik)
    • Test and quality improvements #301 (h3xstream)
    • Fix typo in documentation (fixes #299) #300 (gredler)
    • Fix typo in documentation #296 (dreis2211)
    • New detector HardcodePasswordInMapDetector #292 #293 (h3xstream)
    • Gradle build to generate the CLI version of FSB #290 (h3xstream)
    • Spring Unvalidated Redirect Detector #289 (johnhawes)
    • Fixed typos I encountered #288 (obilodeau)
    • Version 1.6.0 to 1.7.0 #286 (h3xstream)
    • Implement detector for weak SSL/TLS protocols #285 (xsun12)

    Hashes:

    dc733590c116fd2fb37fda434b76b7fecd90664456219cab5d135d73ca0467df *findsecbugs-cli-1.7.1.zip

    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli-1.7.1.zip(5.59 MB)
  • version-1.6.0(Mar 20, 2017)

    Most of the new detectors in this release are contributions from new developers, notably @plr0man, @ptamarit, @MaxNad and @edrdo.

    The new detectors are covering a wide range of vulnerability types. See the changelog below.

    In the news, a team of researchers from Google and Centrum Wiskunde & Informatica has executed a previously theoretical attack to find the first SHA-1 collision. If you think SHA-1 collisions can affect your application, you can look at the report of the bug Weak Message Digest SHA-1.

    version-1.6.0 (2017-03-15)

    Full Changelog

    Implemented enhancements:

    • Unexpected deserialization with RestEasy/Jersey #198
    • Turbine SQL Injection #238
    • Detect hardcoded password in unknown API #231
    • Malicious deserialization from LDAP entry #228
    • (Dev internal) Validate the configuration files automatically #158
    • Turbine SQL injections #253 (h3xstream)
    • Adding overly permissive CORS policy detector #248 (plr0man)
    • LDAP improvements #278 (h3xstream)
    • Add HTTP Parameter Pollution Injection Detector #267 (plr0man)
    • Add File Disclosure Injection detector #265 (plr0man)
    • Java source and target from 1.6 to 1.7 & API compatibility check #264 (ptamarit)
    • Add JavaBeans Property Injection detector #263 (plr0man)
    • Add Insecure SMTP SSL detector #259 (plr0man)
    • SQL Injection (CWE-89) - Scala Slick & Scala Anorm injection detectors #254 (MaxNad)
    • Add Url rewriting detector #252 (plr0man)
    • UNENCRYPTED_SERVER_SOCKET: use of java.net.ServerSocket #239 (edrdo)
    • Server Side Request Forgery (CWE 918) - Basic detector implementation #234 (MaxNad)

    Fixed bugs:

    • Out of bounds mutables in ... (Assertion triggered) #275
    • Force encoding to UTF-8 on windows when generating micro-website #232
    • Freemarker description fix #230
    • Bug fix of detection of bad cipher modes of operation and minor improvements #271 (formanek)

    Closed issues:

    • Find-sec-bugs maven plugin failed to execute #274
    • False negatives in detection of bad modes of operation #270
    • findbugs not working with Sonarqube 6.1 #235
    • Update JSP compiler #279

    Merged pull requests:

    • Remove duplicated word in README #282 (jwilk)
    • Update JSP compiler #281 (h3xstream)
    • Fix #275 #277 (h3xstream)
    • Add Format String Manipulation Injection Detector #266 (plr0man)
    • Travis improvements: batch mode and verify phase #262 (ptamarit)
    • Add AWS Query Injection detector #260 (plr0man)
    • Fix false negatives in InsufficientKeySizeRsaDetector #257 (plr0man)
    • Fix false negative SHA in WeakMessageDigestDetector #255 (plr0man)
    • Persistent cookie detector #251 (plr0man)
    • Anonymous LDAP Bind detector #250 (plr0man)
    • Fix Maven warnings (missing plugin version, relocation, proprietary API) #247 (ptamarit)
    • Adding ThreadLocalRandom detection #246 (plr0man)
    • Improve SpringMvcEndpointDetector by detecting new RequestMapping annotation shortcuts #244 (ptamarit)
    • Update plugins #279 #280 (h3xstream)
    • Spring CSRF: Protection Disabled & Unrestricted RequestMapping #261 (ptamarit)
    • (internal) Refactoring: Rename Summary to TaintConfig #258 (h3xstream)
    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli-1.6.0.zip(5.63 MB)
  • version-1.5.0(Oct 6, 2016)

    A couple of huge improvements are bundled in this release, including:

    • Better Scala support with a couple of new detectors (thanks to @MaxNad)
      • New Rule: Scala Path Traversal
      • New Rule: Sensitive data exposure in cookies
      • New Rule: XSS detection in Play Framework
      • ... and many other improvements
    • Huge set of small fixes and improvements (thanks to @topolik from Liferay) #214
    • New Rule: XXE with XMLStreamReader
    • New Rule: Template injection with Velocity and Freemarker
    • New Rule: XSS detection in Portlet

    These are the major new detectors, but, as usual, many more false-positive patterns are now recognized and avoided.

    Quick note on the version notation: the previous releases were made as minor versions (1.4.1-1.4.6) even though they included major improvements. It was never really a big concern because no major issue required fixing. This may have caused some confusion for some users. The release plan is still to keep moving forward and not maintain older versions. There should be no benefit to keeping an old version.

    version-1.5.0 (2016-10-06)

    Full Changelog

    Implemented enhancements:

    • Detect template usage (template injection) #227
    • Reduce the number of FP related to Trust Boundary Violation #226
    • XSS in Portlet #216
    • How to set findsecbugs.taint.customconfigfile through gradle? #215
    • Identify weak XML parser properties that could lead to XXE #209
    • Scala : XSS in twirl template #207
    • Scala: XSS in Play controller #206
    • XML parsing vulnerable to XXE (XMLReader) shortage #191
    • Path Traversal (CWE 22) - Scala Path Traversal injection sinks #223 (MaxNad)
    • Sensitive data exposure (CWE 200) - Sensitive data exposure in cookies #221 (MaxNad)
    • XSS (CWE 79) - Scala - The detector can be fooled when the .as("text/html") is in uppercase #208 (MaxNad)
    • Taint analysis bug fixes and improvements #214 (topolik)
    • Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
    • XSS (CWE 79) - Scala Play vulnerable code #203 (MaxNad)
    • CWE 200 (Information Exposure) - Scala Play vulnerable code #202 (MaxNad)

    Fixed bugs:

    • FP: sending local broadcasts via LocalBroadcastManager #224
    • False positive: ResourceBundle in JSP #213
    • Out of bounds mutables in static myclass$.()V #199
    • Issue #224 - Added an exception for the LocalBroadcastManager in the detector. #225 (MaxNad)
    • Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)

    Closed issues:

    • not to report null-pointer dereference if there is code that already throws RuntimeError #197
    • Release version 1.4.6 #195
    • Release 1.4.5 #159
    • Fix mix-content on micro-website #229

    Merged pull requests:

    • Custom config file method refactoring #218 (topolik)
    • Accept environment variables spelled with underscores #217 (kuhnmi)
    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli-1.5.0.zip(7.29 MB)
  • version-1.4.6(Jun 2, 2016)

    Special thanks to David Formanek for the significant contributions. He submitted his thesis on taint analysis two weeks ago, while this version was being released. Special thanks also to Y Soft for believing in the idea of contributing to a community project.

    Better taint analysis

    The most important improvement of this release is the introduction of a tagging system in the taint analysis engine. This change was introduced by @formanek. It now supports the detection of escaping functions for various contexts (XSS, SQL injection, etc.).

    Custom Signatures

    The configuration of custom signatures was updated to a new format. If you were using this feature, make sure to convert your configuration to the new format. More information is available on the Wiki.

    Japanese Messages

    The Japanese messages are now officially deprecated. There are a lot of missing descriptions for the Japanese language.

    New Detectors

    A new set of rules was added to find XSLT vulnerabilities. Security researchers will also be happy to find an automated deserialization gadget detector.

    version-1.4.6 (2016-06-02)

    Full Changelog

    Implemented enhancements:

    • Detect deserialization gadgets #189
    • CustomInjection issues #172
    • New Rule : XSLT processing detection #168
    • Update owasp.txt #188 (s-tikhomirov)
    • Correct japanese messages formatting #185 (marcosbento)
    • Support for sanitization using replace methods in String #171 (formanek)
    • Taint tags for injections, proper tag derivation, added and fixed summaries #169 (formanek)
    • Taint tags - support for taint sanitization (starting with XSS) #166 (formanek)
    • Fix typo in taint-config/java-lang.txt #157 (apasel422)

    Fixed bugs:

    • find-sec-bugs always claims "The following classes needed for analysis were missing" for enums #176
    • Memory leak in the tests #193
    • Test failure : Invalid VNA after location #192
    • java.util.ConcurrentModificationException during analysis #184
    • CustomInjection issues #172
    • FindSecBugs plugin crash in Intellij #167
    • Fixed exception, debug info to visitGETFIELD, formatting #156 (formanek)

    Closed issues:

    • No plugin support for findbugs4sbt #181
    • Fixing the build #180
    • Standalone execution #179
    • Make the test less verbose #194
    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli-1.4.6.zip(7.27 MB)
  • version-1.4.5(Jan 5, 2016)

    Many bug patterns have been added for this release (see Full Changelog below).

    During this milestone, a few important documentation additions were made:

    Support for Scala-specific bug patterns is starting slowly. We are looking for feedback from the community and, potentially, ideas for bug patterns.


    Full Changelog

    Implemented enhancements:

    • Play framework demo #154
    • New Rule : Scala Command injection #153
    • New Rule : Unvalidated redirect in Play Framework #152
    • New Rule : Additional coverage for predictable random generator in Scala #151
    • New Rule: Detect weak HostnameVerifier #150
    • Migrate the old XSS detector to the new TaintDetector mechanism #149
    • Support alternative bytecode for setEscapeXml="false" JSP (Weblogic appc) #148
    • (Dev internal) DSL for more intuitive method matching #147
    • New Rule : Missing HttpOnly flag on cookie #144
    • New Rule : Trust Boundary Violation #133
    • Taint analysis : Add taint parameters annotate (RequestParam, PathVariable, ..) #132
    • New Rule : EL Expression Injection #130
    • New Rule : XSS detector using the taint detector approach #129
    • (Dev internal) Debug info for taint value to allow troubleshooting of the stack #81
    • New Rule : Seam Logger usage could lead to remote code execution #56
    • New Rule: Detect SSL disabler (Java + Scala implementation) #34

    Fixed bugs:

    • Fix code block in description for multiple Bug Patterns: JSP_INCLUDE, JSP_SPRING_EVAL and JSP_JSTL_OUT #131
    • Hard coded keys false positive when loading bytes from FileInputStream #126
    • Description for weak digest need an update #119
    • Error scanning Scala code in IntelliJ #112

    Merged pull requests:

    • Change description of cryptography plus bad grammar #146 (mcwww)
    • Change to description #145 (mcwww)
    • Correct SonarQube product name #142 (agabrys)
    • Analysis of indirect subclasses of HttpServlet for XSS #137 (formanek)
    • Properly handle paths to files #136 (jsotuyod)
    • Fixed hard coded keys detector and out-of-bounds index in TaintAnalysis #135 (formanek)
    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli-1.4.5.zip(7.26 MB)
  • version-1.4.4(Nov 20, 2015)

    This release includes 7 new detectors, improvements to injection rules, improvements to taint analysis and a new standalone command line tool.

    7 new detectors

    • Detector for java object deserialization (Created by @minlex)
    • Detector for external control of configuration (Created by @formanek)
    • Detector for CRLF injection in logs (Created by @formanek)
    • Detector for HTTP response splitting (Created by @formanek)
    • Detect dynamic JSP Includes
    • Detect Spring Eval JSP taglib
    • JSTL out escapeXml=false

    Standalone client

    The standalone CLI is a new packaging of existing features. For more information about the usage of the new tool, visit the wiki page.


    Full Changelog

    Implemented enhancements:

    • Path traversal and Xpath injection detectors should use taint analysis #97
    • Detector for external control of configuration (CWE-15) #124
    • Detector for CRLF injection in logs (CWE-117) #123
    • Detector for HTTP response splitting #121
    • Improvements for JSP support #110
    • Missing taint sinks for LDAP Injection #105
    • New rule : Detect dynamic JSP Includes #104
    • Standalone command line tool to scan jars with or without the source #100
    • Better support for collections #99
    • Consider inheritance for method summaries #98
    • Refactor injection detectors #96
    • New Rule : Detect Spring Eval JSP taglib #55
    • New Rule : JSTL out escapeXml=false #114

    Fixed bugs:

    • Path traversal false positives #113

    Closed issues:

    • mvn compile failing after adding findsecbugs-plugin #128
    • Add methods for weak message digest #120
    • How can I mark / exclude false positives? #116
    • Missing taint sinks for Spring SQL injection #109
    • Method arguments are not tainted if their derived summary is stored #106
    • Push release 1.4.3 to upstream projects #101

    Merged pull requests:

    • Add detector for java object deserialization #127 (minlex)
    Source code(tar.gz)
    Source code(zip)
    findsecbugs-cli.zip(5.08 MB)
  • version-1.4.3(Sep 16, 2015)

    Release 1.4.3 can be summarized as fewer false positives and better coverage. Building on top of the new taint analysis engine introduced in the previous release, bug fixes and enhancements were made to support more code patterns.

    From 1.4.2 to 1.4.3, false positives move from "Low" priority to hidden. If you see sensitive code that is not flagged, please open an issue about it.

    David Formanek of Y Soft is responsible for most (if not all) of the major taint analysis improvements.


    Full Changelog

    Implemented enhancements:

    • All Runtime.exec methods should be taint sinks #92
    • Add coverage for LDAP injection #89
    • Improve the detection of weak message digest #88
    • Improve the detection in the use of old ciphers #87
    • Insecure cookie #86
    • Spring JDBC API #74
    • JDBC api coverage #73
    • False positive on Static IV when using Cipher.getIv() #62

    Fixed bugs:

    • Parametric taint state not changed when used as an argument of an unknown method #90
    • Bad method summaries derived for complex flow #85
    • Invalid taint modifications of local variables, when loaded from method summary #84
    • Taint not transferred in chained call of StringBuilder.append #83
    • Too many iterations bug #82
    • Issue with constructor with List and array as parameter (Command injection detection) #80
    • Fix DES detection #79
    • EntityManager createQuery trips SECSQLIJPA even with safe usage #76
    • The IV generation should only be verified for the encryption mode #64

    Merged pull requests:

    • Fixed incomplete candidate method for LDAP injections #94 (formanek)
    • Added command injection sinks and CWE identifiers #93 (formanek)
    • Improved taint analysis (several bugs fixed, refactoring) #91 (formanek)
    Source code(tar.gz)
    Source code(zip)
  • version-1.4.2(Aug 18, 2015)

    This new release introduces absolutely no new detectors. Nonetheless, it includes major contributions from David Formanek of Y Soft regarding the new taint analysis. FindSecBugs now takes advantage of the FindBugs taint analysis engine.

    What does it mean for the user? Fewer false positives will be raised for injection vulnerabilities. We highly encourage users to update to this version to take advantage of these improvements. It should not remove any vulnerability that was found before. Open an issue if you see performance problems or side effects from these changes.

    Thanks again to David who made this release possible.


    Full Changelog

    Implemented enhancements:

    • Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14

    Fixed bugs:

    • Remove slash from XXE short message #68

    Merged pull requests:

    • Refactoring of classes for taint analysis #71 (formanek)
    • Translate a message of HARD_CODE_KEY pattern. #70 (naokikimura)
    • Taint sources locations added to bug reports #69 (formanek)
    • Separated hard coded password and key reporting #67 (formanek)
    • Taint sources and improved taint transfer #66 (formanek)
    • Improved hardcoded passwords and key detector + taint analysis #63 (formanek)
    • Allow analyze to set classpath entries #60 (mbmihura)
    • website: corrected typos #59 (obilodeau)
    Source code(tar.gz)
    Source code(zip)
  • version-1.4.1(May 30, 2015)

    Summary

    This version introduces mostly adjustments to minor components, including the logging, bug descriptions and online documentation.

    Nonetheless, many new detectors found their way into this release. David Formánek has contributed a very interesting set of signatures to detect hardcoded passwords and cryptographic keys (#46). 34 new APIs are covered by this single contribution. If you have any problem with the new detector, file an issue with a problematic code sample. Even though it is an important addition, the contribution is well covered by the tests and should not cause any problems.

    Another detector targeting hardcoded passwords was added. It identifies OAuth secrets that are static in Spring applications (#57).


    Full Changelog

    Implemented enhancements:

    • Detector hard coded Spring OAuth secret key #57
    • Add CWE references to messages (few missing) #52
    • Create a japanese page on the micro-website for the bug patterns #50
    • NetBeans tutorial #45
    • Update the documentation for Sonar Qube #44

    Fixed bugs:

    • XXE - reader False Positive #47
    • Fix URLs in messages.xml #43
    • CustomInjectionSource.properties not found #42

    Closed issues:

    • Create a tutorial for IntelliJ IDE #51

    Merged pull requests:

    Source code(tar.gz)
    Source code(zip)
  • version-1.4.0(Apr 20, 2015)

    Summary

    This version introduces a new set of detectors targeted at Android mobile applications. These detectors should not create any false positives on backend web applications.

    A few additions were made to the injection detectors. See the changelog below for details.

    The plugin is now tested against FindBugs 3.0.0.


    Full Changelog

    Implemented enhancements:

    Merged pull requests:

    Source code(tar.gz)
    Source code(zip)
  • version-1.3.1(Apr 20, 2015)

    Summary

    This release introduces no new detectors. It includes a few bug fixes. The most important change is that injections are now rated at High severity.


    Full Changelog

    Implemented enhancements:

    • Add support for the new URL specification for bug reference #35
    • Higher priority for injections #32
    • Remove ESAPI references in messages #31

    Fixed bugs:

    • MethodUnprofitableException throwing could be suppressed #29
    • CipherWithNoIntegrityDetector throws exception on algorithm-only cipher lookups #24

    Merged pull requests:

    Source code(tar.gz)
    Source code(zip)
  • version-1.3.0(Apr 20, 2015)

    Summary

    This release improves the most risky APIs: XML parsing and SQL queries.

    The messages associated with the findings are also more targeted.


    Full Changelog

    Implemented enhancements:

    • XXE - Separate guidelines (XMLReader/SaxParser/DocumentParser) #27
    • XXE - Avoid false positive when secure features are set. #26
    • JDO Query - Potential Injections #23
    • JDO PersistenceManager - Potential Injections #22
    • Hibernate Restrictions API - Potential Injections #21
    Source code(tar.gz)
    Source code(zip)