The SpotBugs plugin for security audits of Java web applications and Android applications. (It also works with Kotlin, Groovy and Scala projects.)
Special thanks to David Formanek for his significant contributions. He submitted his thesis on taint analysis two weeks ago, while this version was being released. A special thanks to Y Soft for believing in the idea of contributing to a community project.
Better taint analysis: The most important improvement of this release is the introduction of a tagging system in the taint analysis engine. This change was introduced by @formanek. It now supports the detection of escaping functions for various contexts (XSS, SQL injection, etc.).
Custom Signatures: The configuration of custom signatures was updated to a new format. If you were using this feature, make sure to convert your configuration to the new format. More information is available on the Wiki.
Japanese Messages: The Japanese messages are now officially deprecated, as many descriptions are missing for the Japanese language.
New Detectors: A new set of rules was added to find XSLT vulnerabilities. Security researchers will also be happy to find an automated deserialization gadget detector.
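To show why the escaping tags need to be context-specific, here is an added example (constructed for these notes, not the plugin's own code): the same HTML-escaped value is safe in an HTML context but must still be reported as tainted in a SQL context. The htmlEscape() helper is a hypothetical stand-in for an HTML encoder that, like some older library encoders, does not touch the single quote.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Illustration only: an escaping function is only a sanitizer for the context it was written for.
public class ContextAwareEscaping {

    // Hypothetical HTML text-context encoder; deliberately leaves ' and SQL metacharacters alone.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Safe: the escaped value is used in the HTML context its tag was granted for.
    static String renderGreeting(String userName) {
        return "<p>Hello, " + htmlEscape(userName) + "</p>";
    }

    // Still a SQL injection: HTML escaping leaves ' ; and -- intact, so a context-aware
    // taint engine must keep this value tainted for the SQL sink even though it is XSS-safe.
    static ResultSet findUserUnsafe(Connection c, String userName) throws SQLException {
        String sql = "SELECT * FROM users WHERE name = '" + htmlEscape(userName) + "'";
        return c.createStatement().executeQuery(sql);
    }

    // Hardened form: parameter binding, which the SQL context accepts regardless of content.
    static ResultSet findUser(Connection c, String userName) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, userName);
        return ps.executeQuery();
    }
}
```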
Implemented enhancements:
Fixed bugs:
Closed issues:
Many bug patterns have been added for this release (see Full Changelog below).
During this milestone, a few important documentation additions were made:
The support for Scala-specific bug patterns is starting slowly. We are looking for feedback from the community and potential ideas for bug patterns.
Implemented enhancements:
Fixed bugs:
Merged pull requests:
This release includes 7 new detectors, improvements to injection rules, improvements to taint analysis and a new standalone command line tool.
7 new detectors
Standalone client: The standalone CLI is a new packaging of existing features. For more information about using the new tool, visit the wiki page.
Implemented enhancements:
Fixed bugs:
Closed issues:
Merged pull requests:
Release 1.4.3 can be summarized as fewer false positives and better coverage. Building on top of the new taint analysis engine introduced in the previous release, bug fixes and enhancements were made to support more code patterns.
From 1.4.2 to 1.4.3, false positives are moving from "Low" priority to hidden. If you see sensitive code that is not flagged, open an issue about it.
David Formanek of Y Soft is responsible for most (if not all) of the major taint analysis improvements.
Implemented enhancements:
Fixed bugs:
Merged pull requests:
This new release introduces absolutely no new detectors. Nonetheless, it includes major contributions from David Formanek of Y Soft regarding the new taint analysis. FindSecBugs now takes advantage of the FindBugs taint analysis engine.
What does it mean for the user? Fewer false positives will be raised for injection vulnerabilities. We highly encourage users to update to this version to take advantage of these improvements. It should not remove any vulnerability that was found before. Open an issue if you see performance problems or side effects from these changes.
Thanks again to David who made this release possible.
Implemented enhancements:
Fixed bugs:
Merged pull requests:
This version introduces mostly adjustments to minor components, including logging, bug descriptions and online documentation.
Nonetheless, many new detectors found their way into this release. David Formánek has contributed a very interesting set of signatures to detect hardcoded passwords and cryptographic keys (#46). 34 new APIs are covered by this single contribution. If you have any problem with the new detector, file an issue with a problematic code sample. Even though it is an important addition, the contribution is well covered by the tests and should not cause any problems.
Another detector targeting hardcoded passwords was added. It identifies OAuth secrets that are static in Spring applications. (#57)
Implemented enhancements:
Fixed bugs:
Closed issues:
Merged pull requests:
This release introduces no new detectors. It includes a few bug fixes. The most important change is that injections are now rated at High severity.
Implemented enhancements:
Fixed bugs:
Merged pull requests:
This version introduces a new set of detectors targeted at Android mobile applications. These detectors should not create any false positives on backend web applications.
A few additions were made to the injection detectors. See the changelog details below for more information.
The plugin is now tested against FindBugs 3.0.0.
Implemented enhancements:
Merged pull requests: