Find Sec Bugs Versions

The SpotBugs plugin for security audits of Java web applications and Android applications. (It also works with Kotlin, Groovy and Scala projects.)

version-1.4.6

7 years ago

Special thanks to David Formanek for his significant contributions. He submitted his thesis on taint analysis two weeks ago, while this version was being prepared. Special thanks also to Y Soft for believing in the idea of contributing to a community project.

Better taint analysis

The most important improvement of this release is the introduction of a tagging system in the taint analysis engine. This change was introduced by @formanek. It now supports the detection of escaping functions for various contexts (XSS, SQL injection, etc.).

Custom Signatures

The configuration of custom signatures was updated to a new format. If you were using this feature, make sure to convert your configuration to the new format. More information is available on the Wiki.

Japanese Messages

The Japanese messages are now officially deprecated. Many descriptions are missing for the Japanese language.

New Detectors

A new set of rules was added to find XSLT vulnerabilities. Security researchers will also be happy to find an automated deserialization gadget detector.

version-1.4.6 (2016-06-02)

Full Changelog

Implemented enhancements:

  • Detect deserialization gadgets #189
  • CustomInjection issues #172
  • New Rule : XSLT processing detection #168
  • Update owasp.txt #188 (s-tikhomirov)
  • Correct japanese messages formatting #185 (marcosbento)
  • Support for sanitization using replace methods in String #171 (formanek)
  • Taint tags for injections, proper tag derivation, added and fixed summaries #169 (formanek)
  • Taint tags - support for taint sanitization (starting with XSS) #166 (formanek)
  • Fix typo in taint-config/java-lang.txt #157 (apasel422)

Fixed bugs:

  • find-sec-bugs always claims "The following classes needed for analysis were missing" for enums #176
  • Memory leak in the tests #193
  • Test failure : Invalid VNA after location #192
  • java.util.ConcurrentModificationException during analysis #184
  • CustomInjection issues #172
  • FindSecBugs plugin crash in Intellij #167
  • Fixed exception, debug info to visitGETFIELD, formatting #156 (formanek)

Closed issues:

  • No plugin support for findbugs4sbt #181
  • Fixing the build #180
  • Standalone execution #179
  • Make the test less verbose #194

version-1.4.5

8 years ago

Many bug patterns have been added for this release (see Full Changelog below).

During this milestone, a few important documentation additions were made:

Support for Scala-specific bug patterns is starting slowly. We are looking for feedback from the community and, potentially, ideas for new bug patterns.


Full Changelog

Implemented enhancements:

  • Play framework demo #154
  • New Rule : Scala Command injection #153
  • New Rule : Unvalidated redirect in Play Framework #152
  • New Rule : Additional coverage for predictable random generator in Scala #151
  • New Rule: Detect weak HostnameVerifier #150
  • Migrate the old XSS detector to the new TaintDetector mecanism #149
  • Support alternative bytecode for setEscapeXml="false" JSP (Weblogic appc) #148
  • (Dev internal) DSL for more intuitive method matching #147
  • New Rule : Missing HttpOnly flag on cookie #144
  • New Rule : Trust Boundary Violation #133
  • Taint analysis : Add taint parameters annotate (RequestParam, PathVariable, ..) #132
  • New Rule : EL Expression Injection #130
  • New Rule : XSS detector using the taint detector approach #129
  • (Dev internal) Debug info for taint value to allow troubleshooting of the stack #81
  • New Rule : Seam Logger usage could lead to remote code execution #56
  • New Rule: Detect SSL disabler (Java + Scala implementation) #34

Fixed bugs:

  • Fix code bloc in description for multiples Bug Patterns : JSP_INCLUDE, JSP_SPRING_EVAL and JSP_JSTL_OUT #131
  • Hard coded keys false positive when loading bytes from FileInputStream #126
  • Description for weak digest need an update #119
  • Error scanning Scala code in IntelliJ #112

Merged pull requests:

  • Change description of cryptography plus bad grammar #146 (mcwww)
  • Change to description #145 (mcwww)
  • Correct SonarQube product name #142 (agabrys)
  • Analysis of indirect subclasses of HttpServlet for XSS #137 (formanek)
  • Properly handle paths to files #136 (jsotuyod)
  • Fixed hard coded keys detector and out-of-bounds index in TaintAnalysis #135 (formanek)

version-1.4.4

8 years ago

This release includes 7 new detectors, improvements to the injection rules, improvements to taint analysis and a new standalone command line tool.

7 new detectors

  • Detector for java object deserialization (Created by @minlex)
  • Detector for external control of configuration (Created by @formanek)
  • Detector for CRLF injection in logs (Created by @formanek)
  • Detector for HTTP response splitting (Created by @formanek)
  • Detect dynamic JSP Includes
  • Detect Spring Eval JSP taglib
  • JSTL out escapeXml=false

Standalone client

The standalone CLI is a new packaging of existing features. For more information about the usage of the new tool, visit the wiki page.


Full Changelog

Implemented enhancements:

  • Path traversal and Xpath injection detectors should use taint analysis #97
  • Detector for external control of configuration (CWE-15) #124
  • Detector for CRLF injection in logs (CWE-117) #123
  • Detector for HTTP response splitting #121
  • Improvements for JSP support #110
  • Missing taint sinks for LDAP Injection #105
  • New rule : Detect dynamic JSP Includes #104
  • Standalone command line tool to scan jars with or without the source #100
  • Better support for collections #99
  • Consider inheritance for method summaries #98
  • Refactor injection detectors #96
  • New Rule : Detect Spring Eval JSP taglib #55
  • New Rule : JSTL out escapeXml=false #114

Fixed bugs:

  • Path traversal false positives #113

Closed issues:

  • mvn compile failing after adding findsecbugs-plugin #128
  • Add methods for weak message digest #120
  • How can I mark / exclude false positives? #116
  • Missing taint sinks for Spring SQL injection #109
  • Method arguments are not tainted if their derived summary is stored #106
  • Push release 1.4.3 to upstream projects #101

Merged pull requests:

  • Add detector for java object deserialization #127 (minlex)

version-1.4.3

8 years ago

Release 1.4.3 can be summarized as fewer false positives and better coverage. Building on the new taint analysis engine introduced in the previous release, bug fixes and enhancements were made to support more code patterns.

From 1.4.2 to 1.4.3, false positives move from "Low" priority to hidden. If you see sensitive code that is not flagged, open an issue about it.

David Formanek of Y Soft is responsible for most (if not all) of the major taint analysis improvements.


Full Changelog

Implemented enhancements:

  • All Runtime.exec methods should be taint sinks #92
  • Add coverage for LDAP injection #89
  • Improve the detection of weak message digest #88
  • Improve the detection in the use of old ciphers #87
  • Insecure cookie #86
  • Spring JDBC API #74
  • JDBC api coverage #73
  • False positive on Static IV when using Cipher.getIv() #62

Fixed bugs:

  • Parametric taint state not changed when used as an argument of an unknown method #90
  • Bad method summaries derived for complex flow #85
  • Invalid taint modifications of local variables, when loaded from method summary #84
  • Taint not transfered in chained call of StringBuilder.append #83
  • Too many iterations bug #82
  • Issue with constructor with List and array as parameter (Command injection detection) #80
  • Fix DES detection #79
  • EntityManager createQuery trips SECSQLIJPA even with safe usage #76
  • The IV generation should only be verified for the encryption mode #64

Merged pull requests:

  • Fixed incomplete candidate method for LDAP injections #94 (formanek)
  • Added command injection sinks and CWE identifiers #93 (formanek)
  • Improved taint analysis (several bugs fixed, refactoring) #91 (formanek)

version-1.4.2

8 years ago

This new release introduces absolutely no new detectors. Nonetheless, it includes major contributions from David Formanek of Y Soft regarding the new taint analysis. FindSecBugs now takes advantage of the FindBugs taint analysis engine.

What does it mean for the user? Fewer false positives will be raised for injection vulnerabilities. We highly encourage users to update to this version to take advantage of these improvements. It should not remove any vulnerability that was found before. Open an issue if you see performance problems or side effects from these changes.

Thanks again to David who made this release possible.


Full Changelog

Implemented enhancements:

  • Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14

Fixed bugs:

  • Remove slash from XXE short message #68

Merged pull requests:

  • Refactoring of classes for taint analysis #71 (formanek)
  • Translate a message of HARD_CODE_KEY pattern. #70 (naokikimura)
  • Taint sources locations added to bug reports #69 (formanek)
  • Separated hard coded password and key reporting #67 (formanek)
  • Taint sources and improved taint transfer #66 (formanek)
  • Improved hardcoded passwords and key detector + taint analysis #63 (formanek)
  • Allow analyze to set classpath entries #60 (mbmihura)
  • website: corrected typos #59 (obilodeau)

version-1.4.1

8 years ago

Summary

This version mostly introduces adjustments to minor components, including logging, bug descriptions and the online documentation.

Nonetheless, many new detectors found their way into this release. David Formánek has contributed a very interesting set of signatures to detect hardcoded passwords and cryptographic keys (#46). 34 new APIs are covered by this single contribution. If you have any problem with the new detector, file an issue with a problematic code sample. Even though it is an important addition, the contribution is well covered by the tests and should not cause any problems.

Another detector targeting hardcoded passwords was added. It identifies OAuth secrets that are static in Spring applications (#57).


Full Changelog

Implemented enhancements:

  • Detector hard coded Spring OAuth secret key #57
  • Add CWE references to messages (few missing) #52
  • Create a japanese page on the micro-website for the bug patterns #50
  • NetBeans tutorial #45
  • Update the documentation for Sonar Qube #44

Fixed bugs:

  • XXE - reader False Positive #47
  • Fix URLs in messages.xml #43
  • CustomInjectionSource.properties not found #42

Closed issues:

  • Create a tutorial for IntelliJ IDE #51

Merged pull requests:

version-1.3.0

9 years ago

Summary

This release improved detection for the riskiest APIs: XML parsing and SQL queries.

The messages associated with the findings are also more targeted.


Full Changelog

Implemented enhancements:

  • XXE - Separate guidelines (XMLReader/SaxParser/DocumentParser) #27
  • XXE - Avoid false positive when secure features are set. #26
  • JDO Query - Potential Injections #23
  • JDO PersistenceManager - Potential Injections #22
  • Hibernate Restrictions API - Potential Injections #21

version-1.3.1

9 years ago

Summary

This release introduces no new detectors. It includes a few bug fixes. The most important change is that injections are now rated at High severity.


Full Changelog

Implemented enhancements:

  • Add supports for the new URL specification for bug reference #35
  • Higher priority for injections #32
  • Remove ESAPI references in messages #31

Fixed bugs:

  • MethodUnprofitableException throwing could be suppressed #29
  • CipherWithNoIntegrityDetector throws exception on algorithm-only cipher lookups #24

Merged pull requests:

version-1.4.0

9 years ago

Summary

This version introduces a new set of detectors targeted at Android mobile applications. These detectors should not create any false positives on backend web applications.

A few additions were made to the injection detectors. See the changelog below for details.

The plugin is now tested against FindBugs 3.0.0.


Full Changelog

Implemented enhancements:

Merged pull requests: