New bug detectors (or important improvements)
- Mass assignment when using JPA or JDO entities
- Information leakage from JPA or JDO entities
- Permissive CORS header allowing all origins (new coverage for Spring CorsRegistry)
- Overly permissive file permissions (code doing the equivalent of chmod 777)
- Insecure SAML configuration affecting providers using the OpenSAML API
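The following Java snippet is an added illustration, not code from the Find Security Bugs project or its test samples. It shows the kind of pattern three of the new detectors target (mass assignment / entity leak, permissive CORS, chmod 777) next to a hardened form. It assumes Spring Boot with spring-web and JPA on the classpath; `Account`, `AccountForm`, the controller paths and the origin `https://app.example.com` are placeholders chosen for the example.

```java
// Added example (not from the Find Security Bugs project): patterns the
// 1.10.0 detectors aim at, each beside a safer form. Assumes Spring MVC + JPA.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

import javax.persistence.Entity;
import javax.persistence.Id;

import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Persisted model (placeholder name). Contains a field clients must never set.
@Entity
class Account {
    @Id public Long id;
    public String email;
    public boolean admin;   // privilege flag, server-controlled only
}

// Hypothetical DTO exposing only the fields a client may submit or read.
class AccountForm {
    public String email;
}

@RestController
class AccountController {
    // Mass assignment: binding request parameters straight onto the entity lets
    // a client send admin=true. Entity leak: returning the entity serializes
    // every persisted field, not just the ones meant for the client.
    @PostMapping("/account/unsafe")
    public Account saveUnsafe(@ModelAttribute Account account) {
        return account;
    }

    // Hardened: bind to the DTO, copy allowed fields explicitly, return the DTO.
    @PostMapping("/account")
    public AccountForm save(@ModelAttribute AccountForm form) {
        Account account = new Account();
        account.email = form.email;   // admin keeps its default (false)
        return form;
    }
}

// Permissive CORS: any origin may read responses from /api/**.
class CorsConfigUnsafe implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**").allowedOrigins("*");
    }
}

// Hardened: an explicit allow-list (origin is a placeholder for this example).
class CorsConfigHardened implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**").allowedOrigins("https://app.example.com");
    }
}

class FilePerms {
    // Overly permissive: rwxrwxrwx is the chmod 777 equivalent in java.nio.
    static void worldWritable(Path p) throws IOException {
        Files.setPosixFilePermissions(p, PosixFilePermissions.fromString("rwxrwxrwx"));
    }

    // Hardened: owner read/write only (chmod 600).
    static void ownerOnly(Path p) throws IOException {
        Files.setPosixFilePermissions(p, PosixFilePermissions.fromString("rw-------"));
    }
}
```

The two CORS configurations are separate classes on purpose: `CorsRegistry` keys mappings by path pattern, so registering the same pattern twice in one configurer would just overwrite the first entry rather than show both variants.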
This release is the result of various contributors: jie-lin, kulinacs, mkotyk, topolik, bananayong, nigredo-tori and thiyagu-7. With this 19th release, we reach 51 contributors.
A status update was published about Find Security Bugs' arrival in the OWASP family.
version-1.10.0 (2019-10-17)
Implemented enhancements:
- Fix code coverage badge + CI task #507
- Detect if authorisation is missing from a RequestMapping #473
- Support com/google/common/escape/Escaper as sanitizer #504
- http://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE #482
- Remove hard-coded "metadata" in FindBugsLauncher#buildFakePluginJar #479
- Add PathTraversalSinks for java/nio/file/Files API #476
- PATH_TRAVERSAL_IN detection #470
- Weak Permissions (chmod 777) #438
- Insecure SAML configuration in Spring #369
- Add configurable metadataFolder in FindBugsLauncher #480 (Kidlike)
- Add permissive CORS detector for CorsRegistration in Springboot #472 (Anemone95)
Fixed bugs:
- Integration with Ant Script #493
- Failed when build find-sec-bugs myself #379
- findsecbugs.sh has windows line breaks #516
- Unsupported class file major version 56 #512
- SpringEntityLeakDetector throws NPE #477
- local-variable-index-rewrite-bug #475 (topolik)
Closed issues:
- Unwrapping an encrypted key with non-random IV shouldn't trigger STATIC_IV #517
- False-positive in URLCONNECTION_SSRF_FD #505
- SQL Injection false positive with MessageFormat.format() #498
- Spring Entity Leak Detector for collections #495
- JSP Include with constant URL #481
Merged pull requests:
- Replace finally block with try resource sections. (Refactoring) #519 (h3xstream)
- Improve test coverage #515 (h3xstream)
- Update SpotBugs to 3.1.12 #513 (h3xstream)
- change package to "com.h3xstream.findsecbugs.xml" #510 (jie-lin)
- SSRF detector moved to the injection package #509 (h3xstream)
- Attempt to incorporate CodeCov with JaCocCo #507 #508 (h3xstream)
- jsp:include with constant path // SAML ignore comments set to false #499 (h3xstream)
- Rename findbugs-test-util to findsecbugs-test-util #497 (h3xstream)
- Small changes to documentation #494 (h3xstream)
- Fix typo in HTTPONLY_COOKIE description #492 (kulinacs)
- 190430-taint-method-propagation-II #490 (topolik)
- Unable to detect injections on older versions of Hibernate #489 (mkotyk)
- Fix typography on Spring Entity Leak description #485 (ArnaudLec)
- Fix NPE when interface has spring mvc annotations #478 (bananayong)
- Update SpotBugs dependency + others deps #471 (h3xstream)
- New submodule for JSP samples #469 (h3xstream)
- New module for Java samples #468 (h3xstream)
- Preparing the next dev version #467 (h3xstream)
- Release 1.9.0 #466 (h3xstream)
- Change STATIC_IV detector to properly handle key wrapping/unwrapping modes #518 (nigredo-tori)
- Supporting com/google/common/escape/Escaper as sanitizer #511 (thiyagu-7)
- Add support for separator #470 #506 (h3xstream)
- Overly permissive file permission #438 #502 (h3xstream)
- Handle MessageFormat.format properly when tracking variables #498 #501 (h3xstream)
- Improvement to information leakage and mass assignment detection #496 (h3xstream)