In this new release of Find Security Bugs (FSB), you'll find few new detectors long with improvement to existing ones. Here is a summary of what to expect from this update.
New detectors
A new experimental detector was created to highlight Unicode issue. Its report are shown only if you set the minimum confidence to Low (default setting is Medium).
For applications integrating Groovy, a new detectors will find scripts being evaluate at runtime (analog to eval functions in scripting languages).
Vert.x SQL api are now supported.
Finally, Hardcoded passwords in JSch library are now detected.
Java unsafe deserialization
Deserialization detectors now support ObjectInput
and ObjectInputStream
. Thanks to @nichollt for the idea.
HTTP Parameter Pollution (URL Injection)
For application making outbound HTTP request, the recommended way to build URI/URL is to use the URIBuilder. This third party class provided a DSL that will behave similarly to prepare statements APIs. All parameters pass to this DSL is properly encoded. This allows FSB to remove false positive with confidence.
StringSubstitutor
StringSubstitutor / StrSubstitutor are now tracked properly for all injection detectors.
SpotBugs 4.0.0
This version is compatible with SpotBugs 4.0.0. The command line client (see attached package) is including the latest version.
Implemented enhancements:
- Scanning Kotlin doesnt work with gradle-plugin #598
- HTTP parameter pollution False positive with URIBuilder (HTTPClient) #586
- Improper handling of Unicode transformations #577
- Add support for sort with -V in findsecbugs.sh #570
- Java deserialization vulnerability not being discovered #563
- False positive spring jdbctemplate SQL Injection #538
- Detect hardcoded password for SSH private key #536
- New Sink : Groovy Script Injection #483
Fixed bugs:
- EmptyStackException error #546
- RuntimeException when processing static method #541
- "Error: missing bug code for keySECEMA " in FindSecBugs 1.10.0 #526
- Incompatibility with SpotBugs 4.0.0 #525
- Missing commons-codec library #602
Closed issues:
- Restore Codecov integration #608
- Restore Travis-CI on build on Pull Request #574
- src/test/java/testcode/serial/ObjectDeserializationFalsePositive2.java:[10,8] error: no suitable constructor found for ASN1InputStream(no arguments) #557
- How to remove “taint” for custom tld function? #555
- java.lang.OutOfMemoryError: GC overhead limit exceeded #554
- Enable 'Require HTTPS' on find-sec-bugs.github.io/ #544
- False positive for unsafe comparison of hash that are susceptible to timing attack #558
- SQL injection false positive when the source is an array. #529
- String-value coming from an Enum causes SQL_INJECTION_JPA #491
Merged pull requests:
- Enable CodeQL Security Scan #610 (VinodAnandan)
- Attempt to export JaCoCo coverage file #608 #609 (h3xstream)
- Remove dependency to commons-codec #602 #607 (h3xstream)
- Add solution to LDAP Injection #599 (Marx314)
- Minor documentation and fixes #594 (h3xstream)
- Change to GH Action #593 (h3xstream)
- Less verbose output for test cases #592 (h3xstream)
- Fix verify build in Github Action #591 (h3xstream)
- A couple of fixes for Github Action #590 (h3xstream)
- GitHub Action - Test for #588 #589 (h3xstream)
- Test case to reproduce Enum in injection #491 #583 (h3xstream)
- Test case to reproduce #529 #582 (h3xstream)
- Add test case OOB Local variable assertion for #556 #581 (h3xstream)
- Attempt to reduce potential false positive #577 #580 (h3xstream)
- Change --version-list to -V #573 (h3xstream)
- Remove Nullable annotation not available in OpenJDK according to build #569 (h3xstream)
- Missing class for #563 (Fix build) #568 (h3xstream)
- Update Jquery to 3.5.1 (Make dependabot happy) #567 (h3xstream)
- Update Japanese messages #532 (orihalcon128)
- Introduce a properties file to avoid repeating the versions #530 (h3xstream)
- Fix links in the messages #528 (h3xstream)
- New samples with StringSubstitutor were added #538 #604 (h3xstream)
- Implement support for UriBuilder (HttpClient) #586 #587 (h3xstream)
- Few additions for 1.11.0 #579 (h3xstream)
- Initial version of a Vert.x Sql Client detector #576 (pmlopes)
- New detector for Jsch addition #572 (h3xstream)
- Add support for ObjectInput.readObject() for deserialization vuln #563 #566 (h3xstream)
- Add exception for the keyword share #558 #565 (h3xstream)
- SCRIPT_ENGINE_INJECTION and TEMPLATE_INJECTION_VELOCITY: typo/grammar fix #561 (boyarsky)
- 541 RuntimeException when processing static method #552 (topolik)
- Add example for sql_injection_spring_jdbc with annotation #551 (Marx314)
> md5sum findsecbugs-cli-1.11.0.zip
241c1f9138ee903d9d9f5e7cd00a93bf *findsecbugs-cli-1.11.0.zip
> sha1sum findsecbugs-cli-1.11.0.zip
910f38b746257d62de33ca83f257426e74e02033 *findsecbugs-cli-1.11.0.zip