find-sec-bugs/find-sec-bugs version-1.12.0

Version 1.12.0 - Preventing the next Log4Shell

on GitHub

This release includes a lot of small fixes. See the auto-generated for the complete changes. From those, here are two notable improvements:

• Supports for JDK 17
• Important fixes regarding signatures' files (Bug with generic )

In late 2021, the library log4j version 2 was vulnerable to JDNI/LDAP "injection". The Log4j2 project has been using FSB (at least once). I later found out that we had a small signature issue that could have warned of the Context.lookup() method risks. #670 for more info.

What's Changed

• Version changes by @h3xstream in #615
• Add support for Vert.x web Oauth2 + CSRF handlers by @pmlopes in #621
• Add new detector for MODIFICATION_AFTER_VALIDATION by @baloghadamsoftware in #635
• Add new detector for NORMALIZATION_AFTER_VALIDATION by @baloghadamsoftware in #633
• Fix solution for XXE with TransformerFactory by @h3xstream in #641
• Quick fix for NormalizationAfterValidation by @baloghadamsoftware in #643
• Remove verbose logging from test case by @h3xstream in #644
• Add Paths.get(Uri) as source for Path traversal by @deepsan in #645
• New detector FindDangerousPermissionCombination for new bug type DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in #652
• Fix the examples in the documentation of DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in #654
• Fallback when classNameLength is too long #651 by @h3xstream in #653
• Update data in script generator by @h3xstream in #658
• Update test dependencies by @h3xstream in #659
• ReDOS detection for the Pattern annotation #426 by @h3xstream in #660
• Fix unescape tag #661 by @h3xstream in #662
• Correctly parse method signatures with generic types by @scottsteen in #669
• Fixing LDAP/JNDI sink method signature by @h3xstream in #670
• updated links to plugins on website by @winne42 in #671
• Add JDK17 support by @jlstephens89 in #672

New Contributors

• @baloghadamsoftware made their first contribution in #635
• @deepsan made their first contribution in #645
• @scottsteen made their first contribution in #669
• @winne42 made their first contribution in #671
• @jlstephens89 made their first contribution in #672

Full Changelog: version-1.11.0...version-1.12.0

>md5sum findsecbugs-cli-1.12.0.zip
3b27a4374ac89146574a6318cfc53529 *findsecbugs-cli-1.12.0.zip

>sha1sum findsecbugs-cli-1.12.0.zip
cc382af0fae095afa7d41eb14d105fb909d8bc5b *findsecbugs-cli-1.12.0.zip