github find-sec-bugs/find-sec-bugs version-1.6.0
Version 1.6.0 - Post SHA-1 Era


Most of the new detectors in this release are contributions from new developers, notably @plr0man, @ptamarit, @MaxNad and @edrdo.

The new detectors cover a wide range of vulnerability types. See the changelog below.

In the news, a team of researchers from Google and Centrum Wiskunde & Informatica (CWI) has carried out what had until now been a theoretical attack and produced the first SHA-1 collision: two distinct inputs with the same SHA-1 digest. If you think SHA-1 collisions can affect your application (anywhere a digest stands in for the content it was computed over, such as signatures, integrity checks or content-addressed storage), look at the report for the bug pattern Weak Message Digest SHA-1 (WEAK_MESSAGE_DIGEST_SHA1).
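The following is an added example, not code from find-sec-bugs, showing the kind of code the Weak Message Digest SHA-1 pattern is meant to catch and why a collision matters to it: a small content-addressed store that keys blobs by their digest and later verifies a blob against a recorded key. The class name `ContentStore` and the helper names `weakKey`, `strongKey` and `verify` are assumptions made for this example; the colliding inputs published by the researchers are not embedded here, so the program only demonstrates the code shape and the fix, not an actual collision.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Added example (not find-sec-bugs code). A store that identifies content by
// its digest relies on collision resistance: if two different blobs share a
// key, one can be substituted for the other without the key changing.
public final class ContentStore {
    private final Function<byte[], String> keyFunction;
    private final Map<String, byte[]> blobs = new HashMap<>();

    public ContentStore(Function<byte[], String> keyFunction) {
        this.keyFunction = keyFunction;
    }

    // Vulnerable variant: find-sec-bugs reports WEAK_MESSAGE_DIGEST_SHA1 on
    // this MessageDigest.getInstance("SHA-1") call.
    static String weakKey(byte[] content) {
        return hex(digest("SHA-1", content));
    }

    // Fixed variant: SHA-256 has no known collisions.
    static String strongKey(byte[] content) {
        return hex(digest("SHA-256", content));
    }

    // Stores the blob under its digest and returns that key. First writer wins,
    // so a later blob with the same digest silently dedupes to the first one.
    public String put(byte[] content) {
        String key = keyFunction.apply(content);
        blobs.putIfAbsent(key, content);
        return key;
    }

    public byte[] get(String key) {
        return blobs.get(key);
    }

    // Checks a blob against a previously recorded key. With SHA-1, an attacker
    // who can produce two colliding documents gets the benign one recorded and
    // the malicious one accepted here. MessageDigest.isEqual compares in
    // constant time, so the comparison itself does not leak the key.
    public boolean verify(byte[] content, String expectedKey) {
        byte[] actual = keyFunction.apply(content).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedKey.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expected);
    }

    private static byte[] digest(String algorithm, byte[] content) {
        try {
            return MessageDigest.getInstance(algorithm).digest(content);
        } catch (NoSuchAlgorithmException e) {
            // Both algorithms are mandatory in the JDK, so this is a configuration error.
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    private static String hex(byte[] d) {
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input for the demo.
        byte[] document = "approved contract v1".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "approved contract v2".getBytes(StandardCharsets.UTF_8);

        ContentStore flagged = new ContentStore(ContentStore::weakKey);
        ContentStore fixed = new ContentStore(ContentStore::strongKey);

        String weak = flagged.put(document);
        String strong = fixed.put(document);
        System.out.println("SHA-1 key:   " + weak);
        System.out.println("SHA-256 key: " + strong);

        // Ordinary tampering is caught by either digest; the SHA-1 store only
        // fails against deliberately crafted colliding inputs.
        System.out.println("SHA-1 verify altered:   " + flagged.verify(altered, weak));
        System.out.println("SHA-256 verify altered: " + fixed.verify(altered, strong));
    }
}
```

The fix is mechanical (`"SHA-1"` becomes `"SHA-256"` in `getInstance`), but the migration is not: every key recorded by the weak variant has to be recomputed, because a stored SHA-1 key cannot be verified by the SHA-256 store. Code that uses SHA-1 only inside an HMAC does not depend on collision resistance and is a lower priority than code that, like `verify` above, treats the bare digest as an identity for attacker-supplied content.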

version-1.6.0 (2017-03-15)

Full Changelog

Implemented enhancements:

  • Unexpected deserialization with RestEasy/Jersey #198
  • Turbine SQL Injection #238
  • Detect hardcoded password in unknown API #231
  • Malicious deserialization from LDAP entry #228
  • (Dev internal) Validate the configuration files automatically #158
  • Turbine SQL injections #253 (h3xstream)
  • Adding overly permissive CORS policy detector #248 (plr0man)
  • LDAP improvements #278 (h3xstream)
  • Add HTTP Parameter Pollution Injection Detector #267 (plr0man)
  • Add File Disclosure Injection detector #265 (plr0man)
  • Java source and target from 1.6 to 1.7 & API compatibility check #264 (ptamarit)
  • Add JavaBeans Property Injection detector #263 (plr0man)
  • Add Insecure SMTP SSL detector #259 (plr0man)
  • SQL Injection (CWE-89) - Scala Slick & Scala Anorm injection detectors #254 (MaxNad)
  • Add Url rewriting detector #252 (plr0man)
  • UNENCRYPTED_SERVER_SOCKET: use of java.net.ServerSocket #239 (edrdo)
  • Server Side Request Forgery (CWE 918) - Basic detector implementation #234 (MaxNad)

Fixed bugs:

  • Out of bounds mutables in ... (Assertion triggered) #275
  • Force encoding to UTF-8 on Windows when generating micro-website #232
  • Freemarker description fix #230
  • Bug fix of detection of bad cipher modes of operation and minor improvements #271 (formanek)

Closed issues:

  • Find-sec-bugs maven plugin failed to execute #274
  • False negatives in detection of bad modes of operation #270
  • FindBugs not working with SonarQube 6.1 #235
  • Update JSP compiler #279

Merged pull requests:
