The first stable release of SpotBugs (3.1.0) is approaching. The build now uses SpotBugs rather than FindBugs. Nevertheless, Find Security Bugs will remain compatible with FindBugs, as the API stays the same. If you don't migrate to SpotBugs, you will be missing the Java 8 compatibility.
What's new in this release? Many new signatures (94 to be exact) have been added, including Android SQL APIs and Struts 2 APIs that receive OGNL expressions. Improvements have been made to the APIs affected by SSRF for Play as well as to the J2EE API.
Special thanks to the contributors of this release: @javabeanz, @topolik, @MaxNad, @dbaxa, @ln2v, @gredler, @dreis2211, @johnhawes, @obilodeau and @xsun12.
Also thanks to @VinodAnandan for spotting a regression with the OWASP Benchmark project.
Implemented enhancements:
- OGNL injection #312
- Generalize configuration properties with hard coded password #292
- New rule: detect https connections with weak SSL / TLS protocol #283
Closed issues:
- URL decode create false-negative #322
- CRLF_INJECTION_LOGS documentation typo #299
- Run coveralls after each build #287
Merged pull requests:
- Fix URL decode create false-negative #322 #323 (h3xstream)
- fixed out of date dependencies #321 (javabeanz)
- SSRF and LFI using RequestDispatcher and URLConnection #319 (topolik)
- Better fix of the Play 2.5.x SSRF detection (issue #307) #317 (MaxNad)
- Few changes to messages.xml #316 (h3xstream)
- OGNL injection + Android SQL injection + Migration from FindBugs to SpotBugs #309 (h3xstream)
- Added the Play 2.5.x SSRF detection - Fixed issue #307 #308 (MaxNad)
- Implement an unsafe jackson databind deserialization detector. #306 (dbaxa)
- Fixed copy-paste slip-up in Scala code example #305 (ln2v)
- Validate taint config class and method names as java identifiers #304 (topolik)
- Test and quality improvements #301 (h3xstream)
- Fix typo in documentation (fixes #299) #300 (gredler)
- Fix typo in documentation #296 (dreis2211)
- New detector HardcodePasswordInMapDetector #292 #293 (h3xstream)
- Gradle build to generate the CLI version of FSB #290 (h3xstream)
- Spring Unvalidated Redirect Detector #289 (johnhawes)
- Fixed typos I encountered #288 (obilodeau)
- Version 1.6.0 to 1.7.0 #286 (h3xstream)
- Implement detector for weak SSL/TLS protocols #285 (xsun12)
Hashes:
dc733590c116fd2fb37fda434b76b7fecd90664456219cab5d135d73ca0467df *findsecbugs-cli-1.7.1.zip