find-sec-bugs/find-sec-bugs version-1.8.0

Version 1.8.0 - SQL injections are dead ... Long live injections!

on GitHub

While SQL injection is considered by many as a (mostly) solved problem, injection vulnerabilities are still current because of all the injections possible in other API receiving SpEL or OGNL expressions, HTML (XSS), SMTP header or specialized query languages. In this release, new detectors and updates on old ones are likely to catch critical vulnerabilities that may lead to Remote Code Execution or sensitive data exposure.

Some modifications were made to support some edge cases of Kotlin. If you are a Kotlin developers, you should benefit greatly from this release. (Fix #387) (Tests #407, #409, #410)

Many built-in Java XML API susceptible to XXE were added to existing detectors. #138

Find Security Bugs is now automatically tested against Java 10. We will continue to compile the plugin with Java 8 to maximize the compatibility.

Thanks to the numerous contributors who have pushed changes that were integrate in this version:

• mario-areias
• bradflood
• mzcu
• xanderhades
• HansolChoe
• woung717
• orihalcon128
• RichardBradley
• javabeanz
• VinodAnandan
• MaxNad
• topolik
• (I hope I am not forgetting anyone.)

Full Changelog

Implemented enhancements:

• Detect SpelView (Spel Injection) #400
• False positive STRUTS_FORM_VALIDATION issues for ActionForms with proper validate method #390
• Kotlin support for hardcode password with Intrinsics.areEqual\(\) #387
• SMTP Header Injection #374
• FileItem.getName() as a new source for XSS_SERVLET? #358
• Detect hardcode password and hash based on variable name #342
• Identify XSS cause by ServletOutputStream.print() #341
• (Internal) Enable assertions during building and/or using find-sec-bugs #338
• Add Paths.get() as source for Path traversal #324
• Reduce false positive for Path traversal #291
• CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240
• [Documentation] - Add Table of Contents to Bug Patterns page #160
• More XXE coverage #138
• New implementation of CORS detector #313 #361 (bradflood)
• fix for: Identify XSS cause by ServletOutputStream.print() #341 #355 (bradflood)
• Optional API and improvement to crypto detector #350 (h3xstream)
• Added some XXE Coverage for TransformerFactory #349 (MaxNad)
• Add Java8 nio API for path traversal #324 #325 (h3xstream)

Fixed bugs:

• Path traversal: Flase positive with static final variable #382
• NullPointerException in GoogleApiKeyDetector.visitClassContext #364
• Images on Gradle Configuration documentation page show 'Please update your account' #337
• PermissiveCORSDetector throws NPE #313
• CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240

Closed issues:

• Crash with spotbugs 3.1.4 #406
• Adding New Sinks #378
• Add a new bug check "X-Frame-Options Header Not Set" #371
• Invalid configuration for java/io/File#createTempFile in java-net.txt #328

Merged pull requests:

• Added tests for Object deserialisation for kotlin code #410 (mario-areias)
• Added deserialisation gadget test for kotlin #409 (mario-areias)
• Added test for Jackson deserialization detector in Kotlin #407 (mario-areias)
• Created Kotlin version for HardcodedPasswordEqualsDetector class - fix #387 #405 (mario-areias)
• Struts Validation detector simplified #402 (h3xstream)
• Detect SpelView #400 #401 (h3xstream)
• OWASP Taglib #398 (bradflood)
• Testcases for SLF4J #396 (h3xstream)
• Added support for SAXTransformerFactory #394 (h3xstream)
• Add detectors for more XXE coverage #138 #392 (h3xstream)
• Make Java 9 build mandatory for Travis-CI #389 (h3xstream)
• Graph improvements for field read/write and return value tracking #388 (h3xstream)
• Improve RSA weak keysize detection #386 (mzcu)
• Add test case for path traversal with source from final field #382 #384 (h3xstream)
• Fixed typos in website #380 (xanderhades)
• New condition that fix #364 #377 (h3xstream)
• Add reference to OWASP Security Logging #240 #376 (h3xstream)
• SMTP Header Injection #374 #375 (h3xstream)
• Experimental plugin that build graph from bytecode #370 (h3xstream)
• Add ErrorMessageExposureDetector #356 #360 (HansolChoe)
• FileItem.getName() as a new source for XSS_SERVLET #359 (woung717)
• Update the website template #351 (h3xstream)
• Renew Japanese messages. #348 (orihalcon128)
• Improvement to bug descriptions (Public Website) #347 (RichardBradley)
• Detect hardcode password and hash based on variable name #343 (h3xstream)
• Enable assertions during building and/or using find-sec-bugs #338 #339 (javabeanz)
• SpotBugs - 3.1.0-RC5 #334 (VinodAnandan)
• Test for TaintMethodConfigWithArgumentsAndLocation with examples #333 (topolik)
• Updated the CLI to 1.7.1 #331 (MaxNad)
• Fix java/io/File#createTempFile #328 #330 (topolik)
• Add coverage for Apache Commons Text API #327 (h3xstream)
• Reduce false positive for Path traversal #291 #326 (h3xstream)

74a7fc48d07c50311e052fdf4c7ac0ee675876fa *findsecbugs-cli-1.8.0.zip