Releases: find-sec-bugs/find-sec-bugs
Version 1.13.0 - Lucky 13
Implemented enhancements:
- Java 21 Support #723
Closed issues:
- SpringEntityLeakDetector crashes with array types #679
- Java 17 not working #678
- Detect usage of Apache BeanUtils.copyProperties as dangerous #601
Merged pull requests:
- Upgrade SpotBugs to 4.8.3 #725 (gtoison)
- Updates to handle string-building taint with invokedynamic concatenation in JDK > 8 #713 (jbindel)
- taint-config files java-lang.txt and scala.txt propagate taint from character types #712 (jbindel)
- Add GCM-SIV to authenticated cipher mode list #710 (mzcu)
- Fix IMPROPER_UNICODE rule description #707 (Vampire)
- Update messages.xml #700 (jasonparallel)
- Fixing typo in docs #699 (kdowbecki)
- Verbose source line locations report #691 (oxeye-gal)
- Adding workaround for JDK > 8 invokedynamic tainting #690 (oxeye-gal)
- JstlExpressionWhiteLister now allows custom regular expressions #686 (jbindel)
- fix: added "cash account" to the safe words, not a SHA password #683 (gtoison)
- Add Detector for XXE in XML SchemaFactory #682 (exceptionfactory)
- Add Detector for XXE in XML Validator #681 (exceptionfactory)
- fix: handle arrays in SignatureParserWithGeneric #680 (gtoison)
- New detector for potential XML injection #663 (baloghadamsoftware)
- Detect usage of Apache BeanUtils as dangerous #601 #629 (marcelel)
Version 1.12.0 - Preventing the next Log4Shell
This release includes a lot of small fixes. See the auto-generated changelog below for the complete list of changes. From those, here are two notable improvements:
- Support for JDK 17
- Important fixes to the signature files (bug with generic types)
In late 2021, the library log4j version 2 was vulnerable to JNDI/LDAP "injection". The Log4j2 project has been using FSB (at least once). I later found out that we had a small signature issue that could have warned of the Context.lookup() method risks. See #670 for more info.
What's Changed
- Version changes by @h3xstream in #615
- Add support for Vert.x web Oauth2 + CSRF handlers by @pmlopes in #621
- Add new detector for MODIFICATION_AFTER_VALIDATION by @baloghadamsoftware in #635
- Add new detector for NORMALIZATION_AFTER_VALIDATION by @baloghadamsoftware in #633
- Fix solution for XXE with TransformerFactory by @h3xstream in #641
- Quick fix for NormalizationAfterValidation by @baloghadamsoftware in #643
- Remove verbose logging from test case by @h3xstream in #644
- Add Paths.get(Uri) as source for Path traversal by @deepsan in #645
- New detector FindDangerousPermissionCombination for new bug type DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in #652
- Fix the examples in the documentation of DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in #654
- Fallback when classNameLength is too long #651 by @h3xstream in #653
- Update data in script generator by @h3xstream in #658
- Update test dependencies by @h3xstream in #659
- ReDOS detection for the Pattern annotation #426 by @h3xstream in #660
- Fix unescape tag #661 by @h3xstream in #662
- Correctly parse method signatures with generic types by @scottsteen in #669
- Fixing LDAP/JNDI sink method signature by @h3xstream in #670
- updated links to plugins on website by @winne42 in #671
- Add JDK17 support by @jlstephens89 in #672
New Contributors
- @baloghadamsoftware made their first contribution in #635
- @deepsan made their first contribution in #645
- @scottsteen made their first contribution in #669
- @winne42 made their first contribution in #671
- @jlstephens89 made their first contribution in #672
Full Changelog: version-1.11.0...version-1.12.0
>md5sum findsecbugs-cli-1.12.0.zip
3b27a4374ac89146574a6318cfc53529 *findsecbugs-cli-1.12.0.zip
>sha1sum findsecbugs-cli-1.12.0.zip
cc382af0fae095afa7d41eb14d105fb909d8bc5b *findsecbugs-cli-1.12.0.zip
Version 1.11.0
In this new release of Find Security Bugs (FSB), you'll find a few new detectors along with improvements to existing ones. Here is a summary of what to expect from this update.
New detectors
A new experimental detector was created to highlight Unicode issues. Its reports are shown only if you set the minimum confidence to Low (the default setting is Medium).
For applications integrating Groovy, a new detector finds scripts being evaluated at runtime (analogous to eval functions in scripting languages).
The Vert.x SQL API is now supported.
Finally, hardcoded passwords in the JSch library are now detected.
Java unsafe deserialization
Deserialization detectors now support ObjectInput and ObjectInputStream. Thanks to @nichollt for the idea.
HTTP Parameter Pollution (URL Injection)
For applications making outbound HTTP requests, the recommended way to build a URI/URL is to use URIBuilder. This third-party class provides a DSL that behaves similarly to prepared statement APIs: every parameter passed through the DSL is properly encoded. This allows FSB to remove false positives with confidence.
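As an added illustration (not code from the Find Security Bugs project), here is the contrast the detector relies on: a query string assembled by concatenation next to the same request built with Apache HttpClient's URIBuilder. The host name, parameter names and sample input are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;

import org.apache.http.client.utils.URIBuilder;

/**
 * Added example, not part of Find Security Bugs itself. The host
 * "api.example.invalid" and the parameter names are constructed.
 */
public class UriBuilderExample {

    // Vulnerable form: the untrusted value is spliced into the query string
    // verbatim, so a value containing '&' or '=' adds or overrides parameters.
    // This is the pattern FSB reports as HTTP Parameter Pollution.
    static String unsafeSearchUrl(String untrustedQuery) {
        return "https://api.example.invalid/search?q=" + untrustedQuery + "&limit=10";
    }

    // Safe form: URIBuilder treats each parameter as data and percent-encodes
    // reserved characters, much like a prepared statement keeps parameters
    // separate from the statement text. FSB recognises this API as a safe
    // builder and does not report it (see #586 / #587 above).
    static URI safeSearchUrl(String untrustedQuery) throws URISyntaxException {
        return new URIBuilder("https://api.example.invalid/search")
                .setParameter("q", untrustedQuery)
                .setParameter("limit", "10")
                .build();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample input carrying query-string metacharacters.
        String input = "coffee&limit=1000";

        // In the concatenated URL the '&' from the input acts as a parameter
        // separator, so the request now carries two "limit" parameters and the
        // receiving server decides which one wins.
        System.out.println("unsafe: " + unsafeSearchUrl(input));

        // URIBuilder encodes '&' as %26 and '=' as %3D, so the entire input stays
        // the value of "q" and "limit" remains 10.
        System.out.println("safe:   " + safeSearchUrl(input));
    }
}
```

Running it shows the concatenated URL ending in `q=coffee&limit=1000&limit=10` while the URIBuilder version yields `q=coffee%26limit%3D1000&limit=10`, which is the behaviour that lets the detector trust the builder.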
StringSubstitutor
StringSubstitutor / StrSubstitutor are now tracked properly for all injection detectors.
SpotBugs 4.0.0
This version is compatible with SpotBugs 4.0.0. The command line client (see attached package) includes the latest version.
Implemented enhancements:
- Scanning Kotlin doesn't work with gradle-plugin #598
- HTTP parameter pollution False positive with URIBuilder (HTTPClient) #586
- Improper handling of Unicode transformations #577
- Add support for sort with -V in findsecbugs.sh #570
- Java deserialization vulnerability not being discovered #563
- False positive spring jdbctemplate SQL Injection #538
- Detect hardcoded password for SSH private key #536
- New Sink : Groovy Script Injection #483
Fixed bugs:
- EmptyStackException error #546
- RuntimeException when processing static method #541
- "Error: missing bug code for keySECEMA " in FindSecBugs 1.10.0 #526
- Incompatibility with SpotBugs 4.0.0 #525
- Missing commons-codec library #602
Closed issues:
- Restore Codecov integration #608
- Restore Travis-CI on build on Pull Request #574
- src/test/java/testcode/serial/ObjectDeserializationFalsePositive2.java:[10,8] error: no suitable constructor found for ASN1InputStream(no arguments) #557
- How to remove “taint” for custom tld function? #555
- java.lang.OutOfMemoryError: GC overhead limit exceeded #554
- Enable 'Require HTTPS' on find-sec-bugs.github.io/ #544
- False positive for unsafe comparison of hash that are susceptible to timing attack #558
- SQL injection false positive when the source is an array. #529
- String-value coming from an Enum causes SQL_INJECTION_JPA #491
Merged pull requests:
- Enable CodeQL Security Scan #610 (VinodAnandan)
- Attempt to export JaCoCo coverage file #608 #609 (h3xstream)
- Remove dependency to commons-codec #602 #607 (h3xstream)
- Add solution to LDAP Injection #599 (Marx314)
- Minor documentation and fixes #594 (h3xstream)
- Change to GH Action #593 (h3xstream)
- Less verbose output for test cases #592 (h3xstream)
- Fix verify build in Github Action #591 (h3xstream)
- A couple of fixes for Github Action #590 (h3xstream)
- GitHub Action - Test for #588 #589 (h3xstream)
- Test case to reproduce Enum in injection #491 #583 (h3xstream)
- Test case to reproduce #529 #582 (h3xstream)
- Add test case OOB Local variable assertion for #556 #581 (h3xstream)
- Attempt to reduce potential false positive #577 #580 (h3xstream)
- Change --version-list to -V #573 (h3xstream)
- Remove Nullable annotation not available in OpenJDK according to build #569 (h3xstream)
- Missing class for #563 (Fix build) #568 (h3xstream)
- Update Jquery to 3.5.1 (Make dependabot happy) #567 (h3xstream)
- Update Japanese messages #532 (orihalcon128)
- Introduce a properties file to avoid repeating the versions #530 (h3xstream)
- Fix links in the messages #528 (h3xstream)
- New samples with StringSubstitutor were added #538 #604 (h3xstream)
- Implement support for UriBuilder (HttpClient) #586 #587 (h3xstream)
- Few additions for 1.11.0 #579 (h3xstream)
- Initial version of a Vert.x Sql Client detector #576 (pmlopes)
- New detector for Jsch addition #572 (h3xstream)
- Add support for ObjectInput.readObject() for deserialization vuln #563 #566 (h3xstream)
- Add exception for the keyword share #558 #565 (h3xstream)
- SCRIPT_ENGINE_INJECTION and TEMPLATE_INJECTION_VELOCITY: typo/grammar fix #561 (boyarsky)
- 541 RuntimeException when processing static method #552 (topolik)
- Add example for sql_injection_spring_jdbc with annotation #551 (Marx314)
> md5sum findsecbugs-cli-1.11.0.zip
241c1f9138ee903d9d9f5e7cd00a93bf *findsecbugs-cli-1.11.0.zip
> sha1sum findsecbugs-cli-1.11.0.zip
910f38b746257d62de33ca83f257426e74e02033 *findsecbugs-cli-1.11.0.zip
Version 1.10.1 - HacktoberFIX
This minor update is there to introduce a fix: #526
A new detector for Pebble template injection was also added. Thanks to @sa160690.
Messages from many detectors were also updated. Multiple broken or out-dated links were corrected. #528
> sha1sum findsecbugs-cli-1.10.1.zip
fad67bc6c31032dd3cf7419c1f4abe2376658757 *findsecbugs-cli-1.10.1.zip
> md5sum findsecbugs-cli-1.10.1.zip
1eecbef120b61e0ce4870c38fe28fccd *findsecbugs-cli-1.10.1.zip
Version 1.10.0 - Hacktoberfest release
New bug detectors (or important improvements)
- Mass-assignment when using JPA or JDO entities
- Leakage from entity when using JPA or JDO entities
- Permissive CORS header allowing all origin (New coverage for Spring CorsRegistry)
- Overly permissive file permissions (code doing equivalent operation to chmod 777)
- Insecure SAML configuration affecting provider using OpenSAML API
This release is the result of various contributors: jie-lin, kulinacs, mkotyk, topolik, bananayong, nigredo-tori and thiyagu-7. With this 19th release, we are reaching 51 contributors.
A status update was published about Find Security Bugs' arrival in the OWASP family.
version-1.10.0 (2019-10-17)
Implemented enhancements:
- Fix code coverage badge + CI task #507
- Detect if authorisation is missing from a RequestMapping #473
- Support com/google/common/escape/Escaper as sanitizer #504
- http://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE #482
- Remove hard-coded "metadata" in FindBugsLauncher#buildFakePluginJar #479
- Add PathTraversalSinks for java/nio/file/Files API #476
- PATH_TRAVERSAL_IN detection #470
- Weak Permissions (chmod 777) #438
- Insecure SAML configuration in Spring #369
- Add configurable metadataFolder in FindBugsLauncher #480 (Kidlike)
- Add permissive CORS detector for CorsRegistration in Springboot #472 (Anemone95)
Fixed bugs:
- Integration with Ant Script #493
- Failed when build find-sec-bugs myself #379
- findsecbugs.sh has windows line breaks #516
- Unsupported class file major version 56 #512
- SpringEntityLeakDetector throws NPE #477
- local-variable-index-rewrite-bug #475 (topolik)
Closed issues:
- Unwrapping an encrypted key with non-random IV shouldn't trigger STATIC_IV #517
- False-positive in URLCONNECTION_SSRF_FD #505
- SQL Injection false positive with MessageFormat.format() #498
- Spring Entity Leak Detector for collections #495
- JSP Include with constant URL #481
Merged pull requests:
- Replace finally block with try resource sections. (Refactoring) #519 (h3xstream)
- Improve test coverage #515 (h3xstream)
- Update SpotBugs to 3.1.12 #513 (h3xstream)
- change package to "com.h3xstream.findsecbugs.xml" #510 (jie-lin)
- SSRF detector moved to the injection package #509 (h3xstream)
- Attempt to incorporate CodeCov with JaCocCo #507 #508 (h3xstream)
- jsp:include with constant path // SAML ignore comments set to false #499 (h3xstream)
- Rename findbugs-test-util to findsecbugs-test-util #497 (h3xstream)
- Small changes to documentation #494 (h3xstream)
- Fix typo in HTTPONLY_COOKIE description #492 (kulinacs)
- 190430-taint-method-propagation-II #490 (topolik)
- Unable to detect injections on older versions of Hibernate #489 (mkotyk)
- Fix typography on Spring Entity Leak description #485 (ArnaudLec)
- Fix NPE when interface has spring mvc annotations #478 (bananayong)
- Update SpotBugs dependency + others deps #471 (h3xstream)
- New submodule for JSP samples #469 (h3xstream)
- New module for Java samples #468 (h3xstream)
- Preparing the next dev version #467 (h3xstream)
- Release 1.9.0 #466 (h3xstream)
- Change STATIC_IV detector to properly handle key wrapping/unwrapping modes #518 (nigredo-tori)
- Supporting com/google/common/escape/Escaper as sanitizer #511 (thiyagu-7)
- Add support for separator #470 #506 (h3xstream)
- Overly permissive file permission #438 #502 (h3xstream)
- Handle MessageFormat.format properly when tracking variables #498 #501 (h3xstream)
- Improvement to information leakage and mass assignment detection #496 (h3xstream)
Version 1.9.0 - To Bee or not to Bee: The first official OWASP release
The project is now an OWASP project. After 7 years of development, this transition was made mainly to reiterate the project goal, which is to provide a solid static analyzer accessible to all Java developers. The hope is that this increases the project's visibility, which means more users, and also keeps the flow of external contributions going.
For this release, the support for Kotlin was increased greatly thanks to mario-areias. An important bug fix was made for the Linux CLI. A few improvements were made to remove recurring false positives related to XSS in JSP, deserialization and insecure ciphers.
An effort was made at the end of this milestone to improve the descriptions. This effort will continue in the next releases. Don't hesitate to send a PR for any grammar errors or typos. Ref: complete descriptions and file to edit
PS: I know that wasps (OWASP mascot) are not the same as bees. 😆
New contributors for this release
(In order of contribution date)
Implemented enhancements:
- New Rule: Detect Information Exposure through printStackTrace() #356
- detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
- Detect if entity objects are being returned by controllers in Spring #454
- Apache XML RPC setEnabledForExtensions(true) #418
- False Positive XSS in Expression Language ${pageContext.request.contextPath} #399
- False positive XSS when using OWASP taglib #353
- Detect Commons lang Random utilities #243
- New Rule: Use of setEscapeModelStrings in Wicket project #201
- Extended PredictiveRandomDetector #437 (ManWhoLaughs)
Fixed bugs:
- Possible bug in DeserializationGadgetDetectorTest #408
- [Error] Resource not found: java/lang/Object.class (Java 9) #365
- detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
- 1.8.0 findsecbugs.sh script errors #460
- Version mismatch in the findsecbugs-cli sh script. #445
- Test coverage for command injection for Kotlin #428
- ECIES integrity false positive #417
- Error while executing findsecbugs.sh on ubuntu #367
- False positive: ASN1InputStream identify as ObjectInputStream #170
Closed issues:
- The following classes needed for analysis were missing for method names #440
- false positive for CRLF_INJECTION_LOGS #425
- Migrate from BCEL Constants interface to Const class #413
- No class directories configured for FindBugs analysis error #412
- Kotlin arrayOf considered safe #432
- False Positive - JSTL Core accessing exported scoped variable storing the status of the iteration. #404
Merged pull requests:
- Restructuring the sub-modules #465 (h3xstream)
- Remove graph module #449 (h3xstream)
- Update to use findsecbugs-plugin 1.8.0 #436 (jbleduigou)
- Added Kotlin support for CRLF detector #430 (mario-areias)
- Kotlin file path traversal sink signatures #427 (JoshCunninghame)
- Added test coverage for command injection for kotlin string and func apis #423 (JoshCunninghame)
- Kotlin deserialisation gadget #422 (JoshCunninghame)
- Unsafe jackson object deserialisation kotlin module #421 (JoshCunninghame)
- Unsafe object deserialisation kotlin module #420 (JoshCunninghame)
- Kotlin hardcode password equals #419 (JoshCunninghame)
- Added KotlinHardcodePasswordInMap detector and created new module for… #416 (JoshCunninghame)
- Update the CLI packaging #415 (h3xstream)
- Replace deprecated BCEL Constants interface with Const class, #413 #414 (ThrawnCA)
- Add prism code highlight for the micro-website. #464 (h3xstream)
- Update descriptions #463 (h3xstream)
- Add references to Wicket XSS #462 (h3xstream)
- Added Entity Leak Detector #457 (karanb192)
- XSS using Wicket component #453 (h3xstream)
- Fix the FP generated by ECIES usage #417 #452 (h3xstream)
- JSTL expression white listing #451 (h3xstream)
- Fix #432 #450 (h3xstream)
- Fix Kotlin handling of the String being build with the Appendable class #448 (h3xstream)
- Improve and generalize the CLI unix launcher #447 (thypon)
- Fix TravisCI for JDK version 10 #444 (h3xstream)
- Improve XSLT RCE resolution #443 (h3xstream)
- Extended PredictiveRandomDetector (added new test) #441 (ManWhoLaughs)
- Apache XML RPC setEnabledForExtensions(true) #439 (shirinnikita)
> sha1sum findsecbugs-cli-1.9.0.zip
27b35c76f45d4da063e4a85ffebf491bc4890763 *findsecbugs-cli-1.9.0.zip
> md5sum findsecbugs-cli-1.9.0.zip
cc7c052184cc94e316908ddb58e2afae *findsecbugs-cli-1.9.0.zip
> sha1sum findsecbugs-cli-1.9.0-fix1.zip
f596059c106675ff93aa252cd99f923b480f1e30 *findsecbugs-cli-1.9.0-fix1.zip
> md5sum findsecbugs-cli-1.9.0-fix1.zip
795a404bc73493e32bf86ba4655901f0 *findsecbugs-cli-1.9.0-fix1.zip
> md5sum findsecbugs-cli-1.9.0-fix2.zip
0d92d567ebc6ec88b1ce6d61b8d40d48 *findsecbugs-cli-1.9.0-fix2....
Version 1.8.0 - SQL injections are dead ... Long live injections!
While SQL injection is considered by many as a (mostly) solved problem, injection vulnerabilities remain current because of all the injections possible in other APIs receiving SpEL or OGNL expressions, HTML (XSS), SMTP headers or specialized query languages. In this release, new detectors and updates to old ones are likely to catch critical vulnerabilities that may lead to Remote Code Execution or sensitive data exposure.
Some modifications were made to support some edge cases of Kotlin. If you are a Kotlin developer, you should benefit greatly from this release. (Fix #387) (Tests #407, #409, #410)
Many built-in Java XML APIs susceptible to XXE were added to existing detectors. #138
Find Security Bugs is now automatically tested against Java 10. We will continue to compile the plugin with Java 8 to maximize compatibility.
Thanks to the numerous contributors who have pushed changes that were integrated in this version:
- mario-areias
- bradflood
- mzcu
- xanderhades
- HansolChoe
- woung717
- orihalcon128
- RichardBradley
- javabeanz
- VinodAnandan
- MaxNad
- topolik
- (I hope I am not forgetting anyone.)
Implemented enhancements:
- Detect SpelView (Spel Injection) #400
- False positive STRUTS_FORM_VALIDATION issues for ActionForms with proper validate method #390
- Kotlin support for hardcoded password with Intrinsics.areEqual() #387
- SMTP Header Injection #374
- FileItem.getName() as a new source for XSS_SERVLET? #358
- Detect hardcode password and hash based on variable name #342
- Identify XSS cause by ServletOutputStream.print() #341
- (Internal) Enable assertions during building and/or using find-sec-bugs #338
- Add Paths.get() as source for Path traversal #324
- Reduce false positive for Path traversal #291
- CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240
- [Documentation] - Add Table of Contents to Bug Patterns page #160
- More XXE coverage #138
- New implementation of CORS detector #313 #361 (bradflood)
- fix for: Identify XSS cause by ServletOutputStream.print() #341 #355 (bradflood)
- Optional API and improvement to crypto detector #350 (h3xstream)
- Added some XXE Coverage for TransformerFactory #349 (MaxNad)
- Add Java8 nio API for path traversal #324 #325 (h3xstream)
Fixed bugs:
- Path traversal: False positive with static final variable #382
- NullPointerException in GoogleApiKeyDetector.visitClassContext #364
- Images on Gradle Configuration documentation page show 'Please update your account' #337
- PermissiveCORSDetector throws NPE #313
- CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240
Closed issues:
- Crash with spotbugs 3.1.4 #406
- Adding New Sinks #378
- Add a new bug check "X-Frame-Options Header Not Set" #371
- Invalid configuration for java/io/File#createTempFile in java-net.txt #328
Merged pull requests:
- Added tests for Object deserialisation for kotlin code #410 (mario-areias)
- Added deserialisation gadget test for kotlin #409 (mario-areias)
- Added test for Jackson deserialization detector in Kotlin #407 (mario-areias)
- Created Kotlin version for HardcodedPasswordEqualsDetector class - fix #387 #405 (mario-areias)
- Struts Validation detector simplified #402 (h3xstream)
- Detect SpelView #400 #401 (h3xstream)
- OWASP Taglib #398 (bradflood)
- Testcases for SLF4J #396 (h3xstream)
- Added support for SAXTransformerFactory #394 (h3xstream)
- Add detectors for more XXE coverage #138 #392 (h3xstream)
- Make Java 9 build mandatory for Travis-CI #389 (h3xstream)
- Graph improvements for field read/write and return value tracking #388 (h3xstream)
- Improve RSA weak keysize detection #386 (mzcu)
- Add test case for path traversal with source from final field #382 #384 (h3xstream)
- Fixed typos in website #380 (xanderhades)
- New condition that fix #364 #377 (h3xstream)
- Add reference to OWASP Security Logging #240 #376 (h3xstream)
- SMTP Header Injection #374 #375 (h3xstream)
- Experimental plugin that build graph from bytecode #370 (h3xstream)
- Add ErrorMessageExposureDetector #356 #360 (HansolChoe)
- FileItem.getName() as a new source for XSS_SERVLET #359 (woung717)
- Update the website template #351 (h3xstream)
- Renew Japanese messages. #348 (orihalcon128)
- Improvement to bug descriptions (Public Website) #347 (RichardBradley)
- Detect hardcode password and hash based on variable name #343 (h3xstream)
- Enable assertions during building and/or using find-sec-bugs #338 #339 (javabeanz)
- SpotBugs - 3.1.0-RC5 #334 (VinodAnandan)
- Test for TaintMethodConfigWithArgumentsAndLocation with examples #333 (topolik)
- Updated the CLI to 1.7.1 #331 (MaxNad)
- Fix java/io/File#createTempFile #328 #330 (topolik)
- Add coverage for Apache...
Version 1.7.1 - Introducing SpotBugs (s/Find/Spot/)
SpotBugs' first stable release (3.1.0) is approaching. The build now uses SpotBugs rather than FindBugs. Nevertheless, Find Security Bugs will continue to be compatible with FindBugs as the API stays the same. If you don't migrate to SpotBugs, you will miss out on the Java 8 compatibility.
What's new in this release? Many new signatures, 94 to be exact, have been added, including Android SQL APIs and Struts 2 APIs receiving OGNL expressions. Improvements have been made to APIs affected by SSRF for Play as well as J2EE APIs.
Special thanks to the contributors of this release: @javabeanz, @topolik, @MaxNad, @dbaxa, @ln2v, @gredler, @dreis2211, @johnhawes, @obilodeau and @xsun12.
Also thanks to @VinodAnandan for spotting a regression with OWASP Benchmark project.
Implemented enhancements:
- OGNL injection #312
- Generalize configuration properties with hard coded password #292
- New rule: detect https connections with weak SSL / TLS protocol #283
Closed issues:
- URL decode create false-negative #322
- CRLF_INJECTION_LOGS documentation typo #299
- Run coveralls after each build #287
Merged pull requests:
- Fix URL decode create false-negative #322 #323 (h3xstream)
- fixed out of date dependencies #321 (javabeanz)
- SSRF and LFI using RequestDispatcher and URLConnection #319 (topolik)
- Better fix of the Play 2.5.x SSRF detection (issue #307) #317 (MaxNad)
- Few changes to messages.xml #316 (h3xstream)
- OGNL injection + Android SQL injection + Migration from FindBugs to SpotBugs #309 (h3xstream)
- Added the Play 2.5.x SSRF detection - Fixed issue #307 #308 (MaxNad)
- Implement an unsafe jackson databind deserialization detector. #306 (dbaxa)
- Fixed copy-paste slip-up in Scala code example #305 (ln2v)
- Validate taint config class and method names as java identifiers #304 (topolik)
- Test and quality improvements #301 (h3xstream)
- Fix typo in documentation (fixes #299) #300 (gredler)
- Fix typo in documentation #296 (dreis2211)
- New detector HardcodePasswordInMapDetector #292 #293 (h3xstream)
- Gradle build to generate the CLI version of FSB #290 (h3xstream)
- Spring Unvalidated Redirect Detector #289 (johnhawes)
- Fixed typos I encountered #288 (obilodeau)
- Version 1.6.0 to 1.7.0 #286 (h3xstream)
- Implement detector for weak SSL/TLS protocols #285 (xsun12)
Hashes:
dc733590c116fd2fb37fda434b76b7fecd90664456219cab5d135d73ca0467df *findsecbugs-cli-1.7.1.zip
Version 1.6.0 - Post SHA-1 Era
Most of the new detectors in this release are contributions from new developers, notably @plr0man, @ptamarit, @MaxNad and @edrdo.
The new detectors cover a wide range of vulnerability types. See the changelog below.
In the news, a team of researchers from Google and Centrum Wiskunde & Informatica executed a previously theoretical attack to find a first SHA-1 collision. If you think SHA-1 collisions can affect your application, you can look at the report for the bug Weak Message Digest SHA-1.
version-1.6.0 (2017-03-15)
Implemented enhancements:
- Unexpected deserialization with RestEasy/Jersey #198
- Turbine SQL Injection #238
- Detect hardcoded password in unknown API #231
- Malicious deserialization from LDAP entry #228
- (Dev internal) Validate the configuration files automatically #158
- Turbine SQL injections #253 (h3xstream)
- Adding overly permissive CORS policy detector #248 (plr0man)
- LDAP improvements #278 (h3xstream)
- Add HTTP Parameter Pollution Injection Detector #267 (plr0man)
- Add File Disclosure Injection detector #265 (plr0man)
- Java source and target from 1.6 to 1.7 & API compatibility check #264 (ptamarit)
- Add JavaBeans Property Injection detector #263 (plr0man)
- Add Insecure SMTP SSL detector #259 (plr0man)
- SQL Injection (CWE-89) - Scala Slick & Scala Anorm injection detectors #254 (MaxNad)
- Add Url rewriting detector #252 (plr0man)
- UNENCRYPTED_SERVER_SOCKET: use of java.net.ServerSocket #239 (edrdo)
- Server Side Request Forgery (CWE 918) - Basic detector implementation #234 (MaxNad)
Fixed bugs:
- Out of bounds mutables in ... (Assertion triggered) #275
- Force encoding to UTF-8 on windows when generating micro-website #232
- Freemarker description fix #230
- Bug fix of detection of bad cipher modes of operation and minor improvements #271 (formanek)
Closed issues:
- Find-sec-bugs maven plugin failed to execute #274
- False negatives in detection of bad modes of operation #270
- findbugs not working with Sonarqube 6.1 #235
- Update JSP compiler #279
Merged pull requests:
- Remove duplicated word in README #282 (jwilk)
- Update JSP compiler #281 (h3xstream)
- Fix #275 #277 (h3xstream)
- Add Format String Manipulation Injection Detector #266 (plr0man)
- Travis improvements: batch mode and verify phase #262 (ptamarit)
- Add AWS Query Injection detector #260 (plr0man)
- Fix false negatives in InsufficientKeySizeRsaDetector #257 (plr0man)
- Fix false negative SHA in WeakMessageDigestDetector #255 (plr0man)
- Persistent cookie detector #251 (plr0man)
- Anonymous LDAP Bind detector #250 (plr0man)
- Fix Maven warnings (missing plugin version, relocation, proprietary API) #247 (ptamarit)
- Adding ThreadLocalRandom detection #246 (plr0man)
- Improve SpringMvcEndpointDetector by detecting new RequestMapping annotation shortcuts #244 (ptamarit)
- Update plugins #279 #280 (h3xstream)
- Spring CSRF: Protection Disabled & Unrestricted RequestMapping #261 (ptamarit)
- (internal) Refactoring: Rename Summary to TaintConfig #258 (h3xstream)
Version 1.5.0 - Shall we Play a game?
A couple of huge improvements are bundled in this release, including:
- Better Scala support with a couple of new detectors (thanks to @MaxNad)
  - New Rule: Scala Path Traversal
  - New Rule: Sensitive data exposure in cookies
  - New Rule: XSS detection in Play Framework
  - ... and many other improvements
- Huge set of small fixes and improvements (thanks to @topolik from Liferay) #214
  - New Rule: XXE with XMLStreamReader
  - New Rule: Template injection with Velocity and Freemarker
  - New Rule: XSS detection in Portlet
These are the major new detectors but, as usual, many false positive patterns are now supported and avoided.
Quick note on the version notation: the previous releases were made on minor versions (1.4.1-1.4.6) even though they included major improvements. It was never really a big concern because no major issue needed to be fixed. This may have brought some confusion to some users. The release plan is still to keep going forward and not maintain older versions. There should be no benefit to keep using an old version.
version-1.5.0 (2016-10-06)
Implemented enhancements:
- Detect template usage (template injection) #227
- Reduce the number of FP related to Trust Boundary Violation #226
- XSS in Portlet #216
- How to set findsecbugs.taint.customconfigfile through gradle? #215
- Identify weak XML parser properties that could lead to XXE #209
- Scala : XSS in twirl template #207
- Scala: XSS in Play controller #206
- XML parsing vulnerable to XXE (XMLReader) shortage #191
- Path Traversal (CWE 22) - Scala Path Traversal injection sinks #223 (MaxNad)
- Sensitive data exposure (CWE 200) - Sensitive data exposure in cookies #221 (MaxNad)
- XSS (CWE 79) - Scala - The detector can be fooled when the .as("text/html") is in uppercase #208 (MaxNad)
- Taint analysis bug fixes and improvements #214 (topolik)
- Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
- XSS (CWE 79) - Scala Play vulnerable code #203 (MaxNad)
- CWE 200 (Information Exposure) - Scala Play vulnerable code #202 (MaxNad)
Fixed bugs:
- FP: sending local broadcasts via LocalBroadcastManager #224
- False positive: ResourceBundle in JSP #213
- Out of bounds mutables in static myclass$.()V #199
- Issue #224 - Added an exception for the LocalBroadcastManager in the detector. #225 (MaxNad)
- Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
Closed issues:
- not to report null-pointer dereference if there is code already throws RuntimeError #197
- Release version 1.4.6 #195
- Release 1.4.5 #159
- Fix mix-content on micro-website #229
Merged pull requests: