Java Web Full-Stack White-Box Code Security Audit Skill Collection (v1.1)
中文: README.zh.md
Built on the code-audit-skill-blueprint methodology. Covers OWASP Top 10 plus Java-specific high-impact vulnerability classes (deserialization chains, JNDI, SpEL, OGNL, Spring4Shell, Log4Shell family).
# 1. Install to Claude Code user skills directory
mkdir -p ~/.claude/skills
cp -r /path/to/java-skills ~/.claude/skills/java-code-audit
# 2. Prompt in Claude / Cursor
Perform a complete white-box security audit on the following Java project.
Use java-audit-pipeline as the sole entry point.
Source: /tmp/audit/project
Output: /tmp/audit/project_audit
When finished, output <promise>Java full-stack code audit complete</promise>See USAGE.md for detailed installation and prompt templates.
| Feature | Description |
|---|---|
| Meta-thinking M1–M5 embedded | M1 (L1–L5) / M2 (four-tuple) / M3 (L0–L3) / M4 (blind spots) / M5 (reverse reasoning) woven into C1–C4 |
| Single entry point | All audits go through java-audit-pipeline; sub-skills are internal components only |
| Immediate write-to-disk protocol | Each sub-skill writes output files as it completes; phase 5 must Read from disk |
| wave-gate phase gates | Automatic artifact completeness checks before phase transitions |
| Full Java stack coverage | Spring (MVC/WebFlux/Cloud/Boot), Struts2, Hibernate/JPA, MyBatis, Thymeleaf/JSP, Jackson/Fastjson, Log4j, etc. |
| CVE knowledge base | Log4Shell, Spring4Shell, Fastjson, Shiro, WebLogic, ActiveMQ, and other canonical chains |
| Multi-SAST fusion | CodeQL / Semgrep / SpotBugs+FindSecBugs / Fortify / Snyk + OWASP Dependency-Check / OSV-Scanner |
java-skills/
├── CLAUDE.md / AGENTS.md # Platform entry points (dual redundancy)
├── USAGE.md / README.md # Usage guides
├── rules/ # alwaysApply rule layer (7 files)
│ ├── 00-general.md # General + Java-specific anti-rationalization (15 items)
│ ├── 01-output-spec.md # Output directory layout
│ ├── 02-severity-spec.md # Severity grading
│ ├── 03-evidence-spec.md # Evidence EVID_*
│ ├── 04-finding-spec.md # Finding template + Java CWE/OWASP mapping
│ ├── 05-tool-spec.md # Tool integration (Java toolchain)
│ └── 06-meta-thinking.md # M1–M5 meta-thinking guide
├── shared/ # Shared docs (OUTPUT_STRUCTURE / TOOL_INTEGRATION, etc.)
├── scripts/ # wave-gate.sh / scan_dangerous_functions.sh
├── research/ # Research notes
├── java-audit-pipeline/ # 🟢 Sole user entry (7-phase orchestration)
├── java-route-mapper/ # 🔧 Route modeling
├── java-route-tracer/ # 🔧 Path tracing (AOP/@Async/MyBatis XML)
├── java-vuln-scanner/ # 🔧 CVE scanning
├── java-fp-verify/ # 🔧 False-positive review (7 gates)
├── java-context-build/ # 🔧 Deep context building
├── java-variant-analysis/ # 🔧 Variant recall expansion
├── java-exploit-chain-audit/ # 🔧 Exploit chain aggregation
├── java-deser-audit/ # 🔴 P0 Deserialization
├── java-jndi-audit/ # 🔴 P0 JNDI (Log4Shell family)
├── java-expr-audit/ # 🔴 P0 SpEL / OGNL
├── java-sql-audit/ # 🔴 P0 SQL injection
├── java-cmd-audit/ # 🔴 P0 Command injection
├── java-spring-audit/ # 🟠 P0 Spring framework
├── java-hibernate-audit/ # 🟠 P0 Hibernate / JPA
├── java-xxe-audit/ # 🟠 P0 XXE
├── java-ssrf-audit/ # 🟠 P1 SSRF
├── java-xss-audit/ # 🟠 P1 XSS
├── java-file-upload-audit/ # 🟠 P1 File upload
├── java-path-audit/ # 🟠 P1 Path traversal
├── java-csrf-audit/ # 🟡 P1 CSRF
├── java-auth-audit/ # 🟡 P1 Authentication / authorization
├── java-crypto-audit/ # 🟡 P1 Weak cryptography
└── java-cfg-audit/ # 🟡 P1 Configuration security
See code-audit-skill-blueprint/01-architecture.md for architectural details.
- 🟢 java-audit-pipeline — 7-phase orchestration (attack surface mapping → modeling → tracing → sub-skill dispatch → false-positive review → exploit chains → report)
| Skill | Topic | Java Focus |
|---|---|---|
| 🔴 java-deser-audit | Deserialization | ObjectInputStream / Jackson DefaultTyping / Fastjson @type / XStream / SnakeYAML / Shiro rememberMe |
| 🔴 java-jndi-audit | JNDI injection | Log4Shell (CVE-2021-44228) / ${jndi:ldap://...} / Spring JndiObjectFactoryBean |
| 🔴 java-expr-audit | Expression injection | Spring4Shell / @Value / @PreAuthorize / Spring Cloud Gateway / Struts2 OGNL |
| 🔴 java-sql-audit | SQL injection | Statement / createNativeQuery / @Query(nativeQuery=true) / MyBatis ${var} |
| 🔴 java-cmd-audit | Command injection | Runtime.exec / ProcessBuilder / Apache Commons Exec / Actuator jolokia |
| 🟠 java-spring-audit | Spring ecosystem | actuator / CORS / CSRF / H2 console / Mass Assignment |
| 🟠 java-hibernate-audit | Hibernate / JPA | HQL injection / @JoinFormula / Specification concatenation |
| 🟠 java-xxe-audit | XML external entities | DocumentBuilder / SAXParser / Jackson XML / SOAP-WS / JAXB |
| Skill | Topic |
|---|---|
| 🟠 java-ssrf-audit | SSRF (URL.openConnection / RestTemplate / WebClient / Feign) |
| 🟠 java-xss-audit | XSS (Thymeleaf th:utext / JSP <%= %> / @ResponseBody) |
| 🟠 java-file-upload-audit | File upload RCE |
| 🟠 java-path-audit | Path traversal / Zip Slip |
| 🟡 java-csrf-audit | CSRF (Spring Security config / stateless detection) |
| 🟡 java-auth-audit | Auth chain (@PreAuthorize / Filter misconfiguration / missing JWT validation) |
| 🟡 java-crypto-audit | Weak crypto (MD5/SHA1 / ECB / hardcoded keys / weak RNG) |
| 🟡 java-cfg-audit | Configuration security (actuator / yml / default credentials) |
| Skill | Role |
|---|---|
| 🔧 java-route-mapper | Route modeling (Spring MVC / WebFlux / JAX-RS / Servlet / Struts2 / Actuator) |
| 🔧 java-route-tracer | Path tracing (AOP / @Async / MyBatis XML penetration / 13 EVID_* types) |
| 🔧 java-sast-ingest | (v1.1 new) Unified SAST report ingestion (SARIF / SpotBugs XML / Semgrep JSON / Fortify FPR / Snyk Code / SonarQube) → 00-recon/tool-scan-intake.md |
| 🔧 java-vuln-scanner | Third-party SCA scanning (Maven + Gradle + OWASP DC + Snyk OS + OSV + Trivy + Dependabot + CVE→audit skill routing table) |
| 🔧 java-fp-verify | False-positive review (7 gates, v1.1 adds G7 tool cross-check) |
| 🔧 java-context-build | Deep context (three sources + AOP / @Async) |
| 🔧 java-variant-analysis | Variant recall expansion (seven categories) |
| 🔧 java-exploit-chain-audit | Exploit chain aggregation (L1–L5 + four boundaries + v1.1 CVE correlation) |
This skill collection embeds meta-thinking principles into C1–C4 sections rather than treating them as standalone paragraphs:
| Meta-thinking | Meaning | Embedded In |
|---|---|---|
| M1 Synonym recognition | Sink 5-layer exhaustiveness (L1 direct / L2 wrapper / L3 trigger / L4 config / L5 framework encapsulation) | C1 |
| M2 First-principles failure | Defense four-tuple (mechanism / scope / failure mode / path omission) | C2 |
| M3 Controllability spectrum | L0–L3 + escalation paths | C4 |
| M4 Counter-intuitive blind spots | 8 blind spots (error handling / batch APIs / debug leftovers / CLI / internal APIs / config toggles, etc.) | C3 |
| M5 Attacker-goal reverse reasoning | G1–G5 (admin / database / lateral movement / RCE / financial impact) | Before pipeline phase 4 |
See code-audit-skill-blueprint/05-meta-thinking.md.
This skill collection passed two rounds of automated acceptance:
- 30-item design quality assessment (see _quality-report.md)
- Meta-thinking authenticity verification (see _meta-thinking-verify.md)
Benchmark targets: WebGoat / Spring PetClinic / Java Vulnerable Lab / OWASP Benchmark.
This repository implements the following methodology documents:
| Blueprint Section | Implementation |
|---|---|
| 01-architecture.md — Three-layer architecture | rules / pipeline / sub-skills |
| 02-pipeline-design.md — Pipeline | java-audit-pipeline/SKILL.md |
| 03-subskill-design.md — Sub-skills | 16 vulnerability types + 7 supporting |
| 04-rules-design.md — Rules layer | rules/00-06.md |
| 05-meta-thinking.md — Meta-thinking | C1–C4 embedding |
| 06-output-spec.md — Output spec | shared/OUTPUT_STRUCTURE.md |
| 07-tool-integration.md — Tool integration | rules/05-tool-spec.md + java-vuln-scanner |
| 08-process-quality.md — Process quality | wave-gate.sh + trust-score |
| 09-development-process.md — Development process | research/ + _progress.md |
| 10-pitfalls.md — Field pitfalls | Anti-rationalization checklist |
| 11-quality-assessment.md — Assessment method | _quality-report.md / _meta-thinking-verify.md |
| language-adapters/java.md — Java adapter | C1–C4 in all SKILL.md files |
- v1.1 (2026-05-26) — Tool integration enhancement
- Added
java-sast-ingest(unified SAST report ingestion) → 25 skills total - Added
shared/TOOL_INTEGRATION_JAVA.md(430 lines / 8-section tool integration spec) - Added
scripts/parse-sast-report.sh+parse-sca-report.sh(multi-format auto-parsing) - Pipeline 7-phase full tool integration (phase 0 detection / phase 1 mandatory intake / phase 2 tri-state labeling / phase 4 audit skill 5-step startup protocol / phase 4.5 G7 tool cross-check / phase 5 tool accuracy cross-validation)
- Updated 16 vulnerability audit skills with §3.5 tool report ingestion + mandatory tri-state labels
- Upgraded rules/05-tool-spec.md to 8-step action chain (19 CWE routing table + multi-tool fusion algorithm)
- Design quality score: 60/60 (A+, full marks) / Meta-thinking pass rate: 18/18 (design PASS)
- Added
- v1.0 (2026-05-26)
- All 24 SKILLs in place (1 pipeline + 16 P0/P1 + 7 supporting)
- rules/ 7-file localization complete
- Design quality + meta-thinking authenticity two-round automated acceptance (59/60 + 17/17)
High-quality Skills are not one-time deliverables. They require ongoing maintenance as the Java ecosystem, CVE intelligence, framework evolution, and real-world audit feedback change — static rules and checklists quickly fall behind actual attack surfaces.
Better versions are built together: we welcome improvements via Issues and PRs, audit case studies, false-positive pattern reports, new vulnerability type coverage, and production usage feedback. Every contribution makes this skill collection more valuable to the community.
- 🐘 PHP-skills — PHP implementation under the same blueprint; structurally aligned with this repo
- 🔴 Ruby skills — Ruby/Rails implementation (v1.0, 22 SKILLs)
- 🟪 .NET skills — .NET / C# / ASP.NET implementation (v1.0, 24 SKILLs)
- 📖 code-audit-skill-blueprint — Cross-language code audit Skill development methodology blueprint
Same as the upstream blueprint project.