Standalone command line tool to scan jars with or without the source #100

Closed. h3xstream opened this issue Sep 23, 2015 · 6 comments
Labels: enhancement (New feature or improvement to existing detector.)
Milestone: version-1.4.4

@h3xstream (Member)
I have already built an unofficial command line tool that bundles FindBugs and FindSecurityBugs.
I think it could be useful to release it for the following use cases: scanning dependencies, scanning an application without the source code, and Android binaries (transformed with dex2jar).

The new tool would be a separate module that depends on the plugin module.

@h3xstream h3xstream added this to the version-1.4.4 milestone Sep 23, 2015
@h3xstream h3xstream added the enhancement New feature or improvement to existing detector. label Sep 23, 2015
@xeno6696

I would love to have access to a tool like that. One of my contracts
wanted me to validate findbugs results and I had to cobble together some
shell scripts in order to pull it off outside of Eclipse.


Matt Seil
Cyber Security Software Engineer
Member ACM/OWASP

@formanek (Contributor)

What are the advantages over the standalone FindBugs GUI and CLI? It can scan JARs without the source and generate HTML reports; you just need to drop FindSecurityBugs into the plugin folder.

@h3xstream (Member, Author)

The idea would be to wrap the current CLI or create something new.

My objective is to have a simpler alternative: a single jar and minimal configuration.

```
java -jar findsecbugs.jar App.jar
java -jar findsecbugs.jar -profile=webapp App.jar
java -jar findsecbugs.jar -profile=android App.jar
```

It could potentially support the other FindBugs CLI arguments.

@h3xstream h3xstream self-assigned this Oct 17, 2015
h3xstream added a commit that referenced this issue Nov 20, 2015: "It is based on FindBugs command line client."

@h3xstream (Member, Author)

Here is a preview of the first version. All FindBugs arguments will work. Use -help for more info.

```text
> findsecbugs -high C:\Java\jenkins\WEB-INF\lib\remoting-2.53.jar
  ______ _           _    _____             ____
 |  ____(_)         | |  / ____|           |  _ \
 | |__   _ _ __   __| | | (___   ___  ___  | |_) |_   _  __ _ ___
 |  __| | | '_ \ / _` |  \___ \ / _ \/ __| |  _ <| | | |/ _` / __|
 | |    | | | | | (_| |  ____) |  __/ (__  | |_) | |_| | (_| \__ \
 |_|    |_|_| |_|\__,_| |_____/ \___|\___| |____/ \__,_|\__, |___/
                                                         __/ |
           - Security Analysis for Java Applications -  |___/

H X CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 111]
H X CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 113]
H X CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 89]
H X CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 91]
H X SECOBDES: Object deserialization is used in hudson.remoting.Capability.hudson.remoting.Capability.read(InputStream)  At Capability.java:[line 139]
H X SECOBDES: Object deserialization is used in hudson.remoting.Command.hudson.remoting.Command.readFrom(Channel, ObjectInputStream)  At Command.java:[line 92]
H X SECOBDES: Object deserialization is used in hudson.remoting.UserRequest.hudson.remoting.UserRequest.deserialize(Channel, byte[], ClassLoader)  At UserRequest.java:[line 184]
H X SECOBDES: Object deserialization is used in hudson.remoting.RemoteInputStream.hudson.remoting.RemoteInputStream.readObject(ObjectInputStream)  At RemoteInputStream.java:[line 179]
H X SECOBDES: Object deserialization is used in hudson.remoting.ClassLoaderHolder.hudson.remoting.ClassLoaderHolder.readObject(ObjectInputStream)  At ClassLoaderHolder.java:[line 35]
H X CIPINT: The cipher does not provide data integrity  At Launcher.java:[line 289]
H X SECPTI: File(...) reads a file whose location might be specified by user input  At CmdLineParser.java:[line 552]
```
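The text report above is what a build pipeline would consume when the tool is run on a dependency jar. As an added example, not the project's code and not part of this thread, here is a small Python script that parses that line format into structured findings, counts them per bug pattern and per file, and returns a pass/fail verdict usable as a CI gate. The line shape (priority letter, a one-letter category code, the pattern id, the message, then `At File.java:[line N]`) is assumed from the preview output; the sample input is constructed from the lines shown above, including banner and prompt lines that the parser must skip.

```python
"""Parse FindSecurityBugs/FindBugs text output and gate on severity (example code)."""
import re
import sys
from collections import Counter
from typing import Dict, List

# Assumed line shape, taken from the preview output in the thread:
#   <priority> <category-code> <PATTERN>: <message>  At <File.java>:[line <N>]
# Priority is H/M/L. The single-letter column after it is FindBugs' category
# code, which is captured but not interpreted here.
FINDING_RE = re.compile(
    r"^(?P<priority>[HML])\s+(?P<category>\S)\s+(?P<pattern>[A-Z0-9_]+):\s+"
    r"(?P<message>.*?)\s+At\s+(?P<file>\S+):\[line\s+(?P<line>\d+)\]\s*$"
)

PRIORITY_RANK = {"L": 1, "M": 2, "H": 3}

# Constructed sample: the command echo, two banner lines and the findings from
# the remoting-2.53.jar preview above. Non-finding lines must be ignored.
SAMPLE_OUTPUT = r"""
> findsecbugs -high C:\Java\jenkins\WEB-INF\lib\remoting-2.53.jar
  ______ _           _    _____             ____
 |_|    |_|_| |_|\__,_| |_____/ \___|\___| |____/ \__,_|\__, |___/
           - Security Analysis for Java Applications -  |___/

H X CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 111]
H X CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 113]
H X CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 89]
H X CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 91]
H X SECOBDES: Object deserialization is used in hudson.remoting.Capability.hudson.remoting.Capability.read(InputStream)  At Capability.java:[line 139]
H X SECOBDES: Object deserialization is used in hudson.remoting.Command.hudson.remoting.Command.readFrom(Channel, ObjectInputStream)  At Command.java:[line 92]
H X SECOBDES: Object deserialization is used in hudson.remoting.UserRequest.hudson.remoting.UserRequest.deserialize(Channel, byte[], ClassLoader)  At UserRequest.java:[line 184]
H X SECOBDES: Object deserialization is used in hudson.remoting.RemoteInputStream.hudson.remoting.RemoteInputStream.readObject(ObjectInputStream)  At RemoteInputStream.java:[line 179]
H X SECOBDES: Object deserialization is used in hudson.remoting.ClassLoaderHolder.hudson.remoting.ClassLoaderHolder.readObject(ObjectInputStream)  At ClassLoaderHolder.java:[line 35]
H X CIPINT: The cipher does not provide data integrity  At Launcher.java:[line 289]
H X SECPTI: File(...) reads a file whose location might be specified by user input  At CmdLineParser.java:[line 552]
"""


def parse_findings(text: str) -> List[Dict[str, object]]:
    """Return one dict per finding line; banner, prompt and blank lines are skipped."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if not m:
            continue  # not a finding line (banner art, command echo, blank)
        rec: Dict[str, object] = m.groupdict()
        rec["line"] = int(m.group("line"))
        findings.append(rec)
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Count findings by priority, by bug pattern id and by source file."""
    return {
        "by_priority": Counter(str(f["priority"]) for f in findings),
        "by_pattern": Counter(str(f["pattern"]) for f in findings),
        "by_file": Counter(str(f["file"]) for f in findings),
    }


def exceeds_threshold(findings: List[Dict[str, object]],
                      min_priority: str = "H", max_allowed: int = 0) -> bool:
    """True when more than max_allowed findings are at or above min_priority.

    Intended as a CI gate: the caller exits non-zero when this returns True.
    """
    floor = PRIORITY_RANK[min_priority]
    hits = sum(1 for f in findings if PRIORITY_RANK[str(f["priority"])] >= floor)
    return hits > max_allowed


def format_report(findings: List[Dict[str, object]]) -> str:
    """Human-readable summary, most frequent pattern and file first."""
    s = summarize(findings)
    out = [f"{len(findings)} findings"]
    for pattern, n in sorted(s["by_pattern"].items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"  {pattern:<10} {n}")
    out.append("by file:")
    for path, n in sorted(s["by_file"].items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"  {path:<25} {n}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python gate.py report.txt   (or no argument to run on the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    found = parse_findings(text)
    print(format_report(found))
    sys.exit(1 if exceeds_threshold(found, "H", 0) else 0)
```

Run with the scanner's text output on stdin redirected to a file (`findsecbugs -high App.jar > report.txt; python gate.py report.txt`); the exit status makes the high-priority count a build breaker, and the per-file counts point reviewers at the classes (here the deserialization entry points) that need triage first.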

@ThrawnCA

I'm not clear on the answer to @formanek ; what is the advantage over findbugs:gui?

@h3xstream (Member, Author)

It is the same thing. The idea is just to provide an all-in-one package.
It is the same as running `java -jar findbugs.jar -pluginList findsecbugs-1.4.4.jar MyApp.jar`.
It includes minor improvements: less typing and only one download.

The tool I'm referring to in the original description is actually something different from what was finally released.
