Version 1.9.0 - To Bee or not to Bee: The first official OWASP release
The project is now an OWASP project. After 7 years of development, this transition was made mainly to reiterate the project goal, which is to provide a solid static analyzer accessible to all Java developers. The hope is that this will increase the project's visibility, meaning more users, and keep the flow of external contributions going.
For this release, Kotlin support was greatly extended thanks to mario-areias. An important bug fix was made to the Linux CLI launcher script. A few improvements were made to remove recurring false positives related to XSS in JSP, deserialization and insecure ciphers.
An effort was made at the end of this milestone to improve the rule descriptions. This effort will continue in the next releases. Don't hesitate to send a PR for any grammar errors or typos. Ref: complete descriptions and file to edit
PS: I know that wasps (OWASP mascot) are not the same as bees. 😆
New contributors for this release
(In order of contribution date)
Implemented enhancements:
- New Rule: Detect Information Exposure through printStackTrace() #356
- detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
- Detect if entity objects are being returned by controllers in Spring #454
- Apache XML RPC setEnabledForExtensions(true) #418
- False Positive XSS in Expression Language ${pageContext.request.contextPath} #399
- False positive XSS when using OWASP taglib #353
- Detect Commons lang Random utilities #243
- New Rule: Use of setEscapeModelStrings in Wicket project #201
- Extended PredictiveRandomDetector #437 (ManWhoLaughs)
Fixed bugs:
- Possible bug in DeserializationGadgetDetectorTest #408
- [Error] Resource not found: java/lang/Object.class (Java 9) #365
- detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
- 1.8.0 findsecbugs.sh script errors #460
- Version mismatch in the findsecbugs-cli sh script. #445
- Test coverage for command injection for Kotlin #428
- ECIES integrity false positive #417
- Error while executing finsecbugs.sh on ubuntu #367
- False positive: ASN1InputStream identify as ObjectInputStream #170
Closed issues:
- The following classes needed for analysis were missing for method names #440
- false positive for CRLF_INJECTION_LOGS #425
- Migrate from BCEL Constants interface to Const class #413
- No class directories configured for FindBugs analysis error #412
- Kotlin arrayOf considered safe #432
- False Positive - JSTL Core accessing exported scoped variable storing the status of the iteration. #404
Merged pull requests:
- Restructuring the sub-modules #465 (h3xstream)
- Remove graph module #449 (h3xstream)
- Update to use findsecbugs-plugin 1.8.0 #436 (jbleduigou)
- Added Kotlin support for CRLF detector #430 (mario-areias)
- Kotlin file path traversal sink signatures #427 (JoshCunninghame)
- Added test coverage for command injection for kotlin string and func apis #423 (JoshCunninghame)
- Kotlin deserialisation gadget #422 (JoshCunninghame)
- Unsafe jackson object deserialisation kotlin module #421 (JoshCunninghame)
- Unsafe object deserialisation kotlin module #420 (JoshCunninghame)
- Kotlin hardcode password equals #419 (JoshCunninghame)
- Added KotlinHardcodePasswordInMap detector and created new module for… #416 (JoshCunninghame)
- Update the CLI packaging #415 (h3xstream)
- Replace deprecated BCEL Constants interface with Const class, #413 #414 (ThrawnCA)
- Add prism code highlight for the micro-website. #464 (h3xstream)
- Update descriptions #463 (h3xstream)
- Add references to Wicket XSS #462 (h3xstream)
- Added Entity Leak Detector #457 (karanb192)
- XSS using Wicket component #453 (h3xstream)
- Fix the FP generated by ECIES usage #417 #452 (h3xstream)
- JSTL expression white listing #451 (h3xstream)
- Fix #432 #450 (h3xstream)
- Fix Kotlin handling of the String being build with the Appendable class #448 (h3xstream)
- Improve and generalize the CLI unix launcher #447 (thypon)
- Fix TravisCI for JDK version 10 #444 (h3xstream)
- Improve XSLT RCE resolution #443 (h3xstream)
- Extended PredictiveRandomDetector (added new test) #441 (ManWhoLaughs)
- Apache XML RPC setEnabledForExtensions(true) #439 (shirinnikita)
Checksums of the CLI release archives:

```
> sha1sum findsecbugs-cli-1.9.0.zip
27b35c76f45d4da063e4a85ffebf491bc4890763 *findsecbugs-cli-1.9.0.zip
> md5sum findsecbugs-cli-1.9.0.zip
cc7c052184cc94e316908ddb58e2afae *findsecbugs-cli-1.9.0.zip
> sha1sum findsecbugs-cli-1.9.0-fix1.zip
f596059c106675ff93aa252cd99f923b480f1e30 *findsecbugs-cli-1.9.0-fix1.zip
> md5sum findsecbugs-cli-1.9.0-fix1.zip
795a404bc73493e32bf86ba4655901f0 *findsecbugs-cli-1.9.0-fix1.zip
> md5sum findsecbugs-cli-1.9.0-fix2.zip
0d92d567ebc6ec88b1ce6d61b8d40d48 *findsecbugs-cli-1.9.0-fix2.zip
> sha1sum findsecbugs-cli-1.9.0-fix2.zip
998437752ebfbed1cace3c9d73cc4644fb3f1545 *findsecbugs-cli-1.9.0-fix2.zip
```