Custom signatures

Philippe Arteau edited this page Sep 1, 2016 · 2 revisions

This page describes how to configure FindSecurityBugs to detect injection vulnerabilities in custom or proprietary APIs.

We are trying to find calls like the one in the following example, where user input is concatenated into the argument of an API that should never receive it.

Example

public void findUser(String parameterInput) {
    SqlUtil.execQuery("select * from UserEntity where id = " + parameterInput);
}

How to

1. Build your configuration

Here is a file with one single "sink".

sqli/MySqlWrapper.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;:0
  • sqli/MySqlWrapper : Fully qualified class name (package separators written as slashes)
  • . : Separator
  • executeQuery : Method name
  • (Ljava/lang/String;)Ljava/sql/ResultSet; : Method signature
  • : : Separator
  • 0 : Index of the argument that is "injectable" (NOTE: indices are counted from the right, following the stack order, so the last argument is 0)

For more information, refer to the Sink file format in developer area.
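Writing a sink line by hand means translating Java parameter types into JVM descriptors and counting the injectable argument from the right. The following script is an added example (not part of the FindSecurityBugs wiki or project code) that performs both steps and emits sink lines for a list of methods; it reproduces the page's sqli/MySqlWrapper entry and adds entries for the page's SqlUtil.execQuery. The package name com.example, the java.sql.ResultSet return type and the three-argument overload are assumptions made for illustration, and only the single-index form shown on this page is produced.

```python
"""Build FindSecurityBugs custom sink lines from a Java method description.

Added example, not FindSecurityBugs project code. It applies the format
shown on this page: class name in slash form, '.', method name, JVM method
descriptor, ':', argument index counted from the right (stack order).
"""

# JVM descriptor letters for Java primitive types.
PRIMITIVES = {
    "boolean": "Z", "byte": "B", "char": "C", "short": "S",
    "int": "I", "long": "J", "float": "F", "double": "D", "void": "V",
}


def descriptor(java_type):
    """Translate a Java source type such as 'String[]', 'int' or
    'java.util.List' into its JVM descriptor ('[Ljava/lang/String;', 'I', ...)."""
    java_type = java_type.strip()
    dims = 0
    while java_type.endswith("[]"):          # each trailing [] is one array dimension
        java_type = java_type[:-2].strip()
        dims += 1
    if java_type in PRIMITIVES:
        base = PRIMITIVES[java_type]
    else:
        # An unqualified 'String' is java.lang.String; any other reference type
        # must already be fully qualified (com.example.Foo).
        if java_type == "String":
            java_type = "java.lang.String"
        base = "L" + java_type.replace(".", "/") + ";"
    return "[" * dims + base


def sink_line(cls, method, params, ret, injectable_param):
    """Produce one sink line. `injectable_param` is the 0-based position of the
    tainted parameter in source order (left to right); the line carries the
    stack-based index FindSecurityBugs expects, counted from the right."""
    if not 0 <= injectable_param < len(params):
        raise ValueError("injectable_param out of range")
    stack_index = len(params) - 1 - injectable_param   # last parameter is 0
    desc = "(" + "".join(descriptor(p) for p in params) + ")" + descriptor(ret)
    return "%s.%s%s:%d" % (cls.replace(".", "/"), method, desc, stack_index)


def build_sink_file(entries):
    """Render a list of (cls, method, params, ret, injectable_param) tuples
    as the contents of a custom sink file, one sink per line."""
    return "\n".join(sink_line(*e) for e in entries) + "\n"


if __name__ == "__main__":
    # Constructed sample: the page's sink plus assumed SqlUtil.execQuery overloads.
    entries = [
        ("sqli.MySqlWrapper", "executeQuery", ["String"], "java.sql.ResultSet", 0),
        ("com.example.SqlUtil", "execQuery", ["String"], "java.sql.ResultSet", 0),
        # Three parameters, the String in the middle is injectable: index 1 from the right.
        ("com.example.SqlUtil", "execQuery",
         ["java.sql.Connection", "String", "int"], "java.sql.ResultSet", 1),
    ]
    print(build_sink_file(entries), end="")
```

Redirect the script's output to a file such as custom_sink.txt and point FindSecurityBugs at it as described in step 2. The right-to-left index is the part people most often get wrong, so the three-argument overload is there to show that the second of three parameters becomes index 1, not 0.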

2. Loading the file

Finally, you need to configure FindSecurityBugs to load your custom signature set.

You can do so by setting the following JVM system property when launching the FindBugs process:

-Dfindsecbugs.taint.customconfigfile=/my/config/custom_sink.txt