Extend java-find-secbugs module to include package and class name in error code #108

@flosell (Contributor) commented May 1, 2019

Description

At the moment, java-find-secbugs only allows users to exclude findings based on the type of bug-pattern. Since the same finding can be a false positive in one part of the code (esp. since findsecbugs also includes library code) but a real problem in another, this PR adds the package and classname to the error code.

Fixes #107

Type of change

  • New feature (non-breaking change which adds functionality)

Toolchain

  • Java
  • Kotlin

How Has This Been Tested?

  • Rebuild the Hawkeye Container to get all the tools

    $ docker build -t hawkeye-new .
    
  • Get a Spring Boot project where findsecbugs detects problems in the library

    $ curl https://start.spring.io/starter.tgz \
             -d type=gradle-project \
             -d baseDir=spring-boot-java-gradle \
             -d language=java | tar -xzvf -
    $ cd spring-boot-java-gradle
    $ ./gradlew build
    
  • Run Hawkeye against the project. You should see some findings from find-secbugs about spring boot internals and see the extended code

    $ docker run --rm -v $PWD:/target hawkeye-new scan --show-code -m java-find-secbugs
    
  • Run Hawkeye again, this time excluding org.springframework. Hawkeye should come back without findings

    $ docker run --rm -v $PWD:/target hawkeye-new scan --show-code -m java-find-secbugs  --exclude '.*-org\.springframework.*'
    

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (no related documentation)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

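The point of the change above is that an exclude pattern can now be keyed on where a finding lives, not only on which bug pattern fired. The following is an added example, not Hawkeye's own code: it assumes the extended error code has the shape `<BUG_PATTERN>-<package>.<Class>` and that exclude patterns are matched against the whole code string (which is why the pattern in the test steps starts and ends with `.*`). The findings and class names are constructed for illustration.

```python
import re

# Constructed sample findings, not real Hawkeye output. The code layout
# "<BUG_PATTERN>-<package>.<Class>" is an assumption about the extended
# error code described in the PR; the class names are made up.
FINDINGS = [
    {"code": "PREDICTABLE_RANDOM-org.springframework.demo.LibraryBean",
     "description": "Predictable pseudorandom number generator (library code)"},
    {"code": "PREDICTABLE_RANDOM-com.example.demo.TokenGenerator",
     "description": "Predictable pseudorandom number generator (own code)"},
    {"code": "SQL_INJECTION_JDBC-org.springframework.demo.LibraryTemplate",
     "description": "Potential SQL injection (library code)"},
]


def is_excluded(code, patterns):
    """True if any exclude pattern matches the whole code string.

    Whole-string matching (re.fullmatch) is an assumption here; it is
    consistent with the '.*' at both ends of the pattern in the test steps.
    """
    return any(re.fullmatch(p, code) for p in patterns)


def remaining_codes(findings, patterns):
    """Return the codes of the findings that survive the exclude patterns, in order."""
    return [f["code"] for f in findings if not is_excluded(f["code"], patterns)]


if __name__ == "__main__":
    # Excluding by bug pattern alone also drops the hit in our own code.
    print(remaining_codes(FINDINGS, [r"PREDICTABLE_RANDOM-.*"]))
    # Excluding by package keeps the PREDICTABLE_RANDOM hit in com.example.
    print(remaining_codes(FINDINGS, [r".*-org\.springframework.*"]))
```

Excluding `PREDICTABLE_RANDOM-.*` silences both occurrences of the bug pattern, including the one in `com.example`; excluding `.*-org\.springframework.*` removes only the two library findings and leaves the real problem in the project's own code visible.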
@felixhammerl felixhammerl merged commit ba3eeb6 into hawkeyesec:master May 3, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed