
New detector for MET03-J #2447

Merged
merged 83 commits into from
Jun 19, 2023


@NazirMuhammadZafarIqbal NazirMuhammadZafarIqbal commented Jun 11, 2023

I have implemented a checker named "FindVulnerableSecurityCheckMethods" for SEI CERT MET03-J

The checker proved to be effective in identifying potential security vulnerabilities in Java code. By enforcing the declaration of methods that use security checks as private or final, this checker helps reduce the risk of security breaches.

I have done both White Box and Black Box Testing. For White Box Testing, I have created 5 compliant and 18 non-compliant test cases. My checker passes all of the test cases. For Black Box Testing, I tested the checker on the Elasticsearch and SpotBugs projects. In the Elasticsearch project, there was no detection (as it does not use the SecurityManager class). In SpotBugs, I got 6 true positives and 0 false positives.

Results for Eclipse:
output_Eclipse.txt

Results for spotbugs Project:
5.0_SBTestRepoMessageandTestsFixing.txt

Detections by MET03-J in SpotBugs:
5.0_SBTestRepoMessageandTestsFixing_filtered.txt

Details and link to detections:
True Positive in javax.activation.CommandMap.setCommandMap: M V VSC: The method 'javax.activation.CommandMap.setDefaultCommandMap(CommandMap)' performs security check by using 'SecurityManager.checkSetFactory()' method of Security Manager Class, but is overrideable. Declare the method final or private in order to resolve the issue. At CommandMap.java:[line 57]

True Positive in [javax.activation.FileTypeMap.setDefaultFileTypeMap](https://github.com/kohsuke/javax.activation/blob/90efa5762cd2004076eb473b22e527ab02bd2e49/src/main/java/javax/activation/FileTypeMap.java#L98): M V VSC: The method 'javax.activation.FileTypeMap.setDefaultFileTypeMap(FileTypeMap)' performs security check by using 'SecurityManager.checkSetFactory()' method of Security Manager Class, but is overrideable. Declare the method final or private in order to resolve the issue. At FileTypeMap.java:[line 68]

True Positive in javax.activation.DataHandler.setDataContentHandlerFactory: M V VSC: The method 'javax.activation.DataHandler.setDataContentHandlerFactory(DataContentHandlerFactory)' performs security check by using 'SecurityManager.checkSetFactory()' method of Security Manager Class, but is overrideable. Declare the method final or private in order to resolve the issue. At DataHandler.java:[line 619]

True Positive in bugIdeas.Ideas_2011_08_10.setSecurityManager: M V VSC: The method 'bugIdeas.Ideas_2011_08_10.setSecurityManager(SecurityManager)' performs security check by using 'SecurityManager.checkPackageAccess(String)' method of Security Manager Class, but is overrideable. Declare the method final or private in order to resolve the issue. At Ideas_2011_08_10.java:[line 52]

True Positive in ReflectionIncreaseAccessibilityNegativeTest.create: M V VSC: The method 'ReflectionIncreaseAccessibilityNegativeTest.create(Class)' performs security check by using 'SecurityManager.checkPackageAccess(String)' method of Security Manager Class, but is overrideable. Declare the method final or private in order to resolve the issue. At ReflectionIncreaseAccessibilityNegativeTest.java:[line 21]

True Positive in (couldn't find the link. In the repo, this file is in a jar so couldn't get URL) M V VSC: The method 'javax.security.jacc.PolicyConfigurationFactory.getPolicyConfigurationFactory()' performs security check by using 'SecurityManager.checkPermission(Permission)' method of Security Manager Class, but is overrideable. Declare the method final or private in order to resolve the issue. At PolicyConfigurationFactory.java:[line 82]


Make sure these boxes are checked before submitting your PR -- thank you!

  • Added an entry into CHANGELOG.md if you have changed SpotBugs code
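The MET03-J pattern this detector reports, shown as an added illustration (a constructed example, not code from the PR or from SpotBugs' own test cases): a security check placed in an overridable method beside the same method declared final.

```java
// Constructed example of the MET03-J pattern the detector flags. SecurityManager
// is deprecated for removal since Java 17, but the structural defect (a security
// check living in a method a subclass can override) is what the detector checks.
public class Met03Example {

    // NONCOMPLIANT: the method performing the SecurityManager check is public and
    // non-final, so a subclass can override it and drop the check entirely.
    static class UnsafeFactoryHolder {
        protected Object factory;

        public void setFactory(Object newFactory) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkSetFactory();   // security check inside an overridable method
            }
            factory = newFactory;
        }
    }

    // An overriding subclass exposes the same method name but skips the check.
    // This override path is why the detector reports UnsafeFactoryHolder.setFactory.
    static class NoCheckFactoryHolder extends UnsafeFactoryHolder {
        @Override
        public void setFactory(Object newFactory) {
            factory = newFactory;   // check silently omitted
        }
    }

    // COMPLIANT: declaring the checking method final (private would also do) removes
    // the override path; any override attempt is now a compile-time error.
    static class SafeFactoryHolder {
        private Object factory;

        public final void setFactory(Object newFactory) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkSetFactory();
            }
            factory = newFactory;
        }
    }
}
```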

Added Checker as well.
Added test cases classes.
Added Checker as well.
Added test cases classes.
Added test class (JUnit) as well.
Added Checker as well.
Added test cases classes.
Added test class (JUnit) as well.
Edited the Changelog.md.
Added Checker as well.
Added test cases classes.
Added test class (JUnit) as well.
Edited the Changelog.md.
Fixed the formatting issues as well.
If one of the stream-returning methods (doubles, ints, or longs) is called on
Random or SecureRandom, don't report that the Random was only used once

Fixes spotbugs#2370
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…bugs#2376)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…potbugs#2377)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…2381)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#2385)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
spotbugs#2383)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#2382)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#2387)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#2390)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#2393)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…potbugs#2394)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Issue-543 Store Java class annotation names to PackageMemberAnnotations

* Issue-543 Store Java class annotation names to PackageMemberAnnotations

* Issue-543 Add AnnotationMatcher for filtering (with test cases)

* Issue-543 Extend SAX handler for AnnotationMatcher and classjas attr

* Issue-543 Fix whitespaces

* Issue-543 Add CHANGELOG entry

* Issue-543 Make compatible with Java 1.8

* Issue-543 Extract code to addJavaAnnotationNames method

* Issue-543 Update filter file xml schema

* Issue-543 Run spotlessApply

* Issue-543 Fix AnnotationMatcherTest

* Issue-543 Fix file header comments

* Issue-543 Use MethodHandles for logger

* Issue 543 Fix documentation

* Issue 543 Combine expressions when getting annotation type

* Issue 543 Rename attribute classjas to classAnnotationNames

* Issue-543 Fix whitespaces

* Issue-543: Fix typo

---------

Co-authored-by: Philipp Sadler <philipp.sadler@gebit.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…33.0 (spotbugs#2399)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…bugs#2403)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
spotbugs#2405)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
NazirMuhammadZafarIqbal and others added 23 commits May 21, 2023 23:23
Fixed bug reporting message.
Fixed the private methods with 1 usage only.
# Conflicts:
#	CHANGELOG.md
#	spotbugs/etc/findbugs.xml
#	spotbugs/etc/messages.xml
@NazirMuhammadZafarIqbal NazirMuhammadZafarIqbal changed the title MET03-J New detector for MET03-J Jun 18, 2023
@hazendaz hazendaz self-assigned this Jun 19, 2023
@hazendaz hazendaz merged commit 073d870 into spotbugs:master Jun 19, 2023
5 checks passed
@hazendaz hazendaz added this to the SpotBugs 4.8.0 milestone Dec 18, 2023