[Research] FindBugs, SpotBugs, OWASP Find Security Bugs and Source Code Security Testing
2020-11-13
FindBugs official website
http://findbugs.sourceforge.net/
FindBugs - Wikipedia, the free encyclopedia
https://zh.wikipedia.org/zh-tw/FindBugs
The last FindBugs release was 3.0.1, published on 06 March, 2015; it has not been updated in years.
http://findbugs.sourceforge.net/downloads.html
FindBugs Git repository
https://github.com/findbugsproject/findbugs
The FindBugs official website does not mention SpotBugs, but the GitHub page states that SpotBugs is its successor.
FindBugs is now SpotBugs
********************************************************************************
SpotBugs website
SpotBugs installation
https://spotbugs.readthedocs.io/en/stable/installing.html
SpotBugs has the categories Malicious code vulnerability (MALICIOUS_CODE) and Security (SECURITY)
https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html
OWASP Find Security Bugs
https://owasp.org/www-project-find-security-bugs/
Find Security Bugs is a SpotBugs plugin for security audits
OWASP Find Security Bugs is a security audit plugin for SpotBugs.
********************************************************************************
Some people use FindBugs or SpotBugs for security testing of source code.
Frankly, as the name says, these tools are mainly for finding bugs (Java is supported, .NET is not); security testing is not their main purpose.
Their detection capability falls far short of commercial tools such as Micro Focus Fortify SCA (Source Code Analyzer) or Checkmarx.
Details of the Security and Malicious code vulnerability patterns supported by FindBugs
http://findbugs.sourceforge.net/bugDescriptions.html
Malicious code vulnerability
DP: Classloaders should only be created inside doPrivileged block
DP: Method invoked that should be only be invoked inside a doPrivileged block
EI: May expose internal representation by returning reference to mutable object
EI2: May expose internal representation by incorporating reference to mutable object
FI: Finalizer should be protected, not public
MS: May expose internal static state by storing a mutable object into a static field
MS: Field isn't final and can't be protected from malicious code
MS: Public static method may expose internal representation by returning array
MS: Field should be both final and package protected
MS: Field is a mutable array
MS: Field is a mutable collection
MS: Field is a mutable collection which should be package protected
MS: Field is a mutable Hashtable
MS: Field should be moved out of an interface and made package protected
MS: Field should be package protected
MS: Field isn't final but should be
MS: Field isn't final but should be refactored to be so
Security
Dm: Hardcoded constant database password
Dm: Empty database password
HRS: HTTP cookie formed from untrusted input
HRS: HTTP Response splitting vulnerability
PT: Absolute path traversal in servlet
PT: Relative path traversal in servlet
SQL: Nonconstant string passed to execute or addBatch method on an SQL statement
SQL: A prepared statement is generated from a nonconstant String
XSS: JSP reflected cross site scripting vulnerability
XSS: Servlet reflected cross site scripting vulnerability in error page
XSS: Servlet reflected cross site scripting vulnerability
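As an added illustration (not code from the original post or from the FindBugs/SpotBugs project), the class below contains small methods that match four of the patterns listed above (MS mutable static field, EI exposed mutable object, SQL nonconstant query string, Dm hardcoded database password), each beside a version that does not trigger the detector. The class name, the JDBC URL, the table and column names and the DB_PASSWORD environment variable are all assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Hypothetical class written for this example; it is not part of any real project.
public class DetectorPatterns {

    // MS: "Field should be both final and package protected" / "Field is a mutable array".
    // A public, non-final static array can be replaced or have its elements changed
    // by any class on the classpath, so an authorisation list kept here is not trustworthy.
    public static String[] ALLOWED_ROLES = {"user", "admin"};

    // Hardened: private, final, and exposed only through an unmodifiable view.
    private static final List<String> ALLOWED_ROLES_SAFE =
            Collections.unmodifiableList(Arrays.asList("user", "admin"));

    public static List<String> allowedRoles() {
        return ALLOWED_ROLES_SAFE;
    }

    private final Date createdAt = new Date();

    // EI: "May expose internal representation by returning reference to mutable object".
    // java.util.Date is mutable, so the caller can call setTime() on this object's own field.
    public Date getCreatedAtExposed() {
        return createdAt;
    }

    // Hardened: return a defensive copy; the caller cannot reach the internal field.
    public Date getCreatedAt() {
        return new Date(createdAt.getTime());
    }

    // SQL: "Nonconstant string passed to execute or addBatch method on an SQL statement".
    // The query text is built from a parameter, which is what the detector flags.
    public static ResultSet findUserVulnerable(Connection conn, String username)
            throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + username + "'");
    }

    // Hardened: the query text is a compile-time constant and the input is bound as a
    // parameter, so the detector (and the database) sees data, not query syntax.
    public static ResultSet findUser(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Dm: "Hardcoded constant database password". The JDBC URL is a placeholder.
    public static Connection connectVulnerable() throws SQLException {
        return DriverManager.getConnection(
                "jdbc:postgresql://db.example/app", "app", "s3cret");  // constant literal
    }

    // Hardened: the secret is read at runtime (environment variable assumed here;
    // a secrets manager works the same way) and is never present in the source or bytecode.
    public static Connection connect() throws SQLException {
        String password = System.getenv("DB_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return DriverManager.getConnection("jdbc:postgresql://db.example/app", "app", password);
    }
}
```

Running SpotBugs over the compiled class reports the four "vulnerable" members and stays silent on their hardened counterparts; note that these detectors work on bytecode patterns (a literal passed to getConnection, a non-constant string passed to executeQuery), so a password loaded from a config file that is itself committed to the repository, or a query assembled in another method, will not be reported. That gap is the reason the post calls the tools primarily bug finders rather than security analyzers.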
That is the full extent of what it can do.
(End)
Related
Java code inspection: FindBugs or SpotBugs
https://matthung0807.blogspot.com/2019/07/java-findbugs-or-spotbugs.html