Questions tagged [find-sec-bugs]

Use the find-sec-bugs tag for questions specifically about the Find Security Bugs plugin for SpotBugs.

Find Security Bugs (or "find-sec-bugs") is a SpotBugs plugin for security audits of Java web applications. It adds detectors to SpotBugs, which ships with only a few detectors dedicated to security by default. It can detect many vulnerability types, including command injection, XPath injection, SQL/HQL injection, cryptographic weaknesses and many more.

The software is licensed under LGPL just like .

For more information, visit the official website.

25 questions
4 votes · 1 answer

How to mark a false positive in a SpotBugs report

I went through the documentation of SpotBugs https://spotbugs.readthedocs.io/en/stable/ However, information on false positives is not comprehensive. Kindly help me with the steps to mark certain bugs reported as false positives so that those are not…
asked by subir (310 · 4 · 13)
3 votes · 1 answer

Path traversal vulnerabilities not found in Scala code

I have been trying to scan my code by using SonarQube + FindBugs + FindSecBugs plugins. The idea is to detect vulnerabilities in the code, and as it says in the GitHub project subject, it works with Scala…
asked by Maxi Lagos (33 · 2)
2 votes · 1 answer

The jar file provided by the Maven repository does not include class files

I need to use BaseDetectorTest, provided by one of the SpotBugs extension libraries. I added the Maven dependency (FindBugs Test Utility), but it does not include the BaseDetectorTest class file. (Once Maven is updated, the jar file is added to the…
2 votes · 1 answer

False positive for Spring LDAP from findbugs-sec-plugin

It looks like it does not take into account that Filter.toString/encode can actually encode an LDAP filter correctly. So if I have something like Filter filter = blahblah; ldapTemplate.search("", filter.toString()); it would flag that this…
asked by Nat (3,587 · 20 · 22)
2 votes · 1 answer

Simple Gradle file using SpotBugs and Find Security Bugs?

Does anyone have a basic Gradle file for Gradle 5.X using the "old" form of plugin entry, that uses both SpotBugs and find-security-bugs, and that, when ./gradlew clean build is run, will execute both SpotBugs and security bugs? I can get SpotBugs…
asked by bharal (15,461 · 36 · 117 · 195)
2 votes · 1 answer

Is there any SAST tool for Workfusion code?

Currently I'm involved in a project for implementing security code reviews for Workfusion bots. Workfusion can handle a mix of Java and Groovy code embedded in XML files or standalone code. My team is trying to assess if it's possible to use any…
2 votes · 2 answers

False positives for SQL injection from find-sec-bugs

We're using find-sec-bugs with FindBugs to find potential problems in our code. We're using Spring JdbcTemplate for our DB access, and find-sec-bugs seems to think we have SQL injection vulnerabilities all over the place. The simplest example is as…
asked by dnc253 (39,967 · 41 · 141 · 157)
1 vote · 1 answer

Sonar and findsecbugs: potential code injection when using Spring Expression

We have a spring-boot (2.4.2) application and an Aspect class that does some handling "Around" methods annotated with a custom annotation, defined by us, and using SpEL handling. The SpEL expressions are defined as fields in the annotation, by…
asked by razvanone (1,351 · 18 · 27)
1 vote · 1 answer

How to resolve an HTTP Parameter Pollution warning?

While checking for FindSecBugs warnings in my Scala-based application, I encountered an HTTP Parameter Pollution warning with the message: Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request…
1 vote · 0 answers

Scala inner class, find-sec-bugs PREDICTABLE_RANDOM_SCALA

I want to improve detection of PREDICTABLE_RANDOM_SCALA code, where methodName contains 'token', 'id', 'csrf', etc.: find-sec-bugs' existing detection logic, but in Scala. The Scala source code and javap -v output are shown below. class PredictableRandomScala { def…
asked by acceler (31 · 4)
1 vote · 1 answer

How can I run only defined detectors in find-sec-bugs?

I'd like to run a findsecbugs scan (CLI version) against multiple jars and I only want it to check for issues related to bad usage of crypto functions (like using MD5). How can I tell findsecbugs to only use detectors defined by me? Thank you!
asked by pinas (2,708 · 4 · 21 · 33)
1 vote · 0 answers

Detecting information leakage in Find Sec Bugs via taint analysis and custom annotations

Does Find Sec Bugs allow one to define sensitive sources and sinks via annotations, like other static analysis tools such as the Checker Framework? Right now I only see sources/sinks being defined in config files like so:…
asked by Anton (11 · 2)
1 vote · 0 answers

How do I configure the Maven FindBugs reporting plugin to link bug patterns to the correct site?

I use the FindBugs Maven plugin to generate a report for my projects that provides a summary of issues that FindBugs has found. I also use plugins such as the Find Security Bugs plugin to find additional potential issues. When I look at the…
asked by Jason Thompson (4,643 · 5 · 50 · 74)
1 vote · 1 answer

Find Security Bugs - Real SQL injection or false positive?

I am using FindBugs along with the plugin Find Security Bugs to help me find security flaws in my code. I am not sure why some code is flagged as vulnerable to SQL injection. Here are two examples: final StringBuilder queryString = new…
asked by Flanfl (516 · 8 · 29)
0 votes · 0 answers

How to debug a detector test in IntelliJ IDEA?

I'm new to Find-Sec-Bugs (FSB) and want to trace through analysis steps by debugging the HttpParameterPollutionDetectorTest test in the IntelliJ IDE. I've successfully run all tests with Maven, but when I start to run/debug the…