DevOps Development | Shift-Left Testing: Using Find Security Bugs to Check Code for Security Issues

Find Security Bugs is a plugin for SpotBugs aimed at security testing of the code of web and Android applications. It currently detects 141 different types of security vulnerability. It understands code that uses popular frameworks and libraries such as Spring MVC, Struts and Tapestry; integrates with IDEs (Eclipse, IntelliJ, Android Studio and NetBeans, through their SpotBugs/FindBugs plugins); provides a command-line interface so that it can run under Maven and Ant; and plugs into continuous-integration systems such as Jenkins and SonarQube. Every detected vulnerability is classified against the OWASP Top 10 and CWE, with a reference to guidance on fixing it.
Getting the package: download the ready-made Find Security Bugs package from the official site:
http://find-sec-bugs.github.io/download.htm
Using it from an IDE

  • Installing SpotBugs (Eclipse)
Search for SpotBugs in the Eclipse Marketplace, install the plugin with the default options, then restart Eclipse.

Importing Find Security Bugs into SpotBugs
Go to Eclipse -> Preferences -> Java -> FindBugs and, on the "Plugins and misc. settings" tab, import findsecbugs-plugin-1.11.0.jar.
Note: do not leave findsecbugs-plugin-*.jar on the Desktop or on the C: drive, or the jar may fail to load!

  • Installing SpotBugs (IDEA)
The IntelliJ IDEA setup is similar: install the SpotBugs plugin first, then import the Find Security Bugs jar.

Then configure the security rules.

Selecting the security checks (SQL injection, XSS, absolute and relative path traversal, and so on). Eclipse is used for the walkthrough here; the IDEA configuration is similar. Open the SpotBugs preferences page and tick the Security option, as shown in the screenshot:

Switch to the Detector configuration page, clear all selections first, then tick the detectors in the Security category, as shown in the screenshot:

Commonly used security check settings
The commonly used security detectors are those shown in the screenshot; in Eclipse, tick the entries in the corresponding column of the configuration that match them.

Scanning the project


Viewing the scan results: open the Bug Explorer view.

The security issues found by the scan can be reviewed there.

Note: SpotBugs scans .class files, so the project must compile successfully and produce .class files before it can be scanned!
Clicking the small bug icon next to a line of code shows the description of the security issue, the suggested fix, and the corresponding WASC/OWASP/CWE references.
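A common failure mode of this setup is a scan that silently reports nothing because the Security detectors were not ticked or the plugin jar did not load. A quick way to confirm the wiring is to compile a small canary class that contains patterns the scanner must report and check that they appear in the Bug Explorer. The class below is an added example, not code from the original article or from the Find Security Bugs project; each vulnerable method is paired with its fixed form, and the comment names the detector expected to fire. Because the tainted values here are plain method parameters rather than data traced from a servlet request, the injection findings may be reported at lower confidence; if one is missing, lower the minimum confidence in the SpotBugs preferences before concluding the setup is broken.

```java
// Added canary class (not part of the original article): deliberately contains patterns
// that Find Security Bugs reports, each next to its fixed form. Compile it, run the scan,
// and confirm the detectors named in the comments show up in the Bug Explorer.
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Random;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class FindSecBugsCanary {

    // Expected finding: PREDICTABLE_RANDOM. java.util.Random is seeded from the clock
    // and its state can be reconstructed from a few observed outputs.
    public static String weakResetToken() {
        return Long.toHexString(new Random().nextLong());
    }

    // Fixed: SecureRandom draws from the platform CSPRNG.
    public static String strongResetToken() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        StringBuilder hex = new StringBuilder();
        for (byte b : buf) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Expected finding: SQL_INJECTION_JDBC. The caller-supplied name becomes part of the
    // SQL grammar, so an input such as  ' OR '1'='1  rewrites the query.
    public static ResultSet findUserVulnerable(Connection conn, String name) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + name + "'");
    }

    // Fixed: a bound parameter is always data, never SQL.
    public static ResultSet findUserSafe(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Expected finding: WEAK_MESSAGE_DIGEST_MD5.
    public static byte[] weakDigest(String data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8));
    }

    // Fixed: SHA-256 (for password storage use a dedicated KDF such as PBKDF2 instead).
    public static byte[] strongDigest(String data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data.getBytes(StandardCharsets.UTF_8));
    }

    // Expected finding: XXE_DOCUMENT. A default DocumentBuilderFactory resolves external
    // entities, so a DOCTYPE in attacker-supplied XML can read local files or reach
    // internal hosts.
    public static Document parseVulnerable(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Fixed: refuse DOCTYPEs outright and disable external entity, DTD and schema access.
    public static Document parseSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
}
```

Keep the canary out of the production build (a test source set or a separate module is enough) once the setup has been verified, so that the intentional findings do not pollute real reports.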

Maven build
The code security check can also run during a Maven build: register Find Security Bugs as a plugin of spotbugs-maven-plugin in pom.xml.
pom.xml configuration
[...]
<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>4.0.4</version>
    <configuration>
        <effort>Max</effort>
        <threshold>medium</threshold>
        <failOnError>true</failOnError>
        <includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
        <excludeFilterFile>${session.executionRootDirectory}/spotbugs-security-exclude.xml</excludeFilterFile>
        <plugins>
            <plugin>
                <groupId>com.h3xstream.findsecbugs</groupId>
                <artifactId>findsecbugs-plugin</artifactId>
                <version>1.10.1</version>
            </plugin>
        </plugins>
    </configuration>
</plugin>
[...]

Specifying the types of security issue to detect: spotbugs-security-include.xml
The security issue types that were ticked in the IDE can be listed in spotbugs-security-include.xml, the file referenced by includeFilterFile; only findings that match it are reported.

In the same way, issue types that should not be reported go into the file referenced by excludeFilterFile.
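As an added example of the two filter files (their contents are not shown on the original page), both use the SpotBugs FindBugsFilter format, in which a Bug element can name individual patterns or a whole category and a Class element can select classes by name or by regular expression. The pattern list and the class names below are assumptions chosen to match the checks ticked in the IDE walkthrough above; com.example.report.LegacyExporter is a hypothetical class.

```xml
<!-- spotbugs-security-include.xml: only findings that match a <Match> here are reported -->
<FindBugsFilter>
    <Match>
        <!-- Either list individual Find Security Bugs patterns (comma separated) ... -->
        <Bug pattern="SQL_INJECTION_JDBC,SQL_INJECTION_SPRING_JDBC,PREDICTABLE_RANDOM,WEAK_MESSAGE_DIGEST_MD5,XXE_DOCUMENT,PATH_TRAVERSAL_IN,COMMAND_INJECTION,HARD_CODE_PASSWORD"/>
    </Match>
    <!-- ... or keep every Find Security Bugs detector with a single category match:
    <Match>
        <Bug category="SECURITY"/>
    </Match>
    -->
</FindBugsFilter>

<!-- spotbugs-security-exclude.xml: findings that match a <Match> here are suppressed -->
<FindBugsFilter>
    <!-- Generated code; the "~" prefix makes the name a regular expression. -->
    <Match>
        <Class name="~.*\.generated\..*"/>
    </Match>
    <!-- A reviewed false positive, narrowed to one pattern in one (hypothetical) class. -->
    <Match>
        <Class name="com.example.report.LegacyExporter"/>
        <Bug pattern="PATH_TRAVERSAL_IN"/>
    </Match>
</FindBugsFilter>
```

When both files are configured a finding has to match the include file and must not match the exclude file. Keep exclusions as narrow as a class plus a pattern: a bare Class match would also hide any new injection sink added to that class later.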
Build
mvn compile
mvn spotbugs:spotbugs
Results
  • GUI
mvn spotbugs:gui
  • XML report
The XML report is written to target/spotbugsXml.xml (the older findbugs-maven-plugin wrote target/findbugsXml.xml). To make the build fail on findings at or above the configured threshold instead of only writing the report, run mvn spotbugs:check.
Explanation of the vulnerabilities. For details of each security vulnerability, see the official site: https://find-sec-bugs.github.io/bugs.htm
Besides a description of each vulnerability, that page gives examples of both the vulnerable and the correct way to write the code. The bug patterns are:
Predictable pseudorandom number generator (PREDICTABLE_RANDOM)
Predictable pseudorandom number generator (Scala) (PREDICTABLE_RANDOM_SCALA)
Untrusted servlet parameter (SERVLET_PARAMETER)
Untrusted Content-Type header (SERVLET_CONTENT_TYPE)
Untrusted Hostname header (SERVLET_SERVER_NAME)
Untrusted session cookie value (SERVLET_SESSION_ID)
Untrusted query string (SERVLET_QUERY_STRING)
HTTP headers untrusted (SERVLET_HEADER)
Untrusted Referer header (SERVLET_HEADER_REFERER)
Untrusted User-Agent header (SERVLET_HEADER_USER_AGENT)
Potentially sensitive data in a cookie (COOKIE_USAGE)
Potential Path Traversal (file read) (PATH_TRAVERSAL_IN)
Potential Path Traversal (file write) (PATH_TRAVERSAL_OUT)
Potential Path Traversal using Scala API (file read) (SCALA_PATH_TRAVERSAL_IN)
Potential Command Injection (COMMAND_INJECTION)
Potential Command Injection (Scala) (SCALA_COMMAND_INJECTION)
FilenameUtils not filtering null bytes (WEAK_FILENAMEUTILS)
TrustManager that accept any certificates (WEAK_TRUST_MANAGER)
HostnameVerifier that accept any signed certificates (WEAK_HOSTNAME_VERIFIER)
Found JAX-WS SOAP endpoint (JAXWS_ENDPOINT)
Found JAX-RS REST endpoint (JAXRS_ENDPOINT)
Found Tapestry page (TAPESTRY_ENDPOINT)
Found Wicket WebPage (WICKET_ENDPOINT)
MD2, MD4 and MD5 are weak hash functions (WEAK_MESSAGE_DIGEST_MD5)
SHA-1 is a weak hash function (WEAK_MESSAGE_DIGEST_SHA1)
DefaultHttpClient with default constructor is not compatible with TLS 1.2 (DEFAULT_HTTP_CLIENT)
Weak SSLContext (SSL_CONTEXT)
Message digest is custom (CUSTOM_MESSAGE_DIGEST)
Tainted filename read (FILE_UPLOAD_FILENAME)
Regex DOS (ReDOS) (REDOS)
XML parsing vulnerable to XXE (XMLStreamReader) (XXE_XMLSTREAMREADER)
XML parsing vulnerable to XXE (XPathExpression) (XXE_XPATH)
XML parsing vulnerable to XXE (SAXParser) (XXE_SAXPARSER)
XML parsing vulnerable to XXE (XMLReader) (XXE_XMLREADER)
XML parsing vulnerable to XXE (DocumentBuilder) (XXE_DOCUMENT)
XML parsing vulnerable to XXE (TransformerFactory) (XXE_DTD_TRANSFORM_FACTORY)
XSLT parsing vulnerable to XXE (TransformerFactory) (XXE_XSLT_TRANSFORM_FACTORY)
Potential XPath Injection (XPATH_INJECTION)
Found Struts 1 endpoint (STRUTS1_ENDPOINT)
Found Struts 2 endpoint (STRUTS2_ENDPOINT)
Found Spring endpoint (SPRING_ENDPOINT)
Spring CSRF protection disabled (SPRING_CSRF_PROTECTION_DISABLED)
Spring CSRF unrestricted RequestMapping (SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)
Potential injection (custom) (CUSTOM_INJECTION)
Potential SQL Injection (SQL_INJECTION)
Potential SQL Injection with Turbine (SQL_INJECTION_TURBINE)
Potential SQL/HQL Injection (Hibernate) (SQL_INJECTION_HIBERNATE)
Potential SQL/JDOQL Injection (JDO) (SQL_INJECTION_JDO)
Potential SQL/JPQL Injection (JPA) (SQL_INJECTION_JPA)
Potential JDBC Injection (Spring JDBC) (SQL_INJECTION_SPRING_JDBC)
Potential JDBC Injection (SQL_INJECTION_JDBC)
Potential Scala Slick Injection (SCALA_SQL_INJECTION_SLICK)
Potential Scala Anorm Injection (SCALA_SQL_INJECTION_ANORM)
Potential SQL Injection with Vert.x Sql Client (SQL_INJECTION_VERTX)
Potential Android SQL Injection (SQL_INJECTION_ANDROID)
Potential LDAP Injection (LDAP_INJECTION)
Potential code injection when using Script Engine (SCRIPT_ENGINE_INJECTION)
Potential code injection when using Spring Expression (SPEL_INJECTION)
Potential code injection when using Expression Language (EL) (EL_INJECTION)
Potential code injection in Seam logging call (SEAM_LOG_INJECTION)
Potential code injection when using OGNL expression (OGNL_INJECTION)
Potential code injection when using GroovyShell (GROOVY_SHELL)
Potential HTTP Response Splitting (HTTP_RESPONSE_SPLITTING)
Potential CRLF Injection for logs (CRLF_INJECTION_LOGS)
Potential external control of configuration (EXTERNAL_CONFIG_CONTROL)
Bad hexadecimal concatenation (BAD_HEXA_CONVERSION)
Hazelcast symmetric encryption (HAZELCAST_SYMMETRIC_ENCRYPTION)
NullCipher is insecure (NULL_CIPHER)
Unencrypted Socket (UNENCRYPTED_SOCKET)
Unencrypted Server Socket (UNENCRYPTED_SERVER_SOCKET)
DES is insecure (DES_USAGE)
DESede is insecure (TDES_USAGE)
RSA with no padding is insecure (RSA_NO_PADDING)
Hard coded password (HARD_CODE_PASSWORD)
Hard coded key (HARD_CODE_KEY)
Unsafe hash equals (UNSAFE_HASH_EQUALS)
Struts Form without input validation (STRUTS_FORM_VALIDATION)
XSSRequestWrapper is a weak XSS protection (XSS_REQUEST_WRAPPER)
Blowfish usage with short key (BLOWFISH_KEY_SIZE)
RSA usage with short key (RSA_KEY_SIZE)
Unvalidated Redirect (UNVALIDATED_REDIRECT)
Unvalidated Redirect (Play Framework) (PLAY_UNVALIDATED_REDIRECT)
Spring Unvalidated Redirect (SPRING_UNVALIDATED_REDIRECT)
Unexpected property leak (ENTITY_LEAK)
Mass assignment (ENTITY_MASS_ASSIGNMENT)
Dynamic JSP inclusion (JSP_INCLUDE)
Dynamic variable in Spring expression (JSP_SPRING_EVAL)
Escaping of special XML characters is disabled (JSP_JSTL_OUT)
Potential XSS in JSP (XSS_JSP_PRINT)
Potential XSS in Servlet (XSS_SERVLET)
XMLDecoder usage (XML_DECODER)
Static IV (STATIC_IV)
ECB mode is insecure (ECB_MODE)
Cipher is susceptible to Padding Oracle (PADDING_ORACLE)
Cipher with no integrity (CIPHER_INTEGRITY)
Use of ESAPI Encryptor (ESAPI_ENCRYPTOR)
External file access (Android) (ANDROID_EXTERNAL_FILE_ACCESS)
Broadcast (Android) (ANDROID_BROADCAST)
World writable file (Android) (ANDROID_WORLD_WRITABLE)
WebView with geolocation activated (Android) (ANDROID_GEOLOCATION)
WebView with JavaScript enabled (Android) (ANDROID_WEB_VIEW_JAVASCRIPT)
WebView with JavaScript interface (Android) (ANDROID_WEB_VIEW_JAVASCRIPT_INTERFACE)
Cookie without the secure flag (INSECURE_COOKIE)
Cookie without the HttpOnly flag (HTTPONLY_COOKIE)
Object deserialization is used (OBJECT_DESERIALIZATION)
Unsafe Jackson deserialization configuration (JACKSON_UNSAFE_DESERIALIZATION)
This class could be used as deserialization gadget (DESERIALIZATION_GADGET)
Trust Boundary Violation (TRUST_BOUNDARY_VIOLATION)
A malicious XSLT could be provided to the JSP tag (JSP_XSLT)
A malicious XSLT could be provided (MALICIOUS_XSLT)
Potential information leakage in Scala Play (SCALA_SENSITIVE_DATA_EXPOSURE)
Scala Play Server-Side Request Forgery (SSRF) (SCALA_PLAY_SSRF)
URLConnection Server-Side Request Forgery (SSRF) and File Disclosure (URLCONNECTION_SSRF_FD)
Potential XSS in Scala Twirl template engine (SCALA_XSS_TWIRL)
Potential XSS in Scala MVC API engine (SCALA_XSS_MVC_API)
Potential template injection with Velocity (TEMPLATE_INJECTION_VELOCITY)
Potential template injection with Freemarker (TEMPLATE_INJECTION_FREEMARKER)
Potential template injection with Pebble (TEMPLATE_INJECTION_PEBBLE)
Overly permissive CORS policy (PERMISSIVE_CORS)
Anonymous LDAP bind (LDAP_ANONYMOUS)
LDAP Entry Poisoning (LDAP_ENTRY_POISONING)
Persistent Cookie Usage (COOKIE_PERSISTENT)
URL rewriting method (URL_REWRITING)
