find-sec-bugs | SpotBugs plugin for security audits | Code Analyzer library
kandi X-RAY | find-sec-bugs Summary
The SpotBugs plugin for security audits of Java web applications and Android applications. (It also works with Kotlin, Groovy and Scala projects, because SpotBugs analyzes compiled JVM bytecode rather than source.)
Community Discussions
QUESTION
I have been trying to scan my code by using SonarQube + FindBugs + FindSecBugs plugins.
The idea is to detect vulnerabilities in the code, and as it says in the github project subject, it works with scala https://github.com/find-sec-bugs/find-sec-bugs
I have installed the plugin as the documentation says, and tried a few scans but nothing related to vulnerabilities in scala is coming up.
So, in order to figure out if the code was really good or there was a misconfiguration on my SonarQube settings, I went to http://find-sec-bugs.github.io/bugs.htm, I took one of the examples (Potential Path Traversal), inserted the example code and I ran the scanner again. It was not found.
The rule (Security - Potential Path Traversal (file read)) is activated in the Quality Profile, and despite it being a Java profile, it is assigned to the project, since the code in the mentioned example is Scala.
I noticed that all the rules coming from find-sec-bugs are java ones, so I'm wondering if they don't work on scala or there is something else I can do to make it work.
Thanks in advance, and let me know if you need any extra information, I'd be glad to provide you.
ANSWER
Answered 2018-Dec-06 at 13:34
Looks like the main reason for that to happen is that Scala bug patterns are explicitly excluded for some reason:
There are plenty of limitations with the SonarQube architecture regarding multi-language support. It is closely tied to the sonar-source plugin design.
- Languages can't have the same extension (https://jira.sonarsource.com/browse/MMF-672)
- A repository can't contain rules that apply to multiple languages. (If you had Scala-only code, the Java core rules would not be enabled unless you have one Java file present)
- Sensors are coupled to the language definition (depends on the most popular plugin that declares it).
- etc, etc..
Source: https://github.com/spotbugs/sonar-findbugs/issues/108#issuecomment-305909652
All the exclusions can be seen here: https://github.com/spotbugs/sonar-findbugs/commit/526ca6b29fae2684f86b1deba074a4be8a05b67e
Particularly, for Scala:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install find-sec-bugs
find-sec-bugs is not a library you add to your application's classpath; it is a plugin jar that SpotBugs loads at analysis time. Install it the way SpotBugs loads plugins: through the `spotbugs-maven-plugin` or the Gradle SpotBugs plugin, which declare plugin jars as part of their configuration, or by passing the plugin jar to the SpotBugs command-line tool. Using a build tool with dependency management (Maven or Gradle) is the recommended route, because it also fetches the correct SpotBugs core version. For Maven installation, refer to maven.apache.org; for Gradle installation, refer to gradle.org. Because the analysis runs on compiled classes, the same setup covers Kotlin, Groovy and Scala modules that compile to JVM bytecode.
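The following Maven fragment is an added example of wiring find-sec-bugs into a build through `spotbugs-maven-plugin`; it is not copied from this page or from the project's own documentation. The Maven coordinates (`com.github.spotbugs:spotbugs-maven-plugin` and `com.h3xstream.findsecbugs:findsecbugs-plugin`) are the published ones, but the plugin versions shown are placeholders to be replaced with pinned releases, and the path `spotbugs-security-include.xml` is an assumed filename for a filter you create yourself.

```xml
<!-- pom.xml fragment (added example, not from the project). Runs SpotBugs with the
     find-sec-bugs detectors on the module's compiled classes during `mvn verify`. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <!-- Placeholder: pin to a real spotbugs-maven-plugin release. -->
      <version>REPLACE_WITH_PINNED_VERSION</version>
      <configuration>
        <!-- Max effort and Low threshold keep taint-analysis findings from being pruned. -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <!-- Break the build when a finding is reported. -->
        <failOnError>true</failOnError>
        <!-- Assumed filename: a FindBugsFilter that keeps only the SECURITY category
             so the report is not flooded with general SpotBugs findings. -->
        <includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
        <plugins>
          <!-- This is what loads find-sec-bugs: a plugin jar for SpotBugs, not a
               compile-scope dependency of the application. -->
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <!-- Placeholder: pin to a real findsecbugs-plugin release. -->
            <version>REPLACE_WITH_PINNED_VERSION</version>
          </plugin>
        </plugins>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
          <phase>verify</phase>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The include filter referenced above is a standard SpotBugs `FindBugsFilter` document whose single `Match` element contains `<Bug category="SECURITY"/>`. Because `spotbugs-maven-plugin` analyzes whatever is in the module's output directory, this configuration also picks up classes produced by the Scala or Kotlin compiler, so it is a way to run the find-sec-bugs Scala patterns directly when a SonarQube integration excludes them, as the discussion above describes.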