Find Security Bugs is a SpotBugs plugin used mainly for security testing of web and Android application code. It currently detects 141 different types of security vulnerabilities. It supports code built on most mainstream frameworks and libraries, including Spring MVC, Struts and Tapestry; it integrates with IDEs (it works with the FindBugs/SpotBugs plugins in Eclipse, IntelliJ, Android Studio and NetBeans), provides a command-line interface for use with Maven and Ant, and supports continuous integration with systems such as Jenkins and SonarQube. Detected vulnerabilities are classified against the OWASP Top 10 and CWE, and a fix reference is provided for each.

Getting the package: download the ready-to-use Find Security Bugs package from the official website.

http://find-sec-bugs.github.io/download.htm

Using it in an IDE

  • Installing SpotBugs (Eclipse)

Search for SpotBugs in the Eclipse Marketplace, install the plugin with the default options, then restart Eclipse.

Importing Find Security Bugs into SpotBugs

Go to Eclipse -> Preferences -> Java -> FindBugs, and on the "Plugins and misc. settings" tab import findsecbugs-plugin-1.11.0.jar.

Note: do not place findsecbugs-plugin-*.jar on the desktop or on the C: drive, otherwise the jar may fail to load!

  • Installing SpotBugs (IDEA)

The IntelliJ configuration is as follows: first install the SpotBugs plugin, then import the Find Security Bugs jar.

Then configure the security rules.


Selecting the security checks (SQL injection, XSS, absolute and relative path vulnerabilities, etc.)

Eclipse is used as the example here; the IDEA configuration is similar. Open the SpotBugs configuration page and tick the Security option, as shown in the figure below:

Switch to the detector configuration page, first clear all selections, then tick the entries under Security in the Category column, as shown in the figure below:

Commonly used security check settings

The commonly used security checks are shown in the figure below; simply find and tick the matching entries in the Eclipse configuration.


Scanning the project


Viewing the scan results

Open the Bug Explorer view

to see the security issues found by the scan.

Note: SpotBugs scans .class files, so the project must compile successfully and produce .class files first!

Click the bug icon next to a line of code to see the description of the security issue, the recommended fix and the corresponding WASC / OWASP / CWE references.


Maven build

The code security checks can also run as part of the Maven build.

pom.xml configuration

[...]
<build>
  <plugins>
    [...]
    <!-- SpotBugs Static Analysis -->
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>4.0.4</version>
      <configuration>
        <effort>Max</effort>
        <threshold>medium</threshold>
        <failOnError>true</failOnError>
        <includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
        <excludeFilterFile>${session.executionRootDirectory}/spotbugs-security-exclude.xml</excludeFilterFile>
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>1.10.1</version>
          </plugin>
        </plugins>
      </configuration>
    </plugin>
  </plugins>
</build>

Specifying which security issue types to detect

/spotbugs-security-include.xml

The security issue types that we want checked in the IDE can be added to the spotbugs-security-include.xml file:

<FindBugsFilter>
  <Match>
    <Bug category="SECURITY"/>
  </Match>
</FindBugsFilter>

In the same way, issue types that should not be checked can be listed in the excludeFilterFile.

Build commands

mvn compile

mvn spotbugs:spotbugs

Reports

  • GUI

mvn spotbugs:gui

  • XML report

The XML report is written to target/findbugsXml.xml

Vulnerability explanations

For details on each type of vulnerability, see the official site: https://find-sec-bugs.github.io/bugs.htm

It gives not only a detailed description of each vulnerability but also examples of the incorrect and the correct way to write the code.
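Before trusting a clean report from the IDE or Maven setup above, it is worth scanning a class whose findings are known in advance. The class below is an added example, not code from the original article or from the Find Security Bugs project: each method pair puts the incorrect form next to the corrected form for four of the detectors listed further down (PREDICTABLE_RANDOM, SQL_INJECTION_JDBC, WEAK_MESSAGE_DIGEST_MD5, PATH_TRAVERSAL_IN). The package, class and method names and the upload directory are assumptions chosen for this example.

```java
// Added example (not from the original article or the Find Security Bugs project):
// a "canary" class with four known findings next to their corrected forms. Compile it,
// run `mvn spotbugs:spotbugs` (or the IDE scan) and confirm the four incorrect methods
// show up in the report; if they do not, the security detectors are not enabled.
package example; // hypothetical package

import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Random;

public class SecurityScanCanary {

    // Hypothetical upload directory used by the path traversal pair below.
    private static final String UPLOAD_ROOT = "/var/app/uploads";

    // --- PREDICTABLE_RANDOM -------------------------------------------------
    // Meant to trigger the detector: java.util.Random is predictable and must not
    // be used for session ids, reset tokens or anything an attacker could guess.
    public static String weakToken() {
        return Long.toHexString(new Random().nextLong());
    }

    // Corrected form: a cryptographically secure generator, no finding expected.
    public static String strongToken() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // --- SQL_INJECTION_JDBC -------------------------------------------------
    // Meant to trigger the detector: the username is concatenated into SQL text.
    public static ResultSet findUserUnsafe(Connection c, String username) throws SQLException {
        Statement st = c.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + username + "'");
    }

    // Corrected form: the value travels as a bind parameter, never as SQL text.
    public static ResultSet findUserSafe(Connection c, String username) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // --- WEAK_MESSAGE_DIGEST_MD5 --------------------------------------------
    // Meant to trigger the detector: MD5 is not collision resistant.
    public static byte[] weakDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);
    }

    // Corrected form: SHA-256.
    public static byte[] strongDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // --- PATH_TRAVERSAL_IN --------------------------------------------------
    // Meant to trigger the detector: a caller-supplied name is joined to the
    // upload root with no check, so "../" sequences could leave the directory.
    public static Path uploadPathUnsafe(String fileName) {
        return Paths.get(UPLOAD_ROOT, fileName);
    }

    // Corrected form: normalise the result and confirm it is still under the root.
    // The taint analysis does not understand the startsWith check, so this method
    // may still be reported; after review that is the case for excludeFilterFile.
    public static Path uploadPathSafe(String fileName) {
        Path root = Paths.get(UPLOAD_ROOT).toAbsolutePath().normalize();
        Path p = root.resolve(fileName).normalize();
        if (!p.startsWith(root)) {
            throw new IllegalArgumentException("file name escapes the upload root");
        }
        return p;
    }
}
```

Because the parameters of these methods have no known taint source, Find Security Bugs reports them at its normal (medium) priority, which is why the pom.xml configuration above sets the threshold to medium rather than high; a canary like this is the quickest way to see whether a threshold change has silenced an entire class of findings.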

Predictable pseudorandom number generator (PREDICTABLE_RANDOM)

Predictable pseudorandom number generator (Scala) (PREDICTABLE_RANDOM_SCALA)

Untrusted servlet parameter (SERVLET_PARAMETER)

Untrusted Content-Type header (SERVLET_CONTENT_TYPE)

Untrusted Hostname header (SERVLET_SERVER_NAME)

Untrusted session cookie value (SERVLET_SESSION_ID)

Untrusted query string (SERVLET_QUERY_STRING)

HTTP headers untrusted (SERVLET_HEADER)

Untrusted Referer header (SERVLET_HEADER_REFERER)

Untrusted User-Agent header (SERVLET_HEADER_USER_AGENT)

Potentially sensitive data in a cookie (COOKIE_USAGE)

Potential Path Traversal (file read) (PATH_TRAVERSAL_IN)

Potential Path Traversal (file write) (PATH_TRAVERSAL_OUT)

Potential Path Traversal using Scala API (file read) (SCALA_PATH_TRAVERSAL_IN)

Potential Command Injection (COMMAND_INJECTION)

Potential Command Injection (Scala) (SCALA_COMMAND_INJECTION)

FilenameUtils not filtering null bytes (WEAK_FILENAMEUTILS)

TrustManager that accept any certificates (WEAK_TRUST_MANAGER)

HostnameVerifier that accept any signed certificates (WEAK_HOSTNAME_VERIFIER)

Found JAX-WS SOAP endpoint (JAXWS_ENDPOINT)

Found JAX-RS REST endpoint (JAXRS_ENDPOINT)

Found Tapestry page (TAPESTRY_ENDPOINT)

Found Wicket WebPage (WICKET_ENDPOINT)

MD2, MD4 and MD5 are weak hash functions (WEAK_MESSAGE_DIGEST_MD5)

SHA-1 is a weak hash function (WEAK_MESSAGE_DIGEST_SHA1)

DefaultHttpClient with default constructor is not compatible with TLS 1.2 (DEFAULT_HTTP_CLIENT)

Weak SSLContext (SSL_CONTEXT)

Message digest is custom (CUSTOM_MESSAGE_DIGEST)

Tainted filename read (FILE_UPLOAD_FILENAME)

Regex DOS (ReDOS) (REDOS)

XML parsing vulnerable to XXE (XMLStreamReader) (XXE_XMLSTREAMREADER)

XML parsing vulnerable to XXE (XPathExpression) (XXE_XPATH)

XML parsing vulnerable to XXE (SAXParser) (XXE_SAXPARSER)

XML parsing vulnerable to XXE (XMLReader) (XXE_XMLREADER)

XML parsing vulnerable to XXE (DocumentBuilder) (XXE_DOCUMENT)

XML parsing vulnerable to XXE (TransformerFactory) (XXE_DTD_TRANSFORM_FACTORY)

XSLT parsing vulnerable to XXE (TransformerFactory) (XXE_XSLT_TRANSFORM_FACTORY)

Potential XPath Injection (XPATH_INJECTION)

Found Struts 1 endpoint (STRUTS1_ENDPOINT)

Found Struts 2 endpoint (STRUTS2_ENDPOINT)

Found Spring endpoint (SPRING_ENDPOINT)

Spring CSRF protection disabled (SPRING_CSRF_PROTECTION_DISABLED)

Spring CSRF unrestricted RequestMapping (SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)

Potential injection (custom) (CUSTOM_INJECTION)

Potential SQL Injection (SQL_INJECTION)

Potential SQL Injection with Turbine (SQL_INJECTION_TURBINE)

Potential SQL/HQL Injection (Hibernate) (SQL_INJECTION_HIBERNATE)

Potential SQL/JDOQL Injection (JDO) (SQL_INJECTION_JDO)

Potential SQL/JPQL Injection (JPA) (SQL_INJECTION_JPA)

Potential JDBC Injection (Spring JDBC) (SQL_INJECTION_SPRING_JDBC)

Potential JDBC Injection (SQL_INJECTION_JDBC)

Potential Scala Slick Injection (SCALA_SQL_INJECTION_SLICK)

Potential Scala Anorm Injection (SCALA_SQL_INJECTION_ANORM)

Potential SQL Injection with Vert.x Sql Client (SQL_INJECTION_VERTX)

Potential Android SQL Injection (SQL_INJECTION_ANDROID)

Potential LDAP Injection (LDAP_INJECTION)

Potential code injection when using Script Engine (SCRIPT_ENGINE_INJECTION)

Potential code injection when using Spring Expression (SPEL_INJECTION)

Potential code injection when using Expression Language (EL) (EL_INJECTION)

Potential code injection in Seam logging call (SEAM_LOG_INJECTION)

Potential code injection when using OGNL expression (OGNL_INJECTION)

Potential code injection when using GroovyShell (GROOVY_SHELL)

Potential HTTP Response Splitting (HTTP_RESPONSE_SPLITTING)

Potential CRLF Injection for logs (CRLF_INJECTION_LOGS)

Potential external control of configuration (EXTERNAL_CONFIG_CONTROL)

Bad hexadecimal concatenation (BAD_HEXA_CONVERSION)

Hazelcast symmetric encryption (HAZELCAST_SYMMETRIC_ENCRYPTION)

NullCipher is insecure (NULL_CIPHER)

Unencrypted Socket (UNENCRYPTED_SOCKET)

Unencrypted Server Socket (UNENCRYPTED_SERVER_SOCKET)

DES is insecure (DES_USAGE)

DESede is insecure (TDES_USAGE)

RSA with no padding is insecure (RSA_NO_PADDING)

Hard coded password (HARD_CODE_PASSWORD)

Hard coded key (HARD_CODE_KEY)

Unsafe hash equals (UNSAFE_HASH_EQUALS)

Struts Form without input validation (STRUTS_FORM_VALIDATION)

XSSRequestWrapper is a weak XSS protection (XSS_REQUEST_WRAPPER)

Blowfish usage with short key (BLOWFISH_KEY_SIZE)

RSA usage with short key (RSA_KEY_SIZE)

Unvalidated Redirect (UNVALIDATED_REDIRECT)

Unvalidated Redirect (Play Framework) (PLAY_UNVALIDATED_REDIRECT)

Spring Unvalidated Redirect (SPRING_UNVALIDATED_REDIRECT)

Unexpected property leak (ENTITY_LEAK)

Mass assignment (ENTITY_MASS_ASSIGNMENT)

Dynamic JSP inclusion (JSP_INCLUDE)

Dynamic variable in Spring expression (JSP_SPRING_EVAL)

Escaping of special XML characters is disabled (JSP_JSTL_OUT)

Potential XSS in JSP (XSS_JSP_PRINT)

Potential XSS in Servlet (XSS_SERVLET)

XMLDecoder usage (XML_DECODER)

Static IV (STATIC_IV)

ECB mode is insecure (ECB_MODE)

Cipher is susceptible to Padding Oracle (PADDING_ORACLE)

Cipher with no integrity (CIPHER_INTEGRITY)

Use of ESAPI Encryptor (ESAPI_ENCRYPTOR)

External file access (Android) (ANDROID_EXTERNAL_FILE_ACCESS)

Broadcast (Android) (ANDROID_BROADCAST)

World writable file (Android) (ANDROID_WORLD_WRITABLE)

WebView with geolocation activated (Android) (ANDROID_GEOLOCATION)

WebView with JavaScript enabled (Android) (ANDROID_WEB_VIEW_JAVASCRIPT)

WebView with JavaScript interface (Android) (ANDROID_WEB_VIEW_JAVASCRIPT_INTERFACE)

Cookie without the secure flag (INSECURE_COOKIE)

Cookie without the HttpOnly flag (HTTPONLY_COOKIE)

Object deserialization is used (OBJECT_DESERIALIZATION)

Unsafe Jackson deserialization configuration (JACKSON_UNSAFE_DESERIALIZATION)

This class could be used as deserialization gadget (DESERIALIZATION_GADGET)

Trust Boundary Violation (TRUST_BOUNDARY_VIOLATION)

A malicious XSLT could be provided to the JSP tag (JSP_XSLT)

A malicious XSLT could be provided (MALICIOUS_XSLT)

Potential information leakage in Scala Play (SCALA_SENSITIVE_DATA_EXPOSURE)

Scala Play Server-Side Request Forgery (SSRF) (SCALA_PLAY_SSRF)

URLConnection Server-Side Request Forgery (SSRF) and File Disclosure (URLCONNECTION_SSRF_FD)

Potential XSS in Scala Twirl template engine (SCALA_XSS_TWIRL)

Potential XSS in Scala MVC API engine (SCALA_XSS_MVC_API)

Potential template injection with Velocity (TEMPLATE_INJECTION_VELOCITY)

Potential template injection with Freemarker (TEMPLATE_INJECTION_FREEMARKER)

Potential template injection with Pebble (TEMPLATE_INJECTION_PEBBLE)

Overly permissive CORS policy (PERMISSIVE_CORS)

Anonymous LDAP bind (LDAP_ANONYMOUS)

LDAP Entry Poisoning (LDAP_ENTRY_POISONING)

Persistent Cookie Usage (COOKIE_PERSISTENT)

URL rewriting method (URL_REWRITING)
