
SpotBugs Report file:///home/wael/Bureau/sco.html

SpotBugs Report
Project Information
Project: secure

SpotBugs version: 4.5.0

Code analyzed:

• /home/wael/Tools/spring/secure coding/E-Commerce

Metrics
0 lines of code analyzed, in 0 classes, in 5 packages.

Metric                     Total  Density*
High Priority Warnings         1      0.00
Medium Priority Warnings      42      0.00
Low Priority Warnings         49      0.00
Total Warnings                92      0.00

(* Defects per Thousand lines of non-commenting source statements)

Contents
• Bad practice Warnings
• Correctness Warnings
• Malicious code vulnerability Warnings
• Security Warnings
• Dodgy code Warnings
• Details

Summary
Warning Type Number
Bad practice Warnings 3
Correctness Warnings 9
Malicious code vulnerability Warnings 7
Security Warnings 60
Dodgy code Warnings 13
Total 92

Warnings
Click on a warning row to see full context information.

1 of 10 16/11/2021, 21:19



Bad practice Warnings

Code  Warning
Nm    The method name com.vastra.shopping.service.ReviewServiceImpl.ReviewsByProduct(int) does not start with a lowercase letter
Nm    The method name com.vastra.shopping.service.StockServiceImpl.UpdateStock(Stock, int) does not start with a lowercase letter
SnVI  com.vastra.shopping.model.User is Serializable; consider declaring a serialVersionUID

Correctness Warnings

Code  Warning
AI    Method com.vastra.shopping.service.ProductServiceImpl.findByPrice(double) that can return null is missing a @Nullable annotation
AI    Method com.vastra.shopping.service.ProductServiceImpl.findByType(String) that can return null is missing a @Nullable annotation
AI    Method com.vastra.shopping.service.ReviewServiceImpl.ReviewsByProduct(int) that can return null is missing a @Nullable annotation
AI    Method com.vastra.shopping.service.StockServiceImpl.findStock(int) that can return null is missing a @Nullable annotation
AI    Method com.vastra.shopping.service.StockServiceImpl.recupStockName() that can return null is missing a @Nullable annotation
AI    Method com.vastra.shopping.service.UserServiceImpl.addNewUser(User) that can return null is missing a @Nullable annotation
FCBL  Class com.vastra.shopping.model.Review defines fields that are used only as locals
FCBL  Class com.vastra.shopping.model.Review defines fields that are used only as locals
LEST  Method com.vastra.shopping.service.UserServiceImpl.addNewUser(User) throws alternative exception from catch block without history

Malicious code vulnerability Warnings

Code  Warning
EI    The method com.vastra.shopping.model.Product.getReview() may expose its internal representation by returning com.vastra.shopping.model.Product.review
EI    The method com.vastra.shopping.model.User.getDob() may expose its internal representation by returning com.vastra.shopping.model.User.dob
EI2   The method new com.vastra.shopping.controller.OrdersController(OrderService) may expose its internal representation by storing an externally mutable object in com.vastra.shopping.controller.OrdersController.orderService
EI2   The method new com.vastra.shopping.controller.UserController(UserService) may expose its internal representation by storing an externally mutable object in com.vastra.shopping.controller.UserController.userService
EI2   The method com.vastra.shopping.model.Product.setReview(List) may expose its internal representation by storing an externally mutable object in com.vastra.shopping.model.Product.review
EI2   The method new com.vastra.shopping.model.User(String, String, String, String, String, String, String, String, Date, String, String) may expose its internal representation by storing an externally mutable object in com.vastra.shopping.model.User.dob
EI2   The method com.vastra.shopping.model.User.setDob(Date) may expose its internal representation by storing an externally mutable object in com.vastra.shopping.model.User.dob

Security Warnings

Code        Warning
SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages


SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECCRLFLOG  This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECELEAK    Unexpected property could be leaked because a persistence class is directly exposed to the client
SECEMA      The persistent objects could be exploited by an attacker to read sensitive information.
SECEMA      The persistent objects could be exploited by an attacker to read sensitive information.
SECEMA      The persistent objects could be exploited by an attacker to read sensitive information.
SECEMA      The persistent objects could be exploited by an attacker to read sensitive information.
SECEMA      The persistent objects could be exploited by an attacker to read sensitive information.
SECHCP      Hard coded password found
SECHCP      Hard coded password found
SECHCP      Hard coded password found
SECHCP      Hard coded password found
SECHCP      Hard coded password found
SECSC       com.vastra.shopping.controller.OrdersController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.OrdersController is a Spring endpoint (Controller)


SECSC       com.vastra.shopping.controller.OrdersController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.OrdersController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ProductRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ProductRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ProductRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ProductRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ProductRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ProductRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ReviewRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.ReviewRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.StockRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.StockRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.StockRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.StockRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.StockRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.StockRestControlImpl is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.UserController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.UserController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.UserController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.UserController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.UserController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.UserController is a Spring endpoint (Controller)
SECSC       com.vastra.shopping.controller.UserController is a Spring endpoint (Controller)

Dodgy code Warnings

Code  Warning
DLS   Dead store to a local variable in method com.vastra.shopping.orders.OrdersTest.findOrder()
IMC   Class com.vastra.shopping.controller.OrdersController does not implement a toString method
IMC   Class com.vastra.shopping.controller.UserController does not implement a toString method
IMC   Class com.vastra.shopping.service.OrderServiceImpl does not implement a toString method
IMC   Class com.vastra.shopping.service.ProductServiceImpl orders instance fields before static fields
IMC   Class com.vastra.shopping.service.ReviewServiceImpl orders instance fields before static fields
IMC   Class com.vastra.shopping.service.StockServiceImpl does not implement a toString method
IMC   Class com.vastra.shopping.service.StockServiceImpl orders instance fields before static fields
IMC   Method com.vastra.shopping.service.UserServiceImpl.addNewUser(User) prints the stack trace to the console
LSC   Method com.vastra.shopping.controller.UserController.loginUser(User, HttpServletRequest, String) makes literal string comparisons passing the literal as an argument
REC   The method com.vastra.shopping.service.UserServiceImpl.addNewUser(User) catches Exception, but Exception is not thrown in the try/catch block and RuntimeException is not explicitly caught
SA    Double assignment of field Stock.stock_name in new com.vastra.shopping.model.Stock(String)
WEM   Method com.vastra.shopping.service.UserServiceImpl.addNewUser(User) throws exception with static message string

Details
AI_ANNOTATION_ISSUES_NEEDS_NULLABLE: Method that can return null is missing a @Nullable annotation
This method can return null, but is not annotated with a @Nullable annotation. Without this annotation, IDEs and static analysis tools may not be able to fully discover possible NullPointerExceptions in your code. By adding these annotations, you will discover null-ness problems more easily.

Unfortunately there isn't just one @Nullable annotation, but this detector will recognize:

• org.jetbrains.annotations.Nullable
• javax.annotation.Nullable
• javax.annotation.CheckForNull
• edu.umd.cs.findbugs.annotations.Nullable
• org.springframework.lang.Nullable
• android.support.annotations.Nullable

You can supply a comma separated list of classes that are custom Nullable Annotations if you desire, by
using the system property -Dfb-contrib.ai.annotations="com.acme.Foo,com.acme.Boo" when run.

DLS_DEAD_LOCAL_STORE: Dead store to a local variable
This instruction assigns a value to a local variable, but the variable is never read afterwards. This often indicates an error, since the computed value is never used.

Note that Sun's javac compiler frequently generates dead stores of this kind. Because FindBugs analyzes the generated bytecode, there is no easy way to eliminate these false positives.

EI_EXPOSE_REP: A method may expose its internal representation by returning a reference to a mutable object
Returning a reference to a mutable object stored in one of the object's fields exposes the object's internal representation. If instances are accessed by untrusted code, and unchecked modifications could compromise security or other important properties, you need to do something different. Returning a new copy of the object is a better approach in many situations.

EI_EXPOSE_REP2: A method exposes its internal representation by incorporating a reference to a mutable object
This code stores a reference to an externally mutable object in the object's internal representation. If instances are accessed by untrusted code, and unchecked modifications could compromise security or other important properties, you need to do something different. Storing a copy of the object is a better approach in many situations.

FCBL_FIELD_COULD_BE_LOCAL: Class defines fields that are used only as locals
This class defines fields that are used in a local only fashion, specifically private fields or protected fields in final classes that are accessed first in each method with a store vs. a load. This field could be replaced by one or more local variables.

IMC_IMMATURE_CLASS_NO_TOSTRING: Class does not implement a toString method
This class, which has instance fields, has no toString() method, which will make debugging with this class more difficult than it could be. Consider adding a toString() method. Using libraries like commons-lang3 ToStringBuilder makes this process easy.

IMC_IMMATURE_CLASS_WRONG_FIELD_ORDER: Class orders instance fields before static fields
This class defines fields in an order that is confusing, and not expected by other developers. The standard is for static fields to be listed first, followed by instance fields. When fields are listed out of order, developers may make assumptions about their behaviour that are incorrect and lead to bugs.


IMC_IMMATURE_CLASS_PRINTSTACKTRACE: Method prints the stack trace to the console
This method prints a stack trace to the console. This is not configurable, and makes an application look unprofessional. Switch to using loggers so that users can control what is logged and where.

LEST_LOST_EXCEPTION_STACK_TRACE: Method throws alternative exception from catch block without history
This method catches an exception, and throws a different exception, without incorporating the original exception. Doing so hides the original source of the exception, making debugging and fixing these problems difficult. It is better to use the constructor of this new exception that takes an original exception so that this detail can be passed along to the user. If this exception has no constructor that takes an initial cause parameter, use the initCause method to initialize it instead.

catch (IOException e) {
    throw new MySpecialException("Failed to open configuration", e);
}

LSC_LITERAL_STRING_COMPARISON: Method makes literal string comparisons passing the literal as an argument
This line is in the form of

String str = ...
str.equals("someOtherString");
//or
str.compareTo("someOtherString");

A NullPointerException may occur if the String variable str is null. If instead the code was restructured to

String str = ...
"someOtherString".equals(str);
//or
"someOtherString".compareTo(str);

that is, call equals() or compareTo() on the string literal, passing the variable as an argument, then this exception could never happen as both equals() and compareTo() check for null.

NM_METHOD_NAMING_CONVENTION: Method name should start with a lowercase letter
Method names should be verbs in lowercase, with the first letter of each word after the first one capitalized.

REC_CATCH_EXCEPTION: java.lang.Exception is caught when Exception is never thrown
This method uses a try-catch block that catches Exception objects, but Exception is never thrown within the block, and RuntimeException is not explicitly caught. It is a common mistake to treat try / catch (Exception e) as equivalent to several try / catch blocks, but this construct also catches RuntimeException, masking potential bugs.

SA_FIELD_DOUBLE_ASSIGNMENT: Double assignment of field
This method contains a double assignment of a field; e.g.

int x, y;
public void foo() {
    x = x = 17;
}

Assigning to a field twice is useless, and may indicate a logic error or typo.


CRLF_INJECTION_LOGS: Potential CRLF Injection for logs
When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. Inserted false entries could be used to skew statistics, distract the administrator or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may also inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility (e.g. command injection or XSS).

Code at risk:
String val = request.getParameter("user");
String metadata = request.getParameter("metadata");
[...]
if(authenticated) {
log.info("User " + val + " (" + metadata + ") was authenticated successfully");
}
else {
log.info("User " + val + " (" + metadata + ") was not authenticated");
}

A malicious user could send the metadata parameter with the value: "Firefox) was authenticated
successfully\r\n[INFO] User bbb (Internet Explorer".

Solution:

You can manually sanitize each parameter:

log.info("User " + val.replaceAll("[\r\n]","") + " (" + metadata.replaceAll("[\r\n]","") + ") was not authenticated");

You can also configure your logger service to strip newlines from all message events. Here is a sample configuration for Logback using the replace function:

<pattern>%-5level - %replace(%msg){'[\r\n]', ''}%n</pattern>

Finally, you can use a logger implementation that replaces newlines with spaces. The project OWASP Security Logging has an implementation for Logback and Log4j.

References
CWE-117: Improper Output Neutralization for Logs
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
OWASP Security Logging

ENTITY_LEAK: Unexpected property leak
Persistent objects should never be returned by APIs. Doing so may leak business logic to the UI and allow unauthorized tampering with persistent objects in the database.

Vulnerable Code:

@javax.persistence.Entity
class UserEntity {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String username;

    private String password;
}

[...]
@Controller
class UserController {

    @GetMapping("/user/{id}")
    public UserEntity getUser(@PathVariable("id") String id) {
        return userService.findById(id).get(); //Return the user entity with ALL fields.
    }
}

Solution/Countermeasures:

• Data transfer objects should be used instead including only the parameters needed as
input/response to/from the API.
• Sensitive parameters should be removed properly before transferring to UI.
• Data should be persisted in database only after proper sanitisation checks.

Spring MVC Solution:

In Spring specifically, you can apply the following solution to allow or disallow specific fields.

@Controller
class UserController {

    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request) {
        binder.setAllowedFields("username", "firstname", "lastname");
    }
}

References
OWASP Top 10-2017 A3: Sensitive Data Exposure
OWASP Cheat Sheet: Mass Assignment
CWE-212: Improper Cross-boundary Removal of Sensitive Data
CWE-213: Intentional Information Exposure

ENTITY_MASS_ASSIGNMENT: Mass assignment
Persistent objects should never be returned by APIs. Doing so may leak business logic to the UI and allow unauthorized tampering with persistent objects in the database.

Vulnerable Code:

@javax.persistence.Entity
class UserEntity {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String username;

    private String password;

    private Long role;
}

[...]
@Controller
class UserController {

    @PutMapping("/user/")
    @ResponseStatus(value = HttpStatus.OK)
    public void update(UserEntity user) {
        userService.save(user); //ALL fields from the user can be altered
    }
}

General Guidelines:

• Data transfer objects should be used instead including only the parameters needed as
input/response to/from the API.
• Sensitive parameters should be removed properly before transferring to UI.
• Data should be persisted in database only after proper sanitisation checks.

Spring MVC Solution:


In Spring specifically, you can apply the following solution to allow or disallow specific fields.


With a whitelist:

@Controller
class UserController {

    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request) {
        binder.setAllowedFields("username", "password");
    }
}

With a blacklist:

@Controller
class UserController {

    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request) {
        binder.setDisallowedFields("role");
    }
}

References
OWASP Cheat Sheet: Mass Assignment
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

HARD_CODE_PASSWORD: Hard coded password
Passwords should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. To be managed safely, passwords and secret keys should be stored in separate configuration files or keystores. (Hard coded keys are reported separately by the Hard Coded Key pattern.)

Vulnerable Code:

private String SECRET_PASSWORD = "letMeIn!";

Properties props = new Properties();
props.put(Context.SECURITY_CREDENTIALS, "p@ssw0rd");

References
CWE-259: Use of Hard-coded Password

SPRING_ENDPOINT: Found Spring endpoint
This class is a Spring Controller. All methods annotated with RequestMapping (as well as its shortcut annotations GetMapping, PostMapping, PutMapping, DeleteMapping, and PatchMapping) are reachable remotely. This class should be analyzed to make sure that remotely exposed methods are safe to expose to potential attackers.

SE_NO_SERIALVERSIONID: Class is Serializable, but does not define serialVersionUID
This class implements the Serializable interface but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which unfortunately changes the implicit serialVersionUID value (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source-to-bytecode compilers may use different naming conventions for the synthetic variables generated to reference class objects and inner classes. To guarantee Serializable interoperability across versions, consider adding an explicit serialVersionUID field.


WEM_WEAK_EXCEPTION_MESSAGING: Method throws exception with static message string
This method creates and throws an exception using a static string as the exception's message. Without any specific context of this particular exception invocation, such as the values of parameters, key member variables, or local variables, it may be difficult to infer how this exception occurred. Consider adding context to the exception message.

