SpotBugs Report
Project Information
Project: secure
Code analyzed:
• /home/wael/Tools/spring/secure coding/E-Commerce
Metrics
0 lines of code analyzed, in 0 classes, in 5 packages.
Contents
• Bad practice Warnings
• Correctness Warnings
• Malicious code vulnerability Warnings
• Security Warnings
• Dodgy code Warnings
• Details
Summary
Warning Type                           Number
Bad practice Warnings                  3
Correctness Warnings                   9
Malicious code vulnerability Warnings  7
Security Warnings                      60
Dodgy code Warnings                    13
Total                                  92
Warnings
Click on a warning row to see full context information.
Correctness Warnings
Code   Warning
AI     Method com.vastra.shopping.service.ProductServiceImpl.findByPrice(double) that can return null, is missing a @Nullable annotation
AI     Method com.vastra.shopping.service.ProductServiceImpl.findByType(String) that can return null, is missing a @Nullable annotation
AI     Method com.vastra.shopping.service.ReviewServiceImpl.ReviewsByProduct(int) that can return null, is missing a @Nullable annotation
AI     Method com.vastra.shopping.service.StockServiceImpl.findStock(int) that can return null, is missing a @Nullable annotation
AI     Method com.vastra.shopping.service.StockServiceImpl.recupStockName() that can return null, is missing a @Nullable annotation
AI     Method com.vastra.shopping.service.UserServiceImpl.addNewUser(User) that can return null, is missing a @Nullable annotation
FCBL   Class com.vastra.shopping.model.Review defines fields that are used only as locals
FCBL   Class com.vastra.shopping.model.Review defines fields that are used only as locals
LEST   Method com.vastra.shopping.service.UserServiceImpl.addNewUser(User) throws alternative exception from catch block without history
Security Warnings
Code         Warning
SECCRLFLOG   This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
SECCRLFLOG   This use of org/apache/log4j/Logger.info(Ljava/lang/Object;)V might be used to include CRLF characters into log messages
Details
AI_ANNOTATION_ISSUES_NEEDS_NULLABLE: Method that can return null, is missing a @Nullable annotation
This method can return null, but is not annotated with a @Nullable annotation. Without this
annotation, IDEs and static analysis tools may not be able to fully discover possible
NullPointerExceptions in your code. By adding these annotations, you will discover problems around
Unfortunately there isn't just one @Nullable annotation, but this detector will recognize:
• org.jetbrains.annotations.Nullable
• javax.annotation.Nullable
• javax.annotation.CheckForNull
• edu.umd.cs.findbugs.annotations.Nullable
• org.springframework.lang.Nullable
• android.support.annotations.Nullable
You can supply a comma separated list of classes that are custom Nullable Annotations if you desire, by
using the system property -Dfb-contrib.ai.annotations="com.acme.Foo,com.acme.Boo" when run.
Note that Sun's javac compiler frequently generates this kind of dead store. Because FindBugs
analyzes the generated bytecode, there is no simple way to eliminate these false positives.
    catch (IOException e) {
        throw new MySpecialException("Failed to open configuration", e);
    }
A NullPointerException may occur if the String variable str is null. If instead the code was restructured to
    String str = ...
    "someOtherString".equals(str);
    // or
    "someOtherString".compareTo(str);
that is, call equals() or compareTo() on the string literal, passing the variable as an argument, then this
exception could never happen as both equals() and compareTo() check for null.
Assigning to a field twice is useless, and may indicate a logic error or typo.
Code at risk:
    String val = request.getParameter("user");
    String metadata = request.getParameter("metadata");
    [...]
    if (authenticated) {
        log.info("User " + val + " (" + metadata + ") was authenticated successfully");
    }
    else {
        log.info("User " + val + " (" + metadata + ") was not authenticated");
    }
A malicious user could send the metadata parameter with the value: "Firefox) was authenticated successfully\r\n[INFO] User bbb (Internet Explorer".
Solution:
You can also configure your logging service to replace newlines in all message events. Here is a sample
configuration for Logback using the replace function.
    <pattern>%-5level - %replace(%msg){'[\r\n]', ''}%n</pattern>
Finally, you can use a logger implementation that replaces newlines with spaces. The project OWASP
Security Logging has an implementation for Logback and Log4j.
References
CWE-117: Improper Output Neutralization for Logs
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
OWASP Security Logging
Vulnerable Code:
    @javax.persistence.Entity
    class UserEntity {
        @Id
        @GeneratedValue(strategy = GenerationType.IDENTITY)
        private Long id;
        [...]

    @Controller
    class UserController {
        @GetMapping("/user/{id}")
        public UserEntity getUser(@PathVariable("id") String id) {
Solution/Countermeasures:
• Data transfer objects should be used instead including only the parameters needed as
input/response to/from the API.
• Sensitive parameters should be removed properly before transferring to UI.
• Data should be persisted in database only after proper sanitisation checks.
    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request)
    {
        // setAllowedFields takes a String varargs, not an array literal
        binder.setAllowedFields("username", "firstname", "lastname");
    }
References
OWASP Top 10-2017 A3: Sensitive Data Exposure
OWASP Cheat Sheet: Mass Assignment
CWE-212: Improper Cross-boundary Removal of Sensitive Data
CWE-213: Intentional Information Exposure
Vulnerable Code:
    @javax.persistence.Entity
    class UserEntity {
        @Id
        @GeneratedValue(strategy = GenerationType.IDENTITY)
        private Long id;
        [...]

    @Controller
    class UserController {
        @PutMapping("/user/")
        @ResponseStatus(value = HttpStatus.OK)
        public void update(UserEntity user) {
General Guidelines:
• Data transfer objects should be used instead including only the parameters needed as
input/response to/from the API.
• Sensitive parameters should be removed properly before transferring to UI.
• Data should be persisted in database only after proper sanitisation checks.
With a whitelist:
    @Controller
    class UserController {
        @InitBinder
        public void initBinder(WebDataBinder binder, WebRequest request)
        {
            // only these request parameters may be bound onto the model object
            binder.setAllowedFields("username", "password");
        }
With a blacklist:
    @Controller
    class UserController {
        @InitBinder
        public void initBinder(WebDataBinder binder, WebRequest request)
        {
            // a blacklist must be kept in sync with every new sensitive field
            binder.setDisallowedFields("role");
        }
References
OWASP Cheat Sheet: Mass Assignment
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
Vulnerable Code:
    private String SECRET_PASSWORD = "letMeIn!";
References
CWE-259: Use of Hard-coded Password