Merge pull request spotbugs#113 from h3xstream/master

Descriptions update

Author: h3xstream

README.md

@@ -1,4 +1,4 @@
-# Sonar Findbugs [![Build Status](https://travis-ci.org/SonarQubeCommunity/sonar-findbugs.svg?branch=master)](https://travis-ci.org/SonarQubeCommunity/sonar-findbugs) ![FindBugs Rules](https://img.shields.io/badge/FindBugs%20rules-797-brightgreen.svg?maxAge=2592000) [![Dependency Status](https://www.versioneye.com/user/projects/5755ce407757a0003bd4b22d/badge.svg?style=flat)](https://www.versioneye.com/user/projects/5755ce407757a0003bd4b22d)
+# Sonar Findbugs [![Build Status](https://travis-ci.org/SonarQubeCommunity/sonar-findbugs.svg?branch=master)](https://travis-ci.org/SonarQubeCommunity/sonar-findbugs) ![FindBugs Rules](https://img.shields.io/badge/FindBugs%20rules-820-brightgreen.svg?maxAge=2592000) [![Dependency Status](https://www.versioneye.com/user/projects/5755ce407757a0003bd4b22d/badge.svg?style=flat)](https://www.versioneye.com/user/projects/5755ce407757a0003bd4b22d)
 
 ## Description / Features
 

generate_profiles/BuildXmlFiles.groovy

@@ -1,135 +1,18 @@
-import groovy.xml.MarkupBuilder
-
+import groovy.xml.MarkupBuilder;
+import FsbClassifier;
+import static FsbClassifier.*;
 @Grapes([
-    @Grab(group='com.github.spotbugs', module='spotbugs', version='3.1.0-RC1'),
+    @Grab(group='com.github.spotbugs', module='spotbugs', version='3.1.0-RC2'),
     @Grab(group='com.mebigfatguy.fb-contrib', module='fb-contrib', version='7.0.0'),
     @Grab(group='com.h3xstream.findsecbugs' , module='findsecbugs-plugin', version='1.6.0')]
 )
 
-//Includes all the bugs that are bundle with FindBugs by default
-findBugsPatterns = ["XSS_REQUEST_PARAMETER_TO_SEND_ERROR",
-                    "XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER",
-                    "HRS_REQUEST_PARAMETER_TO_HTTP_HEADER",
-                    "HRS_REQUEST_PARAMETER_TO_COOKIE",
-                    "DMI_CONSTANT_DB_PASSWORD",
-                    "DMI_EMPTY_DB_PASSWORD",
-                    "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE",
-                    "SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING",
-]
-
-//Informational stuff that will interest Security Reviewer but will annoys the developers.
-informationnalPatterns = ["SERVLET_PARAMETER",
-                          "SERVLET_CONTENT_TYPE",
-                          "SERVLET_SERVER_NAME",
-                          "SERVLET_SESSION_ID",
-                          "SERVLET_QUERY_STRING",
-                          "SERVLET_HEADER",
-                          "SERVLET_HEADER_REFERER",
-                          "SERVLET_HEADER_USER_AGENT",
-                          "COOKIE_USAGE",
-                          "WEAK_FILENAMEUTILS",
-                          "JAXWS_ENDPOINT",
-                          "JAXRS_ENDPOINT",
-                          "TAPESTRY_ENDPOINT",
-                          "WICKET_ENDPOINT",
-                          "FILE_UPLOAD_FILENAME",
-                          "STRUTS1_ENDPOINT",
-                          "STRUTS2_ENDPOINT",
-                          "SPRING_ENDPOINT",
-                          "HTTP_RESPONSE_SPLITTING",
-                          "CRLF_INJECTION_LOGS",
-                          "EXTERNAL_CONFIG_CONTROL",
-                          "STRUTS_FORM_VALIDATION",
-                          "ESAPI_ENCRYPTOR",
-                          "ANDROID_BROADCAST",
-                          "ANDROID_GEOLOCATION",
-                          "ANDROID_WEB_VIEW_JAVASCRIPT",
-                          "ANDROID_WEB_VIEW_JAVASCRIPT_INTERFACE"]
-
-//All the cryptography related bugs. Usually with issues related to confidentiality or integrity of data in transit.
-cryptoBugs = [
-        "WEAK_TRUST_MANAGER",
-        "WEAK_HOSTNAME_VERIFIER",
-        //"WEAK_MESSAGE_DIGEST", //Deprecated
-        "WEAK_MESSAGE_DIGEST_MD5",
-        "WEAK_MESSAGE_DIGEST_SHA1",
-        "CUSTOM_MESSAGE_DIGEST",
-        "HAZELCAST_SYMMETRIC_ENCRYPTION",
-        "NULL_CIPHER",
-        "UNENCRYPTED_SOCKET",
-        "DES_USAGE",
-        "RSA_NO_PADDING",
-        "RSA_KEY_SIZE",
-        "BLOWFISH_KEY_SIZE",
-        "STATIC_IV",
-        "ECB_MODE",
-        "PADDING_ORACLE",
-        "CIPHER_INTEGRITY"
-]
-
-majorBugsAuditOnly = [ //Mostly due to their high false-positive rate
-        "TRUST_BOUNDARY_VIOLATION"
-]
-
-//Important bugs but that have lower chance to get full compromise of system (see critical).
-majorBugs = [
-        "PREDICTABLE_RANDOM",
-        "PATH_TRAVERSAL_IN",
-        "PATH_TRAVERSAL_OUT",
-        "REDOS",
-        "BAD_HEXA_CONVERSION",
-        "HARD_CODE_PASSWORD",
-        "HARD_CODE_KEY",
-        "XSS_REQUEST_WRAPPER",
-        "UNVALIDATED_REDIRECT",
-        "ANDROID_EXTERNAL_FILE_ACCESS",
-        "ANDROID_WORLD_WRITABLE",
-        "INSECURE_COOKIE",
-        "HTTPONLY_COOKIE",
-        "TRUST_BOUNDARY_VIOLATION",
-        "XSS_SERVLET",
-]
-
-criticalBugs = [ //RCE or powerful function
-        "COMMAND_INJECTION",
-        "XXE_SAXPARSER",
-        "XXE_XMLREADER",
-        "XXE_DOCUMENT",
-        "SQL_INJECTION_HIBERNATE",
-        "SQL_INJECTION_JDO",
-        "SQL_INJECTION_JPA",
-        "LDAP_INJECTION",
-        "XPATH_INJECTION",
-        "XML_DECODER",
-        "SCRIPT_ENGINE_INJECTION",
-        "SPEL_INJECTION",
-        "SQL_INJECTION_SPRING_JDBC",
-        "SQL_INJECTION_JDBC",
-        "EL_INJECTION",
-        "SEAM_LOG_INJECTION",
-        "OBJECT_DESERIALIZATION",
-        "MALICIOUS_XSLT",
-        "SPRING_CSRF_PROTECTION_DISABLED",
-        "SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING"
-]
-
-majorJspBugs = ["XSS_REQUEST_PARAMETER_TO_JSP_WRITER",
-        "XSS_JSP_PRINT", "JSP_JSTL_OUT"]
-
-//RCE from JSP specific functions (taglibs)
-criticalJspBugs = ["JSP_INCLUDE","JSP_SPRING_EVAL","JSP_XSLT"]
-
-exclusions = ['CUSTOM_INJECTION']
-
-deprecatedRules = ["XSS_REQUEST_PARAMETER_TO_JSP_WRITER"]
 
 ////////////// Generate rules files
 
 def getSonarPriority(String type,String category, String description) {
-    //FSB Specific
-    if (type in criticalBugs || type in criticalJspBugs) return "CRITICAL";
-    if (type in majorBugs || type in cryptoBugs || type in majorJspBugs) return "MAJOR";
-    if (type in informationnalPatterns) return "INFO"
+    String priority = FsbClassifier.getPriorityFromType(type);
+    if(priority != null) return priority
 
     //Findbugs critical base on the type or message
     if(type.contains("IMPOSSIBLE")) {
@@ -141,13 +24,17 @@ def getSonarPriority(String type,String category, String description) {
 
     //Findbugs general
     if(category in ["CORRECTNESS", "PERFORMANCE", "SECURITY","MULTI-THREADING","BAD_PRACTICE"]) return "MAJOR";
-    if(category in ["STYLE", "MALICIOUS_CODE", "I18N"]) return "INFO"
+    if(category in ["STYLE", "MALICIOUS_CODE", "I18N","EXPERIMENTAL"]) return "INFO"
 
     println("Unknown priority for "+type+" ("+category+")")
     return "INFO";
 }
 
-//Plugin definition
+/**
+ * Plugin definition.
+ * Utility that read the messages and metadata from the plugin.
+ * It expecting that the jars are already present on disk (See Grape annotation that fetch each dependency)
+ */
 class Plugin {
     String groupId = ""
     String artifactId = ""
@@ -191,7 +78,7 @@ String getFindBugsCategory(List<Plugin> plugins, String bugType) {
     return "EXPERIMENTAL"
 }
 
-FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '3.1.0-RC1')
+FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '3.1.0-RC2')
 CONTRIB = new Plugin(groupId: 'com.mebigfatguy.fb-contrib', artifactId: 'fb-contrib', version: '7.0.0')
 FSB = new Plugin(groupId: 'com.h3xstream.findsecbugs', artifactId: 'findsecbugs-plugin', version: '1.6.0')
 
@@ -221,10 +108,8 @@ def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBug
             if(category == "NOISE" || pattern.attribute("type") in ["TESTING", "TESTING1", "TESTING2", "TESTING3", "UNKNOWN"]) return;
             if(category == "MT_CORRECTNESS") category = "MULTI-THREADING"
 
-            //if(rulesSetName == 'jsp') println pattern.attribute("type")
 
             if((includedBugs.isEmpty() || includedBugs.contains(pattern.attribute("type"))) && !excludedBugs.contains(pattern.attribute("type"))) {
-                //if(rulesSetName == 'jsp') println "-INCLUDED"
 
                 rule(key: pattern.attribute("type"),
                         priority: getSonarPriority(pattern.attribute("type"),category,pattern.Details.text())) {
@@ -287,14 +172,10 @@ def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBug
                     //Category related
                     tag(category.toLowerCase().replace("_","-"))
 
-
                     if(category in ['PERFORMANCE','CORRECTNESS','MULTI-THREADING']) {
                         tag("bug")
                     }
 
-                    if(deprecatedRules.contains(pattern.attribute("type"))) {
-                        status("DEPRECATED")
-                    }
                 }
                 //name: pattern.ShortDescription.text(),
                 //  'description': pattern.Details.text(),
@@ -326,7 +207,7 @@ def writeProfile(String profileName,List<String> includedBugs,List<String> exclu
     File f = new File("out_sonar","profile-"+profileName+".xml")
     printf("Building profile %s (%s)%n",profileName,f.getCanonicalPath())
 
-
+    def countBugs=0;
 
     def xml = new MarkupBuilder(new PrintWriter(f))
     xml.FindBugsFilter {
@@ -338,11 +219,15 @@ def writeProfile(String profileName,List<String> includedBugs,List<String> exclu
             if(!excludedBugs.contains(patternName)) {
                 Match {
                     Bug(pattern: patternName)
+
+                    countBugs++
                 }
             }
         }
 
     }
+
+    return countBugs
 }
 
 
@@ -363,9 +248,11 @@ def getAllPatternsFromPlugin(Plugin plugin) {
     return patterns;
 }
 
-
+totalCount = 0
 writeProfile("findbugs-only", getAllPatternsFromPlugin(FB), excludedJspRules);
-writeProfile("findbugs-and-fb-contrib", getAllPatternsFromPlugin(FB) + getAllPatternsFromPlugin(CONTRIB), excludedJspRules);
-writeProfile("findbugs-security-audit", informationnalPatterns + cryptoBugs + majorBugs + majorBugsAuditOnly + criticalBugs + findBugsPatterns)
+totalCount += writeProfile("findbugs-and-fb-contrib", getAllPatternsFromPlugin(FB) + getAllPatternsFromPlugin(CONTRIB), excludedJspRules);
+totalCount += writeProfile("findbugs-security-audit", informationnalPatterns + cryptoBugs + majorBugs + majorBugsAuditOnly + criticalBugs + findBugsPatterns)
 writeProfile("findbugs-security-minimal", cryptoBugs + majorBugs + criticalBugs + findBugsPatterns)
-writeProfile("findbugs-security-jsp", majorJspBugs + criticalJspBugs)
+totalCount += writeProfile("findbugs-security-jsp", majorJspBugs + criticalJspBugs)
+
+println "Total bugs patterns "+totalCount

generate_profiles/FsbClassifier.groovy

@@ -0,0 +1,133 @@
+import groovy.transform.Field
+
+class FsbClassifier {
+
+  //Includes all the bugs that are bundle with FindBugs by default
+
+  static findBugsPatterns = ["XSS_REQUEST_PARAMETER_TO_SEND_ERROR",
+                      "XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER",
+                      "HRS_REQUEST_PARAMETER_TO_HTTP_HEADER",
+                      "HRS_REQUEST_PARAMETER_TO_COOKIE",
+                      "DMI_CONSTANT_DB_PASSWORD",
+                      "DMI_EMPTY_DB_PASSWORD",
+                      "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE",
+                      "SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING"
+  ]
+
+  //Informational stuff that will interest Security Reviewer but will annoys the developers.
+  static informationnalPatterns = ["SERVLET_PARAMETER",
+                            "SERVLET_CONTENT_TYPE",
+                            "SERVLET_SERVER_NAME",
+                            "SERVLET_SESSION_ID",
+                            "SERVLET_QUERY_STRING",
+                            "SERVLET_HEADER",
+                            "SERVLET_HEADER_REFERER",
+                            "SERVLET_HEADER_USER_AGENT",
+                            "COOKIE_USAGE",
+                            "WEAK_FILENAMEUTILS",
+                            "JAXWS_ENDPOINT",
+                            "JAXRS_ENDPOINT",
+                            "TAPESTRY_ENDPOINT",
+                            "WICKET_ENDPOINT",
+                            "FILE_UPLOAD_FILENAME",
+                            "STRUTS1_ENDPOINT",
+                            "STRUTS2_ENDPOINT",
+                            "SPRING_ENDPOINT",
+                            "HTTP_RESPONSE_SPLITTING",
+                            "CRLF_INJECTION_LOGS",
+                            "EXTERNAL_CONFIG_CONTROL",
+                            "STRUTS_FORM_VALIDATION",
+                            "ESAPI_ENCRYPTOR",
+                            "ANDROID_BROADCAST",
+                            "ANDROID_GEOLOCATION",
+                            "ANDROID_WEB_VIEW_JAVASCRIPT",
+                            "ANDROID_WEB_VIEW_JAVASCRIPT_INTERFACE"]
+
+  //All the cryptography related bugs. Usually with issues related to confidentiality or integrity of data in transit.
+  static cryptoBugs = [
+          "WEAK_TRUST_MANAGER",
+          "WEAK_HOSTNAME_VERIFIER",
+          //"WEAK_MESSAGE_DIGEST", //Deprecated
+          "WEAK_MESSAGE_DIGEST_MD5",
+          "WEAK_MESSAGE_DIGEST_SHA1",
+          "CUSTOM_MESSAGE_DIGEST",
+          "HAZELCAST_SYMMETRIC_ENCRYPTION",
+          "NULL_CIPHER",
+          "UNENCRYPTED_SOCKET",
+          "DES_USAGE",
+          "RSA_NO_PADDING",
+          "RSA_KEY_SIZE",
+          "BLOWFISH_KEY_SIZE",
+          "STATIC_IV",
+          "ECB_MODE",
+          "PADDING_ORACLE",
+          "CIPHER_INTEGRITY"
+  ]
+
+  static majorBugsAuditOnly = [ //Mostly due to their high false-positive rate
+          "TRUST_BOUNDARY_VIOLATION"
+  ]
+
+  //Important bugs but that have lower chance to get full compromise of system (see critical).
+  static majorBugs = [
+          "PREDICTABLE_RANDOM",
+          "PATH_TRAVERSAL_IN",
+          "PATH_TRAVERSAL_OUT",
+          "REDOS",
+          "BAD_HEXA_CONVERSION",
+          "HARD_CODE_PASSWORD",
+          "HARD_CODE_KEY",
+          "XSS_REQUEST_WRAPPER",
+          "UNVALIDATED_REDIRECT",
+          "ANDROID_EXTERNAL_FILE_ACCESS",
+          "ANDROID_WORLD_WRITABLE",
+          "INSECURE_COOKIE",
+          "HTTPONLY_COOKIE",
+          "TRUST_BOUNDARY_VIOLATION",
+          "XSS_SERVLET",
+          "SPRING_CSRF_PROTECTION_DISABLED",
+          "SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING"
+  ]
+
+  static criticalBugs = [ //RCE or powerful function
+          "COMMAND_INJECTION",
+          "XXE_SAXPARSER",
+          "XXE_XMLREADER",
+          "XXE_DOCUMENT",
+          "SQL_INJECTION_HIBERNATE",
+          "SQL_INJECTION_JDO",
+          "SQL_INJECTION_JPA",
+          "LDAP_INJECTION",
+          "XPATH_INJECTION",
+          "XML_DECODER",
+          "SCRIPT_ENGINE_INJECTION",
+          "SPEL_INJECTION",
+          "SQL_INJECTION_SPRING_JDBC",
+          "SQL_INJECTION_JDBC",
+          "EL_INJECTION",
+          "SEAM_LOG_INJECTION",
+          "OBJECT_DESERIALIZATION",
+          "MALICIOUS_XSLT"
+  ]
+
+  static majorJspBugs = ["XSS_REQUEST_PARAMETER_TO_JSP_WRITER",
+          "XSS_JSP_PRINT", "JSP_JSTL_OUT"]
+
+  static //RCE from JSP specific functions (taglibs)
+  criticalJspBugs = ["JSP_INCLUDE","JSP_SPRING_EVAL","JSP_XSLT"]
+
+  static exclusions = ['CUSTOM_INJECTION']
+
+  static deprecatedRules = []
+
+  static String getPriorityFromType(String type) {
+    //FSB Specific
+    if (type in criticalBugs || type in criticalJspBugs) return "CRITICAL";
+    if (type in majorBugs || type in cryptoBugs || type in majorJspBugs) return "MAJOR";
+    if (type in informationnalPatterns) return "INFO"
+
+    //println("Unknown priority for "+type)
+    return null
+  }
+
+}