Java: a new security engine taking the best of SonarSource and RIPS technologies

Hello Java developers,

A New Security Engine

After a couple of months of intense work, I’m really thrilled today to announce that we now have on SonarCloud a more precise security engine taking the best of RIPS and SonarSource technologies for Java analysis :champagne: :partying_face:.
If you analyze today a Java project that was in the past weeks analyzed on SonarCloud, you should see a drop of the number of open vulnerabilities. This is totally expected and it means that the remaining ones are vulnerabilities you should care about and fix.
The visible side effect of this new Java taint analyzer is less false-positives due to the fact that the engine is now field-sensitive.

What is Field-Sensitivity?

We call field-sensitivity the capability of the security engine to precisely track which field of an object is tainted or not by a malicious user input. Let’s considered this example to illustrate the problem:

String param = request.getParameter("name");
SimplePOJO bean = new SimplePOJO();
bean.setFieldA(param); // fieldA is tainted
bean.setFieldB("safe"); // fieldB is not tainted, it's safely assigned to a constant value

String sqlA = "SELECT * FROM TABLE WHERE USERNAME = " + bean.getFieldA();
boolean expectedissue = statement.execute(sqlA);

String sqlB = "SELECT * FROM TABLE WHERE USERNAME = " + bean.getFieldB();
boolean noissuexpected = statement.execute(sqlB);

Previously when the fieldA was tainted, the entire object bean was considered tainted and therefore the use of fieldB in a sink was considered as non-compliant and so two vulnerabilities were raised.
Today, this is no longer the case and field’s values are tracked separately and only relevant issues are raised, here only on statement.execute(sqlA).

Our plan is to continue the effort toward more precision and to bring that technology to C#, JS, PHP and Python analysis.

Together with this release, we also included a bunch of new configurations (sources, sanitizers and sinks) covering Apache Mina SSHD, Spring Web MVC 5.x, Apache Turbine, Apache Torque, MyBatis, Eclipse Vert.x, Apache Commons File Upload.

These changes are already available on SonarCloud, and will be included in SonarQube 8.5 starting from the Developer Edition.

Alex

6 Likes