Java analysis detects broken access control security issues

Hello Java developers,

A couple of days after C++, it’s time for Java code to get access to new rules detecting broken authentication (OWASP A2) and access control (OWASP A5) issues.

Here is what’s new with this update:

  • S5804: Allowing user enumeration is security-sensitive
    If a user-management feature discloses whether a given username exists, attackers can use brute-force attacks to harvest a large number of valid usernames, which affects the privacy of the corresponding users and facilitates other attacks (phishing, password guessing, etc.).
  • S5876: A new session should be created during user authentication
    This is to avoid session fixation attacks that can occur when an attacker can force a legitimate user to use a session ID that he knows.
  • S5808: “Authorizations should be based on strong decisions” should be used instead of S4834, which is now deprecated.
  • S4790: “Using weak hashing algorithms is security-sensitive” should be used instead of S2070, which is now deprecated.
  • S3752: Allowing both safe and unsafe HTTP methods is security-sensitive. The rule was rewritten to be more generic and not focus only on Spring.
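To make the S5804, S5876 and S4790 points concrete, here is an added example of a login servlet (not code from the original post or from the SonarSource rule descriptions). It assumes the javax.servlet 4.x API; the class and method names, the in-memory user store, the PBKDF2 iteration count and the sample credentials are all constructed for this illustration.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login endpoint; only doPost is overridden, so a GET to this URL
// gets HttpServlet's default 405 response and the credential check is POST-only.
public class LoginServlet extends HttpServlet {

    // Example PBKDF2 parameters (assumption for this illustration, not a rule mandate).
    private static final int ITERATIONS = 210_000;
    private static final int KEY_LENGTH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // S4790: passwords are stored as salted PBKDF2-HMAC-SHA256, not as MD5/SHA-1 digests.
    // Record format: base64(salt) + ":" + base64(derivedKey). Dummy record is used to keep
    // the timing of "unknown user" close to that of "wrong password" (see S5804 below).
    private static final String DUMMY_RECORD = hashPassword("not-a-real-password");

    // Constructed in-memory user store; a real application would use a database.
    private final Map<String, String> users =
            Map.of("alice", hashPassword("correct horse battery staple"));

    static String hashPassword(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] key = pbkdf2(password.toCharArray(), salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(key);
    }

    static boolean verifyPassword(String password, String record) {
        String[] parts = record.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = pbkdf2(password.toCharArray(), salt);
        // Constant-time comparison so the mismatch position is not observable.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 is not available", e);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing credentials");
            return;
        }

        // S5804: the hash check always runs (against a dummy record if the user is unknown),
        // and the failure message is identical in both cases, so neither the wording nor the
        // response time tells a caller whether the username exists.
        String record = users.get(username);
        boolean passwordMatches = verifyPassword(password, record != null ? record : DUMMY_RECORD);
        if (record == null || !passwordMatches) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid username or password");
            return;
        }

        // S5876: discard any session that existed before authentication and create a fresh
        // one, so a session ID planted by an attacker (session fixation) is never promoted
        // to an authenticated session.
        HttpSession preAuth = req.getSession(false);
        if (preAuth != null) {
            preAuth.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", username);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The two checks the analyzer would flag in a naive version of this code are easy to spot by contrast: a response such as "unknown user" or "wrong password" (S5804), and setting the user attribute on the session returned by `req.getSession()` without invalidating it first (S5876). Replacing the PBKDF2 routine with `MessageDigest.getInstance("MD5")` would be the S4790 case.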

For more information and details of the improvements we added to the existing rules, you can check the changelog.

These rules are already available on SonarCloud, and will be included in SonarQube 8.6 and SonarLint.

Alex
