Hello Java developers,
We took some time to review the sources and sinks supported by the RIPS Java engine and decided to take the best of it and integrate these configurations into the Java analyzer running on SonarCloud. The result is a big list of improvements that will enable the analyzer to find more vulnerabilities. A first batch has been deployed on SonarCloud, and here is the list of frameworks/APIs we added:
S5146 - Open Redirect:
- GWT
- Restlet#Redirector
- Apache Wicket
S2076 - OS Command Injection:
- Apache Commons Exec
- ZeroTurnaround Exec
S5135 - Deserialization Injection:
- java.io.ObjectInput#readObject()
S5334 - Code Injection:
- GroovyScript
- Janino
S5167 - HTTP Response Splitting:
- Apache Wicket#WebResponse
S5144 - Server-Side Request Forgery (SSRF):
- Apache HttpClient#execute
- Spring RestTemplate#exchange
S2078 - LDAP Injection:
- Spring LDAP 2.x
S5145 - Log Injection:
- Log4j 1.x and 2.x
- SLF4J 1.x
- tinylog 1.x and 2.x
- Apache Commons Logging 1.x
On top of these changes, we added additional sources for Struts 1 & 2, Jersey, Wicket, Stapler, WebFlux, Spring Web Annotation, Spring Web Request.
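To make the source/sink pairing concrete, here is an added example (written for this post, not code from SonarSource or from any of the frameworks above): a Spring Web controller whose `@RequestParam` (one of the Spring Web Annotation sources) flows into two of the newly supported sinks, `RestTemplate#exchange` (S5144 SSRF) and a Log4j 2 logger (S5145 log injection), followed by a hardened variant of the same endpoint. The class name, endpoint paths and the `ALLOWED_HOSTS` allow list are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

// Added example (not from the post): hypothetical controller used to show
// the tainted flow from a Spring Web source into two of the new sinks.
@RestController
public class ProxyController {

    private static final Logger LOG = LogManager.getLogger(ProxyController.class);
    private final RestTemplate restTemplate = new RestTemplate();

    // Assumed allow list of hosts this service is permitted to contact.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("api.example.com", "files.example.com");

    // Vulnerable: the request parameter (source) reaches both sinks unchanged.
    @GetMapping("/fetch")
    public String fetch(@RequestParam String target) {
        // S5145: CR/LF in "target" lets the caller forge extra log entries.
        LOG.info("fetching " + target);
        // S5144: the caller chooses the destination, e.g. an internal metadata
        // endpoint or a host only reachable from inside the network.
        ResponseEntity<String> resp =
                restTemplate.exchange(target, HttpMethod.GET, null, String.class);
        return resp.getBody();
    }

    // Hardened: the destination is parsed and checked against the allow list,
    // and the value is sanitized before it is written to the log.
    @GetMapping("/fetch-safe")
    public String fetchSafe(@RequestParam String target) {
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return "invalid url";
        }
        boolean allowed = "https".equals(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost())
                && uri.getUserInfo() == null                    // reject user@host tricks
                && (uri.getPort() == -1 || uri.getPort() == 443); // only the default port
        if (!allowed) {
            return "destination not allowed";
        }
        // Parameterized logging plus CR/LF stripping: no new log lines can be injected.
        LOG.info("fetching {}", target.replaceAll("[\\r\\n]", "_"));
        // Passing the validated URI (not the raw String) also avoids URI-template
        // expansion of the untrusted value.
        ResponseEntity<String> resp =
                restTemplate.exchange(uri, HttpMethod.GET, null, String.class);
        return resp.getBody();
    }
}
```

The analyzer is expected to raise S5144 and S5145 on the first method only; in the second, the allow-list check and the sanitization break the taint flow before it reaches the sinks. An allow list of hosts is the usual SSRF fix because a deny list (blocking 127.0.0.1, 169.254.169.254, and so on) is easily bypassed with alternate encodings or DNS rebinding.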
These changes are already available on SonarCloud, and will be included in SonarQube 8.5.
If you have any feedback/questions about issues raised by these rules, don’t hesitate to come back to us.
Alex