Java security analysis: more APIs supported to detect more vulnerabilities

Hello Java developers,

We took some time to review the sources and sinks supported by the RIPS Java engine and decided to take the best of it and integrate these configurations into the Java analyzer running on SonarCloud. The result is a big list of improvements that will enable it to find more vulnerabilities. A first batch has been deployed on SonarCloud, and here is the list of frameworks/APIs we added:

S5146 - Open Redirect:

  • GWT
  • Restlet#Redirector
  • Apache Wicket

S2076 - OS Command Injection:

  • Apache Commons Exec
  • ZeroTurnaround Exec

S5135 - Deserialization Injection:

  • java.io.ObjectInput#readObject()

S5334 - Code Injection:

  • GroovyScript
  • Janino

S5167 - HTTP Response Splitting:

  • Apache Wicket#WebResponse

S5144 - Server-Side Request Forgery (SSRF):

  • Apache HttpClient#execute
  • Spring RestTemplate#exchange

S2078 - LDAP Injection:

  • Spring LDAP 2.x

S5145 - Log Injection:

  • Log4j 1.x and 2.x
  • SLF4J 1.x
  • tinylog 1.x and 2.x
  • Apache Commons Logging 1.x

On top of these changes, we added additional sources for Struts 1 & 2, Jersey, Wicket, Stapler, WebFlux, Spring Web Annotation, Spring Web Request.
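As an added illustration (not part of the original post, and not SonarSource's or RIPS's code), the Java class below shows the kind of tainted-data flow that two of the rules above report, each beside a hardened form: S5145 (Log Injection) with an SLF4J logger as the sink, and S5144 (SSRF) with Spring `RestTemplate#exchange` as the sink. The class name, the `ALLOWED_HOSTS` allow-list and the `sanitizeForLog` helper are assumptions made for the example; the `username` and `target` parameters stand for values taken straight from an HTTP request.

```java
// Added example: what S5145 (Log Injection) and S5144 (SSRF) flag, with a hardened form of each.
// Not from the original post; class name, allow-list and sanitizer are assumptions.
import java.net.URI;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

public class TaintedInputExamples {
    private static final Logger LOG = LoggerFactory.getLogger(TaintedInputExamples.class);
    private static final RestTemplate REST = new RestTemplate();

    // Hypothetical allow-list of upstream hosts this service is permitted to call.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.internal.example");

    // S5145: 'username' comes straight from the request. A value containing CR/LF
    // ends up as a forged extra line in the log file, which misleads anyone reading it.
    public void loginVulnerable(String username) {
        LOG.info("login attempt for {}", username);
    }

    // Hardened: neutralize line breaks and other control characters before the
    // value reaches the logger, so one request can only ever produce one log line.
    public void loginSafe(String username) {
        LOG.info("login attempt for {}", sanitizeForLog(username));
    }

    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        // \p{Cntrl} already covers \r and \n; they are listed explicitly for readability.
        return value.replaceAll("[\\r\\n\\p{Cntrl}]", "_");
    }

    // S5144: the request URL is user-controlled, so the server can be directed
    // at hosts it should never reach (internal services, cloud metadata, ...).
    public String fetchVulnerable(String target) {
        ResponseEntity<String> response = REST.exchange(target, HttpMethod.GET, null, String.class);
        return response.getBody();
    }

    // Hardened: parse the URL first, then accept only https to an allow-listed host.
    // Checking the parsed host (not a substring of the raw string) avoids bypasses
    // such as "https://api.internal.example.evil.test" or userinfo tricks.
    public String fetchSafe(String target) {
        URI uri = URI.create(target);
        boolean allowed = "https".equals(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost());
        if (!allowed) {
            throw new IllegalArgumentException("destination not allowed");
        }
        ResponseEntity<String> response = REST.exchange(uri, HttpMethod.GET, null, String.class);
        return response.getBody();
    }
}
```

The same pattern applies to the other logging sinks listed above (Log4j, tinylog, Commons Logging): the analyzer reports the flow from request parameter to logging call, and the fix is to break that flow with a sanitizer or an allow-list check before the sink.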

These changes are already available on SonarCloud, and will be included in SonarQube 8.5.

If you have any feedback/questions about issues raised by these rules, don’t hesitate to come back to us.

Alex
