New security rule for SonarJava plugin

I have implemented a security rule for the java scanner. This rule checks the use of the org.apache.activemq.ActiveMQConnectionFactory class, which is subject to an extended XML Entity flaw.
I guess I should receive a RSPEC before I can merge this rule to the SonarJava scanner. Can you please provide a new number?
Thanks


Hello Patrick,

Before thinking about creating a new RSPEC, I think we need a little bit of context.

Can you share some links related to that specific problem? Or explain here what you want to catch and why? Are there already CVEs related to XXE + ActiveMQConnectionFactory?

Thanks

Hi Alexandre,

Here are my references:
http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
http://activemq.apache.org/objectmessage.html
http://cwe.mitre.org/data/definitions/611.html
https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)

Regards,
Patrick

Hi Alexandre,

Any update to this issue?

Regards,

Patrick

Hello Patrick,

If my understanding is correct, you want to raise an issue if ActiveMQConnectionFactory is not properly configured, or is configured in an unsafe way, as described in http://activemq.apache.org/objectmessage.html

For the first case, you will raise an issue when there is no call to factory.setTrustedPackages
For the second case, you will raise an issue when factory.setTrustAllPackages( true );

Is that what you want to catch?

Thanks
Alex
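The two cases described in that post, written out as an added illustration for this thread (example code, not code from the rule's PR, from SonarJava or from the ActiveMQ project). The broker URL, queue name and `com.example.messages` package are placeholders; the ActiveMQ calls `setTrustedPackages(List<String>)` and `setTrustAllPackages(boolean)` are the real ones the rule looks for, and `ObjectMessage.getObject()` on the consumer side is where the deserialization that CVE-2015-5254 abuses actually happens.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedPackagesExample {

    // Placeholder broker URL and queue; replace with the real ones.
    static final String BROKER_URL = "tcp://localhost:61616";
    static final String QUEUE_NAME = "example.queue";

    // Case 1 (noncompliant for the rule): no trusted-package list is ever
    // configured on the factory, so the deserialization allow-list is left
    // entirely to library defaults and is never reviewed by this code.
    static ActiveMQConnectionFactory missingTrustedPackages() {
        return new ActiveMQConnectionFactory(BROKER_URL);
    }

    // Case 2 (noncompliant): trusting every package disables the allow-list,
    // so any serializable class on the consumer's classpath can be
    // instantiated from an attacker-supplied ObjectMessage body.
    static ActiveMQConnectionFactory trustAllPackages() {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        factory.setTrustAllPackages(true);
        return factory;
    }

    // Compliant: only classes whose package is on this list (or under it)
    // may be deserialized from an ObjectMessage. Keep the list as narrow as
    // the message types you actually exchange.
    static ActiveMQConnectionFactory explicitTrustedPackages() {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        factory.setTrustedPackages(Arrays.asList("com.example.messages", "java.lang"));
        return factory;
    }

    // Consumer side: getObject() is the call that deserializes the body. With
    // the compliant factory, a body whose class is outside the trusted list
    // fails here with a JMSException instead of being instantiated.
    static Object receiveOne(ActiveMQConnectionFactory factory) throws JMSException {
        Connection connection = factory.createConnection();
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE_NAME));
            Message message = consumer.receive(1000L);
            if (message instanceof ObjectMessage) {
                return ((ObjectMessage) message).getObject();
            }
            return null;
        } finally {
            connection.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        // Only the explicitly configured factory should be used in real code.
        Object body = receiveOne(explicitTrustedPackages());
        System.out.println("received: " + body);
    }
}
```

One caveat for anyone tuning the rule: ActiveMQ 5.12.2 / 5.13.0 and later ship with a built-in default trusted-package list (for example `java.lang`, `java.util`, `org.apache.activemq`), so case 1 is a "not reviewed" finding rather than a proof that arbitrary classes can be deserialized; case 2 (`setTrustAllPackages(true)`) removes that protection outright. Running against an older broker client, or with `trustAllPackages` set through configuration rather than in code, is outside what a source-level rule can see.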

Hello Patrick,

Can you raise your PR with a RSPEC-XXX so I can look at your code to be sure to understand which issue you want to catch?

Thanks

Hi Alexandre,

This is correct. These are the two cases I’d like to catch.

Regards,

Patrick

On Tue, 12 March 2019 at 15:33, Alexandre Gigleux via SonarSource Community sscommunity@discoursemail.com wrote:

Hello,

I created https://jira.sonarsource.com/browse/RSPEC-5301 to get a RSPEC ID. I will finalize it once you have submitted your PR.

Regards

Hello @Patrick_Roth,

Can you submit your PR so we can move forward on this thread?

Thanks

Hi Alexandre,

Unfortunately I didn’t manage to pass the Integration tests. Some tests fail.

Hello,

Where is your code so we can look at it? We can certainly help to fix the ITs.

Thanks

Hi Alexandre,

Sorry for this long delay: I didn’t find any time to work on this rule this summer.

Now the build passes with and without the qa profile activated. How can we go on with this rule?

Best,
Patrick

Hello,

The next step is to create a PR here: https://github.com/SonarSource/sonar-java/pulls

Alex

Related PR: https://github.com/SonarSource/sonar-java/pull/2762

Hello @parrot55,

The rule you suggested RSPEC-5301 is now part of SonarJava 6.1 and will be included in SonarQube 8.2.

Thanks for your contribution!