Questions tagged [find-sec-bugs]

Use the find-sec-bugs tag for questions specifically about the Find Security Bugs plugin for SpotBugs.

Find Security Bugs (or "find-sec-bugs") is a SpotBugs plugin for security audits of Java web applications. It adds detectors to SpotBugs, which by default ships only a few detectors dedicated to security. It can detect many vulnerability types, including command injection, XPath injection, SQL/HQL injection, cryptographic weaknesses and more; many of its detectors rely on taint analysis, tracking untrusted input from a source (such as a request parameter) to a sensitive sink (such as a JDBC query or a process launch).

The software is licensed under the LGPL, just like SpotBugs itself.

For more information, visit the official website: https://find-sec-bugs.github.io/
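The tag wiki above lists the injection classes the plugin looks for; the following is an added illustration (not code from this page or from the find-sec-bugs project) of what such a finding looks like in practice, placing a query and a command launch built from untrusted input next to the form that keeps the input out of the sink. The class name, the table, and the `Connection` passed in are constructed for the example; the detector identifiers `SQL_INJECTION_JDBC` and `COMMAND_INJECTION` are the ones I know from the plugin's bug-pattern list, so check them against the version you run.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; // from spotbugs-annotations

// Constructed example class: each "unsafe" method is the kind of code
// find-sec-bugs reports, and the method after it is the usual fix.
public class UserLookup {

    // A value that may come straight from a request parameter is concatenated
    // into the SQL text. The Statement.executeQuery sink receives a tainted
    // string, which the plugin reports as SQL_INJECTION_JDBC.
    public static ResultSet findByNameUnsafe(Connection conn, String name) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id, name FROM users WHERE name = '" + name + "'");
    }

    // Parameterised query: the SQL text is a constant and the value is bound,
    // so no tainted data reaches the query parser and nothing is reported.
    public static ResultSet findByNameSafe(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Untrusted input spliced into a command string. Runtime.exec(String)
    // splits the string on whitespace, so a host value such as "x -c 1000"
    // adds arguments to the command; the plugin reports COMMAND_INJECTION.
    public static Process pingUnsafe(String host) throws IOException {
        return Runtime.getRuntime().exec("ping -c 1 " + host);
    }

    // Argument-vector form with the value constrained to a plain hostname: the
    // input can only ever be one argument. A regex check does not clear taint
    // in find-sec-bugs's analysis (the string object is still the tainted
    // one), so expect this call to be reported as well; once the check has
    // been reviewed, the accepted finding is suppressed at the method with a
    // justification rather than by disabling the detector globally.
    @SuppressFBWarnings(value = "COMMAND_INJECTION",
            justification = "host is validated against a hostname allowlist before use")
    public static Process pingSafe(String host) throws IOException {
        if (host == null || !host.matches("[A-Za-z0-9.-]{1,253}")) {
            throw new IllegalArgumentException("host must be a plain hostname");
        }
        return new ProcessBuilder("ping", "-c", "1", host).start();
    }
}
```

Run SpotBugs with the plugin on the compiled class and the two "unsafe" methods should each produce a finding at the line of the sink; the suppression annotation requires the `spotbugs-annotations` artifact on the compile classpath, and it only silences the one method it is placed on.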

25 questions
0
votes
0 answers

How can I debug new detectors in find-sec-bugs without repackaging the entire project?

How to quickly debug and modify code? I am not a professional java developer and I am confused about how to debug this find-sec-bugs project. Whenever I add a new detector, do I need to package the entire project and replace plugins.jar in…
0
votes
0 answers

Running the secbugs Maven plugin from the command line / Maven plugin configuration parameters on the command line

Maybe this is a generic question with regards to how to transfer Maven plugin parameters from the pom.xml to the command line, but I have usually done this without problems using the method below. For the find-security-bugs plugin, however, it is not…
0
votes
2 answers

How to integrate find-sec-bugs in spotbugs?

Recently I downloaded the findsecbugs-plugin-1.11.0.jar in order to use it in SpotBugs. I copied this jar file to the plugin folder of the SpotBugs (4.1.4) project. I execute SpotBugs using Ant. When I run the Ant target I get the following…
0
votes
1 answer

Reason why findsecbugs reports vulnerabilities in the code segment of an imported library

As shown in the picture below, line 18 shows that a hard-coded vulnerability was scanned. But it does not report the issue when I import this flagged module in other files. And strangely, it also reports this problem when I remove the flagged…
j0ck
0
votes
0 answers

Spotbugs XML report does not have instanceHash value when run using Gradle plugin

I have used the FindSecBugs plugin in SpotBugs to do a static security analysis of my code. Some of my projects are built using Gradle and some using Maven. I have successfully tested for Maven, which gives me an XML report like: BugInstance…
0
votes
2 answers

Using FindSecBugs in Maven throws java.lang.OutOfMemoryError

I'm new to Maven. I'm using Mac OS X. I tried to build the project using Maven and it happened properly. Then I used mvn spotbugs:spotbugs to use the spotbugs plugin! It took a while and threw Exception in thread "main" java.lang.OutOfMemoryError:…
0
votes
1 answer

How to remove "taint" for Findbugs "Find Security Bugs"

I am using the "Find Security Bugs" plugin for Findbugs: https://find-sec-bugs.github.io/ Many of the detectors use "Taint analysis" to raise their warnings. Is there any documentation on how to remove "taint" from a value? I can't find any docs…
Rich
0
votes
1 answer

Could not initialize class com.h3xstream.findsecbugs.taintanalysis.TaintMethodSummary

I'm using FindBugs-IDEA 1.0.0 with FindBugs 3.0.1. My Android studio version is 2.1.2. I'm only using FindBugs to analyse 1 single Java file (a fragment) if that matters Full stacktrace: java.lang.NoClassDefFoundError: Could not initialize class…
ericn
0
votes
1 answer

How to write a custom detector for the find-sec-bugs plugin?

How to write a custom detector for the find-sec-bugs plugin? It will be helpful if someone writes a sample detector to detect the use of a word. Thanks in advance.
niraj
0
votes
1 answer

Find Security Bugs does not scan Groovy files

In our project, we use both Groovy and Java classes. We are using the find-sec-bugs plugin 1.4.3 with FindBugs 3.0.1 to scan the source code. The security bugs from Groovy classes are not reported by the plugin. Java classes are properly scanned.…
s_v_2