metadata.findbugs.xml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of plugin Show documentation
Show all versions of plugin Show documentation
Core module of the project. It include all the FindBugs detectors.
The resulting jar is the published plugin.
The newest version!
<FindbugsPlugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://findbugs.googlecode.com/svn-history/r13379/trunk/findbugs/etc/findbugsplugin.xsd"
pluginid="com.h3xstream.findsecbugs"
provider="Find Security Bugs"
defaultenabled="true"
website="https://github.com/h3xstream/find-sec-bugs">
<!--
Detector : Java class that analyse the bytecode
Bug Pattern : Vulnerability/Code at risk*. All bug patterns are describe in messages.xml.
* Not all bug pattern are direct vulnerability. For example, the identification of endpoints
-->
<Detector class="com.h3xstream.findsecbugs.PredictableRandomDetector" reports="PREDICTABLE_RANDOM"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.ServletEndpointDetector"
reports="SERVLET_PARAMETER,SERVLET_CONTENT_TYPE,SERVLET_SERVER_NAME,SERVLET_SESSION_ID,SERVLET_QUERY_STRING,SERVLET_HEADER,SERVLET_HEADER_REFERER,SERVLET_HEADER_USER_AGENT"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.CookieDetector" reports="COOKIE_USAGE"/>
<Detector class="com.h3xstream.findsecbugs.PathTraversalDetector" reports="PATH_TRAVERSAL_IN,PATH_TRAVERSAL_OUT"/>
<Detector class="com.h3xstream.findsecbugs.CommandInjectionDetector" reports="COMMAND_INJECTION"/>
<Detector class="com.h3xstream.findsecbugs.WeakFilenameUtilsMethodDetector" reports="WEAK_FILENAMEUTILS"/>
<Detector class="com.h3xstream.findsecbugs.crypto.WeakTrustManagerDetector" reports="WEAK_TRUST_MANAGER"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.JaxWsEndpointDetector" reports="JAXWS_ENDPOINT"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.JaxRsEndpointDetector" reports="JAXRS_ENDPOINT"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.TapestryEndpointDetector" reports="TAPESTRY_ENDPOINT"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.WicketEndpointDetector" reports="WICKET_ENDPOINT"/>
<Detector class="com.h3xstream.findsecbugs.crypto.WeakMessageDigestDetector" reports="WEAK_MESSAGE_DIGEST"/>
<Detector class="com.h3xstream.findsecbugs.crypto.CustomMessageDigestDetector" reports="CUSTOM_MESSAGE_DIGEST"/>
<Detector class="com.h3xstream.findsecbugs.FileUploadFilenameDetector" reports="FILE_UPLOAD_FILENAME"/>
<Detector class="com.h3xstream.findsecbugs.ReDosDetector" reports="REDOS"/>
<Detector class="com.h3xstream.findsecbugs.xxe.SaxParserXxeDetector" reports="XXE"/>
<Detector class="com.h3xstream.findsecbugs.xpath.XPathInjectionJavaxDetector" reports="XPATH_INJECTION"/>
<Detector class="com.h3xstream.findsecbugs.xpath.XPathInjectionApacheXPathApiDetector" reports="XPATH_INJECTION"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.Struts1EndpointDetector" reports="STRUTS1_ENDPOINT"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.Struts2EndpointDetector" reports="STRUTS2_ENDPOINT"/>
<Detector class="com.h3xstream.findsecbugs.endpoint.SpringMvcEndpointDetector" reports="SPRING_ENDPOINT"/>
<Detector class="com.h3xstream.findsecbugs.injection.sql.SqlInjectionDetector" reports="SQL_INJECTION"/>
<Detector class="com.h3xstream.findsecbugs.injection.ldap.LdapInjectionDetector" reports="LDAP_INJECTION"/>
<Detector class="com.h3xstream.findsecbugs.crypto.BadHexadecimalConversionDetector" reports="BAD_HEXA_CONVERSION"/>
<Detector class="com.h3xstream.findsecbugs.crypto.EcbModeDetector" reports="ECB_MODE"/>
<Detector class="com.h3xstream.findsecbugs.crypto.HazelcastSymmetricEncryptionDetector" reports="HAZELCAST_SYMMETRIC_ENCRYPTION"/>
<Detector class="com.h3xstream.findsecbugs.crypto.NullCipherDetector" reports="NULL_CIPHER"/>
<Detector class="com.h3xstream.findsecbugs.crypto.UnencryptedSocketDetector" reports="UNENCRYPTED_SOCKET"/>
<Detector class="com.h3xstream.findsecbugs.crypto.DesUsageDetector" reports="DES_USAGE"/>
<Detector class="com.h3xstream.findsecbugs.crypto.RsaNoPaddingDetector" reports="RSA_NO_PADDING"/>
<Detector class="com.h3xstream.findsecbugs.password.GoogleApiKeyDetector" reports="HARD_CODE_PASSWORD"/>
<Detector class="com.h3xstream.findsecbugs.password.JndiCredentialsDetector" reports="HARD_CODE_PASSWORD"/>
<Detector class="com.h3xstream.findsecbugs.StrutsValidatorFormDetector" reports="STRUTS_FORM_VALIDATION"/> <!-- TODO : Disable by default -->
<Detector class="com.h3xstream.findsecbugs.xss.XSSRequestWrapperDetector" reports="XSS_REQUEST_WRAPPER"/>
<Detector class="com.h3xstream.findsecbugs.crypto.InsufficientKeySizeBlowfishDetector" reports="BLOWFISH_KEY_SIZE"/>
<Detector class="com.h3xstream.findsecbugs.crypto.InsufficientKeySizeRsaDetector" reports="RSA_KEY_SIZE"/>
<Detector class="com.h3xstream.findsecbugs.injection.redirect.UnvalidatedRedirectDetector" reports="UNVALIDATED_REDIRECT" />
<BugPattern type="PREDICTABLE_RANDOM" abbrev="SECPR" category="SECURITY"/>
<BugPattern type="SERVLET_PARAMETER" abbrev="SECSP" category="SECURITY"/>
<BugPattern type="SERVLET_CONTENT_TYPE" abbrev="SECSCT" category="SECURITY"/>
<BugPattern type="SERVLET_SERVER_NAME" abbrev="SECSSN" category="SECURITY"/>
<BugPattern type="SERVLET_SESSION_ID" abbrev="SECSSID" category="SECURITY"/>
<BugPattern type="SERVLET_QUERY_STRING" abbrev="SECSSQ" category="SECURITY"/>
<BugPattern type="SERVLET_HEADER" abbrev="SECSH" category="SECURITY"/>
<BugPattern type="SERVLET_HEADER_REFERER" abbrev="SECSHR" category="SECURITY"/>
<BugPattern type="SERVLET_HEADER_USER_AGENT" abbrev="SECSHUA" category="SECURITY"/>
<BugPattern type="COOKIE_USAGE" abbrev="SECCU" category="SECURITY"/>
<BugPattern type="PATH_TRAVERSAL_IN" abbrev="SECPTI" category="SECURITY"/>
<BugPattern type="PATH_TRAVERSAL_OUT" abbrev="SECPTO" category="SECURITY"/>
<BugPattern type="COMMAND_INJECTION" abbrev="SECCI" category="SECURITY"/>
<BugPattern type="WEAK_FILENAMEUTILS" abbrev="SECWF" category="SECURITY"/>
<BugPattern type="WEAK_TRUST_MANAGER" abbrev="SECWTM" category="SECURITY"/>
<BugPattern type="JAXWS_ENDPOINT" abbrev="SECJWS" category="SECURITY"/>
<BugPattern type="JAXRS_ENDPOINT" abbrev="SECJRS" category="SECURITY"/>
<BugPattern type="TAPESTRY_ENDPOINT" abbrev="SECTE" category="SECURITY"/>
<BugPattern type="WICKET_ENDPOINT" abbrev="SECWE" category="SECURITY"/>
<BugPattern type="WEAK_MESSAGE_DIGEST" abbrev="SECWMD" category="SECURITY"/>
<BugPattern type="CUSTOM_MESSAGE_DIGEST" abbrev="SECCMD" category="SECURITY"/>
<BugPattern type="FILE_UPLOAD_FILENAME" abbrev="SECFUN" category="SECURITY"/>
<BugPattern type="REDOS" abbrev="SECRD" category="SECURITY"/>
<BugPattern type="XXE" abbrev="SECXXE" category="SECURITY"/>
<BugPattern type="XPATH_INJECTION" abbrev="SECXPI" category="SECURITY"/>
<BugPattern type="STRUTS1_ENDPOINT" abbrev="SECSTR1" category="SECURITY"/>
<BugPattern type="STRUTS2_ENDPOINT" abbrev="SECSTR2" category="SECURITY"/>
<BugPattern type="SPRING_ENDPOINT" abbrev="SECSC" category="SECURITY"/>
<BugPattern type="SQL_INJECTION" abbrev="SECSQLI" category="SECURITY"/>
<BugPattern type="LDAP_INJECTION" abbrev="SECLDAPI" category="SECURITY"/>
<BugPattern type="BAD_HEXA_CONVERSION" abbrev="SECBHC" category="SECURITY"/>
<BugPattern type="ECB_MODE" abbrev="SECECB" category="SECURITY"/>
<BugPattern type="HAZELCAST_SYMMETRIC_ENCRYPTION" abbrev="SECHAZ" category="SECURITY"/>
<BugPattern type="NULL_CIPHER" abbrev="SECNC" category="SECURITY"/>
<BugPattern type="UNENCRYPTED_SOCKET" abbrev="SECUS" category="SECURITY"/>
<BugPattern type="DES_USAGE" abbrev="SECDU" category="SECURITY"/>
<BugPattern type="RSA_NO_PADDING" abbrev="SECRNP" category="SECURITY"/>
<BugPattern type="HARD_CODE_PASSWORD" abbrev="SECHCP" category="SECURITY"/>
<BugPattern type="STRUTS_FORM_VALIDATION" abbrev="SECSFV" category="SECURITY"/>
<BugPattern type="XSS_REQUEST_WRAPPER" abbrev="SECXRW" category="SECURITY"/>
<BugPattern type="RSA_KEY_SIZE" abbrev="SECRKS" category="SECURITY"/>
<BugPattern type="BLOWFISH_KEY_SIZE" abbrev="SECBKS" category="SECURITY"/>
<BugPattern type="UNVALIDATED_REDIRECT" abbrev="SECUR" category="SECURITY"/>
<!--
<Detector class="com.h3xstream.findsecbugs.crypto.StaticIvDetector" reports="STATIC_IV"/>
<BugPattern type="STATIC_IV" abbrev="SECSIV" category="SECURITY"/>
-->
</FindbugsPlugin>
© 2015 - 2025 Weber Informatics LLC | Privacy Policy