Open-source static analysis for Security in 2018 — Part 2: Java
So yesterday I talked about the most usable static analysis tool I’ve found in open source for Python. How about Java? The language still tops to TIOBE index despite all the hate it gets. As the saying usually attributed to Bjarne Stroustrup goes (which he denies),
There are only two kinds of languages: the ones people complain about and the ones nobody uses
Java falls in the territory of languages that people have to use either for server side, for Android or for some reason. I do think the JVM is one of the most rock solid VM implementations out there.
So what does the story look like for static analysis tools? If you want the TLDR version — use spotbugs, and pmd, I’ll talk further down in how you can integrate. But I’d like to give my biased version of my history with static analysis with Java.
What is the equivalent of the safety package I talked about in the last post in Java? Meet the OWASP Dependency Check, this can be run as a standalone tool or as a maven plugin, and it even works within Jenkins at least.
For maven at least you can add the following, now you can run
mvn verify and get the report or run it explicitly with
mvn dependency-check:check , the html report file is saved by default at target/dependency-check-report.html.
From actionability and noise, this is incredible, you get a full view of what vulnerabilities are available, and the confidence, along with the CVEs. For each entry there’s a browsable link.
The jenkins job comes with a chart for tracking how many dependency problems are being addressed. If you don’t want to be another Equifax, I recommend using this plugin.
I refuse to use Eclipse anymore but my first introduction to “static analysis” on the fly was actually in this IDE (it could have been Netbeans or . Since it’s damn near impossible to be productive in Java without an IDE, I find that the on the fly code checking that IntelliJ’s built-in checks provide is really useful. There are integrations available for most major tools for IntelliJ and JetBrains knows JVM and how to write a typed language on it.
Test Coverage Tools
I find that JaCoCo covers a lot of ground in at least allowing you to only check the code that’s being covered with tests, and some basic checks. I mention it here because it often finds neat code paths that would manifest as logical errors if they aren’t covered by unit tests. Baeldung’s review has one of these examples.
I have used a few closed sourced ones in the part, and frankly they didn’t seem worth the cost.
FindBugs + FindSecBugs
Findbugs was the first tool that everyone recommended me to use and sometime in 2016, I gave up on it because it was no longer being maintained and I was tired of false positives and bugs. It seemed that I was spending a lot of time covering around the issues. I still see that the last release was in 2015. http://findbugs.sourceforge.net/
A lot of the bugs I needed to solve at the time dealt with OWASP vulnerabilities (and well, OWASP Top 10 is still a staple money maker ;) ), and with FindSecBugs, it’s a little bit better. Integrating with existing tools is relatively straightforward. Tools like SonarQube do a reasonable job of integrating with FindSecBugs
SpotBugs + FindSecBugs
I find that this hits the right balance for maintainability, actionability of the static analysis tools. I usually integrate it in the following way in maven, I haven’t bothered with Gradle in quite some time, to give you something usable. Put this in between
<!-- SpotBugs Static Analysis -->
<!-- Optional directory to put spotbugs xdoc xml report -->
<version>LATEST</version> <!-- Auto-update to the latest stable -->
Now you can run
mvn spotbugs:check and it will nicely break your build. You can play around with the profiles or parent pom to enforce on build or package for certain environments. For instance, I may allow snapshot builds to be a little relaxed but final builds to be required to pass.
You can also get a gui to explore with
I’d still classify a few of these as false-positives, but for the most part it’s decent start.
I don’t use PMD as much as SpotBugs but it’s a solid and mature piece of static code checking system. Particularly the features to detect Copy-Paste code (which well usually have similar bugs as origin) and to be able to run specific rulesets are very useful. Further info: https://maven.apache.org/plugins/maven-pmd-plugin/
I don’t have any active projects using PMD to present further information, but if I do, I’ll have some sample code here.
While the tools have improved and there’s a plethora of them, along with a few vendors who would like to help, I would still like to get a better coverage for the OWASP Top 10 from open source tools. Java is the one language I have some familiarity with some closed source tools too — Veracode and Synopsis’s suite of tools like Coverity, SecureAssist are pretty decent if you can spare the money for them.
At the end of the day, trying to find a single tool isn’t quite enough because
- Data Flow matters
- Runtime changes matter
- Dependency checks matter
- Locks matter
- Variable ownership/leaking matters
Even if you go to the OWASP Static Code Analysis page there are many ways to do static analysis. I think we’re getting better with the availability of better tools and lot of techniques from strongly typed functional languages like ML coming to mainstream languages. Java is slowly showing promise though.