Scribd Logo
Upload

Welcome to Scribd!

  • 119 views

    Evalution of Findbugs: Arooj Fatima Anam Khan Sumaya Basheer

    Uploaded by

    Arooj Fatima
    Complete beginner topic about Static testing with findbugs including OWASP Vulnerabilities and ways to use tool.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd

    Evalution of Findbugs: Arooj Fatima Anam Khan Sumaya Basheer

    Uploaded by

    Arooj Fatima
    119 views28 pages
    Complete beginner topic about Static testing with findbugs including OWASP Vulnerabilities and ways to use tool.

    Original Title

    Find Bugs

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Complete beginner topic about Static testing with findbugs including OWASP Vulnerabilities and ways to use tool.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    119 views28 pages

    Evalution of Findbugs: Arooj Fatima Anam Khan Sumaya Basheer

    Uploaded by

    Arooj Fatima
    Complete beginner topic about Static testing with findbugs including OWASP Vulnerabilities and ways to use tool.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    of 28

    Evalution of FindBugs

    Arooj Fatima
    Anam Khan
    Sumaya Basheer
    Description

    • Static Analysis tool that finds bugs in


    Java code
    • Open- source and multi-platform
    • Analyzes byte code instead of source
    code
    • Analysis based on bug patterns
    • Available as standalone or plugin
    How it works?
    Use “bug patterns” to detect potential bugs
    FindBugs comes with over 800+ rules divided into different categories:
    Correctness
    E.g. infinite recursive loop, reads a field that is never written
    Bad practice
    E.g. code that drops exceptions or fails to close file
    Performance
    E.g. Method concatenates strings using + in a loop
    Multithreaded correctness
    E.g.Incorrect lazy initialization and update of static field
    Security
    E.g.Hardcoded constant database password
    Dodgy
    E.g. unused local variables or unchecked casts
    How it works?
    Use “bug patterns” to detect potential bugs
    FindBugs comes with over 800+ rules divided into different categories:
    Experimental
    E.g. Methods may fail to clean up stream or reasources
    internationalization
    E.g.Default encding
    How it works?
    Use “bug patterns” to detect potential bugs

    public boolean equals(Object obj) {


    NullPointerExcep OfConcernRankBugs object =
    tion (OfConcernRankBugs) obj;
    return
    this.getPlaceHolder().equals(object.getPlaceH
    older());
    }
    public class ShoppingCart {
    private List items;
    Uninitialized public addItem(Item item) {
    field items.add(item);
    }
    }
    How it works?
    Bad practice

    statement =
    Method may fail to close
    getConnection_dmiConstantDbPasswordCORR
    database resource on
    ECT().prepareStatement(query);
    expectation

    Comparison of String
    System.out.println(" - " + (string1 ==
    objects using == or !=
    string2));
    How it works?
    Correctness

    final Long value = (Long) doubleValue;


    Impossible cast

    if (null != value & value.length() > 2) {


    System.out.println(String.format(" - "
    Possible null pointer + value));
    dereference }
    How it works?
    Experimental

    Method fail to clean up resultSet = statement.executeQuery();


    resource

    Method fail to clean up statement =


    resource or stream on getConnection_dmiConstantDbPasswordCORR
    checked exception ECT().prepareStatement(query);
    How it works?
    Malicious code vulnerability

    Feild isn't final but should protected static List<String> sessionList =


    be new ArrayList<String>();

    Field should be package protected static long lastTime =


    protected System.currentTimeMillis();
    How it works?
    Multithreaded correctness

    Method Called synchronized (this) {


    thread.sleep() with a lock Thread.sleep(5000);
    held }

    private void emptySynchronized() {


    Empty Synchoronised block
    synchronized (this) {
    // Forgot implementation
    }
    }
    How it works?
    Performance

    Private Method never called private void executeSomeConditions() {


    if
    ("SomeValue".equals(this.checkStrValue)) {
    // Condition 1
    } else if
    ("SomeValue".equals(this.checkStrValue)) {
    // Condition 2
    }
    }
    How it works?
    Dodgy Code

    Load of known null value final String value = null;


    if (null != value & value.length() > 2) {};

    if ("SomeValue".equals(this.checkStrValue)) {
    // Condition 1
    Useless control flow
    } else if
    ("SomeValue".equals(this.checkStrValue)) {
    // Condition 2
    };
    How it works?
    Security

    Empty database password connection =


    DriverManager.getConnection("jdbc:derby:me
    mory:myDB;create=true", "APP", "");

    Hardcoded constant connection =


    database password DriverManager.getConnection("jdbc:derby:me
    mory:myDB;create=true", "APP",
    "my-secret-password");
    OWASP Top 10 of web application vulnerabilities

    1.Injection
    2.Broken Authentication
    3.Sensitive data exposure Anyone building a web-
    4. XML External Entities (XXE) application should know
    5.Broken Access control about these vulnerabilities:
    6.Security misconfigurations
    7.Cross Site Scripting (XSS)
    8.Insecure Deserialization
    9.Using Components with known
    vulnerabilities
    10.Insufficient logging and
    monitoring
    1. XML External Entities (XXE)

    Injection
    Trust boundary violation
    Sensitive data exposure
    Secure flag
    XML External Entities (XXE)
    How about False alarms?
    false positive

    public class Thingy {


    private final Lock lock = new
    ReentrantLock();
    private boolean shutdown;
    public void shutdown() {
    lock.lock();
    shutdown = true;
    lock.unlock();
    }
    }
    FindBugs complains that
    "Thingy.shutdown() does not release
    lock on all exception paths"
    Why use FindBugs
    ●Finding bug in java program
    ●Prevent human error
    ●Learn from error
    How to use FindBugs?
    3 flavours

    GUI

    Plugin

    CommandLine
    GUI?
    lets have a look

    Select File | New project


    GUI?
    lets have a look

    Select byte code files and their


    source code [Point to jar files or
    class files]

    [Point to java
    files]
    Command prompt?
    lets see Commands

    Directory
    To open findbugs GUI: name

    C:\>java -jar D:/findbugs-


    3.0.1/lib/findbugs.jar
    Command prompt?
    lets see Commands

    General Commands:
    License?
    it's open source

    1. Free software released under the LGPL

    2. A University of Maryland project that has received funding from Google,


    Sun Microsystems, NSF, Fortify Software, SureLogic and the IBM Eclipse
    Innovation award
    Thank You! 
    Any Questions?

    You might also like