FindSecBugs-cli crashes when trying to write SARIF output
northdpole opened this issue
Hey find-sec-bugs team, thank you for maintaining such a useful tool!
Y'all are awesome!
Environment
FindSecBugs 1.12.0 downloaded from
https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.12.0/findsecbugs-cli-1.12.0.zip
Problem
Trying to run the FindSecBugs CLI against any jar throws several exceptions after the analysis phase and before it writes the results.
All the exceptions are URISyntaxException and look like the following:
java.net.URISyntaxException: Illegal character in path at index 16: org/hsqldb/util/<Unknown>
An example stack trace is:
java.net.URISyntaxException: Illegal character in path at index 16: org/hsqldb/util/<Unknown>
at java.net.URI$Parser.fail(URI.java:2847)
at java.net.URI$Parser.checkChars(URI.java:3020)
at java.net.URI$Parser.parseHierarchical(URI.java:3104)
at java.net.URI$Parser.parse(URI.java:3062)
at java.net.URI.<init>(URI.java:588)
at edu.umd.cs.findbugs.sarif.Location$ArtifactLocation.fromBugAnnotation(Location.java:158)
at edu.umd.cs.findbugs.sarif.Location$PhysicalLocation.fromBugAnnotation(Location.java:257)
at edu.umd.cs.findbugs.sarif.Location.findPhysicalLocation(Location.java:96)
at edu.umd.cs.findbugs.sarif.Location.fromBugInstance(Location.java:76)
at edu.umd.cs.findbugs.sarif.BugCollectionAnalyser.processResult(BugCollectionAnalyser.java:70)
at edu.umd.cs.findbugs.sarif.BugCollectionAnalyser.lambda$new$1(BugCollectionAnalyser.java:38)
at java.lang.Iterable.forEach(Iterable.java:75)
at edu.umd.cs.findbugs.sarif.BugCollectionAnalyser.<init>(BugCollectionAnalyser.java:34)
at edu.umd.cs.findbugs.sarif.SarifBugReporter.processRuns(SarifBugReporter.java:42)
at edu.umd.cs.findbugs.sarif.SarifBugReporter.finish(SarifBugReporter.java:29)
at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:89)
at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:89)
at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:89)
at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1165)
at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
at edu.umd.cs.findbugs.LaunchAppropriateUI.launch(LaunchAppropriateUI.java:106)
at edu.umd.cs.findbugs.LaunchAppropriateUI.main(LaunchAppropriateUI.java:198)
Code
This happens for several jars (e.g. this one); another example is the webgoat jar here.
In case this is due to the environment FindSecBugs runs in, I tried the following two Dockerfiles and they both produced the same result.
Corretto
# Build stage: download and unpack the FindSecBugs CLI release
FROM amazoncorretto:8 as build
RUN yum install -y wget unzip &&\
    mkdir findsecbugs && cd findsecbugs/ &&\
    wget https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.12.0/findsecbugs-cli-1.12.0.zip &&\
    unzip findsecbugs-cli-1.12.0.zip &&\
    chmod +x findsecbugs.sh &&\
    rm -f findsecbugs-cli-1.12.0.zip
# Runtime stage: only the unpacked tool is copied over
FROM amazoncorretto:8
COPY --from=build /findsecbugs /findsecbugs
ENTRYPOINT [ "/findsecbugs/findsecbugs.sh","-home","/findsecbugs"]
and Eclipse Temurin:
# Build stage: download and unpack the FindSecBugs CLI release
FROM eclipse-temurin:8-jre as build
# unzip is a separate package from zip on Debian/Ubuntu and is needed for the unzip step below
RUN apt update &&\
    apt install -y wget zip unzip &&\
    mkdir findsecbugs && cd findsecbugs/ &&\
    wget https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.12.0/findsecbugs-cli-1.12.0.zip &&\
    unzip findsecbugs-cli-1.12.0.zip &&\
    chmod +x findsecbugs.sh &&\
    rm -f findsecbugs-cli-1.12.0.zip
# Runtime stage: only the unpacked tool is copied over
FROM eclipse-temurin:8-jre
COPY --from=build /findsecbugs /findsecbugs
ENTRYPOINT [ "/findsecbugs/findsecbugs.sh","-home","/findsecbugs"]
I am running FindSecBugs as follows:
docker run -v $(pwd):/code -ti <corretto image or eclipse image> -quiet -sarif -progress -output /code/out.json -exitcode 0 /code/webgoat.jar
This takes about 10 minutes to run and ends up producing several instances of the stack trace above (I suspect one instance per issue produced).
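The stack trace above ends in `java.net.URI.<init>(String)`, the single-argument constructor, which parses its input strictly and rejects `<` and `>` outright. The following is an added example (not SpotBugs or FindSecBugs code) that reproduces that rejection on the exact path from the report and shows one defensive way a SARIF writer could build an artifact location instead of crashing: skip paths ending in the `<Unknown>` placeholder, since there is no real file behind them, and percent-encode everything else through the multi-argument `URI` constructor, which quotes illegal characters rather than throwing. `toArtifactUri` and `UNKNOWN_SOURCE` are hypothetical names chosen for this example; the sample paths other than the one from the issue are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;

/**
 * Added example (not SpotBugs / FindSecBugs code): why "org/hsqldb/util/<Unknown>"
 * makes the strict URI constructor fail, and a lenient alternative.
 */
public class ArtifactLocationDemo {

    // Placeholder that appears in the failing path from the issue; treated here as
    // "source file not known" (constructed assumption for this example).
    static final String UNKNOWN_SOURCE = "<Unknown>";

    /** Reproduces the failure: URI(String) parses strictly and rejects '<' and '>'. */
    static String strictParse(String path) {
        try {
            return new URI(path).toString();
        } catch (URISyntaxException e) {
            return "rejected: " + e.getMessage();
        }
    }

    /**
     * Hypothetical defensive helper:
     *  - a path ending in the "<Unknown>" placeholder yields no artifact location at all;
     *  - any other path goes through URI(scheme, authority, path, query, fragment), which
     *    percent-encodes characters that are illegal in a path instead of throwing.
     */
    static Optional<URI> toArtifactUri(String sourcePath) {
        if (sourcePath == null || sourcePath.isEmpty() || sourcePath.endsWith(UNKNOWN_SOURCE)) {
            return Optional.empty();
        }
        try {
            // Only the path component is set, so the result is a relative URI.
            return Optional.of(new URI(null, null, sourcePath, null, null));
        } catch (URISyntaxException e) {
            // Still reachable for pathological input (e.g. a path starting with "//",
            // which would be read as an authority); report nothing rather than crash.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            "org/hsqldb/util/<Unknown>",    // the path from the issue
            "org/owasp/webgoat/Foo.java",   // constructed: ordinary source path
            "src/main/java/My Class.java"   // constructed: space must be percent-encoded
        };
        for (String s : samples) {
            System.out.println("input  : " + s);
            System.out.println("strict : " + strictParse(s));
            System.out.println("lenient: " + toArtifactUri(s).map(URI::toString).orElse("(no artifact location)"));
        }
    }
}
```

Run with `javac ArtifactLocationDemo.java && java ArtifactLocationDemo`. The first sample prints the same `Illegal character in path at index 16` message as the issue under `strict` and `(no artifact location)` under `lenient`; the third sample is encoded as `src/main/java/My%20Class.java` rather than rejected. Dropping the location for `<Unknown>` paths keeps the finding itself in the SARIF output, which is preferable to losing the whole report.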
Based on my experience it is possible to create SARIF reports using FindSecBugs.
SecHub has a Dockerized solution for FindSecBugs and we have no problem creating SARIF reports.
My question is: did you scan something with an unusual name?