find-sec-bugs / find-sec-bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

Home Page: https://find-sec-bugs.github.io/


FindSecBugs-cli crashes when trying to write SARIF output

northdpole opened this issue · comments

Hey find-sec-bugs team, thank you for maintaining such a useful tool!
Y'all are awesome!

Environment

FindSecBugs 1.12.0 downloaded from
https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.12.0/findsecbugs-cli-1.12.0.zip

Problem

Trying to run the FindSecBugs CLI against any jar throws several exceptions after the analysis phase and before it writes the results.
All the exceptions are URISyntaxException and look like the following:

java.net.URISyntaxException: Illegal character in path at index 16: org/hsqldb/util/<Unknown>

An example stack trace is:

java.net.URISyntaxException: Illegal character in path at index 16: org/hsqldb/util/<Unknown>
        at java.net.URI$Parser.fail(URI.java:2847)
        at java.net.URI$Parser.checkChars(URI.java:3020)
        at java.net.URI$Parser.parseHierarchical(URI.java:3104)
        at java.net.URI$Parser.parse(URI.java:3062)
        at java.net.URI.<init>(URI.java:588)
        at edu.umd.cs.findbugs.sarif.Location$ArtifactLocation.fromBugAnnotation(Location.java:158)
        at edu.umd.cs.findbugs.sarif.Location$PhysicalLocation.fromBugAnnotation(Location.java:257)
        at edu.umd.cs.findbugs.sarif.Location.findPhysicalLocation(Location.java:96)
        at edu.umd.cs.findbugs.sarif.Location.fromBugInstance(Location.java:76)
        at edu.umd.cs.findbugs.sarif.BugCollectionAnalyser.processResult(BugCollectionAnalyser.java:70)
        at edu.umd.cs.findbugs.sarif.BugCollectionAnalyser.lambda$new$1(BugCollectionAnalyser.java:38)
        at java.lang.Iterable.forEach(Iterable.java:75)
        at edu.umd.cs.findbugs.sarif.BugCollectionAnalyser.<init>(BugCollectionAnalyser.java:34)
        at edu.umd.cs.findbugs.sarif.SarifBugReporter.processRuns(SarifBugReporter.java:42)
        at edu.umd.cs.findbugs.sarif.SarifBugReporter.finish(SarifBugReporter.java:29)
        at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:89)
        at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:89)
        at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:89)
        at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1165)
        at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
        at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
        at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
        at edu.umd.cs.findbugs.LaunchAppropriateUI.launch(LaunchAppropriateUI.java:106)
        at edu.umd.cs.findbugs.LaunchAppropriateUI.main(LaunchAppropriateUI.java:198)

Code

This happens for several jars (e.g. this one); another example is the WebGoat jar here.

In case this is due to the environment FindSecBugs runs in, I tried the following two Dockerfiles and they both produced the same result.

Corretto

# Stage 1: fetch and unpack the FindSecBugs CLI release
FROM amazoncorretto:8 as build

RUN  yum install -y wget unzip &&\
     mkdir findsecbugs && cd findsecbugs/ &&\
     wget https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.12.0/findsecbugs-cli-1.12.0.zip &&\
     unzip findsecbugs-cli-1.12.0.zip &&\
     chmod +x findsecbugs.sh &&\
     rm -f findsecbugs-cli-1.12.0.zip

# Stage 2: runtime image that carries only the unpacked CLI
FROM amazoncorretto:8

COPY --from=build /findsecbugs /findsecbugs
# -home tells findsecbugs.sh where the CLI and its plugin jar live
ENTRYPOINT [ "/findsecbugs/findsecbugs.sh","-home","/findsecbugs"]

and Eclipse Temurin:

# Stage 1: fetch and unpack the FindSecBugs CLI release
FROM eclipse-temurin:8-jre as build

RUN  apt update &&\
     apt install -y wget unzip &&\
     mkdir findsecbugs && cd findsecbugs/ &&\
     wget https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.12.0/findsecbugs-cli-1.12.0.zip &&\
     unzip findsecbugs-cli-1.12.0.zip &&\
     chmod +x findsecbugs.sh &&\
     rm -f findsecbugs-cli-1.12.0.zip

# Stage 2: runtime image that carries only the unpacked CLI
FROM eclipse-temurin:8-jre

COPY --from=build /findsecbugs /findsecbugs
# -home tells findsecbugs.sh where the CLI and its plugin jar live
ENTRYPOINT [ "/findsecbugs/findsecbugs.sh","-home","/findsecbugs"]

I am running FindSecBugs as such:

docker run -v $(pwd):/code -ti <corretto image or eclipse image> -quiet -sarif -progress -output /code/out.json -exitcode 0 /code/webgoat.jar

This takes about 10 minutes to run and ends up producing several instances of the stacktrace above (I suspect one instance per issue produced).

Based on my experience it is possible to create SARIF reports using FindSecBugs.

SecHub has a Dockerized solution for FindSecBugs and we have no problem creating SARIF reports.

My question is: did you scan something with an unusual name?
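The stack trace in the issue shows SpotBugs' SARIF writer (edu.umd.cs.findbugs.sarif.Location$ArtifactLocation.fromBugAnnotation) handing the source path org/hsqldb/util/<Unknown> to java.net.URI's single-argument constructor, which parses strictly and rejects the angle brackets. The following is an added illustration written for this page, not code from SpotBugs or Find Security Bugs: it reproduces the failing call on that exact path and shows two ways a reporter could cope with it, percent-encoding the path through URI's multi-argument constructor, or treating the placeholder as "no physical location". The class and method names are assumptions for the example; only the path string comes from the stack trace above.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added illustration (not SpotBugs code): why "org/hsqldb/util/<Unknown>"
 * cannot be turned into a URI with new URI(String), and how a SARIF
 * reporter could avoid aborting the whole report on such a path.
 */
public class UnknownSourceUri {

    // Source path copied from the URISyntaxException in the issue. SpotBugs
    // emits the <Unknown> placeholder when it cannot determine the source file
    // name; '<' and '>' are not legal in a URI path, so strict parsing fails.
    static final String UNKNOWN_SOURCE = "org/hsqldb/util/<Unknown>";

    /** Mirrors the failing call in Location$ArtifactLocation: strict parse of the raw path. */
    static boolean strictParseSucceeds(String path) {
        try {
            new URI(path);
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Option 1 (hypothetical fix): build the URI with the multi-argument
     * constructor. Unlike new URI(String), it percent-encodes characters that
     * are illegal in a path component instead of throwing.
     */
    static URI quotedPathUri(String path) throws URISyntaxException {
        return new URI(null, null, path, null);
    }

    /**
     * Option 2 (hypothetical fix): recognise the placeholder and report no
     * physicalLocation/artifactLocation for that result, so the rest of the
     * SARIF run is still written.
     */
    static boolean hasUsableSourcePath(String path) {
        return path != null && !path.endsWith("<Unknown>");
    }

    public static void main(String[] args) throws URISyntaxException {
        System.out.println("strict new URI(String) succeeds: " + strictParseSucceeds(UNKNOWN_SOURCE));
        System.out.println("multi-arg constructor yields:   " + quotedPathUri(UNKNOWN_SOURCE));
        System.out.println("usable source path:             " + hasUsableSourcePath(UNKNOWN_SOURCE));
        System.out.println("usable source path:             " + hasUsableSourcePath("org/hsqldb/util/Foo.java"));
    }
}
```

Compile and run it with javac/java on any JDK 8 or later. The first line shows the exception path from the issue, the second shows the same path with the brackets percent-encoded, and the last two show the placeholder check. Which of the two strategies a real reporter should use is a project decision; the point here is that one unresolvable source path should not abort the whole SARIF report. To see whether a jar contains classes that will produce <Unknown>, javap -v on a class file prints a SourceFile: line when the attribute is present; classes compiled or post-processed without it are the usual cause.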