Secure Coding Experience For Java SE
I had just been assigned to the secure coding of a Java project. The first thing I do, as usual, is look for suitable documents to set up my own checklist, so that we don't miss any kind of bug or unsafe code.
When building a security checklist, people still think of OWASP first, and so did I. Fortunately, I also found https://www.oracle.com/java/technologies/javase/seccodeguide.html, which was written by Oracle and should be a reliable and valuable reference. I should have glanced over the OWASP secure coding guidelines, but I think Oracle provides sufficient knowledge with respect to its own language. Hence, I decided to stick with their guideline.
You should also look at many other viewpoints as well when performing the code analysis either manually or automatically:
Control Flow Analysis (build a graph of the program's control flow and look for anomalies)
Symbolic Execution (determine the inputs that cause certain parts of the code to execute)
Taint Analysis (track which variables are controlled by external input and whether they reach a sensitive sink)
Test Coverage (ensure that unit tests cover all of the code)
Linting (ensure that the code meets style requirements and has no syntax errors)
The above-mentioned perspectives should cover most of the important things a code review should look at. However, in this article I want to focus on secure code review rather than on checking for syntax errors :D
Checklist
You can find it here
Automation Tests
For Java:
PMD (.java)
Download the latest version of PMD
Decompress the file and build the source code. After the build, the launcher scripts are in
pmd-pmd_releases-6.25.0/pmd-dist/target/pmd-bin-6.25.0/bin
./run.sh pmd -d /Users/macbookpro/Downloads/java/contract.java -R ../../../../pmd-java/src/main/resources/category/java/bestpractices.xml -f html > report_sample.html
Use > rather than >> here; appending would stack a second HTML document onto an existing report.
The rule files should be taken from pmd-java/src/main/resources/category/java/. For a security review, security.xml and errorprone.xml are the most relevant categories next to bestpractices.xml.
Read the documentation for more details
Deep Dive (.apk, .jar)
Download the latest version of DeepDive
Decompress the zip file
run.sh should be in the bin directory
It might return the error
JAVA_HOME must point to a valid JRE (You may want to set it permanently in setenv.sh).
Run these two commands to get past the above issue and bring up the GUI. They invoke java directly with whatever JDK is on your PATH, bypassing the JAVA_HOME check in run.sh:
export CLASSPATH=../discotek.deepdive-1.5.5-beta.jar:../lib/discotek.deepdive-engine-1.5.5-beta.jar
java -Xmx4G -jar ../lib/discotek.deepdive-engine-1.5.5-beta.jar -decompile=true -project-directory=../sample-config -output-directory=/temp/report ../discotek.deepdive-1.5.5-beta.jar
Semgrep (java, python, golang, javascript)
Clone the repo and read the Readme
Run the Java ruleset over the target (newer Semgrep releases accept the same registry ruleset as --config p/java):
semgrep --config=https://semgrep.live/c/p/java <PathToFile>
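Once PMD and Semgrep have both been run, you are left with two reports in two different formats. The script below is an added example written for this article (it is not code from PMD or Semgrep) that merges a PMD XML report and a Semgrep JSON report into one queue sorted by severity, so a reviewer works through a single list instead of two. It assumes the PMD run used -f xml instead of -f html and that Semgrep was run with --json; the two reports embedded in it are constructed samples shaped like each tool's real output, and the file paths, rule names and messages in them are illustrative.

```python
# Added example for this article (not PMD or Semgrep code): merge a PMD XML report
# and a Semgrep JSON report into one severity-ordered triage queue. Assumes PMD ran
# with `-f xml` and Semgrep with `--json`. Both reports below are constructed samples
# shaped like the real output; paths, rule names and messages are illustrative.
from __future__ import annotations

import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the layout of `pmd ... -f xml` (PMD 6.x).
PMD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="6.25.0">
<file name="src/main/java/demo/Login.java">
<violation beginline="42" endline="42" begincolumn="9" endcolumn="40"
           rule="HardCodedCryptoKey" ruleset="Security" priority="3">
Do not hard code the crypto key
</violation>
<violation beginline="10" endline="10" begincolumn="5" endcolumn="30"
           rule="SystemPrintln" ruleset="Best Practices" priority="2">
System.out.println is used
</violation>
</file>
</pmd>
"""

# Constructed sample in the layout of `semgrep --json`.
SEMGREP_JSON = json.dumps({"results": [{
    "check_id": "java.lang.security.audit.sqli.jdbc-sqli",
    "path": "src/main/java/demo/UserDao.java",
    "start": {"line": 58, "col": 9}, "end": {"line": 58, "col": 60},
    "extra": {"message": "Detected a formatted string in a SQL statement.",
              "severity": "ERROR", "lines": "ResultSet rs = stmt.executeQuery(query);"},
}], "errors": []})

# Semgrep uses words; map them onto PMD's numeric 1 (high) .. 5 (low) priority scale.
SEMGREP_SEVERITY = {"ERROR": 1, "WARNING": 3, "INFO": 5}


@dataclass(frozen=True)
class Finding:
    tool: str
    severity: int  # 1 = most urgent, 5 = least
    path: str
    line: int
    rule: str
    message: str


def _local(tag: str) -> str:
    """Strip the namespace PMD puts on every element, e.g. '{...}file' -> 'file'."""
    return tag.rsplit("}", 1)[-1]


def parse_pmd(xml_text: str) -> list[Finding]:
    """Flatten PMD's <file>/<violation> tree into Finding records."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    out = []
    for file_el in (e for e in root.iter() if _local(e.tag) == "file"):
        for v in (e for e in file_el if _local(e.tag) == "violation"):
            out.append(Finding("pmd", int(v.get("priority", "3")), file_el.get("name", "?"),
                               int(v.get("beginline", "0")), v.get("rule", "?"),
                               (v.text or "").strip()))
    return out


def parse_semgrep(json_text: str) -> list[Finding]:
    """Read each entry of Semgrep's top-level "results" array."""
    out = []
    for r in json.loads(json_text).get("results", []):
        extra = r.get("extra", {})
        out.append(Finding("semgrep", SEMGREP_SEVERITY.get(extra.get("severity", "WARNING"), 3),
                           r["path"], r["start"]["line"], r["check_id"], extra.get("message", "")))
    return out


def triage_queue(*reports: list[Finding]) -> list[Finding]:
    """Merge findings from any number of tools: most severe first, then by file and line."""
    return sorted((f for report in reports for f in report),
                  key=lambda f: (f.severity, f.path, f.line))


def format_queue(queue: list[Finding]) -> str:
    """One line per finding, in the order a reviewer should work through them."""
    return "\n".join(f"P{f.severity} {f.tool:<7} {f.path}:{f.line} {f.rule}: {f.message}"
                     for f in queue)


if __name__ == "__main__":
    print(format_queue(triage_queue(parse_pmd(PMD_XML), parse_semgrep(SEMGREP_JSON))))
```

Run it as-is to see the merged queue for the embedded samples; for a real review, replace the two constants with the contents of the report files the tools wrote. The severity mapping is a judgement call: Semgrep's ERROR is put level with PMD priority 1 so that findings from the security-oriented Semgrep rules surface above PMD's style-grade warnings, and you should adjust the table if your own PMD ruleset assigns priorities differently.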
VisualCodeGrepper (VCG) (C++, C#, VB, PHP, Java, PL/SQL and COBOL)
Download the latest version
Install it on Windows
Select the language
Open the folder that contains the source code files.
graudit (many languages)
graudit [opts] /path/to/scan
OPTIONS
-d database to use or /path/to/file.db (uses default if not specified)
-A scan ALL files
-x exclude these files (comma separated list: -x *.js,*.sql)
-i case in-sensitive scan
-c number of lines of context to display, default is 2
-B suppress banner
-L vim friendly lines
-b colour blind friendly template
-z suppress colors
-Z high contrast colors
-l lists databases available
-v prints version number
-h prints this help screen
Manual Review
Use your eyes. This tool can help you identify the lines of code and the languages involved before you start.