Find security bugs学习笔记V10.docx

简介http://h3xstream.github.io/find-sec-bugs/Find Security Bugs is a plugin for FindBugs that aim to help security audit on Java web application.Some vulnerability categories covered:Endpoints from various frameworkCommand InjectionXPath InjectionXml eXternal Entity (XXE)Weak cryptographyTainted inputsPredictable randomSpecific library weaknessXSS in JSP pageSQL/HQL injectionReDOSPath traversalFrameworks support:Spring MVCApache Tapestry 5Struts 1Struts 2JaxRS (Jersey)JaxWS (Axis2, Metro)J2EE classic Web apiApache WicketFind Security Bugs has a total of 38 detectors and 45 different bug patterns. The complete list of bug patterns are list in this section：http://h3xstream.github.io/find-sec-bugs/bugs.htmFindBugs/Experience with FindBugs（Google的FindBugs实践）Google FindBugs Fixit: Google has a tradition of?engineering fixits, special days where they try to get all of their engineers focused on some specific problem or technique for improving the systems at Google. A fixit might work to improve web accessibility, internal testing, removing TODOs from internal software, etc.In 2009, Google held a global fixit for UMDs FindBugs tool a static analysis tool for finding coding mistakes in Java software. The focus of the fixit was to get feedback on the 4,000 highest confidence issues found by FindBugs at Google, and let Google engineers decide which issues, if any, needed fixing.More than 700 engineers ran FindBugs from dozens of offices. More than 250 of them entered more than 8,000 reviews of the issues. A review is a classification of an issue as must-fix, should-fix, mostly-harmless, not-a-bug, and several other categories. More than 75% of the reviews classified issues as must fix, should fix or I will fix. Many of the scariest issues received more than 10 reviews each.Engineers have already submitted changes that made more than 1,100 of the 3,800 issues go away. Engineers filed more than 1,700 bug reports, of which 600 have already been marked as fixed Work continues on ad