Java GA Language Rules

[elsapet]

Bringing the Java rules to GA will be a three-step process.

1. Improve rule coverage

We currently have ~20 Java rules. The initial part of this work will be to expand our Java rule set to cover a wider area, predominantly Java lang rules (and not e.g. 3rd party API rules as this is step 2).

Focus - Java is missing rules for the following CWEs and these should be the initial focus.

CWEs to be supported that are known Java candidates:

• CWE-22 feat(java): add path traversal rule (CWE-22) #239
• CWE-94 feat(java): code injection rule (CWE-94) #224
• CWE-200 feat(java/android): add screenshot prevention rule (CWE-200) #228
• CWE-276 feat(java/android): add world readable/writeable rule (CWE-276) #229
• CWE-295
  • feat(java): missing TLS validation #230
  • feat(java): missing or permissive ssl hostname verifier (CWE-295) #231
• CWE-319 feat(java): add warning-level rule about socket creation best practices (CWE-319) #233
• CWE-502 feat(java): deserialization of user input (CWE-502) #237
• CWE-601 feat(java): open redirect rule (CWE-601) #234
• CWE-798 feat(java): add hardcoded secret rule (CWE-798) #206
• CWE-918 feat(java): add SSRF rule (CWE-918) #235
• CWE-942 feat(java): add permissive allow origin rule (CWE-942) #242
• CWE-943 feat(java): add AWS query injection rule (CWE-943) #236
• CWE-917 feat(java): log4j rules #269 - Log4j vulnerability

Additional CWEs to be supported (some may not be good Java candidates):

• CWE-470 feat(java): unsafe reflection (CWE-470) #247
• CWE-95 feat(java): add eval injection rule (CWE-95) #244
• CWE-210 feat(java): exception rule (CWE-210) #245
• CWE-315 feat(java): add cookie leaks rule (CWE-315) #246
• CWE-346 feat(java): add insecure allow origin rule (CWE-346) #220
• CWE-693 feat(java): permissive cookie config (CWE-693) #248
• CWE-1287 feat(java): regex using user input (CWE-1287) #249
• CWE-1395 feat(java): vulnerable Apache commons collection version (CWE-1395) #250

2. Add 3rd party API rules (CWE-201 - "Insertion of Sensitive Information Into Sent Data"). This is the list from other languages supported by bearer-rules, and part of this step will be to investigate which of these APIs are supported by Java:

• Airbrake feat(java): airbrake library (CWE-201) #252
• Algolia feat(java): add third party rule for Algolia (CWE-201) #254
• Bugsnag feat(java): add third parties bugsnag rule (CWE-201) #258
• Clickhouse feat(java): third parties clickhouse rule #259
• Datadog feat(java): add third parties Datadog (CWE-201) #262
• Elasticsearch feat(java): third parties ElasticSearch (CWE-201) #261
• New Relic feat(java): third parties new relic #264
• Open Telemetry feat(java): add third parties open telemetry #265
• Rollbar feat(java): third parties rollbar (CWE-201) #266
• Sentry feat(java): third parties sentry #268

As we did with Go, PHP and JS (in the case of Google Dataflow), we skip the Google APIs:

• Google Analytics worth of rule is unclear. API accessed through HTTP calls (which we would catch in other rules) or through a client. Client usage relies on builders making detection very fine grained
• Google Dataflow

The following third parties are not applicable in terms of Java rules:

• Honeybadger Java support hooks into config, so java_lang_exception will catch leakage cases
• Scout APM no Java support https://scoutapm.com/

And the following are not currently supported they require us to catch on sensitive data being entered into HashMap data structures

• BigQuery feat(java): add third parties Google BigQuery rule (CWE-201) #256
• Segment feat(java): third parties segment (CWE-201) #267

3. Battle test 💪

• Extend CWE-547 to catch String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"}; - feat(java): extend hardcoded secret rule #330
• Extend CWE-547 to catch TextCodec.BASE64.encode("somePassword") - feat(java): extend hardcoded secret rule #330
• Extend CWE-798 to catch "somePassword".equals(password) - feat(java): extend hardcoded secret rule #330
• CWE-611 XXE - feat(java): add xxe rule #333
• CWE-208 Timing Attack - feat(java): add observable timing rule #336
• CWE-347 Improper Verification of Cryptographic Signature (specifically JWT Signature Verification Bypass) - feat(java): add jwt missing signature verification #337

Spring cases from battle testing

• Include Spring @RequestParam annotation (see Spring docs) as user input e.g. someMethod(@RequestParam String payload)
• CWE-352 CSRF in Spring - HttpSecurity instance without csrf enabled

SQLi cases from battle testing

• Snyk (and Semgrep) counts as SQLi any query string that includes a variable. Some of these were known user input because of Spring @RequestParam annotation, but a lot were simply the function argument included in the query string. Likely a larger question across all languages whether we want to catch such cases, and how (warning-level, for example).