
FindSecBugs errors: Unable to call org/owasp/esapi/ESAPI.securityConfiguration()

Open davewichers opened this issue 4 years ago • 3 comments

I noticed a whole stream of these errors when running: mvn site. I suspect the actual bug is in FindSecBugs itself, but not sure. Not a big deal, but would be nice to track down and fix.

[INFO] 1 report detected for spotbugs-maven-plugin:4.2.2: spotbugs
[INFO] Fork Value is true
[java] The following errors occurred during analysis:
[java] Exception while analyzing org.owasp.esapi.ESAPI.accessController()Lorg/owasp/esapi/AccessController;
[java] java.lang.RuntimeException: Unable to call org/owasp/esapi/ESAPI.securityConfiguration()Lorg/owasp/esapi/SecurityConfiguration;
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitInvoke(TaintFrameModelingVisitor.java:599)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitINVOKESTATIC(TaintFrameModelingVisitor.java:385)
[java] At org.apache.bcel.generic.INVOKESTATIC.accept(INVOKESTATIC.java:86)
[java] At edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.analyzeInstruction(TaintFrameModelingVisitor.java:129)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:90)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:51)
[java] At edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.transfer(AbstractDataflowAnalysis.java:136)
[java] At edu.umd.cs.findbugs.ba.Dataflow.execute(Dataflow.java:378)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:183)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:56)
[java] At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
[java] At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
[java] At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.getTaintDataFlow(AbstractTaintDetector.java:142)
[java] At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.analyzeMethod(AbstractTaintDetector.java:109)
[java] At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.visitClassContext(AbstractTaintDetector.java:79)
[java] At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
[java] At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
[java] At java.util.concurrent.FutureTask.run(FutureTask.java:266)
[java] At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
[java] At java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:238)
[java] At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
[java] At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
[java] At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
[java] At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
[java] Exception while analyzing org.owasp.esapi.ESAPI.encryptor()Lorg/owasp/esapi/Encryptor;
[java] java.lang.RuntimeException: Unable to call org/owasp/esapi/ESAPI.securityConfiguration()Lorg/owasp/esapi/SecurityConfiguration;
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitInvoke(TaintFrameModelingVisitor.java:599)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitINVOKESTATIC(TaintFrameModelingVisitor.java:385)
[java] At org.apache.bcel.generic.INVOKESTATIC.accept(INVOKESTATIC.java:86)
[java] At edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.analyzeInstruction(TaintFrameModelingVisitor.java:129)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:90)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:51)
[java] At edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.transfer(AbstractDataflowAnalysis.java:136)
[java] At edu.umd.cs.findbugs.ba.Dataflow.execute(Dataflow.java:378)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:183)
[java] At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:56)
[java] At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
[java] At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
[java] At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.getTaintDataFlow(AbstractTaintDetector.java:142)
[java] At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.analyzeMethod(AbstractTaintDetector.java:109)
[java] At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.visitClassContext(AbstractTaintDetector.java:79)
[java] At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
[java] At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
[java] At java.util.concurrent.FutureTask.run(FutureTask.java:266)
[java] At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
[java] At java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:238)
[java] At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
[java] At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
[java] At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
[java] At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
... and many more.

davewichers, Mar 23 '21 17:03

@h3xstream - As the author/maintainer of FindSecBugs, can you help us figure out whether this is caused by a bug in your SpotBugs plugin? Or something we are doing wrong?

davewichers, Mar 23 '21 17:03

I meant to look at that. Apparently FindSecBugs tries to instantiate classes to do some fuzzing if I'm understanding this output correctly. But many of our classes have to be loaded with configurations which it will never know about. Might be best to create a findBugs profile to disengage tests like that. I don't think FindSecBugs would take this up.


xeno6696, Mar 23 '21 18:03

@xeno6696 - What you wrote makes sense, but I would think there are a lot of things in ESAPI like this because of all those singletons everywhere. Maybe FindSecBugs should call whatever method twice and see if they get back the identical reference and act accordingly, knowing that fuzzing probably won't help if the assumption is you are getting different objects. If we didn't have that stupid ESAPI.override() kludge, maybe we could denote ESAPI.securityConfiguration() as returning 'final SecurityConfiguration', dropping a clue. IDK. I'm mostly just rambling at this point. :)

kwwall, Mar 24 '21 00:03