rewrite-java-security
OpenRewrite recipes for patching Java security vulnerabilities.
### Problem

> Describe the issue you are experiencing.

### Expected behavior

> Describe what you expected to see.

### Example diff

**From:** `spring-beans/src/test/java/org/springframework/beans/factory/aot/BeanDefinitionMethodGeneratorTests.java`

```diff
Collections.emptyList()); MethodReference method = generator.generateBeanDefinitionMethod(...
```
Spotted while running `Remediate vulnerabilities from the OWASP Top Ten` https://app.moderne.io/results/UcdFWND6j

```
java.util.concurrent.ExecutionException: java.lang.IllegalStateException: Unable to construct Java17Parser.
  java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
  java.base/java.util.concurrent.FutureTask.get(FutureTask.java:205)
Caused by java.lang.IllegalStateException: Unable to construct Java17Parser.
  org.openrewrite.java.Java17Parser$Builder.build(Java17Parser.java:96)
  org.openrewrite.java.Java17Parser$Builder.build(Java17Parser.java:63)
  org.openrewrite.java.security.spring.GenerateWebSecurityConfigurerAdapter.generate(GenerateWebSecurityConfigurerAdapter.java:75)...
```
When using the `org.openrewrite.java.security:OwaspTopTen` recipe, it calls the `org.openrewrite.java.security.spring.CsrfProtection` recipe, which uses the deprecated `WebSecurityConfigurerAdapter` Spring class. When `-Werror` is activated on the Java compiler, it breaks the build.

```
[WARNING] /builds/src/main/java/.../SecurityConfig.java:[9,30] org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter in org.springframework.security.config.annotation.web.configuration...
```
Demonstrates how `@NestedOptions` would be used for Security Recipes. This allows for filtering the application of Recipes so they are only applied to tests when non-tests are modified. To be...
### Problem

There already appears to be a guard in place that, incorrectly, protects against this vulnerability.

```java
while (enumEntries.hasMoreElements()) {
    java.util.jar.JarEntry file = (java.util.jar.JarEntry) enumEntries.nextElement();
    if(!file.getName().startsWith(prefix)) // Incorrect fix...
```
### Problem

There isn't a vulnerability here, but one is being detected and reported here.

### Expected behavior

If a vulnerability isn't being fixed, no code changes should be generated....
### Problem

> Describe the issue you are experiencing.

### Expected behavior

> Describe what you expected to see.

### Example diff

```diff
+ "{ this(" + (dim > 0...
```
### Problem

The following two diffs violate the underlying principle of Rewrite that it will keep the formatting of the rest of the file and modify the minimum required. The...
Add and/or update `rewrite-java-security` recipes to mitigate issues defined in https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6

Here are some examples of vulnerable code for rewrite to fix: https://lgtm.com/query/3416203378941992723/

- [x] #11 -...
https://rules.sonarsource.com/java/tag/owasp/RSPEC-4544
https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038
https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf