ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

FindSecBugs errors: Unable to call org/owasp/esapi/ESAPI.securityConfiguration() #613

Open davewichers opened 3 years ago

davewichers commented 3 years ago

I noticed a whole stream of these errors when running: mvn site. I suspect the actual bug is in FindSecBugs itself, but not sure. Not a big deal, but would be nice to track down and fix.

[INFO] 1 report detected for spotbugs-maven-plugin:4.2.2: spotbugs
[INFO] Fork Value is true
[java] The following errors occurred during analysis:
[java] Exception while analyzing org.owasp.esapi.ESAPI.accessController()Lorg/owasp/esapi/AccessController;
[java] java.lang.RuntimeException: Unable to call org/owasp/esapi/ESAPI.securityConfiguration()Lorg/owasp/esapi/SecurityConfiguration;
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitInvoke(TaintFrameModelingVisitor.java:599)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitINVOKESTATIC(TaintFrameModelingVisitor.java:385)
[java]   At org.apache.bcel.generic.INVOKESTATIC.accept(INVOKESTATIC.java:86)
[java]   At edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.analyzeInstruction(TaintFrameModelingVisitor.java:129)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:90)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:51)
[java]   At edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.transfer(AbstractDataflowAnalysis.java:136)
[java]   At edu.umd.cs.findbugs.ba.Dataflow.execute(Dataflow.java:378)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:183)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:56)
[java]   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
[java]   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
[java]   At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.getTaintDataFlow(AbstractTaintDetector.java:142)
[java]   At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.analyzeMethod(AbstractTaintDetector.java:109)
[java]   At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.visitClassContext(AbstractTaintDetector.java:79)
[java]   At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
[java]   At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
[java]   At java.util.concurrent.FutureTask.run(FutureTask.java:266)
[java]   At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
[java]   At java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:238)
[java]   At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
[java]   At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
[java]   At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
[java]   At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
[java] Exception while analyzing org.owasp.esapi.ESAPI.encryptor()Lorg/owasp/esapi/Encryptor;
[java] java.lang.RuntimeException: Unable to call org/owasp/esapi/ESAPI.securityConfiguration()Lorg/owasp/esapi/SecurityConfiguration;
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitInvoke(TaintFrameModelingVisitor.java:599)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.visitINVOKESTATIC(TaintFrameModelingVisitor.java:385)
[java]   At org.apache.bcel.generic.INVOKESTATIC.accept(INVOKESTATIC.java:86)
[java]   At edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintFrameModelingVisitor.analyzeInstruction(TaintFrameModelingVisitor.java:129)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:90)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintAnalysis.transferInstruction(TaintAnalysis.java:51)
[java]   At edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.transfer(AbstractDataflowAnalysis.java:136)
[java]   At edu.umd.cs.findbugs.ba.Dataflow.execute(Dataflow.java:378)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:183)
[java]   At com.h3xstream.findsecbugs.taintanalysis.TaintDataflowEngine.analyze(TaintDataflowEngine.java:56)
[java]   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.analyzeMethod(AnalysisCache.java:368)
[java]   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getMethodAnalysis(AnalysisCache.java:321)
[java]   At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.getTaintDataFlow(AbstractTaintDetector.java:142)
[java]   At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.analyzeMethod(AbstractTaintDetector.java:109)
[java]   At com.h3xstream.findsecbugs.injection.AbstractTaintDetector.visitClassContext(AbstractTaintDetector.java:79)
[java]   At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
[java]   At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
[java]   At java.util.concurrent.FutureTask.run(FutureTask.java:266)
[java]   At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
[java]   At java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:238)
[java]   At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
[java]   At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
[java]   At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
[java]   At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
... and many more.

davewichers commented 3 years ago

@h3xstream - As the author/maintainer of FindSecBugs, can you help us figure out whether this is caused by a bug in your SpotBugs plugin? Or something we are doing wrong?

xeno6696 commented 3 years ago

I meant to look at that. Apparently FindSecBugs tries to instantiate classes to do some fuzzing if I'm understanding this output correctly. But many of our classes have to be loaded with configurations which it will never know about. Might be best to create a findBugs profile to disengage tests like that. I don't think FindSecBugs would take this up.

On 3/23/2021 10:16 AM, Dave Wichers wrote:
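The "findBugs profile" idea above is usually done with a SpotBugs exclude filter wired in through the spotbugs-maven-plugin. The filter below is an added illustration, not part of the ESAPI build or of this thread; the file name spotbugs-exclude.xml is an assumption. It suppresses FindSecBugs findings (category SECURITY) whose source is the org.owasp.esapi.ESAPI locator class, which is where every trace above enters the taint analysis (the ESAPI.accessController() and ESAPI.encryptor() static factories calling ESAPI.securityConfiguration()).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- spotbugs-exclude.xml (assumed file name; illustrative, not the project's own file).
     Referenced from the spotbugs-maven-plugin configuration via
     <excludeFilterFile>${project.basedir}/spotbugs-exclude.xml</excludeFilterFile>,
     ideally inside an opt-in Maven <profile> so the default "mvn site" run is unchanged. -->
<FindBugsFilter>
  <!-- FindSecBugs reports live in the SECURITY category. Match only those, and only
       for the ESAPI locator class whose static factories (accessController(),
       encryptor(), ...) all route through ESAPI.securityConfiguration(). Every other
       class, and every non-security SpotBugs pattern on ESAPI itself, is still reported. -->
  <Match>
    <Class name="org.owasp.esapi.ESAPI" />
    <Bug category="SECURITY" />
  </Match>
</FindBugsFilter>
```

One caveat before relying on this: SpotBugs filters act on reported bug instances, not on which classes get analysed, so a filter hides findings from ESAPI's entry points but does not stop the "errors occurred during analysis" entries from being logged (they do not fail the build either). Silencing the exception itself means leaving the offending detectors out of the run, for example with the plugin's omitVisitors parameter, which needs the detector names that this thread does not identify.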

kwwall commented 3 years ago

@xeno6696 - What you wrote makes sense, but I would think there are a lot of things in ESAPI like this because of all those singletons everywhere. Maybe FindSecBugs should call whatever method twice and see if they get back the identical reference and act accordingly, knowing that fuzzing probably won't help if the assumption is you are getting different objects. If we didn't have that stupid ESAPI.override() kludge, maybe we could denote ESAPI.securityConfiguration() as returning 'final SecurityConfiguration', dropping a clue. IDK. I'm mostly just rambling at this point. :)