find-secbugs findings are usually related to a particular piece of code and the context it's used in, so in case they are false positives, I'd like to exclude the specific finding, not the whole bug pattern.
For example, running Hawkeye against a recent version of the official Spring Boot Starter Template (see below) comes up with a couple of findings related to the Spring Boot Loader. Assuming those are false-positives (I haven't actually looked at the code yet), I'd like to exclude the spring boot packages without compromising my ability to find the same bug pattern in my own code.
Steps to Reproduce
1) Get a Kotlin Spring Boot project with vulnerable dependencies and build it
2) Run Hawkeye against the project:
$ docker run --rm -v $PWD:/target hawkeyesec/scanner-cli scan --show-code
[...]
module level code offender description mitigation
----------------- ------ --------------------------------------- ------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------
java-find-secbugs medium java-find-secbugs-URLCONNECTION_SSRF_FD In method org.springframework.boot.loader.LaunchedURLClassLoader.clearCache() This web server request could be used by an attacker to expose internal services and filesystem. Check line(s) 166, 164
java-find-secbugs medium java-find-secbugs-URLCONNECTION_SSRF_FD In method org.springframework.boot.loader.LaunchedURLClassLoader.lambda$definePackage$0(String, String) This web server request could be used by an attacker to expose internal services and filesystem. Check line(s) 136, 134
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.Launcher.createArchive() java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 124, 119, 120
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.PropertiesLauncher.getClassPathArchives(String) java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 465, 445, 446, 463
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.PropertiesLauncher.getClassPathArchives(String) java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 468, 445, 446, 463
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.PropertiesLauncher.getFileResource(String) java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 242, 161, 164, 166, 167, 168, 171, 172, 208, 212
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.PropertiesLauncher.getHomeDirectory() java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 151, 151
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.PropertiesLauncher.getNestedArchives(String) java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 519, 445, 446, 463, 481, 519
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.PropertiesLauncher.getNestedArchives(String) java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 521, 445, 446, 463, 481, 521
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.PropertiesLauncher.getNestedArchives(String) java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 530, 445, 446, 463, 481, 524, 526
java-find-secbugs medium java-find-secbugs-URLCONNECTION_SSRF_FD In method org.springframework.boot.loader.PropertiesLauncher.exists(URL) This web server request could be used by an attacker to expose internal services and filesystem. Check line(s) 270, 161, 164, 166, 167, 168, 171, 172, 208, 210, 251, 252
java-find-secbugs medium java-find-secbugs-URLCONNECTION_SSRF_FD In method org.springframework.boot.loader.PropertiesLauncher.getURLResource(String) This web server request could be used by an attacker to expose internal services and filesystem. Check line(s) 253, 161, 164, 166, 167, 168, 171, 172, 208, 210, 251
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.archive.JarFileArchive.createUnpackFolder(File) java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 135, 135
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.archive.JarFileArchive.createUnpackFolder(File) java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 137, 135, 136, 137
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.archive.JarFileArchive.getUnpackedNestedArchive(JarEntry) java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 117, 113, 115
java-find-secbugs medium java-find-secbugs-PATH_TRAVERSAL_IN In method org.springframework.boot.loader.jar.Handler.getRootJarFile(String) java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input Check line(s) 314, 84, 299, 304, 305, 313, 314
java-find-secbugs medium java-find-secbugs-URLCONNECTION_SSRF_FD In method org.springframework.boot.loader.jar.Handler.openConnection(URLStreamHandler, URL) This web server request could be used by an attacker to expose internal services and filesystem. Check line(s) 147, 87, 101, 147
Expected behavior:
I'd like a way to exclude those specific findings. Does it make sense to add the class and method name to the error code? Or maybe the instanceHash that's part of the report-xml can be used instead?
Version
Latest docker container
Additional Information
I'm happy to submit a PR for this, I'm just wondering what the best approach for this should be. Or maybe what I want is already possible and I just couldn't figure it out.
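As an added illustration of the two exclusion approaches floated in the issue (putting class and method into the error code versus keying on the report's instanceHash), the following Python is not Hawkeye's code and not part of the original issue. It parses a constructed report in the shape of a find-sec-bugs/SpotBugs XML BugCollection and applies hypothetical exclusion rules: an exact instanceHash match, or a bug pattern restricted to a class glob so the same pattern still fires in the project's own packages. The rule format, the EXCLUSIONS list, the sample instanceHash values and the com.example class are assumptions.

```python
"""Filter find-sec-bugs (SpotBugs) XML findings by instanceHash or class/method.

Added example, not Hawkeye's own code. The rule shape is an assumption; the
report sample is constructed in the shape of a SpotBugs BugCollection.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample report. instanceHash values are made up; the Spring Boot
# loader class/method names mirror two findings from the issue above, and the
# com.example class stands in for the project's own code.
SAMPLE_REPORT = """<BugCollection version="3.1.12">
  <BugInstance type="PATH_TRAVERSAL_IN" priority="2" category="SECURITY"
               instanceHash="aaaa1111">
    <Class classname="org.springframework.boot.loader.Launcher" primary="true"/>
    <Method classname="org.springframework.boot.loader.Launcher" name="createArchive"
            signature="()Lorg/springframework/boot/loader/archive/Archive;" primary="true"/>
    <SourceLine classname="org.springframework.boot.loader.Launcher" start="124" end="124"/>
  </BugInstance>
  <BugInstance type="URLCONNECTION_SSRF_FD" priority="2" category="SECURITY"
               instanceHash="bbbb2222">
    <Class classname="org.springframework.boot.loader.jar.Handler" primary="true"/>
    <Method classname="org.springframework.boot.loader.jar.Handler" name="openConnection"
            signature="(Ljava/net/URLStreamHandler;Ljava/net/URL;)Ljava/net/URLConnection;"
            primary="true"/>
    <SourceLine classname="org.springframework.boot.loader.jar.Handler" start="147" end="147"/>
  </BugInstance>
  <BugInstance type="PATH_TRAVERSAL_IN" priority="2" category="SECURITY"
               instanceHash="cccc3333">
    <Class classname="com.example.demo.UploadController" primary="true"/>
    <Method classname="com.example.demo.UploadController" name="save"
            signature="(Ljava/lang/String;)V" primary="true"/>
    <SourceLine classname="com.example.demo.UploadController" start="42" end="42"/>
  </BugInstance>
</BugCollection>
"""

# Hypothetical exclusion rules (assumed shape, not a Hawkeye config option).
EXCLUSIONS = [
    # Most precise: one exact finding, identified by the report's instanceHash.
    {"instanceHash": "bbbb2222"},
    # Bug pattern limited to a class glob: silence it inside the dependency's
    # packages while the same pattern still fires in the project's own code.
    {"type": "PATH_TRAVERSAL_IN", "class": "org.springframework.boot.loader.*"},
]


def load_findings(report_xml):
    """Flatten each BugInstance into a dict of type, instanceHash, class, method."""
    root = ET.fromstring(report_xml)
    findings = []
    for bug in root.iter("BugInstance"):
        method = bug.find("Method[@primary='true']") or bug.find("Method")
        classname = method.get("classname") if method is not None else bug.find("Class").get("classname")
        findings.append({
            "type": bug.get("type"),
            "instanceHash": bug.get("instanceHash"),
            "class": classname,
            "method": method.get("name") if method is not None else None,
        })
    return findings


def finding_id(finding):
    """Identifier in the style of the issue's first proposal: code plus class and method."""
    return "java-find-secbugs-{type}:{class}.{method}".format(**finding)


def matches(finding, rule):
    """A rule matches when every key it specifies matches; class/method are globs."""
    for key, wanted in rule.items():
        actual = finding.get(key)
        if actual is None:
            return False
        if key in ("class", "method"):
            if not fnmatch.fnmatchcase(actual, wanted):
                return False
        elif actual != wanted:
            return False
    return True


def filter_findings(report_xml, rules):
    """Return the findings that no exclusion rule matches."""
    return [f for f in load_findings(report_xml) if not any(matches(f, r) for r in rules)]


if __name__ == "__main__":
    for f in filter_findings(SAMPLE_REPORT, EXCLUSIONS):
        print(finding_id(f), f["instanceHash"])
```

With the rules above only the com.example finding survives; excluding by bug pattern alone (`{"type": "PATH_TRAVERSAL_IN"}`) would also drop it, which is the loss of coverage the issue is trying to avoid. An instanceHash rule is the narrowest option but has to be copied out of the XML report, whereas the class-glob rule can be written from the table output alone.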