hawkeyesec / scanner-cli

A project security/vulnerability/risk scanning tool

How to exclude java-find-secbugs findings effectively. #107

Closed flosell closed 5 years ago

flosell commented 5 years ago

Description

find-secbugs findings are usually related to a particular piece of code and the context it's used in, so in case they are false positives, I'd like to exclude the specific finding, not the whole bug pattern. For example, running Hawkeye against a recent version of the official Spring Boot Starter Template (see below) comes up with a couple of findings related to the Spring Boot Loader. Assuming those are false positives (I haven't actually looked at the code yet), I'd like to exclude the Spring Boot packages without compromising my ability to find the same bug pattern in my own code.

Steps to Reproduce

1) Get a Kotlin Spring Boot project with vulnerable dependencies and build it

   $ curl https://start.spring.io/starter.tgz \
              -d type=gradle-project \
              -d baseDir=spring-boot-java-gradle \
              -d language=java | tar -xzvf -
   $ cd spring-boot-java-gradle
   $ ./gradlew build

2) Run Hawkeye against the project.

    $ docker run --rm -v $PWD:/target hawkeyesec/scanner-cli scan --show-code
    [...]

    module             level   code                                     offender                                                                                                 description                                                                                                          mitigation
    -----------------  ------  ---------------------------------------  -------------------------------------------------------------------------------------------------------  -------------------------------------------------------------------------------------------------------------------  ------------------------------------------------------------------------
    java-find-secbugs  medium  java-find-secbugs-URLCONNECTION_SSRF_FD  In method org.springframework.boot.loader.LaunchedURLClassLoader.clearCache()                            This web server request could be used by an attacker to expose internal services and filesystem.                     Check line(s) 166, 164
    java-find-secbugs  medium  java-find-secbugs-URLCONNECTION_SSRF_FD  In method org.springframework.boot.loader.LaunchedURLClassLoader.lambda$definePackage$0(String, String)  This web server request could be used by an attacker to expose internal services and filesystem.                     Check line(s) 136, 134
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.Launcher.createArchive()                                       java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input                Check line(s) 124, 119, 120
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.PropertiesLauncher.getClassPathArchives(String)                java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input                Check line(s) 465, 445, 446, 463
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.PropertiesLauncher.getClassPathArchives(String)                java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input  Check line(s) 468, 445, 446, 463
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.PropertiesLauncher.getFileResource(String)                     java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input                Check line(s) 242, 161, 164, 166, 167, 168, 171, 172, 208, 212
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.PropertiesLauncher.getHomeDirectory()                          java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input                Check line(s) 151, 151
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.PropertiesLauncher.getNestedArchives(String)                   java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input  Check line(s) 519, 445, 446, 463, 481, 519
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.PropertiesLauncher.getNestedArchives(String)                   java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input                Check line(s) 521, 445, 446, 463, 481, 521
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.PropertiesLauncher.getNestedArchives(String)                   java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input  Check line(s) 530, 445, 446, 463, 481, 524, 526
    java-find-secbugs  medium  java-find-secbugs-URLCONNECTION_SSRF_FD  In method org.springframework.boot.loader.PropertiesLauncher.exists(URL)                                 This web server request could be used by an attacker to expose internal services and filesystem.                     Check line(s) 270, 161, 164, 166, 167, 168, 171, 172, 208, 210, 251, 252
    java-find-secbugs  medium  java-find-secbugs-URLCONNECTION_SSRF_FD  In method org.springframework.boot.loader.PropertiesLauncher.getURLResource(String)                      This web server request could be used by an attacker to expose internal services and filesystem.                     Check line(s) 253, 161, 164, 166, 167, 168, 171, 172, 208, 210, 251
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.archive.JarFileArchive.createUnpackFolder(File)                java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input                Check line(s) 135, 135
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.archive.JarFileArchive.createUnpackFolder(File)                java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input  Check line(s) 137, 135, 136, 137
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.archive.JarFileArchive.getUnpackedNestedArchive(JarEntry)      java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input  Check line(s) 117, 113, 115
    java-find-secbugs  medium  java-find-secbugs-PATH_TRAVERSAL_IN      In method org.springframework.boot.loader.jar.Handler.getRootJarFile(String)                             java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input                Check line(s) 314, 84, 299, 304, 305, 313, 314
    java-find-secbugs  medium  java-find-secbugs-URLCONNECTION_SSRF_FD  In method org.springframework.boot.loader.jar.Handler.openConnection(URLStreamHandler, URL)              This web server request could be used by an attacker to expose internal services and filesystem.                     Check line(s) 147, 87, 101, 147

Expected behavior: I'd like a way to exclude those specific findings. Does it make sense to add the class and method name to the error code? Or maybe the instanceHash that's part of the report-xml can be used instead?

Version

Latest docker container

Additional Information

I'm happy to submit a PR for this, I'm just wondering what the best approach for this should be. Or maybe what I want is already possible and I just couldn't figure it out.
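To make the proposal above concrete, here is an added example (not Hawkeye's own code): it parses a constructed find-secbugs XML fragment, builds a finding code from bug pattern plus class and method, and applies an exclusion list that can match that code, a prefix of it, or the report's instanceHash. The `SAMPLE_REPORT`, the hash values and the `findingCode` format are assumptions for illustration.

```javascript
// Added example, not Hawkeye's own code: the exclusion scheme proposed in
// the issue, keying each find-secbugs finding by bug pattern + class +
// method (or by the report's instanceHash) so one false positive inside
// org.springframework.boot.loader can be muted without losing the pattern.
// SAMPLE_REPORT is a constructed, trimmed SpotBugs XML; hashes are made up.
const SAMPLE_REPORT = `
  <BugInstance type="PATH_TRAVERSAL_IN" instanceHash="aa11">
    <Class classname="org.springframework.boot.loader.Launcher" primary="true"/>
    <Method classname="org.springframework.boot.loader.Launcher" name="createArchive" signature="()V"/>
  </BugInstance>
  <BugInstance type="URLCONNECTION_SSRF_FD" instanceHash="bb22">
    <Class classname="org.springframework.boot.loader.LaunchedURLClassLoader" primary="true"/>
    <Method classname="org.springframework.boot.loader.LaunchedURLClassLoader" name="clearCache" signature="()V"/>
  </BugInstance>
  <BugInstance type="PATH_TRAVERSAL_IN" instanceHash="cc33">
    <Class classname="com.example.demo.FileController" primary="true"/>
    <Method classname="com.example.demo.FileController" name="download" signature="(Ljava/lang/String;)V"/>
  </BugInstance>`;
// Regex extraction of the fields we key on (a real implementation would use
// an XML parser; this keeps the example dependency-free).
function parseBugInstances(xml) {
  const findings = [];
  const re = /<BugInstance\b([^>]*)>([\s\S]*?)<\/BugInstance>/g;
  for (const [, attrs, body] of xml.matchAll(re)) {
    const method = /<Method\b[^>]*\bname="([^"]+)"/.exec(body);
    findings.push({
      type: /\btype="([^"]+)"/.exec(attrs)[1],
      instanceHash: (/\binstanceHash="([^"]+)"/.exec(attrs) || [])[1],
      className: /<Class\b[^>]*\bclassname="([^"]+)"/.exec(body)[1],
      method: method ? method[1] : null,
    });
  }
  return findings;
}
// Today's code "java-find-secbugs-<PATTERN>" extended with class and method.
function findingCode(f) {
  return `java-find-secbugs-${f.type}-${f.className}.${f.method}`;
}
// An exclusion matches an exact code, an instanceHash, or a code prefix
// ending in "*" (handy for muting one package of a dependency).
function applyExclusions(findings, exclusions) {
  const hit = (ex, f) => ex === f.instanceHash || ex === findingCode(f) ||
    (ex.endsWith('*') && findingCode(f).startsWith(ex.slice(0, -1)));
  return findings.filter(f => !exclusions.some(ex => hit(ex, f)));
}
// Mutes the loader path-traversal findings by package prefix and the SSRF
// finding by hash; com.example.demo's PATH_TRAVERSAL_IN finding survives.
const EXCLUSIONS = ['java-find-secbugs-PATH_TRAVERSAL_IN-org.springframework.boot.loader.*', 'bb22'];
```

Running `applyExclusions(parseBugInstances(SAMPLE_REPORT), EXCLUSIONS)` leaves only the `com.example.demo.FileController.download` finding, which is exactly the "exclude the dependency, keep the pattern for my own code" behaviour the issue asks for.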

felixhammerl commented 5 years ago

We could add the class name or file name to the code?