Static Code Analysis using FindBugs Plugin.

What is static analysis?

Analyzing code without executing it. Generally used to find bugs or ensure conformance to coding guidelines. The classic example is a compiler which finds lexical, syntactic and even some semantic mistakes.

When should you use it, and when shouldn’t it be used?

Static analysis tools should be used when they help maintain code quality. If they’re used, they should be integrated into the build process, otherwise they will be ignored.

What are potential gotchas regarding proper and improper usage/application of static analysis?

Two common pathologies occur when using static analysis tools:

  1. The tools produces spurious warnings/errors that the developers cannot silence. Eventually, most of the warnings are spurious and the developers stop paying attention to the output. This is why many teams require that code compile cleanly. If developers feel comfortable ignoring compiler warnings, the compile phase will eventually be filled with warning nobody ever pays attention to, even though they may be bugs.
  2. The tools take too long to run and developers never bother to run them.

Any languages that don’t have a good static analysis tool, and what do you do when you don’t have an option for automated analysis?

For a number of reasons, many of the dynamic languages (ruby, python, perl) don’t have static analysis tools that are as strong as those available in static languages. The standard method of finding bugs and making sure the code is working in dynamic languages are unit tests which help build confidence that the code actually works (hat-tip: Chris Conway).

What is FindBugs Plugin?

FindBugs is an open source tool for static code analysis of Java programs. It scans byte code for so called bug pattern to find defects and/or suspicious code. Although FindBugs needs the compiled class files it is not necessary to execute the code for the analysis. Working with FindBugs helps to prevent from shipping avoidable issues. It is also an excellent motivation for improving the skills of development teams to write better code in the first place.

In this post I will be showing how to install FindBugs plugin in IntelliJ IDEA and perform a code analysis. I will also show how to use the FindSecurityBugs [3] plugin that comes within FindBugs for identifying the security weaknesses and bugs in your code

Once you open IntelliJ IDEA, you can go to Configure -> Plugins in the opening window.

1

Next window we can see the configure menu, so now we need to go to the plugins. If you have already opened a project in IntelliJ IDEA, you can go to file -> Settings and in the left panel of the Settings window, select Plugins.

2

You can install the FindBugs plugin in two ways. If you have an internet connection, you can click on Browser repositories button and get the plugin installed. If not you can download the FindBugs plugin for IntelliJ IDEA and go with Install plugin from disk option where you can browse and provide the already downloaded plugin.

We can go through the Browser repositories button and get the plugin install and the second one is, if we can download the plugin, we can use Install plugin form disk button.

I used first option.

3

When you go with Browse repositories option, you can search for the FindBugs plugin and select FindBugs-IDEA and get it installed.

4

After complete the installation we need to restart the IDEA.

5

After restart the IDEA, in bottom of the IDEA we can see the FindBugs-IDEA button. Once you have installed the FindBugs plugin in IntelliJ IDEA, in the bottom of the IDE you will see the FindBugs-IDEA button. Upon clicking on it you can see all the settings of it in a panel.

6

Now we have to enable the FindSecurityBugs plugin which comes with FindBugs. This is for finding the security bugs in your code. Click on Plugin Preferences button.

7

Under the Plugins section of the General tab, click on the + button and select Add Find Security Bugs. Once the FindSecurityBugs plugin is added, click on apply and then OK.

8

Now we have successfully installed FindBugs plugin in IntelliJ IDEA and also have enabled the FindSecurityBugs plugin in it. Let’s perform a static code analysis and get to know all the bugs we have in the code.

For this demonstration, I am using the OWASP Web Goat project which is a Java web application developed for security testing purposes which is plagued with lots and lots of security bugs.

I have opened the Web Goat project in IDEA and for running FindBugs on the project, I right click on the project and go to FindBugs -> Analyze Scope Files. With this, the scanning will happen only under the selected folder. You can also go with Analyze Module Files which would scan the particular module you have selected and also

Analyze Project Files which would scan the entire project.

9

Once the static scan is completed, you can see the identified bugs in FindBugs-IDEA panel. Since we have enabled the FindSecurityBugs plugin, it will list all the identified security issues under the Security category.

10

According to my project that identified security bugs divided in to two main categories. First one is Dubious Method Used and the other one is Potential SQL Problem. These Categories differ from project wise. In this analysis it is describe only two main Security issues as below.

1) So in the first category contains one security bug it showed as following image.

11

♠ Solutions

There are many solution for above identified “Hardcoded Constant database Password”

  1. The best one is use separate file with user name, password and other critical information related to the connection string and reads the file when the application starts. That is the only real way to prevent the password from leaking as a result of de-compilation.
  2. Other one is org.jasypt.properties.EncryptableProperties class this for loading, managing and transparently decrypting encrypted values. http://www.jasypt.org/encrypting-configuration.html.

2) Now go through the second main category, in this category contains 189 bugs and its divide in to two categories again. First category “a prepared statement is generated from a non-constant string” contains 34 bug. In this every location has the same bug, but class and the code line is differ.

12

♠ Solutions

In this case we can’t ignore the warning because the priority is high. So the main issue for this code create SQL prepared statement from a Non-constant String.

We need to declare the string as,

  **Private static final

We can export the reported bugs for further analysis, for that click the Export Bug Collection to XML/HTML button.

13

A generated report would look like below.

14

15

When writing code, it is important to use these kind of tools to identify potentials risks in your code and produce high quality code that is safe to use.

Reference

  1. https://www.owasp.org/index.php/Static_Code_Analysis
  2. http://findbugs.sourceforge.net
  3. http://find-sec-bugs.github.io/

By S.H.M Lahiru Prabath Balasuriya.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s