Fix the profile and rules inconsistency with the rule XSS_REQUEST_PAR…

…AMETER_TO_JSP_WRITER spotbugs#32
VinodAnandan · Jul 5, 2016 · cee2e3d · cee2e3d
1 parent 8974feb
commit cee2e3d
Show file tree

Hide file tree

Showing 12 changed files with 36 additions and 2,995 deletions.
diff --git a/generate_profiles/BuildXmlFiles.groovy b/generate_profiles/BuildXmlFiles.groovy
@@ -202,7 +202,7 @@ CONTRIB = new Plugin(groupId: 'com.mebigfatguy.fb-contrib' , artifactId: 'fb-con
  * @param includedBugs Bug type to include
  * @return
  */
-def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBugs) {
+def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBugs,List<String> excludedBugs = []) {
 
 
     //Output file
@@ -223,7 +223,7 @@ def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBug
 
             //if(rulesSetName == 'jsp') println pattern.attribute("type")
 
-            if(includedBugs.isEmpty() || includedBugs.contains(pattern.attribute("type"))) {
+            if((includedBugs.isEmpty() || includedBugs.contains(pattern.attribute("type"))) && !excludedBugs.contains(pattern.attribute("type"))) {
                 //if(rulesSetName == 'jsp') println "-INCLUDED"
 
                 rule(key: pattern.attribute("type"),
@@ -309,17 +309,19 @@ def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBug
     }
 }
 
+def excludedJspRules = ["XSS_REQUEST_PARAMETER_TO_JSP_WRITER"];
+
 //FindBugs
-writeRules("findbugs", [FB], [])
+writeRules("findbugs", [FB], [], excludedJspRules)
 //Find Security Bugs
 writeRules("findsecbugs", [FSB], informationnalPatterns + cryptoBugs + majorBugs + criticalBugs)
-writeRules("jsp", [FSB], majorJspBugs + criticalJspBugs)
+writeRules("jsp", [FSB,FB], majorJspBugs + criticalJspBugs)
 //FB-contrib
 writeRules("fbcontrib", [CONTRIB], [])
 
 ////////////// Generate the profile files
 
-def writeProfile(String profileName,List<String> includedBugs) {
+def writeProfile(String profileName,List<String> includedBugs,List<String> excludedBugs = []) {
 
     File f = new File("out_sonar","profile-"+profileName+".xml")
     printf("Building profile %s (%s)%n",profileName,f.getCanonicalPath())
@@ -333,8 +335,10 @@ def writeProfile(String profileName,List<String> includedBugs) {
 
         includedBugs.forEach { patternName ->
 
-            Match {
-                Bug(pattern: patternName)
+            if(!excludedBugs.contains(patternName)) {
+                Match {
+                    Bug(pattern: patternName)
+                }
             }
         }
 
@@ -360,8 +364,8 @@ def getAllPatternsFromPlugin(Plugin plugin) {
 }
 
 
-writeProfile("findbugs-only", getAllPatternsFromPlugin(FB));
-writeProfile("findbugs-and-fb-contrib", getAllPatternsFromPlugin(FB) + getAllPatternsFromPlugin(CONTRIB));
+writeProfile("findbugs-only", getAllPatternsFromPlugin(FB), excludedJspRules);
+writeProfile("findbugs-and-fb-contrib", getAllPatternsFromPlugin(FB) + getAllPatternsFromPlugin(CONTRIB), excludedJspRules);
 writeProfile("findbugs-security-audit", informationnalPatterns + cryptoBugs + majorBugs + majorBugsAuditOnly + criticalBugs + findBugsPatterns)
 writeProfile("findbugs-security-minimal", cryptoBugs + majorBugs + criticalBugs + findBugsPatterns)
 writeProfile("findbugs-security-jsp", majorJspBugs + criticalJspBugs)
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
 
   <groupId>org.sonarsource.sonar-findbugs-plugin</groupId>
   <artifactId>sonar-findbugs-plugin</artifactId>
-  <version>3.4.0</version>
+  <version>3.4.2</version>
   <packaging>sonar-plugin</packaging>
 
   <name>SonarQube Findbugs Plugin</name>

diff --git a/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml b/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml
@@ -44,9 +44,6 @@
   <Match>
     <Bug pattern='XSS_REQUEST_PARAMETER_TO_SEND_ERROR' />
   </Match>
-  <Match>
-    <Bug pattern='XSS_REQUEST_PARAMETER_TO_JSP_WRITER' />
-  </Match>
   <Match>
     <Bug pattern='SW_SWING_METHODS_INVOKED_IN_SWING_THREAD' />
   </Match>

diff --git a/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml b/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml
@@ -44,9 +44,6 @@
   <Match>
     <Bug pattern='XSS_REQUEST_PARAMETER_TO_SEND_ERROR' />
   </Match>
-  <Match>
-    <Bug pattern='XSS_REQUEST_PARAMETER_TO_JSP_WRITER' />
-  </Match>
   <Match>
     <Bug pattern='SW_SWING_METHODS_INVOKED_IN_SWING_THREAD' />
   </Match>

diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml
@@ -161,22 +161,6 @@ consider using a commercial static analysis or pen-testing tool.
     <tag>owasp-a3</tag>
     <tag>security</tag>
   </rule>
-  <rule key='XSS_REQUEST_PARAMETER_TO_JSP_WRITER' priority='MAJOR'>
-    <name>Security - JSP reflected cross site scripting vulnerability</name>
-    <configKey>XSS_REQUEST_PARAMETER_TO_JSP_WRITER</configKey>
-    <description>&lt;p&gt;This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting
-vulnerability. See &lt;a href="http://en.wikipedia.org/wiki/Cross-site_scripting"&gt;http://en.wikipedia.org/wiki/Cross-site_scripting&lt;/a&gt;
-for more information.&lt;/p&gt;
-&lt;p&gt;FindBugs looks only for the most blatant, obvious cases of cross site scripting.
-If FindBugs found &lt;em&gt;any&lt;/em&gt;, you &lt;em&gt;almost certainly&lt;/em&gt; have more cross site scripting
-vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously
-consider using a commercial static analysis or pen-testing tool.
-&lt;/p&gt;</description>
-    <tag>owasp-a3</tag>
-    <tag>jsp</tag>
-    <tag>security</tag>
-    <status>DEPRECATED</status>
-  </rule>
   <rule key='SW_SWING_METHODS_INVOKED_IN_SWING_THREAD' priority='MAJOR'>
     <name>Bad practice - Certain swing methods needs to be invoked in Swing thread</name>
     <configKey>SW_SWING_METHODS_INVOKED_IN_SWING_THREAD</configKey>

diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml
@@ -172,4 +172,20 @@ Path traversal &lt;sup&gt;[3][4]&lt;/sup&gt; are not possible.
     <tag>jsp</tag>
     <tag>security</tag>
   </rule>
+  <rule key='XSS_REQUEST_PARAMETER_TO_JSP_WRITER' priority='MAJOR'>
+    <name>Security - JSP reflected cross site scripting vulnerability</name>
+    <configKey>XSS_REQUEST_PARAMETER_TO_JSP_WRITER</configKey>
+    <description>&lt;p&gt;This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting
+vulnerability. See &lt;a href="http://en.wikipedia.org/wiki/Cross-site_scripting"&gt;http://en.wikipedia.org/wiki/Cross-site_scripting&lt;/a&gt;
+for more information.&lt;/p&gt;
+&lt;p&gt;FindBugs looks only for the most blatant, obvious cases of cross site scripting.
+If FindBugs found &lt;em&gt;any&lt;/em&gt;, you &lt;em&gt;almost certainly&lt;/em&gt; have more cross site scripting
+vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously
+consider using a commercial static analysis or pen-testing tool.
+&lt;/p&gt;</description>
+    <tag>owasp-a3</tag>
+    <tag>jsp</tag>
+    <tag>security</tag>
+    <status>DEPRECATED</status>
+  </rule>
 </rules>