Tuesday, October 22, 2013

Security starts with finding bugs

Finding bugs proactively in your application is not a matter of following good practices for their own sake. It has a direct impact on risk management: a bug that never reaches production is a vulnerability that never needs a patch. That is the reason I believe no build should succeed while the application is not bug free.

As usual there is a trade-off, though. Ranking the bugs matters: severity, impact, the service class of the affected component, you name it. The build should break on what you have decided is unacceptable, not on every warning the tool can emit.

FindBugs is an open source project which we have used for ages in the Java world. Together with Maven it allows us to break the build if the code is not bug free. Here is all you need in pom.xml:
<build>
  <plugins>
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>findbugs-maven-plugin</artifactId>
      <configuration>
        <maxRank>15</maxRank>
      </configuration>
      <executions>
        <execution>
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
Note that I use maxRank=15, which is the default used by the FindBugs Eclipse plugin and which I confirmed myself reveals real issues we should not ignore in our code base (the rank you pick will depend on your goals and controls for risk management). Ranks are what the FindBugs documentation describes for its filter files: "This element matches warnings with a particular bug rank. The value attribute should be an integer value between 1 and 20, where 1 to 4 are scariest, 5 to 9 scary, 10 to 14 troubling, and 15 to 20 of concern bugs". With maxRank=15 the check goal fails the build on any warning of rank 15 or lower, that is, everything in the scariest, scary and troubling bands plus the top of the "of concern" band. The threshold parameter, which sets the minimum confidence a warning must have before it is reported at all, is the other important setting to decide on for this.

Now your typical maven build will fail with information about potential bugs:
...
[INFO] [findbugs:findbugs {execution: findbugs}]
[INFO] Fork Value is true
[INFO] Done FindBugs Analysis....
[INFO] [findbugs:check {execution: default}]
[INFO] BugInstance size is 1
[INFO] Error size is 0
[INFO] Total bugs: 1
[INFO] Dead store to message in com.sample.sayHi(String, Errors, Errors) ["com.sample.HelloWorld"] At HelloWorld.java:[lines 44-267]
...
The line above is reporting a "dead store": the local variable "message" is assigned a value that is never read afterwards. Of course you can skip FindBugs to speed up a local development cycle, like in:
mvn clean install -Dfindbugs.skip=true
You might want to suppress some warnings, for example in generated stubs that provide code you know works but that follows bad coding practices. In those cases you have either an XML filter file or annotations available. To use the annotations you need to include the FindBugs annotations artifact as a compile scope dependency:
<dependency>
 <groupId>com.google.code.findbugs</groupId>
 <artifactId>annotations</artifactId>
 <version>2.0.2</version>
 <scope>compile</scope>
</dependency>
Now you can suppress a specific bug pattern on a specific class or method, with a justification that survives in the code, like in:
@edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "NM_SAME_SIMPLE_NAME_AS_SUPERCLASS", justification = "Stub autogenerated classes")
@WebServiceClient(name = "Service", targetNamespace = "http://geneva.advent.com", wsdlLocation = "file:/geneva-jax-ws.wsdl")
public class Service extends javax.xml.ws.Service {

    private final static URL SERVICE_WSDL_LOCATION;
...
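To make concrete what the build-breaking check catches and what a justified suppression looks like, here is an added example that is not code from the original post. The class, method names and the users table (columns name and created) are made up for illustration; the bug pattern identifiers DLS_DEAD_LOCAL_STORE and SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE are real FindBugs pattern names. The first method reproduces the dead store reported in the build output above, the next pair shows the kind of finding you really want the build to fail on (SQL injection through string concatenation) next to its hardened form, and the last method shows a suppression that is scoped to one pattern on one method and says why it is safe.

```java
// Added example, not from the original post: findings FindBugs reports, the
// fixed variants, and a per-pattern suppression with a justification.
// HelloWorldRepository and the users(name, created) table are assumptions.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class HelloWorldRepository {

    // Reported as DLS_DEAD_LOCAL_STORE: the first value stored in "message"
    // is overwritten before it is ever read, like the finding in the log above.
    public String sayHiWithDeadStore(String name) {
        String message = "Hello " + name;   // dead store, never read
        message = "Hello, " + name + "!";
        return message;
    }

    // Fixed: one assignment, one use, nothing for FindBugs to report.
    public String sayHi(String name) {
        return "Hello, " + name + "!";
    }

    // Reported as SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: caller-controlled
    // input is concatenated into the query text, i.e. SQL injection. This is
    // the kind of finding the verify-phase check should break the build on.
    public boolean userExistsVulnerable(Connection conn, String user) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + user + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened: the query text is a constant and the value is bound as a
    // parameter, so the input can never change the structure of the statement.
    public boolean userExists(Connection conn, String user) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Column names cannot be bound as parameters, so a dynamic ORDER BY is
    // one of the few legitimate reasons to build SQL from a non-constant.
    private static final List<String> SORT_COLUMNS = Arrays.asList("name", "created");

    // The suppression names exactly one pattern on exactly one method and
    // records why it is safe: the only variable part is validated against a
    // fixed allow-list before it reaches the query.
    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
            value = "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE",
            justification = "column is checked against the fixed SORT_COLUMNS allow-list")
    public List<String> listUserNames(Connection conn, String column) throws SQLException {
        if (!SORT_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column: " + column);
        }
        List<String> names = new ArrayList<String>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT name FROM users ORDER BY " + column)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }
}
```

The point of the last method is the shape of the suppression, not the SQL: it is scoped to a single pattern on a single method, the justification is reviewable in the code, and the allow-list check it refers to sits right above the query. A blanket exclusion in the XML filter, or lowering maxRank until the build goes green, would hide the two vulnerable variants as well.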
