Recently I have used and researched several commonly used IDE plugins for code security auditing:
Findbugs
Findbugs is a static analysis tool that checks classes or JAR files, comparing bytecode with a set of defect patterns to discover potential issues.

It works on bytecode and makes extensive use of data-flow analysis, focusing on the detection of runtime errors such as null pointer dereferences.
Findbugs comes with built-in detectors, including over 60 types of Bad practice, over 80 types of Correctness, 1 type of Internationalization, 12 types of Malicious code vulnerability, 27 types of Multithreaded correctness, 23 types of Performance, and 43 types of Dodgy.
We can also configure the check rules ourselves (which checks to run and which to skip), and we can implement our own verification rules: a user who needs to define a specific bug pattern inherits from the detector interface and writes a verification class of their own, which is an advanced technique.
SpotBugs
SpotBugs is the successor to Findbugs (Findbugs is no longer maintained), used for static analysis of Java code to find related vulnerabilities, with more verification rules than Findbugs.
SpotBugs requires a JDK environment of 1.8 or above, but it can check code compiled for versions 1.0 to 1.9. SpotBugs scans .class files, so the project must compile successfully and produce .class files before it can be analysed. SpotBugs can be run through Ant, Maven, Gradle or Eclipse.
SpotBugs is extensible: new detectors can be added through plugins.
Currently SpotBugs 3.1.3 ships with built-in detectors covering over 90 types of Bad practice, over 155 types of Correctness, 9 types of Experimental, 2 types of Internationalization, 17 types of Malicious code vulnerability, 46 types of Multithreaded correctness, 4 types of Bogus random noise, 37 types of Performance, 11 types of Security and 87 types of Dodgy. These fall into 10 major categories of bugs:
1. Bad practice (more than 90 types): poor practices that violate common sense or necessary coding conventions, such as overriding equals without overriding hashCode.
2. Correctness (more than 150 types): code that may fail at runtime or behave differently from what is expected, such as a null pointer exception.
3. Experimental (9 types): detectors SpotBugs does not yet consider reliable; the matching pattern may not fit the code in question.
4. Internationalization (2 types): the original description is "code flaws having to do with internationalization and locale"; I have not encountered errors of this kind.
5. Malicious code vulnerability (17 types): code that is at risk of being attacked by malicious code, for example returning a reference to a mutable object that is stored in an object field.
6. Multithreaded correctness (46 types): thread-safety issues, such as code that may cause deadlocks.
7. Bogus random noise (4 types): not actual errors in the software.
8. Performance (37 types): code with poor performance, such as using '+' to concatenate strings inside a loop.
9. Security (11 types): use of untrusted external input, which may lead to remotely exploitable vulnerabilities.
10. Dodgy (87 types): code that is confusing or ambiguous in itself.
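To make these categories concrete, here is an added example (not code from the original post or from the SpotBugs project): a small class written to trip several of the categories above, followed by a corrected version. The bug-pattern codes in the comments are the SpotBugs pattern identifiers I would expect for each finding; the exact report depends on the SpotBugs version and the detectors enabled.

```java
import java.util.Objects;

// Added example, not from the original post: deliberately triggers several SpotBugs categories.
class LeakyAccount {
    private final String owner;
    private final byte[] apiKey;

    LeakyAccount(String owner, byte[] apiKey) {
        this.owner = owner;
        this.apiKey = apiKey;           // Malicious code vulnerability: stores the caller's mutable array (EI_EXPOSE_REP2)
    }

    // Malicious code vulnerability: hands out the internal array, so any caller can overwrite the key (EI_EXPOSE_REP)
    byte[] getApiKey() {
        return apiKey;
    }

    // Bad practice: equals() is overridden without hashCode() (HE_EQUALS_NO_HASHCODE)
    @Override
    public boolean equals(Object o) {
        return o instanceof LeakyAccount && ((LeakyAccount) o).owner.equals(owner);
    }

    // Performance: string concatenation with '+' inside a loop (SBSC_USE_STRINGBUFFER_CONCATENATION)
    String describe(String[] tags) {
        String s = owner;
        for (String t : tags) {
            s += "," + t;
        }
        return s;
    }
}

// Corrected version: no internal state escapes, equals/hashCode agree, StringBuilder in the loop.
class SafeAccount {
    private final String owner;
    private final byte[] apiKey;

    SafeAccount(String owner, byte[] apiKey) {
        this.owner = Objects.requireNonNull(owner);
        this.apiKey = apiKey.clone();   // defensive copy on the way in
    }

    byte[] getApiKey() {
        return apiKey.clone();          // defensive copy on the way out
    }

    @Override
    public boolean equals(Object o) {
        return o instanceof SafeAccount && ((SafeAccount) o).owner.equals(owner);
    }

    @Override
    public int hashCode() {
        return owner.hashCode();
    }

    String describe(String[] tags) {
        StringBuilder sb = new StringBuilder(owner);
        for (String t : tags) {
            sb.append(',').append(t);
        }
        return sb.toString();
    }
}

public class SpotBugsCategoriesDemo {
    public static void main(String[] args) {
        LeakyAccount leaky = new LeakyAccount("alice", new byte[] {1, 2, 3});
        leaky.getApiKey()[0] = 99;      // the caller silently rewrites the stored key
        System.out.println("leaky key[0] = " + leaky.getApiKey()[0]);

        SafeAccount safe = new SafeAccount("alice", new byte[] {1, 2, 3});
        safe.getApiKey()[0] = 99;       // only the returned copy changes; the stored key is untouched
        System.out.println("safe key[0]  = " + safe.getApiKey()[0]);

        System.out.println(safe.describe(new String[] {"admin", "audit"}));
    }
}
```

Compile both classes, run SpotBugs over the resulting .class files, and compare the reports: the findings against LeakyAccount disappear for SafeAccount without changing its behaviour, which is the practical check that a fix addressed the pattern rather than silencing it.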
To improve scanning efficiency you do not need to run every rule; you can focus the analysis on the categories of concern among the 10 above. The configuration is as follows:
Plugins can also be added.
For example, Find Security Bugs is a plugin for SpotBugs.
It is mainly used for security testing of web and Android application code. It can currently detect 141 different types of security vulnerabilities and supports code that uses mainstream frameworks and libraries such as Spring-MVC, Struts and Tapestry. It integrates with IDEs such as Eclipse, IntelliJ, Android Studio and NetBeans through their FindBugs/SpotBugs plugins, provides command-line interfaces for use with Maven and Ant, and supports continuous integration with systems such as Jenkins and SonarQube. Detected vulnerabilities are classified by OWASP Top 10 and CWE coverage, and remediation references are provided.
The commonly used security inspection items are shown in the figure below; we only need to match and enable the corresponding entries in the IDE configuration.
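As an added example of the kind of finding Find Security Bugs reports (this is not code from the original post or from the Find Security Bugs project), the first method below builds a JDBC query by concatenating a caller-supplied value, which the plugin flags as an SQL injection sink under its SQL_INJECTION_JDBC pattern; the second passes the same value as a bound PreparedStatement parameter, which its taint analysis treats as safe. The DataSource and the users table are assumptions made for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;

// Added example, not from the original post. The DataSource and the "users" table are assumed.
public class UserLookup {
    private final DataSource dataSource;

    public UserLookup(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Vulnerable: untrusted input is spliced into the SQL text. Find Security Bugs reports this as
    // SQL_INJECTION_JDBC because the concatenated string reaches Statement.executeQuery, a sink in its taint model.
    public boolean userExistsUnsafe(String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + username + "'";
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Fixed: the SQL text is a constant and the value travels as a bound parameter, so the driver never
    // interprets it as SQL. The same input no longer flows into the query string, and the detector stays quiet.
    public boolean userExists(String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

When reviewing a report, the useful check is whether the flagged call site really receives attacker-controlled data: a constant query string bound through setString is the expected shape, while any method that still concatenates input into the SQL text should be rewritten rather than suppressed with a filter.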
SonarLint
It leans more towards code quality, but it also includes some rules related to code security.
SonarLint is a free and open-source IDE extension that can identify and help you resolve quality and security issues while writing code. Like a spell checker, SonarLint will display defects and provide real-time feedback and clear repair guidance to ensure clean code from the start.
You can scan the quality of the current file directly by pressing Ctrl + Shift + S,
or right-click on a folder to scan the quality of the entire package or module project.
A results panel appears below after the scan.
The icons displayed in the panel headers indicate problems of varying severity, from serious to minor. A bug is shown as a small worm icon, and a lock icon is shown for vulnerability issues.
You can also select and disable certain rules: