find-sec-bugs / find-sec-bugs Goto Github PK

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)

Home Page: https://find-sec-bugs.github.io/

License: GNU Lesser General Public License v3.0

Java 96.59% Groovy 0.58% HTML 1.13% CSS 0.35% JavaScript 0.01% Batchfile 0.01% Shell 0.04% XSLT 0.07% Kotlin 1.22%

findbugs java security-audit owasp taint-analysis code-analysis security bytecode cwe static-analysis

find-sec-bugs's Introduction

OWASP Find Security Bugs

Find Security Bugs is the SpotBugs plugin for security audits of Java web applications.

Website : http://find-sec-bugs.github.io/

Main developers

Notable contributions

David Formánek
- Major improvements and refactoring on the taint analysis for injections.
- The creation of a detector for hard coded passwords and cryptographic keys.
Tomáš Polešovský
- Improvements and bug fixes related to the taint analysis.
Maxime Nadeau
- New detectors surrounding the Play Framework and improvements related to Scala.
Naoki Kimura
- Detector for injection in custom API
- Translation of messages in Japanese
Dave Wichers
- Improvement to vulnerability descriptions

Project Sponsors

The development of Find Security Bugs is supported by GoSecure since 2016. The support includes the development of new detectors and the research for new vulnerability classes.

Screenshots

Eclipse

IntelliJ / Android Studio

SonarQube

License

This software is release under LGPL.

find-sec-bugs's People

Contributors

Stargazers

Watchers

Forkers

uhafner dbaxa flanfl thomashartm missdiog hairyfotr qiezi168 cnbird1999 naokikimura xastraea monits yaoyi2008 spoint42 formanek obilodeau chubbymaggie pscadiz frankswu crudbug cyberintruder winsday bb33bb safe3 mcgoran espreto minlex dipsec h3xstream mcwww wflk zhuyue1314 lucabongiorni magnologan programming086 coca1ne mkornipati mkienenb ganbarutobi khalidiq phulc vallihall haderer s-tikhomirov antonini maxnad topolik nagyistge c4rt cyber-forensic drizzlerisk callmesteve kuhnmi dnoach myzhan pandadao t8pjm3ei86jfjapv peng1916 machadoit bryonglodencissp plr0man parabellum1905y fabiopetrillo dileepkanta stian-sigvartsen jacek99 jerry0226 byteways jijicanyu av1080p t0data gcf0082 5up3rc bmoar kbahaxor aaa2015 kelthuz4d xsun12 prakhash odin1314 pombredanne freegit9527 wanglifeng johnhawes yoonki7 dreis2211 dejan2609 sanwenkit h3arts gredler skirge ajrulez 0x13337 hktalent ll2b ln2v zzhznx bongbongco deepthihari1 z-u-k solq360

find-sec-bugs's Issues

New Android Security detectors

Various Android specific rules :

Storage on SD card
Ask for user geolocation sampling
WebView with JavaScript enabled
WebView with JavaScript Interface bridge
File written with MODE_WORLD_READABLE
Guideline on using Broadcast

RFE: detect XSS in Freemarker templates

Where I work, we tend to use Freemarker for our view technology, rather than JSP, and unfortunately, while Freemarker certainly has built-in escaping capabilities, they can't be set as a global default.

How feasible is it for the checks that currently work on JSP pages to be adapted to Freemarker templates? I would be happy to do some work on this if it seems feasible.

Move command injection to the main injection detector mecanism

Code to move : https://github.com/h3xstream/find-sec-bugs/blob/master/plugin/src/main/java/com/h3xstream/findsecbugs/CommandInjectionDetector.java

Parent POM referenced but not published to Maven Central

plugin-1.1.0.pom references a parent POM:

<parent>
  <groupId>com.h3xstream.findsecbugs</groupId>
  <artifactId>root-pom</artifactId>
  <version>1.1.0</version>
</parent>

But com.h3xstream.findsecbugs:root-pom:1.1.0 does not exist in Maven Central. This is a problem for the Gradle build tool, which attempts to resolve the parent POM:

FAILURE: Build failed with an exception.

* What went wrong:
Could not resolve all dependencies for configuration ':myProjectName:findbugs'.
    > Could not resolve com.h3xstream.findsecbugs:plugin:1.1.0.
      Required by:
          com.example.myproject:0.3-SNAPSHOT
       > Could not find any version that matches com.h3xstream.findsecbugs:root-pom:1.1.0.

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug
option to get more log output.

BUILD FAILED

Total time: 8.377 secs

NullPointerException at BadHexadecimalConversionDetector.java:65

I get the attached stacktrace when running FindBugs through Maven.
To run find-sec-bugs I have:

checked out the git repository
deployed the 1.1-SNAPSHOT version to a local repository
added the following to my project pom.xml (note the artifact plugin):

<reporting>
    <plugins>
        <!-- Use a special findbugs extension plugin to find security bugs. -->
        <plugin>
            <groupId>org.codehaus.mojo</groupId>
            <artifactId>findbugs-maven-plugin</artifactId>
            <version>2.5.2</version>
            <configuration>
                <effort>Max</effort>
                <threshold>High</threshold>
                <failOnError>true</failOnError>
                <includeFilterFile>${session.executionRootDirectory}/findbugs-security-include.xml</includeFilterFile>
                <plugins>
                    <plugin>
                        <groupId>com.h3xstream.findsecbugs</groupId>
                        <artifactId>plugin</artifactId>
                        <version>1.1-SNAPSHOT</version>
                    </plugin>
                </plugins>
            </configuration>
        </plugin>
    </plugins>
</reporting>

and ran FindBugs through Maven using: mvn clean compile site

[java] Apr 22, 2013 12:04:39 PM edu.umd.cs.findbugs.TextUIBugReporter reportAnalysisError
[java] SEVERE: Exception analyzing ..... using detector com.h3xstream.findsecbugs.crypto.BadHexadecimalConversionDetector
[java] java.lang.NullPointerException
[java]  at com.h3xstream.findsecbugs.crypto.BadHexadecimalConversionDetector.visitClassContext(BadHexadecimalConversionDetector.java:65)
[java]  at edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:74)
[java]  at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1193)
[java]  at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:279)
[java]  at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:391)
[java]  at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1300)
[java]   Exception analyzing ..... using detector com.h3xstream.findsecbugs.crypto.BadHexadecimalConversionDetector
[java]     java.lang.NullPointerException
[java]       At com.h3xstream.findsecbugs.crypto.BadHexadecimalConversionDetector.visitClassContext(BadHexadecimalConversionDetector.java:65)
[java]       At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:74)
[java]       At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1193)
[java]       At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:279)
[java]       At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:391)
[java]       At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1300)

Can you explain the error message I'm getting and how to resolve this issue?

Improve taint analysis to avoid SQL Injection detected when StringBuilder is used

Hi,

As soon as I see a StringBuilder in JPA EntityManager.createQuery(), an SQL injection is detected:

StringBuilder buff = new StringBuilder("from Tiers t");
// add conditional where clauses

TypedQuery<Tiers> query1 = em.createQuery(buff.toString(), Tiers.class); // SQL injection detected
query1.getResultList();

Is it possible to improve detector by checking that no input parameter (method parameter or attribute) has been added to the StringBuilder?

On the code I try to verify, there are a lot of where clauses added if a parameter is not null (and the developper uses setParameter() method)

New Rule : RSA/ECB/PKCS1Padding is vulnerable to padding oracle attack

Apparently, PKCS1Padding is vulnerable to padding oracle attack. A simple rule should be made to recommend RSA OEAP.

Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

References:

Thanks to Tor Bjørstad for the hint.

Detector hard coded Spring OAuth secret key

Code sample to target :

clients.inMemory().withClient("client")
    .resourceIds(RESOURCE_ID)
    .authorizedGrantTypes("authorization_code", "implicit")
    .authorities("ROLE_CLIENT")
    .scopes("read", "write")
    .secret("secret");

Create a japanese page on the micro-website for the bug patterns

Following the contribution #38 #49, it would be totally justify to create an online version of the message.
The IDE links (BugsUrl and AllBugsUrl) should point to this page.

How to analyze JSP?

It's so simple.

compile JSP to servlet by jasper.
then, analysis it!

CipherWithNoIntegrityDetector throws exception on algorithm-only cipher lookups

javax.crypto.Cipher.getInstance permits lookups using only the algorithm name; however, CipherWithNoIntegrityDetector expects a slash to be present in the argument, leading to an ArrayIndexOutOfBoundsException at line 94 when code like the following is used:

Cipher cipher = Cipher.getInstance("RSA");

 [java]   Exception analyzing TokenEncryptor using detector com.h3xstream.findsecbugs.crypto.CipherWithNoIntegrityDetector
 [java]     java.lang.ArrayIndexOutOfBoundsException: 1
 [java]       At com.h3xstream.findsecbugs.crypto.CipherWithNoIntegrityDetector.sawOpcode(CipherWithNoIntegrityDetector.java:94)
 [java]       At edu.umd.cs.findbugs.visitclass.DismantleBytecode.visit(DismantleBytecode.java:883)
 [java]       At edu.umd.cs.findbugs.visitclass.BetterVisitor.visitCode(BetterVisitor.java:218)
 [java]       At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitCode(PreorderVisitor.java:229)
 [java]       At edu.umd.cs.findbugs.bcel.OpcodeStackDetector.visitCode(OpcodeStackDetector.java:63)
 [java]       At org.apache.bcel.classfile.Code.accept(Code.java:135)
 [java]       At edu.umd.cs.findbugs.visitclass.PreorderVisitor.doVisitMethod(PreorderVisitor.java:301)
 [java]       At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:389)
 [java]       At org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:215)
 [java]       At edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:38)
 [java]       At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
 [java]       At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1089)
 [java]       At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:283)
 [java]       At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:402)
 [java]       At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1200)

Update the documentation for Sonar Qube

The Sonar Qube dedicated plugin (developped by Porsche Informatik) is no longer require since its included in the FindBugs plugin.

Clarify the informational log message about CustomInjectionSource.properties

When I run findbugs on a maven project, I see the following in the output:

[INFO] --- findbugs-maven-plugin:3.0.1:findbugs (findbugs) @ cas-server-webapp-support ---
[INFO] Fork Value is true
     [java] Jul 19, 2015 7:55:33 AM com.h3xstream.findsecbugs.injection.custom.CustomInjectionSource getInjectionSourceProperties
     [java] INFO: com/h3xstream/findsecbugs/injection/custom/CustomInjectionSource.properties not found.
[INFO] Done FindBugs Analysis....

Could this perhaps be logged at DEBUG level?

Add supports for the new URL specification for bug reference

<MessageCollection>
    <Plugin>
        [...]
        <BugsUrl>http://</BugsUrl>
        <AllBugsUrl>http://</AllBugsUrl>
    </Plugin>
    [...]

New feature: http://sourceforge.net/p/findbugs/bugs/1342/
New XSD: https://findbugs.googlecode.com/git/findbugs/etc/messagecollection.xsd

Create a tutorial for IntelliJ IDE

Feature create for the auto-generation of the CHANGELOG.

New wiki page (tutorial):
https://github.com/h3xstream/find-sec-bugs/wiki/IntelliJ-Tutorial

TODO : Add a link in the micro website

JDO PersistenceManager - Potential Injections

PersistenceManager.newQuery(java.lang.Class cls, java.util.Collection cln, java.lang.String filter)
PersistenceManager.newQuery(java.lang.Class cls, java.lang.String filter)
PersistenceManager.newQuery(Extent cln, java.lang.String filter)

Reference: https://db.apache.org/jdo/api21/apidocs/javax/jdo/PersistenceManager.html

Remove ESAPI references in messages

https://github.com/h3xstream/find-sec-bugs/blob/master/plugin/src/main/resources/metadata/messages.xml

Replace ESAPI by OWASP Java Encoder in the resolution..

Tag 1.2.1 release

I like following repositories by their Tags (with RSS).
Would you please Tag the latest (and future) release(s).

Btw. really appreciate your work.

CustomInjectionSource.properties not found

Getting a weird error when running findbugs with findsecbugs:

[INFO] >>> findbugs-maven-plugin:3.0.0:check (default) > :findbugs @ rrCommon >>>
[INFO] 
[INFO] --- findbugs-maven-plugin:3.0.0:findbugs (findbugs) @ rrCommon ---
[INFO] Fork Value is true
     [java] Apr 23, 2015 4:50:12 PM com.h3xstream.findsecbugs.injection.custom.CustomInjectionSource getInjectionSourceProperties
     [java] SEVERE: com/h3xstream/findsecbugs/injection/custom/CustomInjectionSource.properties not found.
[INFO] Done FindBugs Analysis....

Relevant parts of my configuration

    <plugin.codehaus.findbugs.version>3.0.0</plugin.codehaus.findbugs.version>                       
    <!-- and related plugins -->                                                                     
    <plugin.h3xstream.findsecbugs.version>1.4.0</plugin.h3xstream.findsecbugs.version>               
    <plugin.mebigfatguy.fb-contrib.version>6.0.0</plugin.mebigfatguy.fb-contrib.version>             

        <plugin>                                                                                     
          <groupId>org.codehaus.mojo</groupId>                                                       
          <artifactId>findbugs-maven-plugin</artifactId>                                             
          <version>${plugin.codehaus.findbugs.version}</version>                                     
          <configuration>                                                                            
            <plugins>                                                                                
              <plugin>                                                                               
                <groupId>com.h3xstream.findsecbugs</groupId>                                         
                <artifactId>findsecbugs-plugin</artifactId>                                          
                <version>${plugin.h3xstream.findsecbugs.version}</version>                           
              </plugin>                                                                              
              <plugin>                                                                               
                <groupId>com.mebigfatguy.fb-contrib</groupId>                                        
                <artifactId>fb-contrib</artifactId>                                                  
                <version>${plugin.mebigfatguy.fb-contrib.version}</version>                          
              </plugin>                                                                              
            </plugins>                                                                               
          </configuration>                                                                           
        </plugin>

Issue with AES / CBC error detection - STATIC IV implementation

In Java.
When I initialize a cipher for AES / CBC I get a STATIC IV error.

For encryption: I get this error even if the initialization vector is initialized from a SecureRandom object, provided the initialization is done in a dedicated method. Example of code:

private final SecureRandom  random                     = new SecureRandom();

protected byte[] generateInitVector(int length) {
    byte[] array = new byte[length];
    random.nextBytes(array);
    return array;
}

public String encrypt(String key, String clearText) throws MyException {
    try {
        // Code to generate the SecretKey from the key
        SecretKey secKey = ...;

        Security.addProvider(new BouncyCastleProvider());

        byte[] iv = generateInitVector(int length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
[... do stuff]
     }
}

I have no error raised if I replace:
byte[] iv = generateInitVector(int length);
with:
byte[] iv = new byte[16];
random.nextBytes(iv);

==> this error is not really pretty, but not critical.

There is another case where this error is reported, and in this case it should not be: when instanciating a cipher in DECRYPT_MODE. In that case the IV must be the one which was used to encrypt the message, so by definition it cannot be random.

So: the expected behavior for this check is:

when the cipher is initialised in DECRYPT mode: the error must not be reported (unless my understanding of the process is wrong, which may still be possible...)
when the cipher is initialised in ENCRYPT mode: if possible the detection of random IV initialisation should be improved to let use a dedicated function for that.

The IV generation should only be verified for the encryption mode

I've created an OpenID RP implementation, and I had this message

Initialization vector must be regenerated for each message to be encrypted.
However, I was not planning to use the IV for encryption but decryption.

From
https://github.com/trajano/openid-connect/blob/master/openid-connect-core/src/main/java/net/trajano/openidconnect/internal/JcaJsonWebTokenCrypto.java#L288

final IvParameterSpec spec = new IvParameterSpec(initializationVector);
contentCipher.init(Cipher.DECRYPT_MODE, contentEncryptionKey, spec);

As noted it is on DECRYPT_MODE, perhaps there should be a check to prevent a false positive on this parameter.

Add CWE references to messages (few missing)

Few messages are missing CWE id.

Higher priority for injections

https://github.com/h3xstream/find-sec-bugs/blob/master/plugin/src/main/java/com/h3xstream/findsecbugs/injection/InjectionDetector.java#L136

Rise the priority to HIGH for most Injection type SQL, script eval, etc.

Fix links in the descriptions

rsalabs link is broken (http://www.emc.com/domains/rsa/index.htm?id=2218 -> http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/how-large-a-key-should-be-used.htm)
Links to owasp pages are unrelated in the XXE description.
Add link to blog post on Struts CSRF token (http://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html)
Add link to Rhino and SpEL malicious samples (http://blog.h3xstream.com/2014/11/remote-code-execution-by-design.html)

Integration with findbugs-maven-plugin

From the webpage/documentation I can't yet figure out how to integrate this plugin with the findbugs-maven-plugin at http://mojo.codehaus.org/findbugs-maven-plugin/. I'd very much like to run these extensions as part of my Maven build, so I can make the reports available through Jenkins/Sonar.

Is it possible to integrate this project with the findbugs-maven-plugin, and if so how? Would this need additional code or merely documentation on how to achieve this?

XXE - Identify Parser Factory

Currently the parse operations are flagged. It would be nice to also identify the instantiation (in case the parser is passed to a library).

Suggested by @davewichers

XXE - Separate guidelines (XMLReader/SaxParser/DocumentParser)

The remediation should be specific to each api. This would require to separate XMLReader/SaxParser/DocumentParser description.

References:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
try {
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
} catch (ParserConfigurationException e) { //handle error }

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
try {
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
} catch (ParserConfigurationException e) { //handle error }

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

New Rule : Seam Logger usage could lead to remote code execution

The Seam framework accepts expression language in its log statements, so concatenating strings to pass to the logger is a very bad idea.

https://issues.jboss.org/browse/JBSEAM-5130

Is it easy enough to add a detector for this?

How to run find-sec-bugs in Jenkins and Ant script?

How can I run this plugin in Ant script?

I desire your help.

example)

<target name="findbugs" depends="init-findbugs">
    <findbugs home="${basedir}/lib/findbugs"
              workHard="true"
              output="xml:withMessages"
              outputFile="${report.findbugs.dir}/findbugs.xml"
    >
        <class location="${lib.build.classes.dir}" />
        <!-- sourcepath location="${lib.project.dir}/src/java/**/*.java" /-->
        <!-- class location="${basedir}/lib/findbugs/*.jar" / -->
        <auxClasspath>
            <fileset file="${basedir}/lib/junit/junit.jar" />
        </auxClasspath>
    </findbugs>
</target>

ant run findbugs ==>

[FINDBUGS] Collecting findbugs analysis files...
FATAL: null
java.lang.ExceptionInInitializerError
    at edu.umd.cs.findbugs.DetectorFactoryCollection.getCoreResource(DetectorFactoryCollection.java:360)
    at edu.umd.cs.findbugs.SystemProperties.loadPropertiesFromConfigFile(SystemProperties.java:72)
    at edu.umd.cs.findbugs.SystemProperties.(SystemProperties.java:55)
    at edu.umd.cs.findbugs.SortedBugCollection.(SortedBugCollection.java:189)
    at hudson.plugins.findbugs.parser.FindBugsParser.readXml(FindBugsParser.java:266)
    at hudson.plugins.findbugs.parser.FindBugsParser.parse(FindBugsParser.java:208)
    at hudson.plugins.findbugs.parser.FindBugsParser.parse(FindBugsParser.java:145)
    at hudson.plugins.findbugs.parser.FindBugsParser.parse(FindBugsParser.java:105)
    at hudson.plugins.analysis.core.FilesParser.parseFile(FilesParser.java:261)
    at hudson.plugins.analysis.core.FilesParser.parseFiles(FilesParser.java:220)
    at hudson.plugins.analysis.core.FilesParser.invoke(FilesParser.java:169)
    at hudson.plugins.analysis.core.FilesParser.invoke(FilesParser.java:31)
    at hudson.FilePath.act(FilePath.java:865)
    at hudson.FilePath.act(FilePath.java:838)
    at hudson.plugins.findbugs.FindBugsPublisher.perform(FindBugsPublisher.java:161)
    at hudson.plugins.analysis.core.HealthAwarePublisher.perform(HealthAwarePublisher.java:144)
    at hudson.plugins.analysis.core.HealthAwareRecorder.perform(HealthAwareRecorder.java:329)
    at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:798)
    at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:770)
    at hudson.model.Build$BuildExecution.post2(Build.java:183)
    at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:720)
    at hudson.model.Run.execute(Run.java:1600)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
    at hudson.model.ResourceController.execute(ResourceController.java:88)
    at hudson.model.Executor.run(Executor.java:237)
Caused by: java.lang.IllegalStateException: Unable to load core plugin
    at edu.umd.cs.findbugs.PluginLoader.loadCorePlugin(PluginLoader.java:1423)
    at edu.umd.cs.findbugs.PluginLoader.loadInitialPlugins(PluginLoader.java:1373)
    at edu.umd.cs.findbugs.PluginLoader.(PluginLoader.java:156)
    ... 26 more
Caused by: edu.umd.cs.findbugs.PluginDoesntContainMetadataException: Core pluginlibrary-2.0.1.jar doesn't contain findbugs.xml; got jar:file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/find-sec-bugs-1.0.1-confoo-edition.jar!/findbugs.xml from java.net.URLClassLoader[file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/classes/, file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/annotations-2.0.0.jar, file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/find-sec-bugs-1.0.1-confoo-edition.jar, file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/jsr305-2.0.0.jar, file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/library-2.0.1.jar, file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/pluginlibrary-2.0.1.jar, file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/xercesImpl-2.9.1.jar, file:/C:/engn1d1/jenkins/plugins/findbugs-4.48/WEB-INF/lib/xml-apis-1.3.04.jar]
    at edu.umd.cs.findbugs.PluginLoader.getPluginDescriptor(PluginLoader.java:1112)
    at edu.umd.cs.findbugs.PluginLoader.init(PluginLoader.java:611)
    at edu.umd.cs.findbugs.PluginLoader.(PluginLoader.java:357)
    at edu.umd.cs.findbugs.PluginLoader.loadCorePlugin(PluginLoader.java:1419)
    ... 28 more

Add release notes

Hi there,

I am using FindSecBugs for a while now, its very cool and helpful.
But as there are now more than 60 bug pattern, It would be nice to have release notes,
to see which patterns are new since v1.4.0

NetBeans tutorial

Thanks @dansdrivers for the NetBeans tutorial

The tutorial will be linked on the micro-website soon.

Hibernate Restrictions API - Potential Injections

Cover the following signature :

Restrictions.sqlRestriction(String sql, Object[] values, Type[] types)
Restrictions.sqlRestriction(String sql, Object value, Type type)

Reference : http://docs.jboss.org/hibernate/core/3.3/api/org/hibernate/criterion/Restrictions.html

Findbugs Security Plugin

Hi,

 Im trying to run the FindBugs security plugin version findsecbugs-1.1.0-SNAPSHOT through maven on my project. I have the following dependencies in my pom.xml ,

    junit-3.8.1
    spring-2.5.6
    jaxws-rt-2.2.3
    hamcrest-core-1.3
    objenesis-1.3
    mockito-core-1.9.5
    servlet-api-2.3
    jaxws-spring-1.8
    findbugs-maven-plugin-2.5.2

At first i faced the NullPointerException which was fixed in https://github.com/h3xstream/find-sec-bugs. However im facing the following issue now,

  Exception in thread "main" java.lang.IllegalArgumentException: Error: missing bug code for keySECSHR
at edu.umd.cs.findbugs.DetectorFactoryCollection.getBugCode(DetectorFactoryCollection.java:562)
at edu.umd.cs.findbugs.SortedBugCollection.writeBugCodes(SortedBugCollection.java:676)
at edu.umd.cs.findbugs.SortedBugCollection.writeEpilogue(SortedBugCollection.java:579)
at edu.umd.cs.findbugs.SortedBugCollection.writeXML(SortedBugCollection.java:558)
at edu.umd.cs.findbugs.SortedBugCollection.writeXML(SortedBugCollection.java:475)
at edu.umd.cs.findbugs.XMLBugReporter.finish(XMLBugReporter.java:46)
at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:81)
at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:81)
at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:81)
at edu.umd.cs.findbugs.DelegatingBugReporter.finish(DelegatingBugReporter.java:81)
at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1239)
at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:279)
at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:391)
at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1300)

Pleae guide in solving the issue.

Thanks & Regards
Raghuveer Singh

JDO Query - Potential Injections

Query.setFilter(java.lang.String filter)
Query.setGrouping(java.lang.String group)

Reference : https://db.apache.org/jdo/api21/apidocs/javax/jdo/Query.html

New Rule : Detect Spring Eval JSP taglib

Hi folks,

In regards to http://h3xstream.github.io/find-sec-bugs/bugs.htm#SPEL_INJECTION I think there is an update needed:

<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>

<html lang="en">

<body>
    Spring Expression Language Injection Test - Eval
    <spring:eval expression="${param.input}" />
</body>

</html>

Here is the git:

https://github.com/aabashkin/web-security-testbed/blob/master/src/main/webapp/WEB-INF/views/spring-eval.jsp

http://localhost:8080/websecuritytestbed/code-injection/spring-eval?input=T%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22cmd.exe%22%29.toString%28%29

ACEGI Security: avoid temporary calls to SecurityContextHolder.getContext().setAuthentication(…)

When using org.acegisecurity.context.HttpSessionContextIntegrationFilter, a SecurityContext will be associated with a session and thus used in multiple theads. Therefore the idiom

Authentication old = SecurityContextHolder.getContext().getAuthentication();
try {
    SecurityContextHolder.getContext().setAuthentication(…);
    // …privileged operation…
} finally {
    SecurityContextHolder.getContext().setAuthentication(old);
}

is unsafe: another thread handling a different request from the same user might momentarily get elevated permissions while performing unrelated operations.

For this reason, Jenkins encourages a different idiom:

SecurityContext old = SecurityContextHolder.getContext();
SecurityContextHolder.setContext(…);
try {
    // …privileged operation…
} finally {
    SecurityContextHolder.setContext(old);
}

Probably a detector could look for temporary calls to setAuthentication on the current context, and suggest replacing them with a temporary switch of context. If this sounds promising, I can try to submit a pull request.

XXE - reader False Positive

I came across XXE_XMLREADER and used the recommended solution from http://h3xstream.github.io/find-sec-bugs/bugs.htm, but the bugs persist in my Eclipse Luna IDE.

I made two methods with exactly that recommended code, and they still show up as bugs.

How to analyze JaxRS (CXF) code?

How to analyze JaxRS (CXF) code?

XXE Bug Patterns update

Hello,

I'd like to submit a pattern update for XXE bugs. This provides a way to disable external entities without completely restricting DOCTYPE

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);

        XMLReader reader = XMLReaderFactory.createXMLReader();

        GenericInputParserHandler handler = new GenericInputParserHandler();
        reader.setFeature("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
        reader.setContentHandler(handler);

False positive on Static IV when using Cipher.getIv()

Static IV detector should support Cipher.getIV().

This api is probably the thing to use in most case. Maybe the solution example could be enhanced.

This false positive came up when analyzing the library Apache Camel.

XXE - Avoid false positive when secure features are set.

Xerces parser supports feature to disable entity. Which is the easiest way to patch vulnerable code.

Security warning should be remove when the following feature are sets:

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

Unsafe instructions iteration

Hi,

I've tried to integrate your plugin to the EAP findbugs tests in jenkins but then I've got into some troubles. When I run the tests without the find-sec-bugs plugin, it ends with a couple of warnings but when I run it with the plugin then I get 42 analysis errors and a really long stack trace.

I run the tests inside the Jenkins and I use the Findbugs in the version 2.0.1. Find-sec-bugs is in the version 1.2.1. Are there any version compability notes? Are these version compatible?

I also didn't find any settings recommendation. I've just put your plugin inside the Findbugs plugin directory. Does it need any additionally settings?

Here is the stack:
https://drive.google.com/file/d/0ByAl3ieZYVnXRWZsbHB6UWFYaGM/view?usp=sharing

Nov 03, 2014 5:20:56 AM edu.umd.cs.findbugs.TextUIBugReporter reportAnalysisError
SEVERE: Oops
edu.umd.cs.findbugs.ba.DataflowAnalysisException: Accessing TOP or BOTTOM frame!
    at edu.umd.cs.findbugs.ba.Frame.getStackValue(Frame.java:235)
    at edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.visitPUTFIELD(IsNullValueFrameModelingVisitor.java:323)
    at org.apache.bcel.generic.PUTFIELD.accept(PUTFIELD.java:79)
    at edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
    at edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.analyzeInstruction(IsNullValueFrameModelingVisitor.java:104)
    at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:326)
    at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:71)
[...]

Do you have any suggestions how to solve this?

Regards,
Lukas Kubik

em.createNativeQuery(
                String.format("select * from Users where name = %s", username),
                UserEntity.class);

(Maybe you prefer a fork with pull request to manage this kingd of enhancement request?)

Regards

The BAD_HEXA_CONVERSION detector seems to have issues when UnconditionalValueDerefAnalysis is run later

I am not sure what is occurring, but the code in https://github.com/h3xstream/find-sec-bugs/blob/master/plugin/src/main/java/com/h3xstream/findsecbugs/crypto/BadHexadecimalConversionDetector.java seems to somehow cause an error later in UnconditionalValueDerefAnalysis.checkNonNullParams. The code where this error is occurring has a method that receives an instance of an implementing class of an interface (where the interface has been implemented at least twice) which calls theInterface.someMethodThatReturnsAMap() (where the someMethodThatReturnsAMap method returns some kind of map).

build   02-Oct-2013 05:39:36         [java] Oct 02, 2013 5:39:36 AM edu.umd.cs.findbugs.TextUIBugReporter reportAnalysisError
build   02-Oct-2013 05:39:36         [java] SEVERE: Error looking up nonnull parameters for invoked method
build   02-Oct-2013 05:39:36         [java] edu.umd.cs.findbugs.ba.DataflowAnalysisException: Accessing TOP or BOTTOM frame!
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.Frame.getStackValue(Frame.java:235)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.Frame.getArgument(Frame.java:392)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.deref.UnconditionalValueDerefAnalysis.checkNonNullParams(UnconditionalValueDerefAnalysis.java:580)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.deref.UnconditionalValueDerefAnalysis.checkAllNonNullParams(UnconditionalValueDerefAnalysis.java:532)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.handleInvoke(IsNullValueFrameModelingVisitor.java:180)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.visitINVOKEINTERFACE(IsNullValueFrameModelingVisitor.java:501)
build   02-Oct-2013 05:39:36         [java]     at org.apache.bcel.generic.INVOKEINTERFACE.accept(INVOKEINTERFACE.java:131)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.analyzeInstruction(IsNullValueFrameModelingVisitor.java:104)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:326)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:71)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.transfer(AbstractDataflowAnalysis.java:131)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transfer(IsNullValueAnalysis.java:272)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transfer(IsNullValueAnalysis.java:71)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.getFactAtLocation(AbstractDataflowAnalysis.java:84)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.ba.Dataflow.getFactAtLocation(Dataflow.java:487)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.detect.LoadOfKnownNullValue.analyzeMethod(LoadOfKnownNullValue.java:115)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.detect.LoadOfKnownNullValue.visitClassContext(LoadOfKnownNullValue.java:52)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:74)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1193)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:279)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:391)
build   02-Oct-2013 05:39:36         [java]     at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1300)
build   02-Oct-2013 05:39:36         [java]   Error looking up nonnull parameters for invoked method
build   02-Oct-2013 05:39:36         [java]     edu.umd.cs.findbugs.ba.DataflowAnalysisException: Accessing TOP or BOTTOM frame!
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.Frame.getStackValue(Frame.java:235)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.Frame.getArgument(Frame.java:392)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.deref.UnconditionalValueDerefAnalysis.checkNonNullParams(UnconditionalValueDerefAnalysis.java:580)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.deref.UnconditionalValueDerefAnalysis.checkAllNonNullParams(UnconditionalValueDerefAnalysis.java:532)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.handleInvoke(IsNullValueFrameModelingVisitor.java:180)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.visitINVOKEINTERFACE(IsNullValueFrameModelingVisitor.java:501)
build   02-Oct-2013 05:39:36         [java]       At org.apache.bcel.generic.INVOKEINTERFACE.accept(INVOKEINTERFACE.java:131)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.AbstractFrameModelingVisitor.analyzeInstruction(AbstractFrameModelingVisitor.java:84)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.npe.IsNullValueFrameModelingVisitor.analyzeInstruction(IsNullValueFrameModelingVisitor.java:104)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:326)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transferInstruction(IsNullValueAnalysis.java:71)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.transfer(AbstractDataflowAnalysis.java:131)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transfer(IsNullValueAnalysis.java:272)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.npe.IsNullValueAnalysis.transfer(IsNullValueAnalysis.java:71)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.AbstractDataflowAnalysis.getFactAtLocation(AbstractDataflowAnalysis.java:84)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.ba.Dataflow.getFactAtLocation(Dataflow.java:487)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.detect.LoadOfKnownNullValue.analyzeMethod(LoadOfKnownNullValue.java:115)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.detect.LoadOfKnownNullValue.visitClassContext(LoadOfKnownNullValue.java:52)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:74)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1193)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:279)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:391)
build   02-Oct-2013 05:39:36         [java]       At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1300)

Remove slash from XXE short message

Remove prefix slash in the message of XXE issue.

The usage of /DocumentBuilder.parse(...) is vulnerable to XML External Entity attacks

Issue with mvn findbugs:gui

I followed the steps to add the maven deps at https://github.com/h3xstream/find-sec-bugs/wiki/Maven-configuration

When I run mvn findbugs:gui (after running findbugs:findbugs) I get the following issue (using windows)

   [INFO] [findbugs:gui {execution: default-cli}]
[INFO] File Encoding is UTF-8
java.lang.NoClassDefFoundError: Platform
Caused by: java.lang.ClassNotFoundException: Platform
        at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: Platform.  Program will exit.
Exception in thread "main"
[INFO] ------------------------------------------------------------------------
[ERROR] FATAL ERROR
[INFO] ------------------------------------------------------------------------
[INFO] Java returned: 1
[INFO] ------------------------------------------------------------------------
[INFO] Trace
: Java returned: 1
        at org.apache.tools.ant.taskdefs.Java.execute(Java.java:111)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
        at org.apache.tools.ant.Task.perform(Task.java:348)
        at groovy.util.AntBuilder.nodeCompleted(AntBuilder.java:199)
        at groovy.util.BuilderSupport.doInvokeMethod(BuilderSupport.java:147)
        at groovy.util.AntBuilder.doInvokeMethod(AntBuilder.java:149)
        at groovy.util.BuilderSupport.invokeMethod(BuilderSupport.java:64)
        at org.codehaus.groovy.runtime.InvokerHelper.invokePogoMethod(InvokerHelper.java:756)
        at org.codehaus.groovy.runtime.InvokerHelper.invokeMethod(InvokerHelper.java:730)
        at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodN(ScriptBytecodeAdapter.java:170)
        at org.codehaus.mojo.findbugs.FindBugsGui.execute(FindBugsGui.groovy:152)
        at org.apache.maven.plugin.DefaultPluginManager.executeMojo(DefaultPluginManager.java:490)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoals(DefaultLifecycleExecutor.java:694)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeStandaloneGoal(DefaultLifecycleExecutor.java:569)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoal(DefaultLifecycleExecutor.java:539)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalAndHandleFailures(DefaultLifecycleExecutor.java:387)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeTaskSegments(DefaultLifecycleExecutor.java:348)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.execute(DefaultLifecycleExecutor.java:180)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:328)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:138)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:362)
        at org.apache.maven.cli.compat.CompatibleMain.main(CompatibleMain.java:60)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.codehaus.classworlds.Launcher.launchEnhanced(Launcher.java:315)
        at org.codehaus.classworlds.Launcher.launch(Launcher.java:255)
        at org.codehaus.classworlds.Launcher.mainWithExitCode(Launcher.java:430)

New Rule: Detect SSL disabler (Java + Scala implementation)

Detect those utility classes (Scala/Java)
https://github.com/tferega/scala-ssl-disabler

MethodUnprofitableException throwing could be suppressed

Hi,
as @amaembo said here https://github.com/h3xstream/find-sec-bugs/issues/19#issuecomment-68827294 this exception could be ignored.

I run into this exception while analyzing WildFly code.
Stacktrace:

  Exception analyzing org.apache.xalan.xslt.Process using detector com.h3xstream.findsecbugs.xxe.SaxParserXxeDetector
    java.lang.RuntimeException: edu.umd.cs.findbugs.ba.MethodUnprofitableException: Appears unprofitable to analyze org.apache.xalan.xslt.Process.main(String[])
      At com.h3xstream.findsecbugs.xxe.SaxParserXxeDetector.sawOpcode(SaxParserXxeDetector.java:106)
      At edu.umd.cs.findbugs.visitclass.DismantleBytecode.visit(DismantleBytecode.java:808)
      At edu.umd.cs.findbugs.visitclass.BetterVisitor.visitCode(BetterVisitor.java:217)
      At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitCode(PreorderVisitor.java:223)
      At edu.umd.cs.findbugs.bcel.OpcodeStackDetector.visitCode(OpcodeStackDetector.java:55)
      At org.apache.bcel.classfile.Code.accept(Code.java:133)
      At edu.umd.cs.findbugs.visitclass.PreorderVisitor.doVisitMethod(PreorderVisitor.java:293)
      At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:373)
      At org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:214)
      At edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:37)
      At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:74)
      At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1193)
      At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:279)
      At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:391)
      At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1300)
      At sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      At sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      At sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      At java.lang.reflect.Method.invoke(Method.java:606)
      At edu.umd.cs.findbugs.FindBugsMain.invoke(FindBugsMain.java:61)
      At edu.umd.cs.findbugs.workflow.FB.main(FB.java:50)

Source of the method unprofitable to analyze is here:
http://svn.apache.org/viewvc/xalan/java/trunk/src/org/apache/xalan/xslt/Process.java?view=markup
If you run this shell script (in some empty folder for a better cleaning of the temporary files), it will reproduce that exception:
https://drive.google.com/file/d/0ByAl3ieZYVnXenpyQUo2aDVjUXM/view?usp=sharing