Removing FindBugs sub module dependency + README

edwardsamuel · Sep 30, 2014 · 4fbedcd · 4fbedcd
1 parent 750908c
commit 4fbedcd
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 40 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,33 +1,5 @@
 *.class
-findbugs/annotationJavaDoc/
-findbugs/apiJavaDoc/
-findbugs/bin/
-findbugs/build/
-findbugs/classesEclipse/
-findbugs/doc/
-findbugs/jnlp/appengine.jnlp
-findbugs/lib/annotations.jar
-findbugs/lib/findbugs-ant.jar
-findbugs/lib/findbugs.jar
-findbugs/local.properties
-findbugs/optionalPlugin/
-findbugs/plugin/findbugsCommunalCloud.jar
-findbugs/plugin/webCloudClient.jar
-findbugs/src/doc/allBugDescriptions.html
-findbugs/src/doc/bugDescriptions.html
-findbugs/web/
-findbugsTestCases/build/
-findbugsTestCases/classesEclipse/
-findbugsTestCases/history/
+findbugs/
 findbugs-injection-detector/bin
 findbugs-injection-detector/injection-detector.jar
-out/
-
-# if you remove the above rule, at least ignore user-specific stuff:
-.idea/workspace.xml
-.idea/tasks.xml
-# and these sensitive or high-churn files:
-.idea/dataSources.ids
-.idea/dataSources.xml
-.idea/sqlDataSources.xml
-.idea/dynamic.xml
+out/
diff --git a/.gitmodules b/.gitmodules
diff --git a/README.md b/README.md
@@ -0,0 +1,31 @@
+#Injection Detector Plug-In for FindBugs
+
+Input Injections are considered as the most common and effective vulnerabilities to exploit in many software systems (esp. web apps). Input injection is caused by executing user inputs which have not been validated or sanitized, so that the purpose of execution is changed by malicious agents into their advantages. 
+
+The input injection detector is done by extending an existing static analysis tool, namely **FindBugs** (currently we only support **FindBugs 2.0.3**). The detection uses dataflow analysis to monitor user-contaminated variables. To improve accuracy, reducing false positives and false negatives, dataflow analysis is used to monitor variables that have been validated or sanitized by developers.
+
+## Vulnerabilities
+This plug-in can detect following vulnerabilities:
+
+ 1. SQL injection
+ 2. Shell/command injection
+ 3. XPath injection
+ 4. LDAP injection
+ 5. Cross-site scripting (XSS) type-1
+ 6. Cross-site scripting (XSS) type-2
+ 7. Unvalidated redirects
+ 8. Unvalidated forwards
+ 9. HTTP response splitting
+ 10. Path traversal
+ 11. Remote file inclusion
+
+## Build
+
+ 1. Clone this repository.
+ 2. Download **FindBugs 2.0.3** source code (You can download it from [SourceForge](http://sourceforge.net/projects/findbugs/files/findbugs/2.0.3/findbugs-2.0.3-source.zip/download)).
+ 3. Extract `findbugs-2.0.3-source.zip` to root directory of this repositories. In the root directory, you should have 3 (three) directories: `findbugs-2.0.3`, `findbugs-injection-detector`, and `vulnerable-sites`.
+ 4. Rename `findbugs-2.0.3` to `findbugs`.
+ 5. In terminal, change current directory to `findbugs`, and then run `ant build` to compile and build **FindBugs**.
+ 6. In terminal, change current directory to `findbugs-injection-detector`, and then run `ant install` to compile, build, and install the detector to **FindBugs** in `findbugs` directory.
+
+You should have `injection-detector.jar` in `findbugs-injection-detector` after building the plug-in. This file is plug-in for **FindBugs**. To install to another copy of **FindBugs**, you could copy `injection-detector.jar` to `plugin` directory in **FindBugs**.
diff --git a/findbugs b/findbugs
diff --git a/vulnerable-sites/src/main/java/id/ac/itb/cs/vuln/ExampleServlet.java b/vulnerable-sites/src/main/java/id/ac/itb/cs/vuln/ExampleServlet.java
@@ -16,17 +16,17 @@ public class ExampleServlet extends HttpServlet {
     private final static MySQLCodec MY_SQL_CODEC = new MySQLCodec(MySQLCodec.Mode.STANDARD);
 
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-        String uname = request.getParameter("uname");
-
         PrintWriter out = response.getWriter();
-        Employee employee = getEmployee(uname);
+
+        String uname = request.getParameter("uname");
+        Employee employee = getEmployee(uname);	
         out.write("Hello, " + employee.getName() + "!");
     }
 
     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-        String uname = ESAPI.encoder().encodeForSQL(MY_SQL_CODEC, request.getParameter("uname"));
-
         PrintWriter out = response.getWriter();
+
+        String uname = ESAPI.encoder().encodeForSQL(MY_SQL_CODEC, request.getParameter("uname"));
         Employee employee = getEmployee(uname);
         out.write("Hello, " + employee.getName() + "!");
     }