By Niren Shah
After I published the Dependency Checking article, I got a flurry of questions about what else organizations should be doing to achieve better cybersecurity. If you read my other article about the Cybersecurity Mindmap, you can see that there are many things an organization must do to become more secure. I firmly believe that in today's world, cybersecurity comes from a collaborating set of products and processes. So this article addresses another small piece of the puzzle: static code checking, specifically for security-related bugs.
There are many free and paid tools that perform static code checking, i.e. they scan your code and try to identify issues, ranging from simple stylistic problems to outright bad coding practices. Some of these tools are (and there are plenty of others):
I'm going to pick an open-source one: SpotBugs. SpotBugs calls itself the spiritual successor to FindBugs. FindBugs was pretty popular in its day before it was abandoned; the community then took over and reincarnated it as SpotBugs. SpotBugs is easy to use, with plugins that integrate with the most common development and build tools: Ant, Maven, Gradle, Eclipse, IntelliJ, etc. It checks for over 400 bug patterns, including the ones we're interested in: the malicious-code and security categories. One thing worth knowing up front: SpotBugs analyzes compiled bytecode rather than source files, so your project has to compile before it can be checked. You can find the full list of bug patterns here, and the full SpotBugs documentation here.
The other reason I like SpotBugs is that it is extensible with other free and open-source plugins that add further checks. For example, fb-contrib, an auxiliary detector plugin originally developed for FindBugs, adds to the list of checks. And for security issues there is Find Security Bugs, a plugin that specifically checks for 127 vulnerability types; the full list is here. It also integrates with all the popular IDEs and continuous-integration tools.
But enough with the fluff :). Let's see how easy it is to integrate a tool like this into your build process and make your codebase a whole lot more secure. You really have no excuse - I mean seriously, people :).
I'm going to use one of my favorite Java libraries as a test bed: Mockito. If you're not familiar with Mockito, it is a Java object/interface mocking library that lets you isolate unit tests in a really clean way. Since Mockito is a test framework rather than a production runtime library - it is never run in a production environment - it is a safe one to use as an example. You won't panic if we find issues :).
So, you can clone the entire project using Git from here; it uses the Gradle build tool. Once you've cloned the repository, and assuming you have a basic Java development environment set up on your system, you can make sure everything builds correctly by running (depending on whether you're on the dark side or not ;) ):
./gradlew clean build
or
gradlew clean build
To add the SpotBugs plugin, add the com.github.spotbugs line to the existing plugins block of your build.gradle file (the com.gradle.build-scan line is already there in Mockito's build), and add the tasks.withType block after it. The second block makes SpotBugs produce the HTML version of the report instead of the default XML one.
plugins {
    id 'com.gradle.build-scan' version '1.12.1'
    id "com.github.spotbugs" version "1.6.2"
}
tasks.withType(com.github.spotbugs.SpotBugsTask) {
    reports {
        xml.enabled false
        html.enabled true
    }
}
Then we add the Find Security Bugs plugin by adding the following line to the dependencies section of build.gradle. The spotbugsPlugins configuration is how the SpotBugs Gradle plugin picks up additional detector jars, so this is all that is needed to load the extra security detectors.
dependencies {
    <...>
    spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1'
    <...>
}
That's it - literally. Now you can run all the SpotBugs and Find Security Bugs checks in one shot with:
./gradlew spotbugsMain
or
gradlew spotbugsMain
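Pulling the steps above together, here is a complete build.gradle for a standalone Java project that wires SpotBugs and Find Security Bugs into the normal Gradle check lifecycle. This is an added example, not Mockito's build file and not code from the SpotBugs or Find Security Bugs projects; the effort, reportLevel and ignoreFailures settings are SpotBugs plugin options the article's snippets do not use, and the exclude-filter path is a placeholder you would point at your own filter file.

```groovy
// Complete build.gradle (Groovy DSL) for a plain Java project.
// Assumes Gradle 4.x, SpotBugs Gradle plugin 1.6.2 and Find Security Bugs 1.7.1,
// i.e. the versions used in the article. Added example, not the project's own build.
plugins {
    id 'java'                                   // provides the main/test source sets
    id 'com.github.spotbugs' version '1.6.2'    // adds spotbugsMain and spotbugsTest tasks
}

repositories {
    mavenCentral()   // resolves SpotBugs itself and the Find Security Bugs detector jar
}

dependencies {
    // Extra detectors are loaded through the spotbugsPlugins configuration.
    spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1'
}

spotbugs {
    ignoreFailures = false       // default, stated explicitly: any finding fails the build
    effort = 'max'               // deeper analysis; slower but fewer missed bugs
    reportLevel = 'low'          // report low-confidence findings too, so nothing is hidden
    // Suppress triaged false positives per bug pattern instead of disabling the check.
    // Placeholder path: create this XML filter file in your own repository.
    // excludeFilter = file('config/spotbugs/exclude.xml')
}

tasks.withType(com.github.spotbugs.SpotBugsTask) {
    reports {
        xml.enabled false        // XML is useful for CI dashboards; HTML is easier to read
        html.enabled true
    }
}
```

Because the plugin hooks its tasks into the check task, ./gradlew check (and therefore ./gradlew build) runs spotbugsMain and spotbugsTest alongside the unit tests, which is what you want in a CI pipeline. With ignoreFailures left at false the build fails on any finding, but the HTML report is still written under build/reports/spotbugs/ before the task fails, so you can read it to triage. Resist the temptation to set ignoreFailures to true to get a green build; that silently turns the security gate into an optional report.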
This compiles the main source set, runs all the checks and generates an HTML report (by default under build/reports/spotbugs/) with all the issues it finds. Note that the task fails by default if any bugs are found, which is the behavior you want in a CI pipeline; the report is still produced. The report for Mockito is shown below. If you take a look at the "contents" section, you'll see all the categories of bugs it found. The "security warnings" section is contributed by the Find Security Bugs plugin and the rest come from SpotBugs itself. Treat the report as a triage list rather than a list of confirmed vulnerabilities: static analyzers match code patterns, so expect some false positives, and suppress those with an exclude filter rather than turning the check off.
That's it! Now what excuse do you have to not add this to your build process?
Note: The content and summary tables in this report do not work correctly when embedded in an iframe. But you can scroll to the relevant sections. Sorry about that!