edu.umd.cs.findbugs.detect.FindVulnerableSecurityCheckMethods

All Implemented Interfaces:: Detector, Priorities, org.apache.bcel.classfile.Visitor

public class FindVulnerableSecurityCheckMethods extends OpcodeStackDetector

This detector finds all the vulnerable methods which uses Security Manager to perform some security check but are declared non-final and non-private in a non-final class. Please see @see SEI CERT MET03-J

Nested Class Summary

Nested classes/interfaces inherited from class OpcodeStackDetector
OpcodeStackDetector.WithCustomJumpInfo
Field Summary

Fields

Modifier and Type

Field

Description

private static final Set<String>

badMethodNames

private final BugReporter

bugReporter

Fields inherited from class OpcodeStackDetector
stack

Fields inherited from class DismantleBytecode
codeBytes, lineNumberTable, M_BR, M_CP, M_INT, M_PAD, M_R, M_UINT

Fields inherited from interface Priorities
EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY
Constructor Summary

Constructors

Constructor

Description

FindVulnerableSecurityCheckMethods(BugReporter bugReporter)
Method Summary

Modifier and Type

Method

Description

private boolean

isMethodCall(int seen)

Returns true if the opcode is a method invocation false otherwise

void

sawOpcode(int seen)

By default, this method will not be called when stack is TOP.

void

visitClassContext(ClassContext classContext)

Only interested in non-final classes

Methods inherited from class OpcodeStackDetector
afterOpcode, beforeOpcode, getStack, isUsingCustomUserValue, visitCode

Methods inherited from class BytecodeScanningDetector
getClassContext, report, shouldVisitCode

Methods inherited from class DismantleBytecode
areOppositeBranches, atCatchBlock, getBranchFallThrough, getBranchOffset, getBranchTarget, getClassConstantOperand, getClassDescriptorOperand, getCodeByte, getConstantRefOperand, getDefaultSwitchOffset, getDottedClassConstantOperand, getFieldDescriptorOperand, getIntConstant, getLongConstant, getMaxPC, getMethodDescriptorOperand, getNameConstantOperand, getNextCodeByte, getNextOpcode, getNextPC, getOpcode, getPC, getPrevOpcode, getRefConstantOperand, getRefFieldIsStatic, getRegisterOperand, getSigConstantOperand, getStringConstantOperand, getSwitchLabels, getSwitchOffsets, getXClassOperand, getXFieldOperand, getXMethodOperand, isBranch, isMethodCall, isRegisterLoad, isRegisterStore, isRegisterStore, isReturn, isShift, isSwitch, isWideOpcode, printOpCode, sawBranchTo, sawClass, sawDouble, sawField, sawFloat, sawIMethod, sawInt, sawLong, sawMethod, sawRegister, sawString, visit

Methods inherited from class AnnotationVisitor
getAnnotationParameterAsEnum, getAnnotationParameterAsString, getAnnotationParameterAsStringArray, visitAnnotation, visitAnnotation, visitParameterAnnotation, visitParameterAnnotation, visitSyntheticParameterAnnotation

Methods inherited from class PreorderVisitor
amVisitingMainMethod, asUnsignedByte, doVisitMethod, getClassDescriptor, getClassName, getCode, getConstantPool, getDottedClassName, getDottedFieldSig, getDottedMethodSig, getDottedSuperclassName, getField, getFieldDescriptor, getFieldIsStatic, getFieldName, getFieldSig, getFullyQualifiedFieldName, getFullyQualifiedMethodName, getMethod, getMethodDescriptor, getMethodName, getMethodSig, getMethodVisitOrder, getNumberArguments, getNumberMethodArguments, getPackageName, getSizeOfSurroundingTryBlock, getSizeOfSurroundingTryBlock, getSourceFile, getStringFromIndex, getSuperclassName, getSurroundingCaughtExceptions, getSurroundingCaughtExceptions, getSurroundingCaughtExceptionTypes, getSurroundingTryBlock, getSurroundingTryBlock, getThisClass, getXClass, getXField, getXMethod, hasInterestingClass, hasInterestingMethod, isVisitMethodsInCallOrder, setupVisitorForClass, setVisitMethodsInCallOrder, shouldVisit, toString, visitAfter, visitAfter, visitAnnotationDefault, visitAnnotationEntry, visitBootstrapMethods, visitConstantInvokeDynamic, visitConstantMethodHandle, visitConstantMethodType, visitConstantModule, visitConstantPackage, visitConstantPool, visitEnclosingMethod, visitingField, visitingMethod, visitInnerClasses, visitJavaClass, visitLineNumberTable, visitLocalVariableTable, visitMethodParameters, visitParameterAnnotationEntry, visitStackMap, visitStackMapEntry

Methods inherited from class BetterVisitor
clone, report, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visitCodeException, visitConstantClass, visitConstantDouble, visitConstantFieldref, visitConstantFloat, visitConstantInteger, visitConstantInterfaceMethodref, visitConstantLong, visitConstantMethodref, visitConstantNameAndType, visitConstantString, visitConstantUtf8, visitConstantValue, visitDeprecated, visitExceptionTable, visitField, visitInnerClass, visitLineNumber, visitLocalVariable, visitLocalVariableTypeTable, visitMethod, visitSignature, visitSourceFile, visitSynthetic, visitUnknown

Methods inherited from class Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.bcel.classfile.Visitor
visitConstantDynamic, visitMethodParameter, visitModule, visitModuleExports, visitModuleMainClass, visitModuleOpens, visitModulePackages, visitModuleProvides, visitModuleRequires, visitNestHost, visitNestMembers, visitRecord, visitRecordComponent, visitStackMapType

Field Details
- bugReporter
  
  private final BugReporter bugReporter
- badMethodNames
  
  private static final Set<String> badMethodNames
Constructor Details
- FindVulnerableSecurityCheckMethods
  
  public FindVulnerableSecurityCheckMethods(BugReporter bugReporter)
Method Details
- visitClassContext
  
  public void visitClassContext(ClassContext classContext)
  
  Only interested in non-final classes
  
  Specified by:
  
  visitClassContext in interface Detector
  
  Overrides:
  
  visitClassContext in class BytecodeScanningDetector
  
  Parameters:
  
  classContext - the ClassContext
- isMethodCall
  
  private boolean isMethodCall(int seen)
  
  Returns true if the opcode is a method invocation false otherwise
- sawOpcode
  public void sawOpcode(int seen)
  
  Description copied from class: OpcodeStackDetector
  
  By default, this method will not be called when stack is TOP. To change this behavior, override #beforeOpcode(int) and change to return true even if stack is TOP.
  
  see Using FindBugs for Research to learn lattice and what TOP means.
  
  Specified by:
  
  sawOpcode in class OpcodeStackDetector
  
  See Also:
  
  OpcodeStackDetector.beforeOpcode(int)

Class FindVulnerableSecurityCheckMethods

Nested Class Summary

Nested classes/interfaces inherited from class OpcodeStackDetector

Field Summary

Fields inherited from class OpcodeStackDetector

Fields inherited from class DismantleBytecode

Fields inherited from interface Priorities

Constructor Summary

Method Summary

Methods inherited from class OpcodeStackDetector

Methods inherited from class BytecodeScanningDetector

Methods inherited from class DismantleBytecode

Methods inherited from class AnnotationVisitor

Methods inherited from class PreorderVisitor

Methods inherited from class BetterVisitor

Methods inherited from class Object

Methods inherited from interface org.apache.bcel.classfile.Visitor

Field Details

bugReporter

badMethodNames

Constructor Details

FindVulnerableSecurityCheckMethods

Method Details

visitClassContext

isMethodCall

sawOpcode