Using FindBugs to look for vulnerabilities

Today (2015-02-26) in the Developers Forum, @skoussa led a discussion about utilizing FindBugs to evaluate vulnerabilities in the OpenMRS code base. Our plan is to evaluate this tool in comparison to a commercial tool to which Sherif has access.

According to @raff we are running FindBugs already as part of our SonarQube installation at: https://ci.openmrs.org/sonar/

If anyone is interested in joining the efforts on evaluating these tools (and learning more about them) please reply to this topic and add your voice here.

Thanks for joining our work team to address these important issues! :trophy:

We would like to get installed this set of rules: http://h3xstream.github.io/find-sec-bugs/ (there’s a specific plugin for sonar: http://h3xstream.github.io/find-sec-bugs/tutorials.htm#Sonar )

I am interested in being part of the learning and investigation or evaluation team. Just to be sure how I need to join: “we shall be joining efforts”, does that mean we shall work together or do personal testing work? I hope to hear more details about how I can be of help in this.

Thanks @michael for this invitation

Might be useful to get a test instance to test out the new version 4.5.2 LTS or 5.X and see if they offer any advantages. Also for plugin support it would be useful to get on an LTS release as some of the newer plugin versions don’t support our current release of 4.3.2.

So @ryan or @k_joseph are you interested in installing and testing the plugin for sonar I mentioned above?

Sure @raff, I am interested.

@k_joseph, thanks! I sent you credentials to use for https://ci.openmrs.org/sonar You should be able to install the plugin and play with it. You’ll need to build the plugin from https://github.com/porscheinformatik/sonar-find-sec-bugs-plugin

@ryan, would you take care of trying to upgrade sonar to the latest version?

Sure, are we in agreement that using the LTS is the best option? I plan on installing 4.5.4 (LTS) unless anyone has objections.

Yes, let’s move to 4.5.4 for now. I looked at projects listed here http://www.sonarqube.org/resources/public-sonarqube-instances/ and there’s just one instance of 5.x. Let’s wait until it gets more mature.

Sonarqube 4.5.4 is now installed. I haven’t updated any of the plugins yet as I see there are a lot of dependencies on other plugins.

I had just started downloading 5.1 when I read here of the one you guys had preferred; nevertheless I will finish and load my installation, which is as of now the latest release. I understand that for now our task is evaluating the tool. Are we going to be reporting to JIRA any vulnerabilities that sonar may have traced down that are of value to look into?

I will be evaluating both the plugin and the standard release!

@ryan, thanks! I’ve updated plugins. Could you please restart sonar for the changes to take effect?

@k_joseph, yes, we are going to report vulnerabilities in JIRA, but first we have to have the plugin running on https://ci.openmrs.org/sonar. Once you get the plugin running on your local instance, please report back examples of issues that it finds for openmrs-core so we can see if they are of any value for us.

I restarted and it crashed on startup, with this error. Looks like we need to get the correct versions of the plugins synced together.

    2015.04.03 13:28:47 ERROR web[o.a.c.c.C.[.[.[/sonar]]  Exception sending context initialized event to listener instance of class org.sonar.server.platform.PlatformServletContextListener
    org.sonar.updatecenter.common.exception.IncompatiblePluginVersionException: The plugins 'findbugs' and 'java' must have exactly the same version as they belong to the same group.
            at org.sonar.updatecenter.common.PluginReferential.getParentRelease(PluginReferential.java:136) ~[sonar-update-center-common-1.11.jar:na]
            at org.sonar.updatecenter.common.PluginReferential.setParent(PluginReferential.java:124) ~[sonar-update-center-common-1.11.jar:na]
            at org.sonar.updatecenter.common.PluginReferentialManifestConverter.fromPluginManifests(PluginReferentialManifestConverter.java:54) ~[sonar-update-center-common-1.11.jar:na]
            at org.sonar.server.plugins.PluginReferentialMetadataConverter.getInstalledPluginReferential(PluginReferentialMetadataConverter.java:40) ~[sonar-server-4.5.4.jar:na]
            at org.sonar.server.plugins.InstalledPluginReferentialFactory.init(InstalledPluginReferentialFactory.java:54) ~[sonar-server-4.5.4.jar:na]
            at org.sonar.server.plugins.InstalledPluginReferentialFactory.start(InstalledPluginReferentialFactory.java:38) ~[sonar-server-4.5.4.jar:na]
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_75]
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_75]
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_75]
            at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_75]
            at org.picocontainer.lifecycle.ReflectionLifecycleStrategy.invokeMethod(ReflectionLifecycleStrategy.java:110) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.lifecycle.ReflectionLifecycleStrategy.start(ReflectionLifecycleStrategy.java:89) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.behaviors.Stored.start(Stored.java:110) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1015) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1008) ~[picocontainer-2.14.3.jar:na]
            at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:766) ~[picocontainer-2.14.3.jar:na]
            at org.sonar.api.platform.ComponentContainer.startComponents(ComponentContainer.java:92) ~[sonar-plugin-api-4.5.4.jar:na]
            at org.sonar.server.platform.Platform.startLevel2Container(Platform.java:106) ~[sonar-server-4.5.4.jar:na]
            at org.sonar.server.platform.Platform.init(Platform.java:73) ~[sonar-server-4.5.4.jar:na]
            at org.sonar.server.platform.PlatformServletContextListener.contextInitialized(PlatformServletContextListener.java:42) ~[sonar-server-4.5.4.jar:na]
            at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4973) [tomcat-embed-core-7.0.54.jar:7.0.54]
            at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5467) [tomcat-embed-core-7.0.54.jar:7.0.54]
            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [tomcat-embed-core-7.0.54.jar:7.0.54]
            at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559) [tomcat-embed-core-7.0.54.jar:7.0.54]
            at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549) [tomcat-embed-core-7.0.54.jar:7.0.54]
            at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_75]
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_75]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_75]
            at java.lang.Thread.run(Thread.java:745) [na:1.7.0_75]
    Caused by: java.util.NoSuchElementException: Unable to find a release of plugin java with version 2.3
            at org.sonar.updatecenter.common.Artifact.getRelease(Artifact.java:86) ~[sonar-update-center-common-1.11.jar:na]
            at org.sonar.updatecenter.common.PluginReferential.getParentRelease(PluginReferential.java:134) ~[sonar-update-center-common-1.11.jar:na]
            ... 31 common frames omitted

I have reverted the java plugin to allow it to start again.

@ryan, I can’t remember now, but did we try java 3.1? https://ci.openmrs.org/sonar/updatecenter/updates reports it is compatible.

Also sonar needs to be restarted as I needed to uninstall the security rules plugin which is not compatible with the new version of sonar.

I believe so. It looks like when updating to 3.1 it is not updating the included plugins, such as jacoco, findbugs, surefire, squid. Are those included now or do we need to update those separately? (Looks like they need to be the exact same version as well.)

Version 2.4 moves Java from being an “ecosystem” of multiple plugins to a single, stand-alone plugin that encompasses most of the functionality formerly contained in the ecosystem. Unfortunately, SonarQube’s update center cannot handle the switch gracefully. You may use the update center to download the new version of the plugin. However, you must manually remove the Surefire, JaCoCo, and Squid for Java plugins from $SONARQUBE_HOME/extensions/plugins.

That is what http://docs.sonarqube.org/display/SONAR/Java+Plugin says you have to do when upgrading from versions lower than 2.4 (which is true in our case).
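The two failure modes discussed in this thread (plugins that belong to the same group but carry different versions, as in the IncompatiblePluginVersionException above, and the old Surefire/JaCoCo/Squid jars that have to be deleted by hand once the Java plugin is 2.4 or newer) can both be checked before restarting the server instead of discovering them in the startup log. The script below is an added example written for this thread; it is not OpenMRS or SonarQube code. It assumes that each plugin jar carries `Plugin-Key`, `Plugin-Version` and, for ecosystem members, `Plugin-Parent` attributes in its `META-INF/MANIFEST.MF`, and the plugin keys for the obsolete ecosystem jars and the sample jars it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit a SonarQube extensions/plugins directory before a restart.

Checks performed:
  1. every plugin with a Plugin-Parent must have exactly its parent's
     version (the "must have exactly the same version as they belong to
     the same group" rule from the update center), and the parent must
     actually be installed;
  2. if the java plugin is 2.4 or newer, the old ecosystem jars
     (surefire, jacoco, squid for java) must no longer be present.

Assumptions (not taken from the thread): manifest attribute names
Plugin-Key / Plugin-Version / Plugin-Parent, and the plugin keys listed
in ECOSYSTEM_MEMBERS. The sample jars are constructed for the demo.
"""
import os
import tempfile
import zipfile

# Assumed keys of the jars that sonar-java 2.4+ absorbed.
ECOSYSTEM_MEMBERS = {"surefire", "jacoco", "squidjava"}


def parse_manifest(text):
    """Turn 'Key: value' manifest lines into a dict (no continuation lines)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def read_plugin_manifest(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))


def version_tuple(version):
    """'2.4.1' -> (2, 4, 1); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_plugins(plugin_dir):
    """Return a list of human-readable problems; an empty list means safe to restart."""
    plugins = {}
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".jar"):
            manifest = read_plugin_manifest(os.path.join(plugin_dir, name))
            plugins[manifest["Plugin-Key"]] = manifest

    problems = []
    # Check 1: group members must match their parent's version exactly.
    for key, manifest in plugins.items():
        parent = manifest.get("Plugin-Parent")
        if parent is None:
            continue
        if parent not in plugins:
            problems.append(f"{key} {manifest['Plugin-Version']}: parent plugin '{parent}' is not installed")
        elif plugins[parent]["Plugin-Version"] != manifest["Plugin-Version"]:
            problems.append(
                f"{key} {manifest['Plugin-Version']} != {parent} {plugins[parent]['Plugin-Version']}: "
                "same group, must have exactly the same version"
            )

    # Check 2: leftover ecosystem jars once java >= 2.4 bundles them.
    java = plugins.get("java")
    if java is not None and version_tuple(java["Plugin-Version"]) >= (2, 4):
        for key in sorted(ECOSYSTEM_MEMBERS & plugins.keys()):
            problems.append(f"{key}: remove from extensions/plugins, it is bundled into java >= 2.4")
    return problems


def write_sample_jar(plugin_dir, filename, key, version, parent=None):
    """Create a minimal constructed plugin jar containing only a manifest."""
    lines = ["Manifest-Version: 1.0", f"Plugin-Key: {key}", f"Plugin-Version: {version}"]
    if parent:
        lines.append(f"Plugin-Parent: {parent}")
    with zipfile.ZipFile(os.path.join(plugin_dir, filename), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")


def build_sample_dir():
    """Constructed layout mirroring the thread: java bumped to 3.1, children left at 2.3."""
    plugin_dir = tempfile.mkdtemp(prefix="sonar-plugins-")
    write_sample_jar(plugin_dir, "sonar-java-plugin-3.1.jar", "java", "3.1")
    write_sample_jar(plugin_dir, "sonar-findbugs-plugin-2.3.jar", "findbugs", "2.3", parent="java")
    write_sample_jar(plugin_dir, "sonar-jacoco-plugin-2.3.jar", "jacoco", "2.3", parent="java")
    return plugin_dir


if __name__ == "__main__":
    for problem in audit_plugins(build_sample_dir()):
        print(problem)
```

Run it against `$SONARQUBE_HOME/extensions/plugins` instead of the constructed directory to get the same report for a real installation; the sample layout reproduces the thread's state (java at 3.1, findbugs and jacoco still at 2.3) and reports the two version mismatches plus the jacoco jar that has to be removed.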