Sunday, March 20, 2016

Static Source Code Analysis with OWASP LAPSE for Java

Code analysis is the process of analyzing the source code of software to verify its quality and identify weaknesses that can be exploited. This is achieved in two ways: static and dynamic. In static code analysis, the code is inspected without executing it. This can be done through a peer code review or by using automated tools. The benefit of performing static code analysis is that vulnerabilities can be detected early and addressed before the software is deployed. In the Software Development Life Cycle, it is important that developers perform code analysis for every piece of code they write.

Static code analysis functionality is also integrated into development environments (IDEs), where developers can analyze their code while writing it and see how secure it is. However, when using such tools to analyze source code, there is a high chance that they produce false positives: cases where the developer has already handled the security of the code but the tool still complains.

OWASP [1] has defined the top 10 vulnerabilities [2] related to web application security, which developers have to pay attention to in order to write secure code that is not open to such vulnerabilities. To analyze code statically and identify such issues, we can use OWASP’s LAPSE [3] tool, which comes as a plugin for the Eclipse IDE.

Installation of LAPSE on Eclipse

You can download the tool from [4]; at the time of this writing, the latest version is LapsePlus 2.8.1.

Once you have downloaded the jar file (LapsePlus_2.8.1.jar), copy it to the plugins directory of your Eclipse installation.

After that, run Eclipse.

Go to Window -> Show View -> Other



In the Show View window, type ‘Vulnerability’ and you will see LAPSE’s Vulnerability Sinks and Vulnerability Sources options.


LAPSE+ is based on static analysis of the code to detect the source and the sink of a vulnerability. The source of a vulnerability refers to the injection of untrusted data, e.g. in the parameters of an HTTP request or a cookie. The sink of a vulnerability refers to the process of data modification that manipulates the behaviour of the application, such as a servlet response or an HTML page. Vulnerability sources can lead to sinks through simple assignments, method calls or parameter passing. When it is possible to reach a vulnerability sink from a vulnerability source, we have a vulnerability in our application [1].
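To make the source-to-sink idea concrete, here is an added example (my own illustration, not code from this post or from LAPSE+): a minimal taint propagation in Python over a constructed straight-line program, with method names modelled on the Servlet API sources and sinks LAPSE+ looks for and an assumed ESAPI.encodeForHTML sanitizer.

```python
SOURCES = {"HttpServletRequest.getParameter", "HttpServletRequest.getHeader"}
SINKS = {"PrintWriter.println", "Statement.executeQuery"}
SANITIZERS = {"ESAPI.encodeForHTML"}  # assumed sanitizer name, not a LAPSE+ rule

def find_tainted_sinks(program):
    """Return [(stmt index, sink callee, flow)] for each sink a source reaches.

    program is straight-line code: ("assign", dst, src) or
    ("call", dst, callee, args) with dst None for void calls. An unknown
    callee passes taint from a tainted argument to dst (the conservative
    choice that yields a false positive when the callee validates its input).
    """
    tainted = {}   # variable -> list of steps describing how taint reached it
    findings = []
    for i, stmt in enumerate(program):
        if stmt[0] == "assign":
            _, dst, src = stmt
            if src in tainted:
                tainted[dst] = tainted[src] + [f"{dst} = {src}"]
            else:
                tainted.pop(dst, None)  # overwritten with clean data
            continue
        _, dst, callee, args = stmt
        tainted_args = [a for a in args if a in tainted]
        if callee in SINKS and tainted_args:
            flow = tainted[tainted_args[0]] + [f"{callee}({tainted_args[0]})"]
            findings.append((i, callee, flow))
        if dst is None:
            continue
        if callee in SOURCES:
            tainted[dst] = [f"{dst} = {callee}()"]
        elif callee in SANITIZERS or not tainted_args:
            tainted.pop(dst, None)
        else:
            tainted[dst] = tainted[tainted_args[0]] + [f"{dst} = {callee}({tainted_args[0]})"]
    return findings

# Constructed programs (not WebGoat's code) showing the three propagation steps.
VULNERABLE = [
    ("call", "name", "HttpServletRequest.getParameter", ["request"]),  # source
    ("assign", "page", "name"),                                         # assignment
    ("call", "html", "Template.render", ["tpl", "page"]),               # parameter passing
    ("call", None, "PrintWriter.println", ["html"]),                    # sink reached
]
FIXED = [
    ("call", "name", "HttpServletRequest.getParameter", ["request"]),
    ("call", "safe", "ESAPI.encodeForHTML", ["name"]),                  # sanitizer cuts the flow
    ("call", None, "PrintWriter.println", ["safe"]),                    # not reported
]
```

Running `find_tainted_sinks(VULNERABLE)` reports the println at statement 3 with the full flow, while the FIXED program yields no finding because the sanitizer call clears the taint.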

Vulnerability Sources

From the Show View window, you can select Vulnerability Sources and you will see a panel in Eclipse as shown below.

You can import your project into Eclipse to analyze its source code. Here I am using the WebGoat [5] sample application for static code analysis.

Once you have imported the project, right-click on the Vulnerability Sources panel and click Find sources.



This will scan the source code and list all the vulnerability sources (entry points of untrusted data) it finds in the code.

You can double-click a specific entry in the panel and it will open and highlight the source code related to that issue.

Vulnerability Sinks

Similar to Vulnerability Sources, you can select Vulnerability Sinks from the Show View window.

Then, from the Vulnerability Sinks panel, right-click and select the Find sinks option.


It will list all the vulnerability sinks it finds.
You can double-click a specific entry to view the code responsible for the issue.

Although this tool reports vulnerabilities, there can be false positives, where the code already handles the security concern even though the tool complains that there is a problem. In such cases we can ignore those warnings. However, there can be actual vulnerabilities among the findings as well, and therefore it is always better to check the code you write to verify its quality in terms of security.

References


Tharindu Edirisinghe
Platform Security Team
WSO2

7 comments:

  1. Hello,

    Could you please tell me what version of JDK, Eclipse and Linux did you use? I cannot get the tool to work, crashes with NullPointerException every time.

    Thank you!

    Daniel

    Replies
    1. Hi Daniel,

      Here are the details.

      java version "1.7.0_80"
      Ubuntu 15.04
      Eclipse Java EE IDE for Web Developers. Version: Mars.1 Release (4.5.1)
      LapsePlus 2.8.1

      I had used Lapse for evaluation but later stopped using it as I found that FindSecBugs, which comes with the FindBugs plugin, does the job well. I've written about it in the following blog post. Give it a try.

      http://tharindue.blogspot.com/2016/06/static-code-analysis-for-java-using.html

    2. Hello,

      I've tried the installation with the versions you provided and it worked, thank you very much!

      I have to hold a presentation on LAPSE+, that's why I was particularly interested in making it work.

      I will for sure have a look at the FindBugs blog post as well.

      Thanks again,
      Daniel

    3. Glad to hear this was useful to you! Good luck :)
