Saturday, June 25, 2016

Static Code Analysis for Java using FindBugs Plugin and Identifying Security Bugs with FindSecurityBugs Plugin

When writing code, it is important to make sure that your code is bug-free and secure. As the code base grows, it becomes impractical to go through every line manually to verify that the code is safe and follows best practices. In such cases, tools can do this for you. FindBugs [1] is one such free tool for static analysis of Java code. FindBugs is available as a plugin for the common IDEs (e.g. Eclipse, IntelliJ IDEA), so you can run an analysis while writing code, spot the bugs and fix them immediately.

In this post I will show how to install the FindBugs plugin in IntelliJ IDEA and perform a code analysis. I will also show how to enable the FindSecurityBugs [2] plugin, which is bundled with the FindBugs-IDEA plugin, to identify security weaknesses and bugs in your code.

Once you open IntelliJ IDEA, go to Configure -> Plugins on the welcome screen.

If you have already opened a project in IntelliJ IDEA, you can go to File -> Settings and in the left panel of the Settings window, select Plugins.

You can install the FindBugs plugin in two ways. If you have an internet connection, click the Browse repositories button and install the plugin from there. If not, download the FindBugs plugin for IntelliJ IDEA [3] and use the Install plugin from disk option, where you can browse to the downloaded plugin file.

When you go with the Browse repositories option, search for findbugs, select FindBugs-IDEA and install it.

Once the FindBugs plugin is installed, you will see a FindBugs-IDEA button at the bottom of the IDE. Clicking it opens a panel with all of the plugin's settings.

Now we have to enable the FindSecurityBugs plugin, which is bundled with FindBugs-IDEA. This is the component that finds security bugs in your code. Click on the Plugin Preferences button.

Under the Plugins section of the General tab, click on the + button and select Add Find Security Bugs.

Once the FindSecurityBugs plugin is added, click on Apply and then OK.

Now we have installed the FindBugs plugin in IntelliJ IDEA and enabled the FindSecurityBugs plugin in it. Let’s perform a static code analysis and see all the bugs we have in the code.

For this demonstration I am using the OWASP WebGoat [4] project, a deliberately insecure Java web application built for teaching security testing, so it contains a large number of known security bugs.

I have opened the WebGoat project in IDEA. To run FindBugs on the project, I right-click the project and go to FindBugs -> Analyze Scope Files, which scans only the selected folder. Analyze Module Files scans the selected module, and Analyze Project Files scans the entire project. FindBugs analyses compiled bytecode rather than source files, so the selected scope must compile before it can be scanned; code that does not compile is simply not analysed.

Once the scan completes, the identified bugs appear in the FindBugs-IDEA panel. Since we enabled the FindSecurityBugs plugin, the security issues it found are listed under the Security category.

The security issues are grouped by the type of vulnerability. You can expand each category and double-click a particular issue for more information about it.

It shows the piece of code that has the vulnerability and suggests a solution. In the right-hand panel, you can click the link that describes the vulnerability and it opens the detailed web page in the browser. There you can also find references to the associated CVE (Common Vulnerabilities and Exposures) [5] or CWE (Common Weakness Enumeration) [6] entries.
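
To make the Security category concrete, here is an added example (my own code, not from WebGoat or from the FindBugs project) of two findings the FindSecurityBugs rules report, each next to its fix. The pattern names in the comments are the identifiers I expect the plugin to use for these findings; the table and column names are made up.

```java
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import java.util.Random;

/**
 * Each pair shows code that FindSecurityBugs reports under the Security
 * category next to the fix. Added example; not code from WebGoat or FindBugs.
 */
public class SecurityFindings {

    /** Reported as SQL_INJECTION_JDBC: the caller-supplied name becomes part of the SQL text. */
    static String emailForUserUnsafe(Connection db, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + username + "'";
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /** Fix: constant query text, the value travels as a bound parameter. Not reported. */
    static String emailForUser(Connection db, String username) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /**
     * Reported as PREDICTABLE_RANDOM: java.util.Random is a seedable PRNG whose
     * output can be reconstructed from a few observed values, so a password
     * reset token built from it can be guessed by anyone who has seen other tokens.
     */
    static String resetTokenUnsafe() {
        byte[] b = new byte[32];
        new Random().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static final SecureRandom SECURE = new SecureRandom();

    /** Fix: a cryptographically secure generator. Not reported. */
    static String resetToken() {
        byte[] b = new byte[32];
        SECURE.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}
```

Run the analysis on this class and the two *Unsafe methods appear under Security while the fixed ones do not. Because the analysis works on bytecode, the same rule set can run in the build as well: the findbugs-maven-plugin accepts the findsecbugs-plugin artifact as a plugin dependency, which lets the scan fail a CI job instead of depending on someone opening the IDE panel.
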

You can export the reported bugs for further analysis. For that, click on the Export Bug Collection to XML/HTML button.

You have to provide a file path to store the exported files. You can export the reports in HTML and/or XML format.

A generated report looks like the following.

If you go to the Security Warnings section, you can see a detailed explanation of each identified security issue.

When writing code, it is important to use these kinds of tools to identify potential risks in your code and produce high-quality code that is safe to use. Keep in mind that a static analyser only reports the patterns it knows about; a clean report means no known pattern was matched, not that the code has no vulnerabilities.


Tharindu Edirisinghe
Platform Security Team

Saturday, June 4, 2016

Java Web Application for Retrieving User Profile Information from LinkedIn using OAuth 2.0 Authorization Code Grant Type

In my previous article “Retrieving User Profile Information from LinkedIn using OAuth 2.0 Authorization Code Grant Type” [1], I discussed how to improve the usability of websites for identity management. When visitors must fill in a lengthy form to register on a website, you can instead let them log in to an existing Identity Provider (e.g. Facebook, LinkedIn, Twitter) so that your website can retrieve their personal details from that Identity Provider (e.g. LinkedIn). With the profile details received, you can auto-fill your web form and let the user register easily.

In this blog post I demonstrate how to write a Java web application that retrieves user profile data from LinkedIn. It is a Maven project, and the built WAR file is hosted in Tomcat running on port 8080.

Once the website is opened in the browser, it shows the registration page. Here, instead of filling in all the fields of the form, you can simply click the ‘Login with LinkedIn’ button.

The user is then redirected to the LinkedIn website, which shows that a third-party application is requesting permission to access their profile information. In OAuth terminology this is the user consent step. You provide your LinkedIn credentials and allow access. (The credentials are entered on LinkedIn's own site, not on the third-party application, so the application never sees the password; what it receives afterwards is a short-lived authorization code.)

Upon allowing access, the web application retrieves your LinkedIn profile information and auto-fills the form.

The source code of the Java sample application can be found at [2].

The Maven project structure is as follows.

The registration page is index.jsp; profile.jsp is the same registration form, auto-filled with the LinkedIn user profile information.

In the project resources there is a Java keystore named truststore.jks. Into this keystore I have imported the public certificates of LinkedIn, because the code makes a back-channel (server-to-server) call using an HTTP client to retrieve the user profile information from the LinkedIn API. This call is made over HTTPS, so to create the SSLContext we need a truststore containing the public certificate(s) of the LinkedIn API. (The password of truststore.jks is wso2carbon.) The OAuthTLSUtil class in the sample handles this HTTPS call. Note that trusting the server's own (leaf) certificates rather than the CA that issued them means the call starts failing as soon as LinkedIn rotates its certificates; for anything beyond a demo, trust the issuing CA instead, or simply rely on the JVM's default cacerts truststore, which already contains the public CAs.

The two LinkedIn API certificates are as follows. (What I have done is simply visit the and websites from the browser and download the certificates there. These downloaded certificates are then imported into the Java keystore I created.)

When you try out the sample, you must have registered your own OAuth application in a LinkedIn developer account and obtained the clientId and clientSecret values from it. The clientId value should be added in [3] and [4], and the clientSecret value in [5] in the sample. Keep the clientSecret out of anything that is served to the browser and out of version control; it is what allows the application to exchange an authorization code for an access token.

Once we have the access token, we use it to call the LinkedIn API for the user profile information. Each user attribute we want must be requested in a comma-separated field list as below.

The complete list of user profile fields is available in [6].

Then we receive the user profile information as a JSON object like the following. In the code we have to parse the JSON object and retrieve each field.

{
  "emailAddress": "XXXXXXXXXX",
  "firstName": "Tharindu",
  "industry": "Information Technology and Services",
  "lastName": "Edirisinghe",
  "pictureUrl": "",
  "publicProfileUrl": ""
}

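
The whole exchange described above, from the redirect behind the ‘Login with LinkedIn’ button through the token exchange to the profile call and the extraction of the JSON fields, as an added example. This is my own code, not the sample from [2]: the endpoint URLs, scope names and field selectors are taken from LinkedIn's OAuth 2.0 and v1 People API documentation of the time and are assumptions here, the client id, secret and redirect URI are placeholders, and the state parameter is something this example adds to tie the callback to the browser session.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Authorization code grant against LinkedIn, end to end. Added example, not the
 * blog's sample. Endpoint URLs, scopes and field selectors are assumptions taken
 * from LinkedIn's OAuth 2.0 and v1 People API documentation of the time.
 */
public class LinkedInAuthCodeFlow {
    // Placeholders: use the clientId/clientSecret of your own LinkedIn application.
    static final String CLIENT_ID = "YOUR_CLIENT_ID";
    static final String CLIENT_SECRET = "YOUR_CLIENT_SECRET";
    static final String REDIRECT_URI = "http://localhost:8080/linkedin-sample/callback";
    static final String AUTHZ_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization";
    static final String TOKEN_ENDPOINT = "https://www.linkedin.com/oauth/v2/accessToken";
    // Field selectors: the comma-separated list of attributes; the JSON keys come back camelCase.
    static final String PROFILE_ENDPOINT = "https://api.linkedin.com/v1/people/~:"
            + "(id,first-name,last-name,email-address,industry,picture-url,public-profile-url)?format=json";
    private static final SecureRandom RNG = new SecureRandom();

    /** Unguessable state value; keep it in the HttpSession until the callback arrives. */
    static String newState() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Step 1: the URL the 'Login with LinkedIn' button sends the browser to (front channel). */
    static String buildAuthorizationUrl(String state) throws IOException {
        return AUTHZ_ENDPOINT + "?response_type=code"
                + "&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&state=" + enc(state)
                + "&scope=" + enc("r_basicprofile r_emailaddress");
    }

    /**
     * Step 2: the callback. The returned state must equal the value stored in the session,
     * otherwise an attacker could finish the flow with a code issued for the attacker's own
     * account. The code is then exchanged over the back channel, the only place the secret goes.
     */
    static String exchangeCode(String code, String returnedState, String expectedState) throws IOException {
        if (code == null || expectedState == null || !expectedState.equals(returnedState)) {
            throw new SecurityException("OAuth state mismatch or missing code: dropping callback");
        }
        String form = "grant_type=authorization_code&code=" + enc(code)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&client_id=" + enc(CLIENT_ID)
                + "&client_secret=" + enc(CLIENT_SECRET);
        HttpURLConnection c = (HttpURLConnection) new URL(TOKEN_ENDPOINT).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = c.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        String token = jsonString(readBody(c), "access_token");
        if (token == null) throw new IOException("token endpoint returned no access_token");
        return token;
    }

    /** Step 3: the profile call with the bearer token; returns the JSON shown above. */
    static String fetchProfile(String accessToken) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(PROFILE_ENDPOINT).openConnection();
        c.setRequestProperty("Authorization", "Bearer " + accessToken);
        return readBody(c);
    }

    /** Extracts one top-level string field such as "firstName"; use a JSON library in real code. */
    static String jsonString(String json, String key) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    private static String readBody(HttpURLConnection c) throws IOException {
        int status = c.getResponseCode();
        InputStream in = status < 400 ? c.getInputStream() : c.getErrorStream();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while (in != null && (n = in.read(chunk)) > 0) buf.write(chunk, 0, n);
        String body = buf.toString(StandardCharsets.UTF_8.name());
        if (status >= 400) throw new IOException("HTTP " + status + " from LinkedIn: " + body);
        return body;
    }

    private static String enc(String s) throws IOException {
        return URLEncoder.encode(s, StandardCharsets.UTF_8.name()).replace("+", "%20");
    }
}
```

A servlet behind the button calls newState(), stores the value in the HttpSession and redirects to buildAuthorizationUrl(state); the callback servlet hands the code and state query parameters plus the stored value to exchangeCode(), after which fetchProfile() and jsonString() supply the values that profile.jsp fills in. HttpURLConnection uses the JVM's default truststore here, which already trusts the public CA behind api.linkedin.com, so this version needs no custom truststore.jks.
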
Similarly you can provide login with Facebook, Twitter etc. capability to your websites to improve the usability of the website.


Tharindu Edirisinghe
Platform Security Team