Remove low-value Java semgrep rules
Remove:
- java/cookie/rule-CookiePersistent.yml - should be removed to be consistent with C# and we have no idea if this cookie contains sensitive information
- java/cookie/rule-CookieUsage.yml - should be removed to be consistent with C# and we have no idea if this cookie contains sensitive information
- java/cookie/rule-RequestParamToCookie.yml - Same as rule-HttpResponseSplitting.yml should be removed
- java/cookie/rule-TrustBoundaryViolation.yml - This seems like an unnecessary check
- java/cors/rule-PermissiveCORS.yml - should be removed, the risks of setting `*` in a CORS response are minimal since credentials will not be sent
- java/crypto/rule-DefaultHTTPClient.yml - deprecated for many years now, and it actually connects just fine to a TLS1.3 only server
- java/endpoint/rule-UnencryptedSocket.yml - this should be removed using a non-tls socket is perfectly acceptable
- java/endpoint/rule-InsecureServlet.yml - Should be removed as it's perfectly acceptable to access the data from these methods. There's no way a customer could 'fix' this.
- java/endpoint/rule-JaxRsEndpoint.yml - This rule doesn't make any sense; it's also somewhat copied from rule-HttpResponseSplitting in that it's doing the incorrect check for the `CRLF` sequence. Also, calling unescapeJava may be acceptable in some circumstances, but not all.
- java/endpoint/rule-JaxWsEndpoint.yml - This rule doesn't make any sense; it's also somewhat copied from rule-HttpResponseSplitting in that it's doing the incorrect check for the `CRLF` sequence. Also, calling unescapeJava may be acceptable in some circumstances, but not all.
- java/file/rule-FileUploadFileName.yml - this is a source, not a sink; maybe it could be enhanced?
- java/form/rule-FormValidate.yml - don't know what this rule is trying to say or how to fix it. Looks like ActionForm/ValidatorForm is from struts 1.1 which is EoL'd 2013.
- java/inject/rule-AWSQueryInjection.yml - SimpleDB, while still technically supported, is deprecated and no longer available to new accounts, consider removing
- java/inject/rule-BeanPropertyInjection.yml - should probably be removed, you can't even download apache commons collections 3 any more. Longer thread: "references apache beanutils https://commons.apache.org/proper/commons-beanutils/ `populate` method as being vulnerable. So I download and build a project with that. But `populate` fails due to an `Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/collections/FastHashMap`. So I download apache-commons collections from https://commons.apache.org/proper/commons-collections. Re-run and I get the same exception, because collections4 is a separate namespace. So I go to download apache collections 3 from https://dlcdn.apache.org//commons/collections/binaries/commons-collections-3.2.2-bin.zip (which says it requires java 1.3!!!!) but guess what, the link is dead"
- java/inject/rule-CustomInjectionSQLString.yml - Highly FP prone, does not necessarily mean the string will be used in sql at all
- java/inject/rule-ELInjection.yml - Could not get a JSF 2.3 app even running in 2023. It's now called Jakarta, and checking our FP resolved/dismissal rates this finding only showed up once
- java/inject/rule-PathTraversalIn.yml - This is just checking if a file is opened. Either we should remove this file for noise it causes, or add some guards such as sources from servlets/popular web frameworks. Looks like java/inject/rule-SpotbugsPathTraversalAbsolute.yml is the better version of this.
- java/inject/rule-PathTraversalOut.yml - This is just checking if a file is opened. java/inject/rule-SpotbugsPathTraversalAbsolute.yml is the better version of this.
- java/inject/rule-SpotbugsPathTraversalRelative.yml - basically the same thing as java/inject/rule-SpotbugsPathTraversalAbsolute.yml, remove it.
- java/ldap/rule-EntryPoisoning.yml - I don't think this rule is correct, $SCOPE could legitimately have a value here. I'm also not convinced not having a scope set is what this rule is trying to check?
- java/password/rule-HardcodeKeySuspiciousName.yml remove and use secrets scanning instead
- java/password/rule-HardcodeKeySuspiciousValue.yml remove and use secrets scanning instead
- java/perm/rule-OverlyPermissiveFilePermissionObj.yml - probably safe to remove this rule or at least enhance it to see if all permissions are added for owner/group/other
- java/strings/rule-ImproperUnicode.yml - I don't think this rule is necessary / security related
- java/unsafe/rule-InformationExposure.yml - this is a stretch.. should probably remove this as it's totally fine to print stack information during debugging. This is going to be super noisy.
- java/unsafe/rule-InformationExposureVariant2.yml - same
- java/xml/rule-ApacheXmlRpc.yml deprecated in 2013
- java/xss/rule-RequestWrapper.yml poor rule, should be removed
- java/xss/rule-XSSServlet.yml same as java/xss/rule-XSSReqParamToServletWriter.yml
- /java/xss/rule-XSSServletParameter.yml poor rule, this is a source, not a sink
- java/xxe/rule-XPathXXE.yml poor rule matches a hardcoded variable name, and has no namespace/import associated with it (code would need to match 'df' exactly)
- java/xxe/rule-Trans.yml is the same as java/xml/rule-XsltTransform.yml with less information
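To make the reasoning behind the PermissiveCORS removal concrete, the following is an added Python model of the browser-side CORS check from the Fetch Standard. It is not code from this issue or from the semgrep rule set; the server configurations, origins and allowlist in it are constructed for illustration. It shows that `Access-Control-Allow-Origin: *` never lets another origin read a credentialed response through a browser (even when `Access-Control-Allow-Credentials: true` is also sent), while reflecting the request's `Origin` together with the credentials opt-in does.

```python
"""Browser-side CORS check (Fetch Standard, "CORS check" algorithm) applied to
a few server configurations.  Added example: the origins and server behaviours
below are constructed for illustration, not taken from any real deployment."""

from typing import Callable, Dict, Optional

Headers = Dict[str, str]           # header names assumed already lower-cased
Server = Callable[[str], Headers]  # maps the request's Origin to CORS headers


def cors_check(headers: Headers, request_origin: str, credentials: bool) -> bool:
    """Return True when a browser would expose the response to request_origin.

    Follows the Fetch Standard CORS check step by step: absent header -> fail;
    '*' satisfies only anonymous requests; otherwise the value must equal the
    request origin exactly, and credentialed requests additionally need
    Access-Control-Allow-Credentials: true.
    """
    allow_origin: Optional[str] = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False
    if not credentials and allow_origin == "*":
        return True
    if allow_origin != request_origin:
        return False  # '*' lands here for credentialed requests and fails
    if not credentials:
        return True
    return headers.get("access-control-allow-credentials") == "true"


# --- constructed server configurations -------------------------------------

def wildcard_server(_origin: str) -> Headers:
    """The shape the PermissiveCORS rule flags: a bare wildcard."""
    return {"access-control-allow-origin": "*"}


def wildcard_with_credentials_server(_origin: str) -> Headers:
    """Wildcard plus a credentials opt-in: the browser still refuses."""
    return {"access-control-allow-origin": "*",
            "access-control-allow-credentials": "true"}


def reflecting_server(origin: str) -> Headers:
    """Echoes any Origin back with credentials: the genuinely dangerous shape."""
    return {"access-control-allow-origin": origin,
            "access-control-allow-credentials": "true"}


ALLOWED_ORIGINS = frozenset({"https://app.example"})  # constructed allowlist


def allowlist_server(origin: str) -> Headers:
    """Only known origins get CORS headers at all."""
    if origin in ALLOWED_ORIGINS:
        return {"access-control-allow-origin": origin,
                "access-control-allow-credentials": "true"}
    return {}


def classify(server: Server, untrusted_origin: str = "https://other.example") -> str:
    """Rate what an untrusted origin could read from this server via a browser."""
    headers = server(untrusted_origin)
    if cors_check(headers, untrusted_origin, credentials=True):
        return "high"   # authenticated responses readable cross-origin
    if cors_check(headers, untrusted_origin, credentials=False):
        return "low"    # only what an anonymous client could already fetch
    return "none"


if __name__ == "__main__":
    for name, server in [("wildcard", wildcard_server),
                         ("wildcard+credentials", wildcard_with_credentials_server),
                         ("reflecting+credentials", reflecting_server),
                         ("allowlist", allowlist_server)]:
        print(f"{name:24s} {classify(server)}")
```

In this model only the reflecting configuration lets an untrusted origin read authenticated responses; both wildcard variants come out "low" because step 3 of the check is the only place `*` is accepted, and it applies solely to non-credentialed requests.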
Edited by Isaac Dawson