fluidasserts.lang.java module

This module allows to check Java code vulnerabilities.

fluidasserts.lang.java.does_not_handle_exceptions(java_dest, should_have, use_regex=False, exclude=None)

Search for catch blocks that do not handle the exception.

See REQ.161.

See CWE-755.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • should_have (typing.List[str]) – List of expected exception handlers.

  • use_regex (bool) – Use regular expressions instead of literals to search.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.has_generic_exceptions(java_dest, exclude=None)

Search for generic exceptions in a Java source file or package.

See CWE-396.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.has_if_without_else(java_dest, conditions, use_regex=False, exclude=None)

Check if all ifs have an else clause.

See REQ.161.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • conditions (list) – List of texts between parentheses of the if (condition) statement.

  • use_regex (bool) – Use regular expressions instead of literals to search.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.has_insecure_randoms(java_dest, exclude=None)

Check if code uses insecure random generators.

  • java.util.Random().

  • java.lang.Math.random().

See REQ.224.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.has_log_injection(java_dest, exclude=None)

Search code injection.

Check if the code does not neutralize or incorrectly neutralizes output that is written to logs.

See CWE-117.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.has_switch_without_default(java_dest, exclude=None)

Check if all switches have a default clause.

See REQ.161.

See CWE-478.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.swallows_exceptions(java_dest, exclude=None)

Search for catch blocks that are empty or only have comments.

See REQ.161.

See CWE-391.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.throws_generic_exceptions(java_dest, exclude=None)

Check if the code throws generic exceptions.

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_broken_password_encryption(java_dest, exclude=None)

Check if code use insecure methods to encrypt passwords.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_catch_for_null_pointer_exception(java_dest, exclude=None)

Search for the use of NullPointerException “catch” in a path.

See CWE-395.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_catch_for_runtime_exception(java_dest, exclude=None)

Search for the use of RuntimeException “catch” in a path.

See CWE-544.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_cipher_in_ecb_mode(java_dest, exclude=None)

Check if ECB cipher mode is being used.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_des_algorithm(java_dest, exclude=None)

Check if code uses DES as encryption algorithm.

See REQ.149.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_insecure_aes(java_dest, exclude=None)

Check if code uses an insecure AES mode.

AES should not be used with ECB or CBC/PKCS5Padding.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_insecure_cipher(java_dest, algorithm, exclude=None)

Check if code uses an insecure cipher algorithm.

See REQ.148. See REQ.149.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • algorithm (str) – Insecure algorithm.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_insecure_hash(java_dest, algorithm, exclude=None)

Check if code uses an insecure hashing algorithm.

See REQ.150.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • algorithm (str) – Insecure algorithm.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_insecure_key_pair_length(java_dest, exclude=None)

Check if the code uses an insecure length to generate key pairs.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_insecure_rsa(java_dest, exclude=None)

Check if RSA algorithm uses an insecure padding.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

Returns

  • UNKNOWN on errors.

  • OPEN if an OAEP padding is not used or ECB mode is used.

  • CLOSED otherwise.

fluidasserts.lang.java.uses_insecure_ssl_context(java_dest, exclude=None)

Check if code uses insecure SSL context.

The secure versions are:

  • TLS.

  • DTLS.

  • TLSv1.2.

  • DTLSv1.2.

  • TLSv1.3.

  • DTLSv1.3.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_md5_hash(java_dest, exclude=None)

Check if code uses MD5 as hashing algorithm.

See REQ.150.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_print_stack_trace(java_dest, exclude=None)

Search for printStackTrace calls in a path.

See CWE-209.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_sha1_hash(java_dest, exclude=None)

Check if code uses MD5 as hashing algorithm.

See REQ.150.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_system_exit(java_dest, exclude=None)

Search for System.exit calls in a or package.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result

fluidasserts.lang.java.uses_various_verbs_in_request_mapping(java_dest, exclude=None)

Check if code uses various HTTP verbs in a RequestMapping.

Parameters

  • java_dest (str) – Path to a Java source file or package.

  • exclude (typing.Optional[list]) – Paths that contains any string from this list are ignored.

Return type

fluidasserts.Result