CLI Tutorial
Download
Download the package containing the command-line tool from the latest release.
The content should look like this:
> unzip findsecbugs-cli.zip
> cd findsecbugs-cli
> ls
findsecbugs.bat findsecbugs.sh include.xml lib
Simple example of usage
> findsecbugs.bat -high C:/Java/jenkins/WEB-INF/lib/remoting-2.53.jar
H S CIPINT: The cipher does not provide data integrity At HandshakeCiphers.java:[line 111]
H S CIPINT: The cipher does not provide data integrity At HandshakeCiphers.java:[line 113]
H S CIPINT: The cipher does not provide data integrity At ChannelCiphers.java:[line 89]
H S CIPINT: The cipher does not provide data integrity At ChannelCiphers.java:[line 91]
H S SECOBDES: Object deserialization is used in hudson.remoting.Capability.read(InputStream) At Capability.java:[line 139]
H S SECOBDES: Object deserialization is used in hudson.remoting.Command.readFrom(Channel, ObjectInputStream) At Command.java:[line 92]
H S SECOBDES: Object deserialization is used in hudson.remoting.UserRequest.deserialize(Channel, byte[], ClassLoader) At UserRequest.java:[line 184]
H S SECOBDES: Object deserialization is used in hudson.remoting.RemoteInputStream.readObject(ObjectInputStream) At RemoteInputStream.java:[line 179]
H S SECOBDES: Object deserialization is used in hudson.remoting.ClassLoaderHolder.readObject(ObjectInputStream) At ClassLoaderHolder.java:[line 35]
H S CIPINT: The cipher does not provide data integrity At Launcher.java:[line 289]
H S SECPTI: File(...) reads a file whose location might be specified by user input At CmdLineParser.java:[line 552]
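The text output above has a fixed shape: a confidence letter (H, M or L), a category letter (S for security), the bug pattern code, the message, and the file and line. The following Python script, an added example that is not part of the tutorial or of the Find Security Bugs project, parses that format into records so the findings can be counted per bug pattern and used to gate a build. The sample lines are copied from the output shown above; the gating policy (fail the step on any high-confidence finding) is this example's own assumption.

```python
"""Parse Find Security Bugs text output into records for triage or CI gating.

Added example, not part of the tutorial or the project. Line format taken
from the output shown in the tutorial:
  <confidence> <category> <PATTERN>: <message> At <File>:[line <n>]
The "fail on H" policy in gate() is an assumption of this example.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# One finding per line. The message is matched lazily so that method
# signatures containing parentheses or commas are kept intact.
LINE_RE = re.compile(
    r"^(?P<confidence>[HML])\s+(?P<category>\S)\s+(?P<pattern>[A-Z0-9_]+):\s+"
    r"(?P<message>.*?)\s+At\s+(?P<file>\S+?):\[line\s+(?P<line>\d+)\]\s*$"
)


class Finding(NamedTuple):
    confidence: str   # H, M or L
    category: str     # S = security
    pattern: str      # bug pattern code, e.g. CIPINT
    message: str
    file: str
    line: int


def parse_findings(text: str) -> List[Finding]:
    """Return one Finding per report line; lines that do not match the
    format (progress messages, blank lines) are ignored."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["confidence"], m["category"], m["pattern"],
                                    m["message"], m["file"], int(m["line"])))
    return findings


def count_by_pattern(findings: List[Finding]) -> Dict[str, int]:
    """Number of findings per bug pattern code."""
    return dict(Counter(f.pattern for f in findings))


def gate(findings: List[Finding], fail_on: str = "H") -> int:
    """Exit status for a CI step: 1 if any finding has the given confidence."""
    return 1 if any(f.confidence == fail_on for f in findings) else 0


# Constructed sample: the progress line plus the eleven findings the tutorial
# shows for remoting-2.53.jar.
SAMPLE_OUTPUT = """\
Scanning archives (1 / 1)
H S CIPINT: The cipher does not provide data integrity At HandshakeCiphers.java:[line 111]
H S CIPINT: The cipher does not provide data integrity At HandshakeCiphers.java:[line 113]
H S CIPINT: The cipher does not provide data integrity At ChannelCiphers.java:[line 89]
H S CIPINT: The cipher does not provide data integrity At ChannelCiphers.java:[line 91]
H S SECOBDES: Object deserialization is used in hudson.remoting.Capability.read(InputStream) At Capability.java:[line 139]
H S SECOBDES: Object deserialization is used in hudson.remoting.Command.readFrom(Channel, ObjectInputStream) At Command.java:[line 92]
H S SECOBDES: Object deserialization is used in hudson.remoting.UserRequest.deserialize(Channel, byte[], ClassLoader) At UserRequest.java:[line 184]
H S SECOBDES: Object deserialization is used in hudson.remoting.RemoteInputStream.readObject(ObjectInputStream) At RemoteInputStream.java:[line 179]
H S SECOBDES: Object deserialization is used in hudson.remoting.ClassLoaderHolder.readObject(ObjectInputStream) At ClassLoaderHolder.java:[line 35]
H S CIPINT: The cipher does not provide data integrity At Launcher.java:[line 289]
H S SECPTI: File(...) reads a file whose location might be specified by user input At CmdLineParser.java:[line 552]
"""

if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    for pattern, n in sorted(count_by_pattern(found).items()):
        print(f"{pattern:10} {n}")
    raise SystemExit(gate(found))
```

Pipe the real tool output into the script (or read it from the file given to -output) and use its exit status in the pipeline; -xml[:withMessages] is the better input for anything more elaborate, since the XML carries the same fields without a regular expression.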
HTML report
The following command writes all results to an HTML report.
> findsecbugs.bat -progress -html -output report.htm C:/Java/jenkins/WEB-INF/lib/remoting-2.53.jar
Scanning archives (1 / 1)
2 analysis passes to perform
Pass 1: Analyzing classes (1010 / 1010) - 100% complete
Pass 2: Analyzing classes (349 / 349) - 100% complete
Done with analysis
Scanning multiple jars
On Linux:
> find /some/application/ -name "*.jar" > libs.txt
> cat libs.txt | findsecbugs.sh -xargs -progress -html -output report.htm
Scanning archives (156 / 156)
2 analysis passes to perform
Pass 1: Analyzing classes (16922 / 48118) - 35% complete
On Windows:
> dir "C:\Some\Application" /s /b | findstr /r "\.jar$" > libs.txt
> type libs.txt | findsecbugs.bat -xargs -progress -html -output report.htm
Scanning archives (156 / 156)
2 analysis passes to perform
Pass 1: Analyzing classes (16922 / 48118) - 35% complete
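The Linux and Windows pipelines above do the same two things: build a list of jar paths and feed it to the tool through -xargs, which reads the file list from standard input (one path per line, which is what the find and dir pipelines produce). The following Python script is an added example, not part of the tutorial or of the project, that does the same job portably on either platform and keeps paths containing spaces intact because no shell ever splits them. It assumes the CLI scripts are named findsecbugs.sh and findsecbugs.bat, as in the unzipped package shown at the top of the tutorial.

```python
"""Portable helper for scanning many jars with Find Security Bugs.

Added example, not part of the tutorial or the project. Replaces the
find/dir + findstr pipelines with an os.walk and feeds the jar list to the
CLI via -xargs on standard input, one path per line. Assumes the CLI
scripts are findsecbugs.sh / findsecbugs.bat as in the unzipped package.
"""
import os
import subprocess
import sys
from typing import List


def collect_jars(root: str) -> List[str]:
    """Return every *.jar below root (nested directories included), sorted.

    The extension check is case-insensitive, so a FOO.JAR is not silently
    skipped the way it would be by a case-sensitive find -name pattern."""
    jars = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                jars.append(os.path.join(dirpath, name))
    return sorted(jars)


def build_command(cli_dir: str, report: str, high_only: bool = False) -> List[str]:
    """argv for a -xargs scan that writes an HTML report with progress output."""
    script = "findsecbugs.bat" if os.name == "nt" else "findsecbugs.sh"
    cmd = [os.path.join(cli_dir, script), "-xargs", "-progress",
           "-html", "-output", report]
    if high_only:
        cmd.append("-high")   # same option as in the simple example above
    return cmd


def run_scan(cli_dir: str, jars: List[str], report: str) -> int:
    """Run the scan, passing one jar path per line on stdin; returns the
    tool's exit status, or 1 without running anything when there is no jar."""
    if not jars:
        print("no jars found", file=sys.stderr)
        return 1
    proc = subprocess.run(build_command(cli_dir, report),
                          input="\n".join(jars) + "\n",
                          text=True)
    return proc.returncode


if __name__ == "__main__":
    # usage: python scan_jars.py /some/application path/to/findsecbugs-cli
    app_root = sys.argv[1] if len(sys.argv) > 1 else "/some/application"
    cli = sys.argv[2] if len(sys.argv) > 2 else "findsecbugs-cli"
    sys.exit(run_scan(cli, collect_jars(app_root), "report.htm"))
```

Writing the list to a file first (as libs.txt in the tutorial) and passing it with -analyzeFromFile is an equivalent route; the stdin variant just avoids the temporary file.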
Additional arguments
To see the available options, use the -help argument.
> findsecbugs
No files to be analyzed
Usage: findbugs [general options] -textui [command line options...] [jar/zip/class files, directories...]
General options:
-jvmArgs args Pass args to JVM
-maxHeap size Maximum Java heap size in megabytes (default=768)
-javahome <dir> Specify location of JRE
General FindBugs options:
-project <project> analyze given project
-home <home directory> specify FindBugs home directory
-pluginList <jar1[;jar2...]> specify list of plugin Jar files to load
-effort[:min|less|default|more|max] set analysis effort level
-adjustExperimental lower priority of experimental Bug Patterns
-workHard ensure analysis effort is at least 'default'
-conserveSpace same as -effort:min (for backward compatibility)
-showPlugins show list of available detector plugins
-userPrefs <filename> user preferences file, e.g /path/to/project/.settings/edu.umd.cs.findbugs.core.prefs for Eclipse projects
Output options:
-timestampNow set timestamp of results to be current time
-quiet suppress error messages
-longBugCodes report long bug codes
-progress display progress in terminal window
-release <release name> set the release name of the analyzed application
-experimental report of any confidence level including experimental bug patterns
-low report warnings of any confidence level
-medium report only medium and high confidence warnings [default]
-high report only high confidence warnings
-maxRank <rank> only report issues with a bug rank at least as scary as that provided
-dontCombineWarnings Don't combine warnings that differ only in line number
-sortByClass sort warnings by class
-xml[:withMessages] XML output (optionally with messages)
-xdocs xdoc XML output to use with Apache Maven
-html[:stylesheet] Generate HTML output (default stylesheet is default.xsl)
-emacs Use emacs reporting format
-relaxed Relaxed reporting mode (more false positives!)
-train[:outputDir] Save training data (experimental); output dir defaults to '.'
-useTraining[:inputDir] Use training data (experimental); input dir defaults to '.'
-redoAnalysis <filename> Redo analysis using configureation from previous analysis
-sourceInfo <filename> Specify source info file (line numbers for fields/classes)
-projectName <project name> Descriptive name of project
-reanalyze <filename> redo analysis in provided file
-output <filename> Save output in named file
-nested[:true|false] analyze nested jar/zip archives (default=true)
Output filtering options:
-bugCategories <cat1[,cat2...]> only report bugs in given categories
-onlyAnalyze <classes/packages> only analyze given classes and packages; end with .* to indicate classes in a package, .- to indicate a package prefix
-excludeBugs <baseline bugs> exclude bugs that are also reported in the baseline xml output
-exclude <filter file> exclude bugs matching given filter
-include <filter file> include only bugs matching given filter
-applySuppression Exclude any bugs that match suppression filter loaded from fbp file
Detector (visitor) configuration options:
-visitors <v1[,v2...]> run only named visitors
-omitVisitors <v1[,v2...]> omit named visitors
-chooseVisitors <+v1,-v2,...> selectively enable/disable detectors
-choosePlugins <+p1,-p2,...> selectively enable/disable plugins
-adjustPriority <v1=(raise|lower)[,...]> raise/lower priority of warnings for given visitor(s)
Project configuration options:
-auxclasspath <classpath> set aux classpath for analysis
-auxclasspathFromInput read aux classpath from standard input
-auxclasspathFromFile <filepath> read aux classpaths from a designated file
-sourcepath <source path> set source path for analyzed classes
-exitcode set exit code of process
-noClassOk output empty warning file if no classes are specified
-xargs get list of classfiles/jarfiles from standard input rather than command line
-analyzeFromFile <filepath> get the list of class/jar files from a designated file
-cloud <id> set cloud id
-cloudProperty <key=value> set cloud property
-bugReporters <name,name2,-name3> bug reporter decorators to explicitly enable/disable
-printConfiguration print configuration and exit, without running analysis
-version print version, check for updates and exit, without running analysis
More information
For more information, see the official FindBugs documentation: http://findbugs.sourceforge.net/manual/running.html
Using Find Security Bugs on a large number of jars: http://blog.h3xstream.com/2016/01/deserialization-vulnerability.html
Original article by kirin; if you repost it, please cite the source: https://blog.ytso.com/275659.html