Spotbugs+FindBugs for assisted vulnerability hunting
date: Feb 9, 2022
slug: spotbugs-findbugs-dig-bugs
status: Published
tags: Java security, Security research
summary: Notes from my first time using this tool
type: Post
How do you use it? Li Ge said there is no need to use the plugin inside IDEA; just launch the binary in the bin directory directly.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fc989f116-417d-470c-9b29-7654e3ef273a%2FUntitled.png%3Fid%3Dae950a28-1f45-40a0-b39f-7333998b3346%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722146400000%26signature%3DQDgKgltRH9LYccm_6yhr4Nx9NAn88uj4gu0zSmq_ZwQ?table=block&id=ae950a28-1f45-40a0-b39f-7333998b3346&cache=v2)
Create a new analysis project (any name will do), then add the relevant jar files to the box for the files to be analyzed.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Ff014bf70-c586-4329-be96-f15d71949f9e%2FUntitled.png%3Fid%3D14a66b55-0d95-4727-b0b5-eb40071991e3%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722146400000%26signature%3DvdAxTrjPr5-cMh1Y7uPMNUCtrFiNLjYdBvJx-nPRVgQ?table=block&id=14a66b55-0d95-4727-b0b5-eb40071991e3&cache=v2)
Once the analysis finishes, the lower-left corner lists the points where vulnerabilities may exist, along with the file locations, including the source and sink points. During analysis a series of errors may pop up saying that a package cannot be found; clicking OK still lets the analysis continue.
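As an added example (not code from the original post), the following Java class shows what such a reported source-to-sink path looks like and how the fixed version differs. It assumes the servlet API and JDBC are on the classpath; the class and method names are invented for illustration.

```java
// Added example, not from the original post: a handler that FindSecBugs reports as
// SQL_INJECTION_JDBC (source: request parameter, sink: Statement.executeQuery),
// next to a hardened version that binds the value as a query parameter.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;

public class UserLookup { // hypothetical class name
    private final Connection conn;

    public UserLookup(Connection conn) {
        this.conn = conn;
    }

    // Vulnerable: the "name" parameter (taint source) is concatenated into the query
    // text and reaches Statement.executeQuery (taint sink). This call site is what
    // the analyzer lists as the vulnerable point, with the source and sink locations.
    public ResultSet findVulnerable(HttpServletRequest req) throws SQLException {
        String name = req.getParameter("name");
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id, name FROM users WHERE name = '" + name + "'");
    }

    // Hardened: the SQL text is a constant and the user value is bound with setString,
    // so the tainted value never becomes part of the query text and no finding is reported.
    public ResultSet findSafe(HttpServletRequest req) throws SQLException {
        String name = req.getParameter("name");
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
```

When reviewing a finding like this, the sink line is where the report points you, but the fix belongs at the query construction: replacing concatenation with a bound parameter removes the path from source to sink rather than merely suppressing the warning.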
Later I upgraded IDEA and was finally able to use the plugin, which is very handy, but it only works when the source code is available. It also seems that every newly opened project needs the settings below configured again.
Then the plugin needs to be configured; find the global settings.
Download the plugin from the official site and import it into IDEA; here you can choose to import the jar from disk or install it online.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fc8f1285f-3b79-45ba-b7e0-de70b9093d3b%2FUntitled.png%3Fid%3D0c143e84-5495-45a6-a41e-56ec64851c32%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722146400000%26signature%3Dnr3KMZ4-FkT9VJQS9ilITwCbJBKroVRZZK8p0XbAbRI?table=block&id=0c143e84-5495-45a6-a41e-56ec64851c32&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F7e388134-004b-48ec-a44e-cf7051606a28%2FUntitled.png%3Fid%3Dddf966f5-99c1-4c9d-b7af-54412b55ac40%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722146400000%26signature%3D1-qBkD9A3MOB_sGT0kUFomfJRvixo4EFoKKFVkqHG2M?table=block&id=ddf966f5-99c1-4c9d-b7af-54412b55ac40&cache=v2)
Installing online seems to look like this; just click this option.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F18cab88a-e2aa-480e-bdc8-b741ae8ef332%2FUntitled.png%3Fid%3D2302019e-8a83-4c14-9d44-7fc91d698d1c%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722146400000%26signature%3DoK96YGFSw6FmHixQtRi0-Am5ad8LNSnxROvto020854?table=block&id=2302019e-8a83-4c14-9d44-7fc91d698d1c&cache=v2)
Then select a module or file, right-click, and choose "analyse".
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fbf952be2-983c-4dc1-a717-6bd1cf2d7879%2FUntitled.png%3Fid%3D6cf37a36-6fe1-4cde-a3e5-9f0d9661c04f%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722146400000%26signature%3DC4MdkVAqw65HDsD5uZSrIfdJWCc7kYhQCruOaNObM5Q?table=block&id=6cf37a36-6fe1-4cde-a3e5-9f0d9661c04f&cache=v2)
In the report settings you can choose which categories to report:
For vulnerability hunting we generally select only the security-related categories; too many results get in the way of analysis.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F683671f7-941b-4674-a4f4-f0d3ffe10d44%2FUntitled.png%3Fid%3D8193a1c3-0b06-4172-84f6-0130122b22f5%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722146400000%26signature%3DC7twRCwtY-d5-IQbzbDEJVcylJbdNcRVQejen0Raw3U?table=block&id=8193a1c3-0b06-4172-84f6-0130122b22f5&cache=v2)