OWASP Find Security Bugs Files

This release includes a lot of small fixes. See the auto-generated for the complete changes. From those, here are two notable improvements:

• Supports for JDK 17
• Important fixes regarding signatures' files (Bug with generic )

In late 2021, the library log4j version 2 was vulnerable to JDNI/LDAP "injection". The Log4j2 project has been using FSB (at least once). I later found out that we had a small signature issue that could have warned of the Context.lookup() method risks. [#670] for more info.

What's Changed

• Version changes by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/615
• Add support for Vert.x web Oauth2 + CSRF handlers by @pmlopes in https://github.com/find-sec-bugs/find-sec-bugs/pull/621
• Add new detector for MODIFICATION_AFTER_VALIDATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/635
• Add new detector for NORMALIZATION_AFTER_VALIDATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/633
• Fix solution for XXE with TransformerFactory by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/641
• Quick fix for NormalizationAfterValidation by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/643
• Remove verbose logging from test case by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/644
• Add Paths.get(Uri) as source for Path traversal by @deepsan in https://github.com/find-sec-bugs/find-sec-bugs/pull/645
• New detector FindDangerousPermissionCombination for new bug type DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/652
• Fix the examples in the documentation of DANGEROUS_PERMISSION_COMBINATION by @baloghadamsoftware in https://github.com/find-sec-bugs/find-sec-bugs/pull/654
• Fallback when classNameLength is too long [#651] by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/653
• Update data in script generator by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/658
• Update test dependencies by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/659
• ReDOS detection for the Pattern annotation [#426] by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/660
• Fix unescape tag [#661] by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/662
• Correctly parse method signatures with generic types by @scottsteen in https://github.com/find-sec-bugs/find-sec-bugs/pull/669
• Fixing LDAP/JNDI sink method signature by @h3xstream in https://github.com/find-sec-bugs/find-sec-bugs/pull/670
• updated links to plugins on website by @winne42 in https://github.com/find-sec-bugs/find-sec-bugs/pull/671
• Add JDK17 support by @jlstephens89 in https://github.com/find-sec-bugs/find-sec-bugs/pull/672

New Contributors

• @baloghadamsoftware made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/635
• @deepsan made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/645
• @scottsteen made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/669
• @winne42 made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/671
• @jlstephens89 made their first contribution in https://github.com/find-sec-bugs/find-sec-bugs/pull/672

Full Changelog: https://github.com/find-sec-bugs/find-sec-bugs/compare/version-1.11.0...version-1.12.0

>md5sum findsecbugs-cli-1.12.0.zip
3b27a4374ac89146574a6318cfc53529 *findsecbugs-cli-1.12.0.zip

>sha1sum findsecbugs-cli-1.12.0.zip
cc382af0fae095afa7d41eb14d105fb909d8bc5b *findsecbugs-cli-1.12.0.zip