Initial commit

Zhongwei Li
2025-11-30 08:45:33 +08:00
commit 480d09eec9
27 changed files with 8336 additions and 0 deletions

@@ -0,0 +1,31 @@
Fully Qualified Recipe Name,Recipe Name,Description
io.moderne.cryptography.FindSecurityModifications,Find Security class modifications,Finds invocations of java.security.Security methods that modify security configuration such as removeProvider addProvider insertProviderAt setProperty and removeProperty.
io.moderne.cryptography.FindSecuritySetProperties,Find `Security.setProperty(..)` calls for certain properties,There is a defined set of properties that should not be set using `Security.setProperty(..)` as they can lead to security vulnerabilities.
org.openrewrite.analysis.java.security.FindSecurityVulnerabilities,Find security vulnerabilities using taint analysis,Identifies potential security vulnerabilities where untrusted data from sources flows to sensitive sinks without proper sanitization.
org.openrewrite.analysis.java.security.FindCommandInjection,Find command injection vulnerabilities,Detects when user-controlled input flows into system command execution methods like Runtime.exec() or ProcessBuilder which could allow attackers to execute arbitrary commands.
org.openrewrite.analysis.java.security.FindLdapInjection,Find LDAP injection vulnerabilities,Finds LDAP injection vulnerabilities by tracking tainted data flow from user input to LDAP queries.
org.openrewrite.analysis.java.security.FindPathTraversal,Find path traversal vulnerabilities,Detects potential path traversal vulnerabilities where user input flows to file system operations without proper validation.
org.openrewrite.analysis.java.security.FindSqlInjection,Find SQL injection vulnerabilities,Detects potential SQL injection vulnerabilities where user input flows to SQL execution methods without proper sanitization.
org.openrewrite.analysis.java.security.FindUnencryptedPiiStorage,Find unencrypted PII storage,Identifies when personally identifiable information (PII) is stored in databases files or other persistent storage without encryption.
org.openrewrite.analysis.java.security.FindXssVulnerability,Find XSS vulnerabilities,Detects potential cross-site scripting vulnerabilities where user input flows to output methods without proper sanitization.
org.openrewrite.analysis.java.security.FindXxeVulnerability,Find XXE vulnerabilities,Locates XML parsers that are not configured to prevent XML External Entity (XXE) attacks.
io.moderne.vulncheck.FixVulnCheckVulnerabilities,Use [VulnCheck Exploit Intelligence](https://docs.vulncheck.com/products/exploit-and-vulnerability-intelligence/exploit-intelligence) to fix vulnerabilities,This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest **patch** version. If a minor or major upgrade is required to reach the fixed version this can be controlled using the `maximumUpgradeDelta` option. Vulnerability information comes from VulnCheck Vulnerability Intelligence. The recipe has an option to limit fixes to only those vulnerabilities that have evidence of exploitation at various levels of severity.
org.openrewrite.xml.security.AddOwaspDateBoundSuppressions,Add date bounds to OWASP suppressions,Adds an expiration date to all OWASP suppressions in order to ensure that they are periodically reviewed. For use with the OWASP `dependency-check` tool. More details: https://jeremylong.github.io/DependencyCheck/general/suppression.html.
org.openrewrite.xml.security.IsOwaspSuppressionsFile,Find OWASP vulnerability suppression XML files,These files are used to suppress false positives in OWASP [Dependency Check](https://jeremylong.github.io/DependencyCheck).
org.openrewrite.xml.security.RemoveOwaspSuppressions,Remove out-of-date OWASP suppressions,Remove all OWASP suppressions with a suppression end date in the past as these are no longer valid. For use with the OWASP `dependency-check` tool. More details on OWASP suppression files can be found [here](https://jeremylong.github.io/DependencyCheck/general/suppression.html).
org.openrewrite.xml.security.UpdateOwaspSuppressionDate,Update OWASP suppression date bounds,Updates the expiration date for OWASP suppressions having a matching cve tag. For use with the OWASP `dependency-check` tool. More details: https://jeremylong.github.io/DependencyCheck/general/suppression.html.
org.openrewrite.github.security.InsecureCommandsRecipe,Find insecure commands configuration,Detects when insecure workflow commands are enabled via `ACTIONS_ALLOW_UNSECURE_COMMANDS`. This environment variable enables dangerous workflow commands that can lead to code injection vulnerabilities. Based on [zizmor's insecure-commands audit](https://github.com/woodruffw/zizmor/blob/main/crates/zizmor/src/audit/insecure_commands.rs).
org.openrewrite.github.security.TemplateInjectionRecipe,Find template injection vulnerabilities,Find GitHub Actions workflows vulnerable to template injection attacks. These occur when user-controllable input (like pull request titles issue bodies or commit messages) is used directly in `run` commands or `script` inputs without proper escaping. Attackers can exploit this to execute arbitrary code. Based on [zizmor's `template-injection` audit](https://github.com/woodruffw/zizmor/blob/main/crates/zizmor/src/audit/template_injection.rs).
org.openrewrite.java.security.PartialPathTraversalVulnerability,Partial path traversal vulnerability,"Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath()` which is vulnerable to partial path traversal attacks with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`. To demonstrate this vulnerability consider `""/usr/outnot"".startsWith(""/usr/out"")`. The check is bypassed although `/outnot` is not under the `/out` directory. It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object. For example on Linux `println(new File(""/var""))` will print `/var` but `println(new File(""/var"" ""/"")` will print `/var/`; however `println(new File(""/var"" ""/"").getCanonicalPath())` will print `/var`."
org.openrewrite.java.security.marshalling.InsecureJmsDeserialization,Insecure JMS deserialization,JMS `Object` messages depend on Java Serialization for marshalling/unmarshalling of the message payload when `ObjectMessage#getObject` is called. Deserialization of untrusted data can lead to security flaws.
org.openrewrite.java.security.servlet.CookieSetSecure,Insecure cookies,Check for use of insecure cookies. Cookies should be marked as secure. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
org.openrewrite.java.security.XmlParserXXEVulnerability,XML parser XXE vulnerability,Avoid exposing dangerous features of the XML parser by updating certain factory settings.
org.openrewrite.java.security.spring.CsrfProtection,Enable CSRF attack prevention,Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site email blog instant message or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated. See the full [OWASP cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).
org.openrewrite.java.security.OwaspTopTen,Remediate vulnerabilities from the OWASP Top Ten,[OWASP](https://owasp.org) publishes a list of the most impactful common security vulnerabilities. These recipes identify and remediate vulnerabilities from the OWASP Top Ten.
org.openrewrite.java.security.OwaspA01,Remediate OWASP A01:2021 Broken access control,OWASP [A01:2021](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) describes failures related to broken access control.
org.openrewrite.java.security.OwaspA02,Remediate OWASP A02:2021 Cryptographic failures,OWASP [A02:2021](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) describes failures related to cryptography (or lack thereof) which often lead to exposure of sensitive data. This recipe seeks to remediate these vulnerabilities.
org.openrewrite.java.security.OwaspA03,Remediate OWASP A03:2021 Injection,OWASP [A03:2021](https://owasp.org/Top10/A03_2021-Injection/) describes failures related to user-supplied data being used to influence program state to operate outside of its intended bounds. This recipe seeks to remediate these vulnerabilities.
org.openrewrite.java.security.OwaspA05,Remediate OWASP A05:2021 Security misconfiguration,OWASP [A05:2021](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/) describes failures related to security misconfiguration.
org.openrewrite.java.security.OwaspA06,Remediate OWASP A06:2021 Vulnerable and outdated components,OWASP [A06:2021](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/) describes failures related to vulnerable and outdated components.
org.openrewrite.java.security.OwaspA08,Remediate OWASP A08:2021 Software and data integrity failures,OWASP [A08:2021](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/) software and data integrity failures.
org.openrewrite.java.spring.security6.PropagateAuthenticationServiceExceptions,Remove calls matching `AuthenticationEntryPointFailureHandler.setRethrowAuthenticationServiceException(true)`,Remove any calls matching `AuthenticationEntryPointFailureHandler.setRethrowAuthenticationServiceException(true)`. See the corresponding [Sprint Security 6.0 migration step](https://docs.spring.io/spring-security/reference/6.0.0/migration/servlet/authentication.html#_propagate_authenticationserviceexceptions) for details.
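Review bot: the description for `org.openrewrite.java.security.servlet.CookieSetSecure` (row 21) is technically wrong: the `Secure` cookie attribute restricts the cookie to HTTPS so it cannot be read or replayed by a network attacker on a cleartext connection; it does nothing against cross-site scripting, which is what the `HttpOnly` attribute is aimed at. Suggest "This ensures that the cookie is sent only over HTTPS so it cannot be intercepted on an unencrypted connection." Two smaller points in the same hunk: commas appear to have been stripped from the unquoted Description column, which turns row 2's method list into "removeProvider addProvider insertProviderAt setProperty and removeProperty" and leaves row 19 with `new File("/var" "/")`, which is not valid Java; quoting the Description field the way row 19 already is would keep the original punctuation. Row 30 (`OwaspA08`) is a sentence fragment ("OWASP [A08:2021](...) software and data integrity failures.") and should read "describes failures related to software and data integrity" like rows 25 through 29, and row 31 has "Sprint Security" for "Spring Security".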