9.5 KiB
9.5 KiB
| 1 | Fully Qualified Recipe Name | Recipe Name | Description |
|---|---|---|---|
| 2 | io.moderne.cryptography.FindSecurityModifications | Find Security class modifications | Finds invocations of java.security.Security methods that modify security configuration such as removeProvider addProvider insertProviderAt setProperty and removeProperty. |
| 3 | io.moderne.cryptography.FindSecuritySetProperties | Find `Security.setProperty(..)` calls for certain properties | There is a defined set of properties that should not be set using `Security.setProperty(..)` as they can lead to security vulnerabilities. |
| 4 | org.openrewrite.analysis.java.security.FindSecurityVulnerabilities | Find security vulnerabilities using taint analysis | Identifies potential security vulnerabilities where untrusted data from sources flows to sensitive sinks without proper sanitization. |
| 5 | org.openrewrite.analysis.java.security.FindCommandInjection | Find command injection vulnerabilities | Detects when user-controlled input flows into system command execution methods like Runtime.exec() or ProcessBuilder which could allow attackers to execute arbitrary commands. |
| 6 | org.openrewrite.analysis.java.security.FindLdapInjection | Find LDAP injection vulnerabilities | Finds LDAP injection vulnerabilities by tracking tainted data flow from user input to LDAP queries. |
| 7 | org.openrewrite.analysis.java.security.FindPathTraversal | Find path traversal vulnerabilities | Detects potential path traversal vulnerabilities where user input flows to file system operations without proper validation. |
| 8 | org.openrewrite.analysis.java.security.FindSqlInjection | Find SQL injection vulnerabilities | Detects potential SQL injection vulnerabilities where user input flows to SQL execution methods without proper sanitization. |
| 9 | org.openrewrite.analysis.java.security.FindUnencryptedPiiStorage | Find unencrypted PII storage | Identifies when personally identifiable information (PII) is stored in databases files or other persistent storage without encryption. |
| 10 | org.openrewrite.analysis.java.security.FindXssVulnerability | Find XSS vulnerabilities | Detects potential cross-site scripting vulnerabilities where user input flows to output methods without proper sanitization. |
| 11 | org.openrewrite.analysis.java.security.FindXxeVulnerability | Find XXE vulnerabilities | Locates XML parsers that are not configured to prevent XML External Entity (XXE) attacks. |
| 12 | io.moderne.vulncheck.FixVulnCheckVulnerabilities | Use [VulnCheck Exploit Intelligence](https://docs.vulncheck.com/products/exploit-and-vulnerability-intelligence/exploit-intelligence) to fix vulnerabilities | This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest **patch** version. If a minor or major upgrade is required to reach the fixed version this can be controlled using the `maximumUpgradeDelta` option. Vulnerability information comes from VulnCheck Vulnerability Intelligence. The recipe has an option to limit fixes to only those vulnerabilities that have evidence of exploitation at various levels of severity. |
| 13 | org.openrewrite.xml.security.AddOwaspDateBoundSuppressions | Add date bounds to OWASP suppressions | Adds an expiration date to all OWASP suppressions in order to ensure that they are periodically reviewed. For use with the OWASP `dependency-check` tool. More details: https://jeremylong.github.io/DependencyCheck/general/suppression.html. |
| 14 | org.openrewrite.xml.security.IsOwaspSuppressionsFile | Find OWASP vulnerability suppression XML files | These files are used to suppress false positives in OWASP [Dependency Check](https://jeremylong.github.io/DependencyCheck). |
| 15 | org.openrewrite.xml.security.RemoveOwaspSuppressions | Remove out-of-date OWASP suppressions | Remove all OWASP suppressions with a suppression end date in the past as these are no longer valid. For use with the OWASP `dependency-check` tool. More details on OWASP suppression files can be found [here](https://jeremylong.github.io/DependencyCheck/general/suppression.html). |
| 16 | org.openrewrite.xml.security.UpdateOwaspSuppressionDate | Update OWASP suppression date bounds | Updates the expiration date for OWASP suppressions having a matching cve tag. For use with the OWASP `dependency-check` tool. More details: https://jeremylong.github.io/DependencyCheck/general/suppression.html. |
| 17 | org.openrewrite.github.security.InsecureCommandsRecipe | Find insecure commands configuration | Detects when insecure workflow commands are enabled via `ACTIONS_ALLOW_UNSECURE_COMMANDS`. This environment variable enables dangerous workflow commands that can lead to code injection vulnerabilities. Based on [zizmor's insecure-commands audit](https://github.com/woodruffw/zizmor/blob/main/crates/zizmor/src/audit/insecure_commands.rs). |
| 18 | org.openrewrite.github.security.TemplateInjectionRecipe | Find template injection vulnerabilities | Find GitHub Actions workflows vulnerable to template injection attacks. These occur when user-controllable input (like pull request titles issue bodies or commit messages) is used directly in `run` commands or `script` inputs without proper escaping. Attackers can exploit this to execute arbitrary code. Based on [zizmor's `template-injection` audit](https://github.com/woodruffw/zizmor/blob/main/crates/zizmor/src/audit/template_injection.rs). |
| 19 | org.openrewrite.java.security.PartialPathTraversalVulnerability | Partial path traversal vulnerability | Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath()` which is vulnerable to partial path traversal attacks with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`. To demonstrate this vulnerability consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although `/outnot` is not under the `/out` directory. It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object. For example on Linux `println(new File("/var"))` will print `/var` but `println(new File("/var" "/")` will print `/var/`; however `println(new File("/var" "/").getCanonicalPath())` will print `/var`. |
| 20 | org.openrewrite.java.security.marshalling.InsecureJmsDeserialization | Insecure JMS deserialization | JMS `Object` messages depend on Java Serialization for marshalling/unmarshalling of the message payload when `ObjectMessage#getObject` is called. Deserialization of untrusted data can lead to security flaws. |
| 21 | org.openrewrite.java.security.servlet.CookieSetSecure | Insecure cookies | Check for use of insecure cookies. Cookies should be marked as secure. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks. |
| 22 | org.openrewrite.java.security.XmlParserXXEVulnerability | XML parser XXE vulnerability | Avoid exposing dangerous features of the XML parser by updating certain factory settings. |
| 23 | org.openrewrite.java.security.spring.CsrfProtection | Enable CSRF attack prevention | Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site email blog instant message or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated. See the full [OWASP cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html). |
| 24 | org.openrewrite.java.security.OwaspTopTen | Remediate vulnerabilities from the OWASP Top Ten | [OWASP](https://owasp.org) publishes a list of the most impactful common security vulnerabilities. These recipes identify and remediate vulnerabilities from the OWASP Top Ten. |
| 25 | org.openrewrite.java.security.OwaspA01 | Remediate OWASP A01:2021 Broken access control | OWASP [A01:2021](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) describes failures related to broken access control. |
| 26 | org.openrewrite.java.security.OwaspA02 | Remediate OWASP A02:2021 Cryptographic failures | OWASP [A02:2021](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) describes failures related to cryptography (or lack thereof) which often lead to exposure of sensitive data. This recipe seeks to remediate these vulnerabilities. |
| 27 | org.openrewrite.java.security.OwaspA03 | Remediate OWASP A03:2021 Injection | OWASP [A03:2021](https://owasp.org/Top10/A03_2021-Injection/) describes failures related to user-supplied data being used to influence program state to operate outside of its intended bounds. This recipe seeks to remediate these vulnerabilities. |
| 28 | org.openrewrite.java.security.OwaspA05 | Remediate OWASP A05:2021 Security misconfiguration | OWASP [A05:2021](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/) describes failures related to security misconfiguration. |
| 29 | org.openrewrite.java.security.OwaspA06 | Remediate OWASP A06:2021 Vulnerable and outdated components | OWASP [A06:2021](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/) describes failures related to vulnerable and outdated components. |
| 30 | org.openrewrite.java.security.OwaspA08 | Remediate OWASP A08:2021 Software and data integrity failures | OWASP [A08:2021](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/) software and data integrity failures. |
| 31 | org.openrewrite.java.spring.security6.PropagateAuthenticationServiceExceptions | Remove calls matching `AuthenticationEntryPointFailureHandler.setRethrowAuthenticationServiceException(true)` | Remove any calls matching `AuthenticationEntryPointFailureHandler.setRethrowAuthenticationServiceException(true)`. See the corresponding [Sprint Security 6.0 migration step](https://docs.spring.io/spring-security/reference/6.0.0/migration/servlet/authentication.html#_propagate_authenticationserviceexceptions) for details. |