sast-spotbugs

SAST Scan with SpotBugs + Find Security Bugs (Java)

You are a security engineer running static analysis on Java code using SpotBugs with the Find Security Bugs plugin.

When to use

Use this skill when asked to perform a SAST scan or security review on Java / JVM code.

Prerequisites

- SpotBugs installed with the Find Security Bugs plugin
- Maven: add `spotbugs-maven-plugin` + `findsecbugs-plugin` to `pom.xml`
- Gradle: add the `com.github.spotbugs` plugin + the `findsecbugs-plugin` dependency
- Verify: `spotbugs -version`

Instructions

1. Identify the target — Determine the Java project or compiled classes to scan.
2. Run the scan:

   Maven:

   ```bash
   mvn spotbugs:check -Dspotbugs.plugins=com.h3xstream.findsecbugs:findsecbugs-plugin:LATEST
   mvn spotbugs:spotbugs  # generates XML report
   ```

   Standalone CLI:

   ```bash
   spotbugs -textui -effort:max -low \
     -pluginList findsecbugs-plugin.jar \
     -xml:withMessages -output spotbugs-results.xml \
     ./target/classes
   ```

3. Parse the results — Read the XML output and present findings:

   | # | Priority | Category | Bug Type | Class:Line | Finding | Remediation |
   |---|----------|----------|----------|------------|---------|-------------|

4. Summarize — Provide total bugs by priority, critical security findings first, remediation steps.
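Steps 3 and 4 leave the work of turning the XML report into the findings table to the reader. The script below is an added example, not part of the original skill and not SpotBugs or Find Security Bugs code: it reads a `-xml:withMessages` report, assigns each `BugInstance` to one of the bug-pattern families listed in the categories table by prefix (real Find Security Bugs types usually carry a suffix, such as `SQL_INJECTION_JDBC`), orders security findings first, then by priority, and renders the step-3 table plus the step-4 totals. It assumes the report layout SpotBugs writes (`type`, `priority` and `category` attributes on `BugInstance`, a `ShortMessage` child, a `Class` child with `classname`, and a direct `SourceLine` child marked `primary="true"`); the `SAMPLE_XML` report, the High/Medium/Low names for priorities 1/2/3 and the remediation wording are constructed for the example.

```python
"""Parse a SpotBugs XML report (-xml:withMessages) into the step-3 table and the step-4 summary."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Bug-pattern families from the "Key Find Security Bugs Categories" table. Real Find Security
# Bugs types usually carry a suffix (e.g. SQL_INJECTION_JDBC), so findings are matched by prefix.
SECURITY_RISKS = {
    "SQL_INJECTION": "SQL injection",
    "COMMAND_INJECTION": "OS command injection",
    "XXE_DOCUMENT": "XML External Entity",
    "INSECURE_COOKIE": "Missing Secure/HttpOnly flags",
    "WEAK_MESSAGE_DIGEST": "Insecure hash (MD5/SHA1)",
    "OBJECT_DESERIALIZATION": "Unsafe deserialization",
    "SSRF": "Server-Side Request Forgery",
    "PATH_TRAVERSAL": "Directory traversal",
    "CIPHER_INTEGRITY": "Insecure cipher mode",
    "HARD_CODE_PASSWORD": "Hardcoded credentials",
}
REMEDIATION = {  # assumed wording for the report table, not SpotBugs output
    "SQL_INJECTION": "Use PreparedStatement with bound parameters",
    "COMMAND_INJECTION": "Pass an argument list (no shell) and validate input",
    "XXE_DOCUMENT": "Disable DTDs and external entities on the parser factory",
    "INSECURE_COOKIE": "Set Secure and HttpOnly on the cookie",
    "WEAK_MESSAGE_DIGEST": "Use SHA-256 or stronger",
    "OBJECT_DESERIALIZATION": "Never deserialize untrusted input; use an allow-list ObjectInputFilter",
    "SSRF": "Validate the destination against an allow-list",
    "PATH_TRAVERSAL": "Canonicalize the path and confine it to a base directory",
    "CIPHER_INTEGRITY": "Use an authenticated mode such as AES/GCM",
    "HARD_CODE_PASSWORD": "Load secrets from a vault or environment at runtime",
}
PRIORITY_NAMES = {"1": "High", "2": "Medium", "3": "Low"}  # SpotBugs "priority" attribute

def risk_family(bug_type):
    """Return the security family of a SpotBugs bug type, or None for non-security patterns."""
    return next((f for f in SECURITY_RISKS if bug_type.startswith(f)), None)

def parse_report(xml_text):
    """Build table rows from BugInstance elements: security findings first, then by priority."""
    findings = []
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        bug_type, prio = bug.get("type", ""), bug.get("priority", "3")
        family = risk_family(bug_type)
        # Only direct SourceLine children belong to the finding itself; the primary one is reported.
        lines = bug.findall("SourceLine")
        line = next((sl for sl in lines if sl.get("primary") == "true"), lines[0] if lines else None)
        cls = bug.find("Class")
        findings.append({
            "priority": PRIORITY_NAMES.get(prio, "Unknown"),
            "priority_num": int(prio),
            "category": bug.get("category", ""),
            "bug_type": bug_type,
            "location": f"{cls.get('classname') if cls is not None else '?'}:"
                        f"{line.get('start', '?') if line is not None else '?'}",
            "finding": bug.findtext("ShortMessage") or SECURITY_RISKS.get(family, bug_type),
            "remediation": REMEDIATION.get(family, "Review manually"),
            "security": family is not None,
        })
    findings.sort(key=lambda f: (not f["security"], f["priority_num"]))
    return findings

def summarize(findings):
    """Step 4: total, counts by priority, and how many findings are security patterns."""
    return {"total": len(findings),
            "by_priority": dict(Counter(f["priority"] for f in findings)),
            "security": sum(f["security"] for f in findings)}

def to_markdown(findings):
    rows = ["| # | Priority | Category | Bug Type | Class:Line | Finding | Remediation |",
            "|---|----------|----------|----------|------------|---------|-------------|"]
    for i, f in enumerate(findings, 1):
        rows.append(f"| {i} | {f['priority']} | {f['category']} | {f['bug_type']} | "
                    f"{f['location']} | {f['finding']} | {f['remediation']} |")
    return "\n".join(rows)

# Constructed sample in the shape of a -xml:withMessages report; not real scan output.
SAMPLE_XML = """<BugCollection version="4.8.3">
  <BugInstance type="DM_DEFAULT_ENCODING" priority="3" category="I18N">
    <ShortMessage>Reliance on default encoding</ShortMessage><Class classname="com.example.Util" primary="true"/>
    <SourceLine classname="com.example.Util" start="12" primary="true"/>
  </BugInstance>
  <BugInstance type="WEAK_MESSAGE_DIGEST_MD5" priority="2" category="SECURITY">
    <ShortMessage>MD5 is a weak hash function</ShortMessage><Class classname="com.example.Hasher" primary="true"/>
    <SourceLine classname="com.example.Hasher" start="41" primary="true"/>
  </BugInstance>
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" category="SECURITY">
    <ShortMessage>Potential SQL injection</ShortMessage><Class classname="com.example.UserDao" primary="true"/>
    <SourceLine classname="com.example.UserDao" start="27" primary="true"/>
  </BugInstance>
</BugCollection>"""

if __name__ == "__main__":
    # Usage: python parse_spotbugs.py spotbugs-results.xml  (falls back to the sample report)
    report = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    rows = parse_report(report)
    print(to_markdown(rows), summarize(rows), sep="\n")
```

Run it against the `spotbugs-results.xml` produced by the CLI command in step 2; with no argument it processes the constructed sample and prints a three-row table with the SQL injection finding first. The prefix match is what keeps the family mapping stable across Find Security Bugs releases, and a type that matches no family is still reported, flagged as non-security, so nothing in the report is silently dropped.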

Key Find Security Bugs Categories

| Bug Pattern | Risk |
|-------------|------|
| SQL_INJECTION | SQL injection |
| COMMAND_INJECTION | OS command injection |
| XXE_DOCUMENT | XML External Entity |
| INSECURE_COOKIE | Missing Secure/HttpOnly flags |
| WEAK_MESSAGE_DIGEST | Insecure hash (MD5/SHA1) |
| OBJECT_DESERIALIZATION | Unsafe deserialization |
| SSRF | Server-Side Request Forgery |
| PATH_TRAVERSAL | Directory traversal |
| CIPHER_INTEGRITY | Insecure cipher mode |
| HARD_CODE_PASSWORD | Hardcoded credentials |