5 new issues in Java

5 new issues in the Java analyzer

We have added 5 new issues in the Java analyzer:

JAVA-A1027 - Audit: Setting bean properties with unsanitized input may be a security risk

This issue is raised when an instance of a JavaBean property is set with a value that may be from external data.

Example

import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.beanutils.BeanUtils;

class UserDataBean { /*...*/ }

void method(HttpServletRequest request) throws Exception {
    // Request parameters are external, attacker-controlled data.
    Map<String, String[]> params = request.getParameterMap();
    UserDataBean bean = new UserDataBean();

    // Every parameter name is treated as a bean property name, so any
    // writable property of the bean can be set from the request.
    BeanUtils.populate(bean, params); // Insecure.
}
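A common fix is to copy only an explicit allow-list of parameters before calling populate(), so properties the form was never meant to set are dropped. The following is an added example written for this changelog, not code from the analyzer or its documentation; the UserDataBean with its displayName and admin properties, the allow-list contents and the bind() method are all assumed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.beanutils.BeanUtils;

public final class SafeBeanPopulation {

    // Hypothetical bean: one property a user form may set, one it must not.
    public static class UserDataBean {
        private String displayName;
        private boolean admin;

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Explicit allow-list of properties the request is permitted to populate.
    private static final Set<String> ALLOWED_PROPERTIES = Set.of("displayName");

    // Keeps only allow-listed parameters; an "admin=true" parameter in the
    // request never reaches BeanUtils.populate().
    static Map<String, String[]> filterParams(Map<String, String[]> params) {
        Map<String, String[]> safe = new HashMap<>();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            if (ALLOWED_PROPERTIES.contains(entry.getKey())) {
                safe.put(entry.getKey(), entry.getValue());
            }
        }
        return safe;
    }

    // Binds request parameters to a fresh bean through the allow-list.
    static UserDataBean bind(HttpServletRequest request) throws Exception {
        UserDataBean bean = new UserDataBean();
        BeanUtils.populate(bean, filterParams(request.getParameterMap()));
        return bean;
    }

    private SafeBeanPopulation() {}
}
```

Filtering on the raw parameter map rather than on the bean keeps the allow-list next to the binding code, where a reviewer can see exactly which properties external input may reach.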

JAVA-A1028 - Audit: Web views should not have access to files

This issue is raised when code uses the setAllowFileAccess() or setAllowContentAccess() methods in Android code with true as the argument.

Example

WebView webView = someView.findViewById(R.id.some_web_view);

// Lets pages loaded in the view read local files via file:// URLs.
webView.getSettings().setAllowFileAccess(true);

// OR: lets them load content:// URIs served by content providers.
webView.getSettings().setAllowContentAccess(true);

JAVA-A1029 - Audit: Enabling JavaScript within a web view is a security risk

This issue is raised when code uses the setJavaScriptEnabled() method in Android code with true as the argument.

Example

WebView webView = someView.findViewById(R.id.some_web_view);
// Only do this if you absolutely need it!
webView.getSettings().setJavaScriptEnabled(true);
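The two WebView audits above (JAVA-A1028 and JAVA-A1029) are easiest to satisfy from one place that applies the restrictive values to every WebView the app creates. The following is an added example for this changelog, not code from the analyzer; the WebViewHardening class, its method names and the needsJavaScript flag are assumed, while the WebSettings methods it calls are the real Android API.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class WebViewHardening {

    private WebViewHardening() {}

    // Applies the safe value for every setting the two audits check.
    // needsJavaScript should be true only for views whose content genuinely requires it.
    public static void harden(WebView webView, boolean needsJavaScript) {
        WebSettings settings = webView.getSettings();

        // JAVA-A1028: pages inside the view get no file:// or content:// access.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        // Closely related flags; deprecated since API 30 but still honoured on older devices.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // JAVA-A1029: JavaScript stays off unless this particular view needs it.
        settings.setJavaScriptEnabled(needsJavaScript);
    }

    // Convenience wrapper for the common case of a view showing static, trusted content.
    public static void hardenStatic(WebView webView) {
        harden(webView, false);
    }
}
```

Calling harden() right after findViewById() and before any loadUrl() means the audit only fires on the single call site that passes true, which is where the justification for enabling JavaScript belongs.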

JAVA-A1030 - Audit: Biometric authentication should always be used with a cryptographic object

This issue is raised when biometric authentication is used without setting a CryptoObject value as well.

Example

biometricLoginButton.setOnClickListener(view -> {
    // Not useful!
    biometricPrompt.authenticate(promptInfo);
});
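Passing a CryptoObject ties the prompt to a Keystore key that requires user authentication, so a successful callback yields a usable Cipher rather than just a boolean. The following is an added example for this changelog, not code from the analyzer; it uses the androidx.biometric API, and the BiometricCrypto class, the key alias and the login() method are assumed for illustration.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class BiometricCrypto {

    private static final String KEY_ALIAS = "example_biometric_key"; // assumed alias

    private BiometricCrypto() {}

    // Generates an AES key the Keystore only releases after the user authenticates.
    static void generateKey() throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        generator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .build());
        generator.generateKey();
    }

    // Initialises a Cipher bound to the key; using it is gated on the prompt succeeding.
    static Cipher initCipher() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher;
    }

    // Shows the prompt with a CryptoObject, so success returns the authorised Cipher.
    public static void login(FragmentActivity activity,
                             BiometricPrompt.PromptInfo promptInfo,
                             byte[] secret) throws Exception {
        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            BiometricPrompt.AuthenticationResult result) {
                        try {
                            // Only this cipher, unlocked by the authentication, can do the work.
                            Cipher cipher = result.getCryptoObject().getCipher();
                            byte[] ciphertext = cipher.doFinal(secret);
                            // ciphertext can now be stored; it is unreadable without the key.
                        } catch (GeneralSecurityException e) {
                            // Treat a failing cipher as a failed login.
                        }
                    }
                });
        prompt.authenticate(promptInfo, new BiometricPrompt.CryptoObject(initCipher()));
    }
}
```

Without the CryptoObject, the success callback is just a signal the app could be coerced into ignoring; with it, the sensitive operation cannot complete unless the Keystore saw a genuine authentication.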

JAVA-S1031 - SecureRandom seeds must not be predictable

This issue is raised when a SecureRandom random number generator instance is created with a predictable seed (such as a constant value, or the current system clock value).

Example

SecureRandom notSoRandom = new SecureRandom();
notSoRandom.setSeed(3L); // This is a very predictable seed!
// This uses the SecureRandom(byte[] seed) constructor:
notSoRandom = new SecureRandom("qwerty".getBytes());
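The following added example (written for this changelog, not taken from the analyzer) shows why the audit matters and what the safe pattern looks like. It assumes the SHA1PRNG algorithm is available, which is the case on standard JDKs; for that algorithm, seeding before the first nextBytes() call makes the output a pure function of the seed, so two instances seeded with the same constant agree byte for byte.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public final class SeedDemo {

    private SeedDemo() {}

    // Demonstrates the hazard: two SHA1PRNG instances given the same constant seed
    // before any output is drawn produce identical "random" bytes.
    static boolean constantSeedIsDeterministic() throws NoSuchAlgorithmException {
        SecureRandom first = SecureRandom.getInstance("SHA1PRNG");
        SecureRandom second = SecureRandom.getInstance("SHA1PRNG");
        first.setSeed(3L);
        second.setSeed(3L);

        byte[] a = new byte[16];
        byte[] b = new byte[16];
        first.nextBytes(a);
        second.nextBytes(b);
        return Arrays.equals(a, b); // true: the generator is fully predictable
    }

    // The safe pattern: let the provider self-seed from the OS entropy source.
    static byte[] randomToken(int length) {
        SecureRandom rng = new SecureRandom();
        byte[] token = new byte[length];
        rng.nextBytes(token);
        return token;
    }

    // If extra seed material is wanted, it must itself be unpredictable;
    // generateSeed() asks the provider's entropy source for it.
    static SecureRandom withExtraEntropy() {
        SecureRandom rng = new SecureRandom();
        rng.setSeed(rng.generateSeed(32));
        return rng;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("constant seed deterministic: " + constantSeedIsDeterministic());
        System.out.println("token bytes: " + Arrays.toString(randomToken(16)));
    }
}
```

The audit flags the constant and clock-based seeds because, as constantSeedIsDeterministic() shows, anyone who can guess the seed can reproduce every value the generator will ever emit; the default no-argument constructor never has that problem.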