Secure Coding mailing list archives

Insecure Java Code Snippets


From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 6 May 2009 14:41:32 -0400 (EDT)


On Wed, 6 May 2009, Brad Andrews wrote:

> Does anyone know of a source of insecure Java snippets?  I would like
> to get some for a monthly meeting of leading technical people.  My
> idea was to have a "find the bug" like the old C-Lint ads.

CWE has many snippets like this for various languages, but primarily C and
Java:

1) Load the CWE full dictionary (CWE-2000):

      http://cwe.mitre.org/data/definitions/2000.html

2) Click the "Slice" link in the top right

3) Go get lunch while your browser loads (well it's 10 to 30 seconds but
   that's a lunch in Internet time)

4) Search for "Java Example:"

5) Tell cwe at mitre.org if you notice any errors or oddities

I stopped counting at 50 snippets.

If you speak XSLT, you can easily construct a query to pull out the
Demonstrative_Example elements that look a little like:

   Demonstrative_Example//Example_Body//Block//Code_Example_Language = Java

For a little less data, you can use the CWE Java view (CWE-660):

    http://cwe.mitre.org/data/definitions/660.html

but this doesn't include language-independent issues like XSS and SQL
injection.

I'd love to hear from others who have repositories like this.

- Steve
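An extractor in the spirit of the XSLT query Steve sketches, added here as an illustration and not taken from his post or from CWE; it is written in Python rather than XSLT, uses a constructed sample document in the element layout his query names (Demonstrative_Example / Example_Body / Block / Code_Example_Language), and assumes that layout matches the real export, which may use different tag names.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the element layout the post sketches
# (Demonstrative_Example / Example_Body / Block / Code_Example_Language);
# the real CWE export's tag names may differ, so adjust them if needed.
SAMPLE_CWE_XML = """<Weakness_Catalog>
  <Weakness ID="89" Name="SQL Injection">
    <Demonstrative_Example><Example_Body><Block>
      <Code_Example_Language>Java</Code_Example_Language>
      <Text>String q = "SELECT * FROM users WHERE name='" + name + "'";</Text>
    </Block></Example_Body></Demonstrative_Example>
    <Demonstrative_Example><Example_Body><Block>
      <Code_Example_Language>C</Code_Example_Language>
      <Text>strcpy(buf, input);</Text>
    </Block></Example_Body></Demonstrative_Example>
  </Weakness>
  <Weakness ID="79" Name="Cross-site Scripting">
    <Demonstrative_Example><Example_Body><Block>
      <Code_Example_Language>Java</Code_Example_Language>
      <Text>out.println("Hello " + request.getParameter("name"));</Text>
    </Block></Example_Body></Demonstrative_Example>
  </Weakness>
</Weakness_Catalog>
"""


def snippets_for_language(xml_text, language="Java"):
    """Return (CWE id, weakness name, code) for every demonstrative-example
    Block whose Code_Example_Language matches the requested language."""
    root = ET.fromstring(xml_text)
    found = []
    for weakness in root.iter("Weakness"):
        for block in weakness.iter("Block"):
            lang = block.findtext("Code_Example_Language", default="").strip()
            if lang.lower() == language.lower():
                code = block.findtext("Text", default="").strip()
                found.append((weakness.get("ID"), weakness.get("Name"), code))
    return found


if __name__ == "__main__":
    # Prints the two Java snippets (CWE-89 and CWE-79) from the sample above.
    for cwe_id, name, code in snippets_for_language(SAMPLE_CWE_XML):
        print(f"CWE-{cwe_id} ({name}): {code}")
```

Point it at the full CWE-2000 export instead of the sample and the same loop yields the complete "Java Example:" list without the browser wait.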

