Java Security¶
The java-security pack enforces security rules for Java applications across Spring, Jakarta EE, and servlet stacks, covering injection, unsafe deserialization, cryptographic failures, TLS validation, and framework misconfiguration.
Enable¶
Auto-suggested when Sentrik detects pom.xml, build.gradle, or *.java files in your project.
Rules¶
The pack includes 19 rules:
Injection (5)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| JAVA-SQL-001 | SQL Injection | critical | String concatenation in JDBC statements |
| JAVA-SQL-002 | SQL Injection | critical | Concatenation in Spring Data @Query native queries |
| JAVA-CMD-001 | Command Injection | critical | Concatenated input in Runtime.exec/ProcessBuilder |
| JAVA-JNDI-001 | JNDI Injection | high | Dynamic Context.lookup names (Log4Shell attack class) |
| JAVA-XSS-001 | XSS | high | Request parameters written directly to servlet responses |
Deserialization & XML (3)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| JAVA-DESER-001 | Deserialization | high | Native ObjectInputStream on untrusted data |
| JAVA-DESER-002 | Deserialization | high | Jackson polymorphic default typing enabled |
| JAVA-XXE-001 | XXE | medium | XML parser factories without XXE hardening |
Cryptography (4)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| JAVA-CRYPTO-001 | Hashing | high | MD5/SHA-1 via MessageDigest.getInstance |
| JAVA-CRYPTO-002 | Encryption | high | ECB cipher mode |
| JAVA-CRYPTO-003 | Encryption | high | DES/3DES/RC4/Blowfish ciphers |
| JAVA-CRYPTO-004 | Randomness | medium | java.util.Random for tokens/salts/secrets |
TLS validation (2)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| JAVA-TLS-001 | Certificate Validation | critical | Empty checkServerTrusted/checkClientTrusted (trust-all) |
| JAVA-TLS-002 | Hostname Verification | critical | Allow-all hostname verifiers |
Secrets, paths, and Spring configuration (5)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| JAVA-SECRET-001 | Secrets | medium | Hardcoded passwords/API keys in source |
| JAVA-PATH-001 | Path Traversal | high | File paths built from request data |
| JAVA-SPRING-001 | CSRF | high | csrf().disable() in Spring Security config |
| JAVA-SPRING-002 | Actuator | high | All actuator endpoints exposed (exposure.include=*) |
| JAVA-SPRING-003 | Authentication | medium | anyRequest().permitAll() |
Framework mapping¶
Rules carry OWASP Top 10 tags (owasp-a01 through owasp-a08) so findings roll up into OWASP compliance reports alongside the owasp-top-10 pack.
Tier¶
Team tier and above. See pricing.