Skip to content

Java Security

The java-security pack enforces security rules for Java applications across Spring, Jakarta EE, and servlet stacks, covering injection, unsafe deserialization, cryptographic failures, TLS validation, and framework misconfiguration.

Enable

sentrik add-pack java-security

Auto-suggested when Sentrik detects pom.xml, build.gradle, or *.java files in your project.

Rules

The pack includes 19 rules:

Injection (5)

ID Category Severity Description
JAVA-SQL-001 SQL Injection critical String concatenation in JDBC statements
JAVA-SQL-002 SQL Injection critical Concatenation in Spring Data @Query native queries
JAVA-CMD-001 Command Injection critical Concatenated input in Runtime.exec/ProcessBuilder
JAVA-JNDI-001 JNDI Injection high Dynamic Context.lookup names (Log4Shell attack class)
JAVA-XSS-001 XSS high Request parameters written directly to servlet responses

Deserialization & XML (3)

ID Category Severity Description
JAVA-DESER-001 Deserialization high Native ObjectInputStream on untrusted data
JAVA-DESER-002 Deserialization high Jackson polymorphic default typing enabled
JAVA-XXE-001 XXE medium XML parser factories without XXE hardening

Cryptography (4)

ID Category Severity Description
JAVA-CRYPTO-001 Hashing high MD5/SHA-1 via MessageDigest.getInstance
JAVA-CRYPTO-002 Encryption high ECB cipher mode
JAVA-CRYPTO-003 Encryption high DES/3DES/RC4/Blowfish ciphers
JAVA-CRYPTO-004 Randomness medium java.util.Random for tokens/salts/secrets

TLS validation (2)

ID Category Severity Description
JAVA-TLS-001 Certificate Validation critical Empty checkServerTrusted/checkClientTrusted (trust-all)
JAVA-TLS-002 Hostname Verification critical Allow-all hostname verifiers

Secrets, paths, and Spring configuration (5)

ID Category Severity Description
JAVA-SECRET-001 Secrets medium Hardcoded passwords/API keys in source
JAVA-PATH-001 Path Traversal high File paths built from request data
JAVA-SPRING-001 CSRF high csrf().disable() in Spring Security config
JAVA-SPRING-002 Actuator high All actuator endpoints exposed (exposure.include=*)
JAVA-SPRING-003 Authentication medium anyRequest().permitAll()

Framework mapping

Rules carry OWASP Top 10 tags (owasp-a01 through owasp-a08) so findings roll up into OWASP compliance reports alongside the owasp-top-10 pack.

Tier

Team tier and above. See pricing.