JEE Rules - 2.1


Compatibility: v2 v3 Express
ID: com.castsoftware.jeerules

Description

This extension provides additional rules for JEE technology and related frameworks supported by com.castsoftware.jee. These rules are compliant with the CWE and OWASP Top 10 security standards, and they are in addition to the other rules provided for JEE.

Isofunctionality

Compared to versions 1.x, support for the following two rules has been dropped in version 2.1:

  • 1039016 “Avoid Unvalidated URL Redirect”
  • 1039058 “Avoid generating key with insufficient random generator in cookies”

If you wish to continue monitoring such vulnerabilities in your code, please consider using the extension com.castsoftware.securityanalyzer, which contains the following rules:

  • 8446 “Avoid URL redirection to untrusted site”
  • 8242 “Avoid using insufficient random values for cookies”

Transactions

Transaction support is derived from metamodel concepts used to build CAST Imaging Blueprint and structural transaction flows. Entry Points start transactions; Exit Points include both output/boundary concepts and Data Entities manipulated by transactions.

Role Support Breakdown
Entry Point No direct concept type details
Exit Point No direct concept type details

Data version: 2.1.6-funcrel

ISO 5055 Structural Rules

Quality support is based on ISO 5055 structural rules available for the selected extension version. Counts are grouped by ISO 5055 characteristic.

Reliability Maintainability Security Performance Efficiency

Data version: 2.1.6-funcrel

The following rules are provided in the extension:

Download and installation instructions

The extension will be automatically downloaded and installed for you when delivering JEE source code:

Packaging, delivering and analyzing your source code

Once the extension is downloaded and installed, there is nothing specific to do: ensure your code is analyzed with com.castsoftware.jee and the rules will be triggered.