On Wed, 6 May 2009, Brad Andrews wrote:

> Does anyone know of a source of insecure Java snippets? I would like
> to get some for a monthly meeting of leading technical people. My
> idea was to have a "find the bug" like the old C-Lint ads.
CWE has many snippets like this for various languages, but primarily C and Java:

1) Load the CWE full dictionary (CWE-2000): http://cwe.mitre.org/data/definitions/2000.html
2) Click the "Slice" link in the top right
3) Go get lunch while your browser loads (well, it's 10 to 30 seconds, but that's a lunch in Internet time)
4) Search for "Java Example:"
5) Tell c...@mitre.org if you notice any errors or oddities

I stopped counting at 50 snippets.

If you speak XSLT, you can easily construct a query to pull out the Demonstrative_Example elements that look a little like:

  Demonstrative_Example//Example_Body//Block//Code_Example_Language = Java

For a little less data, you can use the CWE Java view (CWE-660): http://cwe.mitre.org/data/definitions/660.html but this doesn't include language-independent issues like XSS and SQL injection.

I'd love to hear from others who have repositories like this.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
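The extraction Steve describes, as an added example that is not part of either message and not MITRE's code: a small Python script that walks a CWE-style XML dictionary and pulls out every code Block whose Code_Example_Language is Java, grouped by CWE ID, the same selection the XPath-like expression in his reply sketches. The element names follow the path quoted in the reply (Demonstrative_Example / Example_Body / Block / Code_Example_Language); the surrounding Weakness_Catalog, Weakness, Weakness_ID, Name, Block_Nature and Text elements and attributes, the absence of an XML namespace, and the sample document itself are constructed assumptions for illustration. Against the real CWE-2000 download you would pass the file contents in place of the sample and, if the dictionary declares a namespace, prefix the tag names accordingly.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a tiny CWE-like dictionary following the element path
# quoted in the reply. It is NOT a copy of the real CWE XML; namespaces and
# most other elements are omitted, and the snippets are illustrative only.
SAMPLE_CWE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Weakness_Catalog>
  <Weaknesses>
    <Weakness Weakness_ID="129" Name="Improper Validation of Array Index">
      <Demonstrative_Examples>
        <Demonstrative_Example>
          <Example_Body>
            <Block Block_Nature="Bad">
              <Code_Example_Language>C</Code_Example_Language>
              <Text>int value = table[index];</Text>
            </Block>
          </Example_Body>
        </Demonstrative_Example>
        <Demonstrative_Example>
          <Example_Body>
            <Block Block_Nature="Bad">
              <Code_Example_Language>Java</Code_Example_Language>
              <Text>int value = table[index];</Text>
            </Block>
            <Block Block_Nature="Good">
              <Code_Example_Language>Java</Code_Example_Language>
              <Text>if (index &gt;= 0 &amp;&amp; index &lt; table.length) { value = table[index]; }</Text>
            </Block>
          </Example_Body>
        </Demonstrative_Example>
      </Demonstrative_Examples>
    </Weakness>
    <Weakness Weakness_ID="89" Name="SQL Injection">
      <Demonstrative_Examples>
        <Demonstrative_Example>
          <Example_Body>
            <Block Block_Nature="Bad">
              <Code_Example_Language>Java</Code_Example_Language>
              <Text>String q = "SELECT * FROM users WHERE name = '" + name + "'";</Text>
            </Block>
          </Example_Body>
        </Demonstrative_Example>
      </Demonstrative_Examples>
    </Weakness>
  </Weaknesses>
</Weakness_Catalog>
"""


def extract_examples(xml_text, language="Java"):
    """Return (weakness_id, name, block_nature, code) for every code Block whose
    Code_Example_Language equals `language`, in document order."""
    root = ET.fromstring(xml_text)
    hits = []
    for weakness in root.iter("Weakness"):
        wid = weakness.get("Weakness_ID")
        name = weakness.get("Name")
        # One Demonstrative_Example may hold several Blocks (e.g. a "Bad" snippet
        # followed by its "Good" fix), so walk every Block beneath each example.
        for example in weakness.iter("Demonstrative_Example"):
            for block in example.iter("Block"):
                lang_el = block.find("Code_Example_Language")
                if lang_el is None or (lang_el.text or "").strip() != language:
                    continue
                text_el = block.find("Text")
                # ElementTree unescapes &gt; &lt; &amp; for us.
                code = (text_el.text or "").strip() if text_el is not None else ""
                hits.append((wid, name, block.get("Block_Nature"), code))
    return hits


def weaknesses_with_examples(xml_text, language="Java"):
    """CWE IDs that have at least one snippet in `language`, each listed once;
    a quick way to size a 'find the bug' pool before reading the snippets."""
    seen = []
    for wid, _, _, _ in extract_examples(xml_text, language):
        if wid not in seen:
            seen.append(wid)
    return seen


if __name__ == "__main__":
    for wid, name, nature, code in extract_examples(SAMPLE_CWE_XML):
        print(f"CWE-{wid} ({name}) [{nature}]: {code}")
    print("CWEs with Java examples:", weaknesses_with_examples(SAMPLE_CWE_XML))
```

For a "find the bug" session, filtering on Block_Nature="Bad" gives the puzzle and the "Good" block from the same Demonstrative_Example gives the answer key; the script keeps both so the meeting organizer can pair them.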