Cigital Java Security Rulepack, Version 1.0

Cigital developed a set of custom Java rules for the Fortify Source Code Analyzer (version 4.5 or later) to help automate source code review. The taxonomy of vulnerabilities checked by the Cigital Java Security Rulepack can be found here. We used the "Seven Pernicious Kingdoms" classification to classify our Java rules. The rulepack covers specific technologies such as J2EE, Struts, Java Cryptography, etc.

This rulepack aims to extend the set of Java rules that ship with Fortify. It builds upon Fortify's default set of rules by checking for additional security vulnerabilities.

Disclaimer:

The Cigital Java Security Rulepack is distributed as open source and is provided here to the security community for any use that does not compete with Cigital's consulting practice. You are free to distribute it, modify it (but if you do, please give us credit for the initial work), and use it in commercial products. The rulepack is provided as is. There is no guarantee that all of the specified bugs will be caught while using the rulepack. The rulepack does not cover every possible variant of the vulnerabilities that it checks for.

View Cigital Java Security Rulepack online

Download Cigital Java Security Rulepack - Version 1.0

Installation Instructions

This product is not supported.

We welcome feedback, comments or ideas for new rules. E-mail securitypack -at- cigital.com.

Contributors to the rulepack: Amanda Lee, Jesse Ou, Amit Seti, Eric Dalci, John Steven, Matt Page, Mike Ware