Sensei Cookbook index

This repo contains a list of quality coding pattern cookbooks that you can use with Sensei.

About

Sensei is a free IntelliJ plugin from Secure Code Warrior that helps you create quality coding recipes with Quick Fix transformations to improve your code. Read more about Sensei in the official documentation.

Cookbooks

Cookbooks are indexed from the recipes folder.

Android Security rules - 3 recipe(s) - download .zip

Recipes created from security recommendations in the official Android documentation (https://developer.android.com/)

Overview

AWS SDK cookbook - 5 recipe(s) - download .zip

Examples of best practices that can be easily detected and fixed with Sensei

Overview

Java Bad Practices - 1 recipe(s) - download .zip

Examples of Java bad practices

Overview

Basic security set - external recipe(s)

Cookbook which can be used as a starting point for security

This cookbook contains a set of low-effort recipes that can be used to detect, fix and prevent common, recurring critical- and high-severity vulnerabilities. Enabling this cookbook sets a security baseline. The expected outcome is not to fix issues already present in the codebase, because we expect those flaws to have been found by existing security measures such as peer reviews, penetration tests and SAST tools. The main purpose is to prevent new instances of these issues from being introduced into the codebase, because catching these typical flaws late in development, or even in production, significantly increases the cost and time needed to fix them. Overall, this cookbook gives you the opportunity to improve the state of security by preventing the reappearance of common flaws.

org.yaml.snakeyaml

Protection against code injection

java.sql

Protection against sql injection

java.xml

Protection against XML External Entities/Entity Expansion

Basic Protection Set Recipes List | See Basic Protection Set Recipes at GitHub

Details

Crypto: Cipher: Insecure Asymmetric Cryptographic Algorithm
This cryptographic algorithm is not recommended
Data Protection - Cryptography: Avoid cryptographic weakness: Use strong symmetric cryptographic algorithm
Could lead to cryptographic weakness
Crypto: KeyAgreement: Insecure Cryptographic Algorithm
This cryptographic algorithm is insecure
Crypto: KeyAgreement: Guide on Approved Cryptographic Algorithm
This cryptographic algorithm is not recommended
Crypto: KeyPair Generation: Insecure Cryptographic Algorithm
This cryptographic algorithm is insecure
Crypto: KeyPair Generation: Non Standard Cryptographic Algorithm
This cryptographic algorithm is not recommended
Crypto: KeyPair Generation: Approved Standard Cryptographic Algorithm
This cryptographic algorithm is not recommended
Crypto: Signature: Insecure Hashing Algorithm
This hashing algorithm is not recommended for cryptographic use
Crypto: Signature: Non Standard Hashing Algorithm
This hashing algorithm is not recommended for cryptographic use
Crypto: Signature: Approved Hashing Algorithm
This hashing algorithm is not recommended for cryptographic use
Data Protection - Cryptography: Avoid brute forcing: Use sufficiently long key sizes: keyGenerator
Could lead to brute forcing or other cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use sufficiently long key sizes: keyGenerator bad value
Could lead to brute forcing or other cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate key pair generation algorithm: insecure
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate key pair generation algorithm: not recommended
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: DES family
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Hmac family
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Hmac family 1
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Other algorithms
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: insecure SecretKeyFactory
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: not recommended SecretKeyFactory
This cryptographic algorithm is not recommended
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: other SecretKeyFactory
Could lead to cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use sufficiently long key sizes: keyPairGenerator
Could lead to brute forcing or other cryptographic weakness
Data Protection - Cryptography: Avoid cryptographic weakness: Use sufficiently long key sizes: keyPairGenerator bad value
Could lead to brute forcing or other cryptographic weakness
Data Protection - Secure Data Storage: Avoid data exposure: Use Cipher instead of NullCipher
Could lead to data exposure
Data: Injection: Parameterize LDAP Filters: DirContext#search
Could lead to LDAP Injection
Portability Flaw: Avoid locale dependent comparisons: equals after case conversion
Could behave differently based on the system's locale
TLS: Weak Encryption: Insecure Version
Could lead to Data Exposure
TLS: Weak Encryption: Outdated Version
Could lead to Data Exposure
Injection: Avoid XML Injection: Use setSchema
Could lead to XML Injection
Injection: Avoid XML Injection: Use setFeature
Could lead to XML Injection
Injection: Avoid XML Injection: setFeature with bad value
Could lead to XML Injection
Input Validation: Avoid XXE: Do not set DocumentBuilderFactory external-parameter-entities to true
Could lead to XXE
Input Validation: Avoid XXE: Do not set DocumentBuilderFactory load-external-dtd to true
Could lead to XXE
Input Validation: Avoid XXE: Do not set DocumentBuilderFactory setXIncludeAware to true
Could lead to XXE
Input Validation: Avoid XXE: Do not set DocumentBuilderFactory setExpandEntityReferences to true
Could lead to XXE
InputValidation: Avoid XXE: Do not set XMLInputFactory Property to true
Could lead to XXE
XML External Entities: DocumentBuilderFactory setExpandEntityReferences: to false
Could lead to XXE
XML External Entities: DocumentBuilderFactory setFeature: dissallow-doctype-decl
Could lead to XXE
XML External Entities: DocumentBuilderFactory setFeature: external-parameter-entities should be set first
Could lead to XXE
XML External Entities: DocumentBuilderFactory setFeature: load-external-dtd
Could lead to XXE
XML External Entities: DocumentBuilderFactory setXIncludeAware
Could lead to XXE
XML External Entities: DocumentBuilderFactory setFeature: dissallow-doctype-decl wrong boolean
Could lead to XXE
XML External Entities: XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES
Could lead to XXE
XML External Entities: XMLInputFactory.SUPPORT_DTD
Could lead to XXE
Injection: Avoid SQL Injection: Use Parameterized Queries (PreparedStatement)
Could lead to SQL Injection
Injection: Avoid SQL Injection: Use Parameterized Queries (Statement)
Could lead to SQL Injection
Injection: Avoid Code Injection: Use SafeConstructor: no arguments
Could lead to Remote Code Execution
Injection: Avoid Code Injection: Use SafeConstructor: 1st argument of type Constructor
Could lead to Remote Code Execution
Injection: Avoid Code Injection: Use SafeConstructor: arguments, but no Constructor argument
Could lead to Remote Code Execution
Java OOP Best Practices - 2 recipe(s) - download .zip

Recipes that inform on OOP best practices

Overview

Java Gotchas - 5 recipe(s) - download .zip

Examples of simple Java mistakes that can be easily detected and fixed with Sensei

Overview

Secure Code Warrior Blog Examples - external recipe(s)

Recipes used to support the Secure Code Warrior Blog examples, which provide use-case examples of Sensei, e.g. POJO, JUnit 5, basic SQL Injection fixing, etc. Install: use .git (How?)

Overview

More Details
JUnit: Make @Disabled @Test from SKIPTHIS
Stop naming methods SKIPTHIS, use @Disabled @Test instead
JUnit: in SkipThisTest remove @Disabled and revert to SKIPTHIS
remove @Disabled and revert to SKIPTHIS for demo purposes in the project
Logger: use logger instead of println
use logger instead of println - remember to stop using System.out.println
Logger: add logger
Add logger to class
remember to add disabled description
@Disabled should really have a description explaining why
Junit docs link
Learn about JUnit @Test method
learn about parameterized tests
learn about parameterized tests
Static Classes: create private constructor
create a private constructor for static classes
Test Classes in JUnit 5 do not need to be public
Test Classes in JUnit 5 do not need to be public
JUnit: JUnit 5 test methods do not need to be public
JUnit 5 test methods do not need public visibility
Guice Injected Field Not Public
If the Injected field is not public then the code might not be wired up.
sql injection - use a parameterized query
executing a query with untrusted inputs is vulnerable to SQL Injection
Immutable: use final classes to prevent extension
Make the classes final to prevent people from extending them with mutable subclasses
JUnit: Junit 5 Test classes do not need to be public
Junit 5 Test classes do not need to be public
Immutable: Fields should be final and set in the constructor
Making fields final can highlight mutability issues
Immutable: default constructor should set field values from parameters
avoid default constructor and create a private constructor that sets the field values
Immutable: delete public void setters
void setters can be replaced with use of constructor or static factory methods
Immutable: avoid setters that return values
avoid setter methods that return values
Immutable: avoid void methods
void methods have side effects; return a new object or primitive instead
Spring Boot Cookbook - 10 recipe(s) - download .zip

A cookbook that simplifies Spring Boot development. It aims to automate common routines performed by developers, preventing them from repeating themselves or introducing known issues.

It covers the following modules:

Extras