JCSE, vol. 18, no. 4, pp. 214-223, December 2024
DOI: http://dx.doi.org/10.5626/JCSE.2024.18.4.214
Expanding a PMD Ruleset for Mitigating Java Deserialization Vulnerabilities
Jisun Lee, Dongsu Kang Department of Computer Engineering, Korea National Defense University, Nonsan, Republic of Korea
Abstract: CWE-502 (deserialization of untrusted data) vulnerabilities have been reported more than 100 times each year since 2018, and accounted for more than 1% of all documented vulnerabilities in 2021. Domestic research on this topic nevertheless remains scarce. This study applied expanded rules to 4 of the 6 Rules and Recommendations on serialization in the Software Engineering Institute's Computer Emergency Response Team (SEI CERT) Oracle Coding Standard for Java. To mitigate this vulnerability, the PMD ruleset was expanded as a static analysis solution, using the SEI CERT Coding Standard as the reference. The extended ruleset can be applied in combination with the OWASP Top 10 attack scenarios and the OWASP Deserialization Cheat Sheet. This study emphasizes the significance of deserialization vulnerabilities and aims to improve the reliability testing and evaluation of system software written in Java.
Keywords: PMD rule set; Static analysis; Insecure deserialization; CWE-502; Java vulnerability