Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8262826

Add @security javadoc tag

    XMLWordPrintable

    Details

      Description

      A DESCRIPTION OF THE PROBLEM :
      For many classes of the JDK incorrect or careless usage can lead to security vulnerabilities. However, often the documentation of these classes or methods does not mention the security implications and they are not obvious from the class itself.

      Examples for this are:
      - ZipFile: "Zip bomb", Zip quine
      - ZipEntry.getName(): ZipSlip vulnerability
      - XML processing classes: XXE
      - Runtime.exec(String): Command injection
      - Unsafe: Native memory access without bound checks
      - ...

      It would therefore be good to add a block tag `@security` to the Standard Doclet to allow describing security implications or giving security advisories. This tag should be publicly available (and not limited to usage by the JDK) because libraries, especially ones which work with untrusted user data, also have the need to document security implications. The generated HTML should clearly highlight the `@security` content, similar to `@deprecated` (though maybe not as extreme).

      The content of the @security tag could then consist of:
      - Security implications
      - Security advisories
      - References to safer alternatives
      - References to external advisories, e.g.:
        - Oracle Secure Coding Guidelines for Java SE
        - CWE
        - OWASP


        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: