
Java 17 not working #678

Closed
Jeeppler opened this issue Apr 7, 2022 · 5 comments

Comments

@Jeeppler

Jeeppler commented Apr 7, 2022

Environment

FindSecBugs 1.11.0 Cli
GNU/Linux Ubuntu

Problem

Analyzing classes which were compiled with Java 17 will cause an exception:

Exception in thread "main" edu.umd.cs.findbugs.NoClassesFoundToAnalyzeException: No classes found to analyze in /home/user/pds/java17 *JrtfsCodeBase [file=/usr/lib/jvm/java-17-openjdk-amd64/lib/jrt-fs.jar] 
	at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:304)
	at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
	at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
	at edu.umd.cs.findbugs.LaunchAppropriateUI.launch(LaunchAppropriateUI.java:106)
	at edu.umd.cs.findbugs.LaunchAppropriateUI.main(LaunchAppropriateUI.java:198)

Basically, FindSecBugs is unable to analyze classes which are compiled using Java 17.
Compiling the same code with Java 11 works well. The analysis will find the MD5 weakness.

Code

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class MD5 {

	public static void main(String... args) {
		try {
			String password = "Insecure";
			MessageDigest sha1Digest = MessageDigest.getInstance("MD5"); // Weakness: CWE-327
			sha1Digest.update(password.getBytes());
			byte[] hashValue = sha1Digest.digest();

			// Render the digest as hex; printing the byte[] directly would only show an object reference
			StringBuilder hex = new StringBuilder();
			for (byte b : hashValue) {
				hex.append(String.format("%02x", b));
			}
			System.out.println("Password: " + password + "; Digest: " + hex);
		} catch (NoSuchAlgorithmException e) {
			e.printStackTrace();
		}
	}
}
@Jeeppler
Author

Jeeppler commented Apr 7, 2022

@h3xstream was this fixed with #672?

@h3xstream
Member

h3xstream commented Apr 11, 2022

Please test with the latest release: https://github.com/find-sec-bugs/find-sec-bugs/releases/tag/version-1.12.0 (new this week)

No classes found to analyze

"No classes found to analyze" generally means that the target jar is not specified correctly.

Command should look like:
./findsecbugs.sh /usr/lib/jvm/java-17-openjdk-amd64/lib/jrt-fs.jar

Also, make sure your target file is readable.
ls -lsh /usr/lib/jvm/java-17-openjdk-amd64/lib/jrt-fs.jar
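The two checks suggested above (the target path is given explicitly and the file is readable) and the Java 17 versus Java 11 difference from the original report can be combined into one pre-flight script run before `findsecbugs.sh`. This is an added example, not a script from the Find Security Bugs project: it reads only the class-file header (magic `0xCAFEBABE` followed by the minor and major version; major 55 is Java 11, 61 is Java 17) and maps the major version to a JDK release, and the sample files it builds are constructed header-only stubs, not real compiled classes.

```shell
#!/bin/sh
# Pre-flight check for a FindSecBugs target (added example, not part of the
# Find Security Bugs project). It verifies that the target exists and is
# readable, and reports which JDK release compiled each .class file, so an
# analyzer that does not yet support newer bytecode can be spotted up front.

# Map a class-file major version to the JDK release that produces it
# (JVM spec table: 45 = JDK 1.1, 48 = 1.4, 49 = Java 5 ... 55 = 11, 61 = 17).
jdk_release_for_major() {
    major="$1"
    if [ "$major" -lt 45 ]; then
        echo "unknown"
    elif [ "$major" -le 48 ]; then
        echo "1.$((major - 44))"
    else
        echo "$((major - 44))"
    fi
}

# Print the major version of one class file; fail if it is unreadable or the
# magic number is wrong. Bytes 0-3 are 0xCAFEBABE, bytes 6-7 the big-endian major.
class_major_version() {
    file="$1"
    [ -r "$file" ] || { echo "not readable: $file" >&2; return 1; }
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    [ "$magic" = "cafebabe" ] || { echo "not a class file: $file" >&2; return 1; }
    set -- $(od -An -tu1 -j6 -N2 "$file")
    echo $(( $1 * 256 + $2 ))
}

# Check a target (directory, .class or .jar) the way findsecbugs.sh would be given it.
# Paths containing whitespace are not handled by the simple for-loop below.
check_target() {
    target="$1"
    [ -e "$target" ] || { echo "target does not exist: $target" >&2; return 1; }
    [ -r "$target" ] || { echo "target not readable: $target" >&2; return 1; }
    case "$target" in
        *.jar) echo "jar target: $target (readable)"; return 0 ;;
    esac
    count=0
    for f in $(find "$target" -name '*.class' -type f 2>/dev/null); do
        count=$((count + 1))
        major=$(class_major_version "$f") || continue
        printf '%s\tmajor=%s\tJava %s\n' "$f" "$major" "$(jdk_release_for_major "$major")"
    done
    [ "$count" -gt 0 ] || { echo "no .class files under $target (analyzer would report 'No classes found to analyze')" >&2; return 1; }
}

# Constructed sample: two header-only stubs (not real compiled classes), one per JDK.
make_sample_dir() {
    dir=$(mktemp -d)
    printf '\312\376\272\276\000\000\000\075' > "$dir/Java17.class"   # major 61
    printf '\312\376\272\276\000\000\000\067' > "$dir/Java11.class"   # major 55
    echo "$dir"
}

# Usage: ./preflight.sh <target>; with no argument the constructed sample is checked.
if [ "$#" -gt 0 ]; then
    check_target "$1"
else
    sample=$(make_sample_dir)
    check_target "$sample"
    rm -rf "$sample"
fi
```

If the report lists major 61 while the installed analyzer predates Java 17 support, the version mismatch is the thing to fix; if the script itself says the target is missing or unreadable, the path on the `findsecbugs.sh` command line is the problem.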

@Jeeppler
Author

Jeeppler commented Apr 11, 2022

@h3xstream I used the following command to scan my MD5 class from above:

$ ./findsecbugs.sh ~/java17/MD5.class
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.
Exception in thread "main" edu.umd.cs.findbugs.NoClassesFoundToAnalyzeException: No classes found to analyze in /home/user/java17/MD5.class *JrtfsCodeBase [file=/usr/lib/jvm/java-11-openjdk-amd64/lib/jrt-fs.jar] 
	at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:304)
	at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
	at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
	at edu.umd.cs.findbugs.LaunchAppropriateUI.launch(LaunchAppropriateUI.java:106)
	at edu.umd.cs.findbugs.LaunchAppropriateUI.main(LaunchAppropriateUI.java:198)

as a result I got the weird error message about *JrtfsCodeBase [file=/usr/lib/jvm/java-11-openjdk-amd64/lib/jrt-fs.jar]. I did not want to scan /usr/lib/jvm/java-11-openjdk-amd64/lib/jrt-fs.jar.

@Jeeppler
Author

After downloading the newest release, version-1.12.0, I am able to:

  1. Run Find Security Bugs with Java 17
  2. Analyze code which was compiled with JDK 17

findsecbugs-cli-1.12.0$ ./findsecbugs.sh ~/pds/java17/
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue (file:/home/user/Downloads/findsecbugs-cli-1.12.0/lib/spotbugs-4.6.0.jar)
WARNING: Please consider reporting this to the maintainers of edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue
WARNING: System::setSecurityManager will be removed in a future release
H S SECMD5: This API MD5 (MDX) is not a recommended cryptographic hash function  At MD5.java:[line 9]

Problem solved 🥇

@h3xstream
Member

Thanks for the update 👌
