@thomasleplus thomasleplus commented Nov 12, 2025

What kind of change does this PR introduce?

This PR is adding Java support to the probe introduced by #4499. It looks for references to the sun.misc.Unsafe or jdk.internal.misc.Unsafe classes, which can bypass the JVM's memory safety features (garbage collection, checks against out-of-bound read and write, etc.).

Note that the PR includes a Java source code parser generated with ANTLR4 that can be reused to add more Java probes and checks in the future.

What is the current behavior?

The probe looks for unsafe patterns in Go and C# code.

What is the new behavior (if this is a feature change)?

The probe also looks for unsafe patterns in Java code.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Contributes to #3736.

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Added Java support to probe for non-memory safe practices by detecting references to the sun.misc.Unsafe and jdk.internal.misc.Unsafe classes.

@thomasleplus thomasleplus requested a review from a team as a code owner November 12, 2025 19:14
@thomasleplus thomasleplus requested review from AdamKorcz and jeffmendoza and removed request for a team November 12, 2025 19:14
@dosubot dosubot bot added the size:XXL This PR changes 1000+ lines, ignoring generated files. label Nov 12, 2025
Looks for references to the sun.misc.Unsafe or jdk.internal.misc.Unsafe classes, which can bypass the JVM's memory safety features (garbage collection, checks against out-of-bound read and write, etc.).

Signed-off-by: Thomas Leplus <[email protected]>
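
The kind of check the PR description outlines, as an added illustration that is not code from this PR: the PR uses an ANTLR4-generated parser, while this sketch is a simplified regex-based scan that shows why mentions inside comments and string literals must not count as references. The function and variable names and the sample Java source are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Comments and string/char literals; a mention inside them is not a reference.
// Simplification: Java text blocks (""") are not recognised.
var skip = regexp.MustCompile(`(?s)//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'`)

// The two class names from the PR description. The leading group rejects
// longer names that merely end the same way, e.g. com.sun.misc.Unsafe.
var unsafeRef = regexp.MustCompile(`(?:^|[^\w.$])((?:sun|jdk\.internal)\.misc\.Unsafe)\b`)

// Constructed sample input, not taken from the PR.
const sample = `package demo;
import sun.misc.Unsafe; // real reference
// import jdk.internal.misc.Unsafe;
class A {
  String doc = "see sun.misc.Unsafe";
  /* jdk.internal.misc.Unsafe
     sun.misc.Unsafe */
  Object u = jdk.internal.misc.Unsafe.getUnsafe();
}`

// FindUnsafeRefs returns "line:class" for every reference found in code.
func FindUnsafeRefs(src string) (hits []string) {
	keepNewlines := func(r rune) rune {
		if r == '\n' {
			return r
		}
		return ' '
	}
	// Blank out comments and literals but keep newlines so line numbers hold.
	code := skip.ReplaceAllStringFunc(src, func(m string) string {
		return strings.Map(keepNewlines, m)
	})
	for n, line := range strings.Split(code, "\n") {
		for _, m := range unsafeRef.FindAllStringSubmatch(line, -1) {
			hits = append(hits, fmt.Sprintf("%d:%s", n+1, m[1]))
		}
	}
	return hits
}

func main() { fmt.Println(FindUnsafeRefs(sample)) }
```

A regex scan like this still misses references made through a wildcard import or split across whitespace, which is where a real parser earns its place.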