Tags: java, jaxb, code-generation

jaxb: how to influence malicious code generation


Using SAST tools for static code analysis, we're getting security findings in JAXB-generated code, claiming "Passing mutable objects to an untrusted method" (CWE-374) in getter and setter methods. The suggestion is to clone the objects before passing their references to the caller.

But how can we handle issues like that in generated code? Is there an option in jaxb?


Solution

  • I don't know of a customization option that would affect that particular code generation.

    There are two options that I know work well:

    1. Implement a JAXB plugin. The plugin could either modify the standard generated code before it is emitted, or alternatively generate additional code to implement the desired functionality. There are lots of examples of JAXB plugins that could get you started, but the details are beyond the scope of a single question here on StackOverflow.
    2. Post-process the generated code, for example with the maven replacer plugin. This can be quick and easy if you can write a regular expression that hits the code you want to rewrite across your generated classes.

    We currently utilize both of these approaches to manage our generated code.

    Another possibility that we have not implemented would be to add an annotation to the methods you are interested in tweaking (which can be done with existing open source JAXB plugins) and use other technologies to affect the code/execution (e.g., annotation processor, AOP tool).
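The following is an added example of the first approach (an XJC plugin), written for this page; it is not code from the question, the answer, or the JAXB project. It assumes the JAXB RI plugin API (`com.sun.tools.xjc.Plugin`) and CodeModel (`com.sun.codemodel`) on the classpath; the package name and the `-Xdefensive-copy` option name are made up for the example. It targets exactly the CWE-374 pattern the SAST tool flags: generated getters that return, and setters that store, a shared reference to a mutable value. Properties that JAXB maps to `byte[]` (xs:base64Binary, xs:hexBinary) or to `XMLGregorianCalendar` (date/time types) get their getter and setter replaced with null-safe copying versions. Collection properties are deliberately skipped, because JAXB's `List` getters return the live list by contract (there is no setter), and cloning them would silently break unmarshalling and every caller that adds through the getter.

```java
package com.example.xjc; // hypothetical package, not part of the question or answer

import org.xml.sax.ErrorHandler;

import com.sun.codemodel.JCodeModel;
import com.sun.codemodel.JDefinedClass;
import com.sun.codemodel.JExpr;
import com.sun.codemodel.JExpression;
import com.sun.codemodel.JFieldRef;
import com.sun.codemodel.JFieldVar;
import com.sun.codemodel.JMethod;
import com.sun.codemodel.JMod;
import com.sun.codemodel.JOp;
import com.sun.codemodel.JType;
import com.sun.codemodel.JVar;
import com.sun.tools.xjc.Options;
import com.sun.tools.xjc.Plugin;
import com.sun.tools.xjc.outline.ClassOutline;
import com.sun.tools.xjc.outline.FieldOutline;
import com.sun.tools.xjc.outline.Outline;

/**
 * XJC plugin that rewrites the generated getter/setter pair of every array-typed
 * or XMLGregorianCalendar-typed property so that a copy is handed out and stored
 * instead of the shared reference (the CWE-374 finding). List properties are left
 * untouched: JAXB's collection getters return the live list by contract.
 */
public class DefensiveCopyPlugin extends Plugin {

    private static final String CALENDAR = "javax.xml.datatype.XMLGregorianCalendar";

    @Override
    public String getOptionName() {
        return "Xdefensive-copy"; // enabled with: xjc -Xdefensive-copy ...
    }

    @Override
    public String getUsage() {
        return "  -Xdefensive-copy : copy mutable values in generated getters/setters";
    }

    @Override
    public boolean run(Outline outline, Options opt, ErrorHandler errorHandler) {
        JCodeModel cm = outline.getCodeModel();
        for (ClassOutline co : outline.getClasses()) {
            JDefinedClass impl = co.implClass;
            for (FieldOutline fo : co.getDeclaredFields()) {
                JType type = fo.getRawType();
                if (!isMutable(type)) {
                    continue; // immutable (String, BigInteger, ...) or a List: leave as generated
                }
                String prop = fo.getPropertyInfo().getName(true);  // e.g. "Payload"
                JFieldVar field = impl.fields().get(fo.getPropertyInfo().getName(false));
                if (field == null) {
                    continue; // field name differs from the property name (e.g. reserved word)
                }
                rewriteGetter(impl, type, "get" + prop, field);
                rewriteSetter(impl, cm, type, "set" + prop, field);
            }
        }
        return true;
    }

    /** Arrays (xs:base64Binary maps to byte[]) and XMLGregorianCalendar are mutable. */
    static boolean isMutable(JType type) {
        return type.isArray() || CALENDAR.equals(type.fullName());
    }

    /** Emits "(x == null) ? null : x.clone()", casting for the calendar whose clone() returns Object. */
    private static JExpression nullSafeCopy(JType type, JExpression x) {
        JExpression cloned = x.invoke("clone");
        JExpression copy = type.isArray() ? cloned : JExpr.cast(type, cloned);
        return JOp.cond(x.eq(JExpr._null()), JExpr._null(), copy);
    }

    /** Replaces "return value;" with "return (this.value == null) ? null : this.value.clone();". */
    private static void rewriteGetter(JDefinedClass impl, JType type, String name, JFieldVar field) {
        JMethod old = findMethod(impl, name, 0);
        if (old == null) return;
        impl.methods().remove(old);
        JMethod getter = impl.method(JMod.PUBLIC, type, name);
        JFieldRef self = JExpr._this().ref(field);
        getter.body()._return(nullSafeCopy(type, self));
    }

    /** Replaces "this.value = value;" with "this.value = (value == null) ? null : value.clone();". */
    private static void rewriteSetter(JDefinedClass impl, JCodeModel cm, JType type, String name, JFieldVar field) {
        JMethod old = findMethod(impl, name, 1);
        if (old == null) return;
        impl.methods().remove(old);
        JMethod setter = impl.method(JMod.PUBLIC, cm.VOID, name);
        JVar param = setter.param(type, field.name());
        setter.body().assign(JExpr._this().ref(field), nullSafeCopy(type, param));
    }

    /** Generated accessors are never overloaded, so name plus parameter count identifies them. */
    private static JMethod findMethod(JDefinedClass impl, String name, int paramCount) {
        for (JMethod m : impl.methods()) {
            if (m.name().equals(name) && m.params().size() == paramCount) {
                return m;
            }
        }
        return null;
    }
}
```

The plugin is discovered through `ServiceLoader`: put the fully qualified class name in `META-INF/services/com.sun.tools.xjc.Plugin` inside the plugin jar, add that jar to the XJC classpath, and pass `-Xdefensive-copy` as an extra argument (the Maven JAXB plugins expose this through their `args`/`arguments` configuration). Because the original accessor is removed and regenerated, its generated Javadoc is not carried over; if that matters, copy it with `JMethod.javadoc()` before removing the old method. After regeneration, rerun the SAST scan: the CWE-374 findings on these accessors should disappear, while the ones on `List` getters remain and need to be assessed as accepted JAXB behaviour rather than fixed by cloning.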