新增准则:慎重考虑写入日志文件信息的隐私性,避免把敏感信息写入日志文件,如文电正文名称、部队编成信息、武器性能参数等。

wuhaoyang
wuhaoyang 10 months ago
parent 1fc05be08f
commit 14e2b4e68b
  1. 58
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
  2. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html
  3. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json
  4. 20
      sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java
  5. 30
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java

@ -0,0 +1,58 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.*;
import java.util.*;
@Rule(key = "AvoidSensitiveInfoInLogsCheck")
public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor {
private static final List<String> SENSITIVE_KEYWORDS = Arrays.asList("password", "token", "secret");
@Override
public List<Tree.Kind> nodesToVisit() {
return Arrays.asList(Tree.Kind.METHOD_INVOCATION);
}
@Override
public void visitNode(Tree tree) {
MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.symbol();
if (isLoggerErrorMethod(methodSymbol)) {
checkLogArguments(methodInvocationTree.arguments());
}
}
private boolean isLoggerErrorMethod(Symbol.MethodSymbol methodSymbol) {
Symbol.TypeSymbol enclosingClass = methodSymbol.owner().enclosingClass();
return enclosingClass != null
&& "org.slf4j.Logger".equals(enclosingClass.type().fullyQualifiedName())
&& "error".equals(methodSymbol.name())
|| "info".equals(methodSymbol.name())
|| "debug".equals(methodSymbol.name())
|| "warn".equals(methodSymbol.name())
|| "trace".equals(methodSymbol.name());
}
private void checkLogArguments(List<? extends ExpressionTree> arguments) {
for (ExpressionTree argument : arguments) {
if (argument.is(Tree.Kind.IDENTIFIER)) {
String identifierName = ((IdentifierTree) argument).name();
if (SENSITIVE_KEYWORDS.contains(identifierName)) {
System.out.println("日志中包含敏感信息: " + identifierName);
reportIssue(argument, "日志中包含敏感信息");
}
}
}
}
}

@ -0,0 +1,9 @@
<p>日志中包含敏感信息</p>
<h2>日志中包含敏感信息</h2>
<pre>
</pre>
<h2>合规解决方案</h2>
<pre>
</pre>

@ -0,0 +1,13 @@
{
"title": "日志中包含敏感信息",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"28suo"
],
"defaultSeverity": "Minor"
}

@ -0,0 +1,20 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class ExampleClass {
private static final Logger logger = LoggerFactory.getLogger(ExampleClass.class);
public void sensitiveOperation() {
String password = "password";
String token = "password";
String secret = "password";
logger.error(password); // Noncompliant {{日志中包含敏感信息}}
logger.info(token); // Noncompliant {{日志中包含敏感信息}}
logger.debug(secret); // Noncompliant {{日志中包含敏感信息}}
logger.warn(password); // Noncompliant {{日志中包含敏感信息}}
logger.trace(password); // Noncompliant {{日志中包含敏感信息}}
}
}

@ -0,0 +1,30 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import com.keyware.sonar.java.utils.FilesUtils;
import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier;
/**
*
* @author WuHaoYang
* @date 2024/1/12
*/
public class AvoidSensitiveInfoInLogsCheckTest {
@Test
void detected() {
CheckVerifier.newVerifier()
.onFile("src/test/files/AvoidSensitiveInfoInLogsCheck.java")
.withCheck(new AvoidSensitiveInfoInLogsCheck())
.withClassPath(FilesUtils.getClassPath("target/test-jars"))
.verifyIssues();
}
}
Loading…
Cancel
Save