新增准则：慎重考虑写入日志文件信息的隐私性，避免把敏感信息写入日志文件，如文电正文名称、部队编成信息、武器性能参数等。

9 months ago · 14e2b4e68b
parent 1fc05be08f
commit 14e2b4e68b
5 changed files with 130 additions and 0 deletions
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：Java 信息安全性设计准则
+ * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.tree.*;
+
+import java.util.*;
+
+@Rule(key = "AvoidSensitiveInfoInLogsCheck")
+public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor {
+
+
+    private static final List<String> SENSITIVE_KEYWORDS = Arrays.asList("password", "token", "secret");
+
+    @Override
+    public List<Tree.Kind> nodesToVisit() {
+        return Arrays.asList(Tree.Kind.METHOD_INVOCATION);
+    }
+
+    @Override
+    public void visitNode(Tree tree) {
+        MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
+        Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.symbol();
+        if (isLoggerErrorMethod(methodSymbol)) {
+            checkLogArguments(methodInvocationTree.arguments());
+        }
+    }
+
+    private boolean isLoggerErrorMethod(Symbol.MethodSymbol methodSymbol) {
+        Symbol.TypeSymbol enclosingClass = methodSymbol.owner().enclosingClass();
+        return enclosingClass != null
+                && "org.slf4j.Logger".equals(enclosingClass.type().fullyQualifiedName())
+                && "error".equals(methodSymbol.name())
+                || "info".equals(methodSymbol.name())
+                || "debug".equals(methodSymbol.name())
+                || "warn".equals(methodSymbol.name())
+                || "trace".equals(methodSymbol.name());
+    }
+
+    private void checkLogArguments(List<? extends ExpressionTree> arguments) {
+        for (ExpressionTree argument : arguments) {
+            if (argument.is(Tree.Kind.IDENTIFIER)) {
+                String identifierName = ((IdentifierTree) argument).name();
+                if (SENSITIVE_KEYWORDS.contains(identifierName)) {
+                    System.out.println("日志中包含敏感信息: " + identifierName);
+                    reportIssue(argument, "日志中包含敏感信息");
+                }
+            }
+        }
+    }
+}
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html
@ -0,0 +1,9 @@
+<p>日志中包含敏感信息</p>
+<h2>日志中包含敏感信息</h2>
+<pre>
+
+</pre>
+<h2>合规解决方案</h2>
+<pre>
+
+</pre>
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json
@ -0,0 +1,13 @@
+{
+  "title": "日志中包含敏感信息",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "28suo"
+  ],
+  "defaultSeverity": "Minor"
+}
--- a/sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java
+++ b/sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java
@ -0,0 +1,20 @@
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class ExampleClass {
+    private static final Logger logger = LoggerFactory.getLogger(ExampleClass.class);
+
+    public void sensitiveOperation() {
+        String password = "password";
+        String token = "password";
+        String secret = "password";
+
+
+        logger.error(password);  // Noncompliant {{日志中包含敏感信息}}
+        logger.info(token);  // Noncompliant {{日志中包含敏感信息}}
+        logger.debug(secret);  // Noncompliant {{日志中包含敏感信息}}
+        logger.warn(password);  // Noncompliant {{日志中包含敏感信息}}
+        logger.trace(password);  // Noncompliant {{日志中包含敏感信息}}
+
+    }
+}
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java
@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：Java 信息安全性设计准则
+ * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ *
+ * @author WuHaoYang
+ * @date 2024/1/12
+ */
+
+public class AvoidSensitiveInfoInLogsCheckTest {
+
+    @Test
+    void detected() {
+
+        CheckVerifier.newVerifier()
+                .onFile("src/test/files/AvoidSensitiveInfoInLogsCheck.java")
+                .withCheck(new AvoidSensitiveInfoInLogsCheck())
+                .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+                .verifyIssues();
+    }
+}