parent
34d97c1d39
commit
1e51d83973
@ -0,0 +1,93 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:Java 信息安全性设计准则 |
||||
* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.java.rules.checkers; |
||||
|
||||
import org.sonar.check.Rule; |
||||
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; |
||||
import org.sonar.plugins.java.api.tree.*; |
||||
|
||||
|
||||
import java.util.Arrays; |
||||
import java.util.HashSet; |
||||
import java.util.List; |
||||
import java.util.Set; |
||||
|
||||
/** |
||||
* 在构建路径名前对输入数据进行验证,确保外部输入仅包含允许构成路径名的字符或限制允许访问的目录 |
||||
* |
||||
* @author WuHaoYang |
||||
* @date 2024/1/9 |
||||
*/ |
||||
@Rule(key = "PathAndKeywordCheck") |
||||
public class PathAndKeywordCheck extends IssuableSubscriptionVisitor { |
||||
|
||||
private static final Set<String> TARGET_CLASS_NAMES = new HashSet<>(Arrays.asList("URL","URI","File")); |
||||
|
||||
@Override |
||||
public List<Tree.Kind> nodesToVisit() { |
||||
return Arrays.asList(Tree.Kind.NEW_CLASS); |
||||
} |
||||
|
||||
@Override |
||||
public void visitNode(Tree tree) { |
||||
if (tree.is(Tree.Kind.NEW_CLASS)) { |
||||
NewClassTree newClassTree = (NewClassTree) tree; |
||||
String className = newClassTree.symbolType().name(); |
||||
|
||||
if (TARGET_CLASS_NAMES.contains(className)) { |
||||
checkAndReportIssueIfRequired(newClassTree); |
||||
} |
||||
} |
||||
} |
||||
|
||||
private void checkAndReportIssueIfRequired(NewClassTree newClassTree) { |
||||
Tree parent = findEnclosingMethod(newClassTree); |
||||
if (parent != null && parent.is(Tree.Kind.METHOD)) { |
||||
MethodTree methodTree = (MethodTree) parent; |
||||
methodTree.parameters().forEach(parameter -> { |
||||
if (parameter.type() != null) { |
||||
String parameterType = parameter.type().symbolType().name(); |
||||
if (parameterType.equals("String")) { // 这里假设你关心的参数类型是 String
|
||||
String className = newClassTree.symbolType().name(); |
||||
if (TARGET_CLASS_NAMES.contains(className)) { |
||||
// 获取构造方法的参数
|
||||
List<ExpressionTree> arguments = newClassTree.arguments(); |
||||
if (!arguments.isEmpty()) { |
||||
ExpressionTree firstArgument = arguments.get(0); |
||||
String constructorArgument = getArgumentValue(firstArgument); |
||||
|
||||
// 获取方法的入参名称
|
||||
String parameterName = parameter.simpleName().name(); |
||||
|
||||
if (constructorArgument != null && constructorArgument.equals(parameterName)) { |
||||
System.out.println("避免在参数中使用 " + className + " 对象的构造方法的参数:" + parameterName); |
||||
reportIssue(newClassTree, "避免在参数中使用禁止的关键字"); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
}); |
||||
} |
||||
} |
||||
|
||||
private String getArgumentValue(ExpressionTree argument) { |
||||
if (argument.is(Tree.Kind.STRING_LITERAL)) { |
||||
return ((LiteralTree) argument).value(); |
||||
} else if (argument.is(Tree.Kind.IDENTIFIER)) { |
||||
return ((IdentifierTree) argument).name(); |
||||
} |
||||
return null; |
||||
} |
||||
|
||||
private Tree findEnclosingMethod(Tree tree) { |
||||
while (tree != null && !tree.is(Tree.Kind.METHOD)) { |
||||
tree = tree.parent(); |
||||
} |
||||
return tree; |
||||
} |
||||
} |
@ -0,0 +1,9 @@ |
||||
<p>避免在参数中使用禁止的关键字</p> |
||||
<h2>避免在参数中使用禁止的关键字</h2> |
||||
<pre> |
||||
|
||||
</pre> |
||||
<h2>合规解决方案</h2> |
||||
<pre> |
||||
|
||||
</pre> |
@ -0,0 +1,13 @@ |
||||
{ |
||||
"title": "避免在参数中使用禁止的关键字", |
||||
"type": "CODE_SMELL", |
||||
"status": "ready", |
||||
"remediation": { |
||||
"func": "Constant\/Issue", |
||||
"constantCost": "5min" |
||||
}, |
||||
"tags": [ |
||||
"28suo" |
||||
], |
||||
"defaultSeverity": "Minor" |
||||
} |
@ -0,0 +1,10 @@ |
||||
|
||||
class PathAndKeywordCheckRule { |
||||
|
||||
|
||||
public void getParameter(String arg) { |
||||
URL url = new URL(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
|
||||
URI url = new URI(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
|
||||
File url = new File(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
|
||||
} |
||||
} |
@ -0,0 +1,32 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:Java 信息安全性设计准则 |
||||
* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.java.rules.checkers;/* |
||||
*@title PathAndKeywordCheckTest |
||||
*@description |
||||
*@author Admin |
||||
*@version 1.0 |
||||
*@create 2024/1/9 15:26 |
||||
*/ |
||||
|
||||
import com.keyware.sonar.java.utils.FilesUtils; |
||||
import org.junit.jupiter.api.Test; |
||||
import org.sonar.java.checks.verifier.CheckVerifier; |
||||
|
||||
public class PathAndKeywordCheckTest { |
||||
|
||||
@Test |
||||
void detected() { |
||||
PathAndKeywordCheck rule = new PathAndKeywordCheck(); |
||||
|
||||
|
||||
CheckVerifier.newVerifier() |
||||
.onFile("src/test/files/PathAndKeywordCheck.java") |
||||
.withCheck(rule) |
||||
.withClassPath(FilesUtils.getClassPath("target/test-jars")) |
||||
.verifyIssues(); |
||||
} |
||||
} |
Loading…
Reference in new issue