commit
2ab2551735
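--- /dev/null
+++ b/.gitignore  [path inferred: not shown on page]
@@ -0,0 +1,38 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### IntelliJ IDEA ###
+.idea/modules.xml
+.idea/jarRepositories.xml
+.idea/compiler.xml
+.idea/libraries/
+*.iws
+*.iml
+*.ipr
+
+### Eclipse ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
+
+### Mac OS ###
+.DS_Store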
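--- /dev/null
+++ b/.gitmodules  [path inferred: not shown on page]
@@ -0,0 +1,6 @@
+[submodule "sonar-dependencies/sonar-cxx"]
+path = sonar-dependencies/sonar-cxx
+url = https://github.com/SonarOpenCommunity/sonar-cxx.git
+[submodule "sonar-dependencies/sonar-java"]
+path = sonar-dependencies/sonar-java
+url = https://github.com/SonarSource/sonar-java.git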
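--- /dev/null
+++ b/pom.xml  [path inferred: not shown on page]
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<parent>
+<groupId>org.sonarsource.java</groupId>
+<artifactId>java</artifactId>
+<version>7.30.1.34514</version>
+</parent>
+
+<groupId>com.keyware.sonar</groupId>
+<artifactId>sonar-keyware</artifactId>
+<version>1.0-SNAPSHOT</version>
+<packaging>pom</packaging>
+
+<properties>
+<maven.compiler.source>11</maven.compiler.source>
+<maven.compiler.target>11</maven.compiler.target>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+</properties>
+
+<modules>
+<module>sonar-dependencies</module>
+<module>sonar-keyware-plugins</module>
+</modules>
+<dependencyManagement>
+<dependencies>
+
+</dependencies>
+</dependencyManagement>
+<dependencies>
+
+</dependencies>
+</project>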
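Review bot: The `<dependencyManagement>` and `<dependencies>` blocks at the end of this root POM are both empty and should be removed until something is actually managed there; an empty block only suggests shared versions are pinned when none are. `maven.compiler.source`/`target` 11 is set here and repeated in the Java module's explicit `maven-compiler-plugin` configuration, so one of the two is redundant. The parent is the third-party `org.sonarsource.java:java:7.30.1.34514` POM, and the Java module presumably relies on it for the unversioned `sonar-plugin-api`, `sonar-analyzer-commons` and test dependencies; a one-line comment such as `<!-- parent supplies sonar-plugin packaging and managed versions for sonar-plugin-api, analyzer-commons and the test stack -->` would make that inherited dependency explicit.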
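--- /dev/null
+++ b/sonar-dependencies/pom.xml  [path inferred: not shown on page]
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<parent>
+<groupId>com.keyware.sonar</groupId>
+<artifactId>sonar-keyware</artifactId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+
+<artifactId>sonar-dependencies</artifactId>
+<version>1.0-SNAPSHOT</version>
+<packaging>pom</packaging>
+
+<modules>
+<!--<module>sonar-cxx</module>-->
+<module>sonar-java</module>
+</modules>
+
+<properties>
+
+</properties>
+
+<dependencyManagement>
+<dependencies>
+</dependencies>
+</dependencyManagement>
+</project>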
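Review bot: `<!--<module>sonar-cxx</module>-->` leaves a commented-out module next to an empty `<properties>` and an empty `<dependencyManagement>`; either delete the dead entries or say why the sonar-cxx submodule, which this same commit registers in `.gitmodules`, is excluded from the build. The cxx plugin module instead consumes prebuilt jars from its `libs/` directory, so a comment tying the two together would help the next reader, for example `<!-- sonar-cxx is not built here; sonar-keyware-plugins-cxx uses the prebuilt 2.1.1.488 jars in libs/ -->`.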
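--- /dev/null
+++ b/sonar-dependencies/sonar-cxx  [gitlink; path inferred from .gitmodules order, not shown on page]
@@ -0,0 +1 @@
+Subproject commit dd3c88c7343f3a44c5172dc4499b361dda028d85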
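--- /dev/null
+++ b/sonar-dependencies/sonar-java  [gitlink; path inferred from .gitmodules order, not shown on page]
@@ -0,0 +1 @@
+Subproject commit 0d3165c6aebe18052b1d97893a2e3da85e6d9b41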
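--- /dev/null
+++ b/sonar-keyware-plugins/pom.xml  [path inferred: not shown on page]
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<parent>
+<groupId>com.keyware.sonar</groupId>
+<artifactId>sonar-keyware</artifactId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+
+<artifactId>sonar-keyware-plugins</artifactId>
+<version>1.0-SNAPSHOT</version>
+<packaging>pom</packaging>
+
+<modules>
+<module>sonar-keyware-plugins-java</module>
+<module>sonar-keyware-plugins-cxx</module>
+</modules>
+
+</project>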
Binary file not shown.
Binary file not shown.
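--- /dev/null
+++ b/sonar-keyware-plugins/sonar-keyware-plugins-cxx/pom.xml  [path inferred from module name: not shown on page]
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<parent>
+<groupId>com.keyware.sonar</groupId>
+<artifactId>sonar-keyware-plugins</artifactId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+
+<name>C++ 信息安全性设计准则</name>
+<artifactId>sonar-keyware-plugins-cxx</artifactId>
+<version>1.0-SNAPSHOT</version>
+<description>用于检查C++源代码的安全性设计准则的Sonarqube插件</description>
+
+<properties>
+<java.version>11</java.version>
+<commons-io.version>2.15.1</commons-io.version>
+<commons-lang.version>2.6</commons-lang.version>
+<!-- we depend on API ${sonar.version} but we keep backward compatibility with LTS -->
+<sonar.version>9.9.0.65466</sonar.version>
+<sonar.plugin.api.version>9.14.0.375</sonar.plugin.api.version>
+<sonarQubeMinVersion>8.9</sonarQubeMinVersion>
+<gson.version>2.10.1</gson.version>
+<guava.version>33.0.0-jre</guava.version>
+<jsr305.version>3.0.2</jsr305.version>
+<mockito-all.version>1.10.19</mockito-all.version>
+<mockito-core.version>5.8.0</mockito-core.version>
+<assertj-core.version>3.24.2</assertj-core.version>
+<junit-jupiter.version>5.10.1</junit-jupiter.version>
+</properties>
+
+<dependencies>
+<dependency>
+<groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
+<artifactId>cxx-sslr-toolkit</artifactId>
+<systemPath>${project.basedir}/libs/cxx-sslr-toolkit-2.1.1.488.jar</systemPath>
+<version>2.1.1.488</version>
+<scope>system</scope>
+</dependency>
+<dependency>
+<groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
+<artifactId>sonar-cxx-plugin</artifactId>
+<systemPath>${project.basedir}/libs/sonar-cxx-plugin-2.1.1.488.jar</systemPath>
+<version>2.1.1.488</version>
+<scope>system</scope>
+</dependency>
+
+<dependency>
+<groupId>org.sonarsource.api.plugin</groupId>
+<artifactId>sonar-plugin-api</artifactId>
+<version>${sonar.plugin.api.version}</version>
+</dependency>
+
+<dependency>
+<groupId>org.sonarsource.sonarqube</groupId>
+<artifactId>sonar-plugin-api-impl</artifactId>
+<version>${sonar.version}</version>
+<scope>compile</scope>
+</dependency>
+
+<dependency>
+<groupId>commons-io</groupId>
+<artifactId>commons-io</artifactId>
+<version>${commons-io.version}</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>commons-lang</groupId>
+<artifactId>commons-lang</artifactId>
+<version>${commons-lang.version}</version>
+</dependency>
+<dependency>
+<groupId>com.google.code.findbugs</groupId>
+<artifactId>jsr305</artifactId>
+<version>${jsr305.version}</version>
+</dependency>
+<dependency>
+<groupId>com.google.guava</groupId>
+<artifactId>guava</artifactId>
+<version>${guava.version}</version>
+</dependency>
+<dependency>
+<groupId>com.google.code.gson</groupId>
+<artifactId>gson</artifactId>
+<version>${gson.version}</version>
+</dependency>
+<dependency>
+<groupId>org.mockito</groupId>
+<artifactId>mockito-core</artifactId>
+<version>${mockito-core.version}</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.assertj</groupId>
+<artifactId>assertj-core</artifactId>
+<version>${assertj-core.version}</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.junit.jupiter</groupId>
+<artifactId>junit-jupiter-api</artifactId>
+<version>${junit-jupiter.version}</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.junit.jupiter</groupId>
+<artifactId>junit-jupiter-engine</artifactId>
+<version>${junit-jupiter.version}</version>
+<scope>test</scope>
+</dependency>
+</dependencies>
+
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.sonarsource.sonar-packaging-maven-plugin</groupId>
+<artifactId>sonar-packaging-maven-plugin</artifactId>
+<configuration>
+<sonarQubeMinVersion>${sonarQubeMinVersion}</sonarQubeMinVersion>
+</configuration>
+</plugin>
+
+<plugin>
+<groupId>com.mycila</groupId>
+<artifactId>license-maven-plugin</artifactId>
+<configuration>
+<header>${project.basedir}/src/main/resources/license-header.txt</header>
+<!--排除文件-->
+<excludes>
+<exclude>**/*.properties</exclude>
+<exclude>*.sh</exclude>
+<exclude>*.yml</exclude>
+<exclude>.editorconfig</exclude>
+<exclude>.gitignore</exclude>
+<exclude>**/*.md</exclude>
+<exclude>**/*.xml</exclude>
+</excludes>
+</configuration>
+</plugin>
+</plugins>
+<resources>
+<resource>
+<directory>src/main/resources</directory>
+<excludes>
+<exclude>com/sonar/sqale/cxx-model-project*</exclude>
+<exclude>external/*</exclude>
+</excludes>
+</resource>
+</resources>
+</build>
+</project>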
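Review bot: The two `<scope>system</scope>` dependencies resolved from `<systemPath>${project.basedir}/libs/...-2.1.1.488.jar</systemPath>` bypass Maven's repository resolution: the jars are committed binaries (the two "Binary file not shown" entries in this commit) with no recorded checksum or provenance, `system` scope is deprecated, and the sonar-cxx sources are already a git submodule in this commit, so resolving `sonar-cxx-plugin` and `cxx-sslr-toolkit` from a repository or from the submodule build, with `provided` scope, would make the build reproducible and auditable. `sonar-plugin-api-impl` is `<scope>compile</scope>` here while the sibling Java module declares it `test`, and `sonar-plugin-api` has no `<scope>provided</scope>`; both are supplied by the server at runtime and should not end up inside a plugin jar. This module also declares no `<packaging>sonar-plugin</packaging>`, and its `sonar-packaging-maven-plugin` entry has neither `<extensions>true</extensions>` nor `pluginKey`/`pluginClass`, so unless the parent supplies these it builds a plain jar that SonarQube will not load. `mockito-all.version` is declared but never used.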
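--- /dev/null
+++ b/com/keyware/sonar/cxx/CxxSecurityDesignRulesPlugin.java  [path inferred from package and class name: module dir not shown on page]
@@ -0,0 +1,25 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:C++ 信息安全性设计准则
+* 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.cxx;
+
+import com.keyware.sonar.cxx.rules.CxxSecurityDesignRulesRepository;
+import org.sonar.api.Plugin;
+import org.sonar.plugins.cxx.CxxLanguage;
+
+/**
+* TODO CxxSecurityDesignRulesPlugin
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class CxxSecurityDesignRulesPlugin implements Plugin {
+@Override
+public void define(Context context) {
+context.addExtension(CxxLanguage.class);
+context.addExtension(CxxSecurityDesignRulesRepository.class);
+}
+}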
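Review bot: `context.addExtension(CxxLanguage.class)` registers a language class that belongs to the sonar-cxx plugin this module compiles against (`sonar-cxx-plugin` in its POM); if that plugin is installed alongside this one, two plugins would declare the same language key, which as far as I recall SonarQube rejects at startup. Unless this plugin is meant to replace sonar-cxx entirely, drop that line and keep only `context.addExtension(CxxSecurityDesignRulesRepository.class);`. The class Javadoc is still the `TODO CxxSecurityDesignRulesPlugin` placeholder; replace it with a summary such as `Registers the C++ security-design rule repository with SonarQube.`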
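--- /dev/null
+++ b/com/keyware/sonar/cxx/rules/CxxSecurityDesignRulesRepository.java  [path inferred from package and class name: module dir not shown on page]
@@ -0,0 +1,108 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:C++ 信息安全性设计准则
+* 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.cxx.rules;
+
+import org.sonar.api.SonarEdition;
+import org.sonar.api.SonarProduct;
+import org.sonar.api.SonarQubeSide;
+import org.sonar.api.SonarRuntime;
+import org.sonar.api.config.internal.MapSettings;
+import org.sonar.api.resources.Language;
+import org.sonar.api.server.rule.RulesDefinition;
+import org.sonar.api.utils.Version;
+import org.sonar.plugins.cxx.CustomCxxRulesDefinition;
+import org.sonar.plugins.cxx.CxxLanguage;
+
+import java.util.Collections;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+* TODO CxxSecurityDesignRulesRepository
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class CxxSecurityDesignRulesRepository extends CustomCxxRulesDefinition {
+// 不要修改这个值,因为路径在 CheckVerifier 中是硬编码的
+private static final String RESOURCE_BASE_PATH = "org/sonar/l10n/java/rules/java";
+
+public static final String REPOSITORY_KEY = "keyware-cxx-security-design";
+public static final String REPOSITORY_NAME = "C++ 安全性设计准则";
+
+
+// 添加需要视为模板规则的规则的规则键
+private static final Set<String> RULE_TEMPLATES_KEY = Collections.emptySet();
+
+private final SonarRuntime runtime;
+
+public CxxSecurityDesignRulesRepository(SonarRuntime runtime) {
+this.runtime = runtime;
+}
+
+@Override
+public void define(RulesDefinition.Context context) {
+RulesDefinition.NewRepository repository = context.createRepository(REPOSITORY_KEY, "cxx").setName(REPOSITORY_NAME);
+
+
+
+setTemplates(repository);
+
+repository.done();
+}
+
+@Override
+public Language getLanguage() {
+return new CxxLanguage(new MapSettings().asConfig());
+}
+
+@Override
+public String repositoryName() {
+return REPOSITORY_NAME;
+}
+
+@Override
+public String repositoryKey() {
+return REPOSITORY_KEY;
+}
+
+@Override
+public Class[] checkClasses() {
+return new Class[0];
+}
+
+private static void setTemplates(RulesDefinition.NewRepository repository) {
+RULE_TEMPLATES_KEY.stream()
+.map(repository::rule)
+.filter(Objects::nonNull)
+.forEach(rule -> rule.setTemplate(true));
+}
+
+
+public static class MockedSonarRuntime implements SonarRuntime {
+
+@Override
+public Version getApiVersion() {
+return Version.create(9, 9);
+}
+
+@Override
+public SonarProduct getProduct() {
+return SonarProduct.SONARQUBE;
+}
+
+@Override
+public SonarQubeSide getSonarQubeSide() {
+return SonarQubeSide.SCANNER;
+}
+
+@Override
+public SonarEdition getEdition() {
+return SonarEdition.COMMUNITY;
+}
+}
+}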
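Review bot: `define()` creates the repository, calls `setTemplates` and `repository.done()`, but never adds a rule, and `checkClasses()` returns `new Class[0]`, so the plugin publishes an empty `keyware-cxx-security-design` repository while `DemoChecker` from this same commit is never registered; if `CustomCxxRulesDefinition.define` is what loads `checkClasses()` into the repository, overriding it with this body bypasses that. At minimum `checkClasses()` should return `new Class[] {DemoChecker.class};` and `define()` should either delegate to `super.define(context)` or load the check classes itself; which is right depends on the superclass, which is outside this diff. `RESOURCE_BASE_PATH` (a sonar-java testkit path copied from the Java module) and the `runtime` field are written but never read, and `Class[]` is a raw type. `MockedSonarRuntime` is a test double nested in a production class, so it ships in the plugin jar; move it to the test source set.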
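--- /dev/null
+++ b/com/keyware/sonar/cxx/rules/checkers/DemoChecker.java  [path inferred from package and class name: module dir not shown on page]
@@ -0,0 +1,39 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:C++ 信息安全性设计准则
+* 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.cxx.rules.checkers;
+
+import com.sonar.cxx.sslr.api.AstNode;
+import com.sonar.cxx.sslr.api.Grammar;
+import org.sonar.check.Priority;
+import org.sonar.check.Rule;
+import org.sonar.cxx.parser.CxxGrammarImpl;
+import org.sonar.cxx.squidbridge.SquidAstVisitor;
+import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
+import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
+
+/**
+* TODO DemoChecker
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+@Rule(key = "DemoChecker", name = "DemoChecker", description = "DemoChecker", priority = Priority.INFO, tags = {"28Suo"})
+@ActivatedByDefault
+@SqaleConstantRemediation("5min")
+public class DemoChecker extends SquidAstVisitor<Grammar> {
+@Override
+public void init() {
+this.subscribeTo(
+CxxGrammarImpl.functionDefinition
+);
+}
+
+@Override
+public void visitNode(AstNode astNode) {
+super.visitNode(astNode);
+}
+}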
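Review bot: `@Rule(... tags = {"28Suo"})` carries an upper-case tag; SonarQube's rule-tag format accepts only `a-z`, `0-9`, `+`, `-`, `#` and `.`, so as far as I recall loading this annotation into a repository would be rejected at server start — use a lowercase tag such as `"28suo"`. The rule is `@ActivatedByDefault` yet `visitNode` only calls `super.visitNode(astNode)`, so it subscribes to every `functionDefinition` node and never reports anything; either implement the check or drop `@ActivatedByDefault` (and the `"5min"` remediation) until it does. `name` and `description` are the placeholder `"DemoChecker"` and the class Javadoc is still `TODO DemoChecker`; a one-line summary of what the rule will flag belongs there.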
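--- /dev/null
+++ b/src/main/resources/license-header.txt  [path inferred from the POM's <header> element: module dir not shown on page]
@@ -0,0 +1,4 @@
+Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+项目名称:${project.name}
+项目描述:${project.description}
+版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。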
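--- /dev/null
+++ b/sonar-keyware-plugins/sonar-keyware-plugins-java/pom.xml  [path inferred from module name: not shown on page]
@@ -0,0 +1,244 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<parent>
+<groupId>com.keyware.sonar</groupId>
+<artifactId>sonar-keyware-plugins</artifactId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+
+<name>Java 信息安全性设计准则</name>
+<artifactId>sonar-keyware-plugins-java</artifactId>
+<packaging>sonar-plugin</packaging>
+<version>1.0-SNAPSHOT</version>
+<description>用于检查Java源代码的安全性设计准则的Sonarqube插件</description>
+
+<properties>
+<jacoco.version>0.8.10</jacoco.version>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+</properties>
+
+<dependencies>
+<dependency>
+<groupId>org.sonarsource.java</groupId>
+<artifactId>sonar-java-plugin</artifactId>
+<version>7.30.1.34514</version>
+<type>sonar-plugin</type>
+<scope>compile</scope>
+</dependency>
+
+<dependency>
+<groupId>org.sonarsource.api.plugin</groupId>
+<artifactId>sonar-plugin-api</artifactId>
+<scope>provided</scope>
+</dependency>
+
+<dependency>
+<groupId>org.sonarsource.analyzer-commons</groupId>
+<artifactId>sonar-analyzer-commons</artifactId>
+</dependency>
+
+<dependency>
+<groupId>org.slf4j</groupId>
+<artifactId>slf4j-api</artifactId>
+<scope>provided</scope>
+</dependency>
+
+<!-- unit tests -->
+<dependency>
+<groupId>org.sonarsource.api.plugin</groupId>
+<artifactId>sonar-plugin-api-test-fixtures</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.sonarsource.sonarqube</groupId>
+<artifactId>sonar-plugin-api-impl</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.sonarsource.java</groupId>
+<artifactId>test-classpath-reader</artifactId>
+<version>7.30.1.34514</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.sonarsource.java</groupId>
+<artifactId>java-checks-testkit</artifactId>
+<version>7.30.1.34514</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.junit.jupiter</groupId>
+<artifactId>junit-jupiter</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.junit.jupiter</groupId>
+<artifactId>junit-jupiter-migrationsupport</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.mockito</groupId>
+<artifactId>mockito-core</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.assertj</groupId>
+<artifactId>assertj-core</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>com.google.guava</groupId>
+<artifactId>guava</artifactId>
+<scope>test</scope>
+</dependency>
+</dependencies>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.sonarsource.sonar-packaging-maven-plugin</groupId>
+<artifactId>sonar-packaging-maven-plugin</artifactId>
+<extensions>true</extensions>
+<configuration>
+<pluginKey>keyware-java-plugin</pluginKey>
+<pluginName>Java 安全性设计准则</pluginName>
+<pluginClass>com.keyware.sonar.java.JavaSecurityDesignRulesPlugin</pluginClass>
+<sonarLintSupported>true</sonarLintSupported>
+<skipDependenciesPackaging>true</skipDependenciesPackaging>
+<pluginApiMinVersion>9.14.0.375</pluginApiMinVersion>
+<requirePlugins>java:${project.version}</requirePlugins>
+</configuration>
+</plugin>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-jar-plugin</artifactId>
+</plugin>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-shade-plugin</artifactId>
+<configuration>
+</configuration>
+<executions>
+<execution>
+<phase>package</phase>
+<goals>
+<goal>shade</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-compiler-plugin</artifactId>
+<configuration>
+<source>11</source>
+<target>11</target>
+</configuration>
+</plugin>
+
+<plugin>
+<groupId>org.jacoco</groupId>
+<artifactId>jacoco-maven-plugin</artifactId>
+<version>${jacoco.version}</version>
+<executions>
+<execution>
+<id>prepare-agent</id>
+<goals>
+<goal>prepare-agent</goal>
+</goals>
+</execution>
+<execution>
+<id>report</id>
+<goals>
+<goal>report</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+
+<!-- only required to run UT - these are UT dependencies -->
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-dependency-plugin</artifactId>
+<executions>
+<execution>
+<id>copy</id>
+<phase>test-compile</phase>
+<goals>
+<goal>copy</goal>
+</goals>
+<configuration>
+<artifactItems>
+<artifactItem>
+<groupId>org.slf4j</groupId>
+<artifactId>slf4j-api</artifactId>
+<version>1.7.30</version>
+<type>jar</type>
+</artifactItem>
+<artifactItem>
+<groupId>org.apache.commons</groupId>
+<artifactId>commons-collections4</artifactId>
+<version>4.0</version>
+<type>jar</type>
+</artifactItem>
+<artifactItem>
+<groupId>javax</groupId>
+<artifactId>javaee-api</artifactId>
+<version>6.0</version>
+<type>jar</type>
+</artifactItem>
+<artifactItem>
+<groupId>org.springframework</groupId>
+<artifactId>spring-webmvc</artifactId>
+<version>4.3.3.RELEASE</version>
+<type>jar</type>
+</artifactItem>
+<artifactItem>
+<groupId>org.springframework</groupId>
+<artifactId>spring-web</artifactId>
+<version>4.3.3.RELEASE</version>
+<type>jar</type>
+</artifactItem>
+<artifactItem>
+<groupId>org.springframework</groupId>
+<artifactId>spring-context</artifactId>
+<version>4.3.3.RELEASE</version>
+<type>jar</type>
+</artifactItem>
+<artifactItem>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>4.13.2</version>
+<type>jar</type>
+</artifactItem>
+</artifactItems>
+<outputDirectory>${project.build.directory}/test-jars</outputDirectory>
+</configuration>
+</execution>
+</executions>
+</plugin>
+<plugin>
+<groupId>com.mycila</groupId>
+<artifactId>license-maven-plugin</artifactId>
+<configuration>
+<header>${project.basedir}/src/main/resources/license-header.txt</header>
+<!--排除文件-->
+<excludes>
+<exclude>**/*.properties</exclude>
+<exclude>*.sh</exclude>
+<exclude>*.yml</exclude>
+<exclude>.editorconfig</exclude>
+<exclude>.gitignore</exclude>
+<exclude>**/*.md</exclude>
+<exclude>**/*.xml</exclude>
+</excludes>
+</configuration>
+</plugin>
+</plugins>
+</build>
+</project>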
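Review bot: `<requirePlugins>java:${project.version}</requirePlugins>` expands to `java:1.0-SNAPSHOT`, this module's own version, whereas the SonarJava plugin it is built against is `7.30.1.34514` (hard-coded three times in this file); as far as I can tell the manifest entry must name that version, so introduce `<sonarjava.version>7.30.1.34514</sonarjava.version>` and use it in the three `<version>` elements and in `java:${sonarjava.version}`. `sonar-java-plugin` is declared with `<scope>compile</scope>` and `maven-shade-plugin` runs at `package` with an empty `<configuration>`, so the shaded jar would presumably swallow the whole SonarJava plugin even though `skipDependenciesPackaging` is `true`; `provided` scope for `sonar-java-plugin` and either removing the shade step or giving it an explicit `<artifactSet>` would resolve the contradiction. The `maven-dependency-plugin` execution copies `spring-*` 4.3.3.RELEASE, `javaee-api` 6.0 and `commons-collections4` 4.0 into `test-jars`; the existing comment says these are test-classpath fixtures only, which is worth keeping so these old versions are never promoted to runtime dependencies.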
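--- /dev/null
+++ b/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java  [path inferred from package and class name: module dir not shown on page]
@@ -0,0 +1,29 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java;
+
+import com.keyware.sonar.java.rules.JavaFileCheckRegistrar;
+import com.keyware.sonar.java.rules.JavaSecurityDesignRulesRepository;
+import org.sonar.api.Plugin;
+
+/**
+* Java 安全性设计准则插件
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class JavaSecurityDesignRulesPlugin implements Plugin {
+@Override
+public void define(Context context) {
+// 服务器扩展 - >对象在服务器启动期间实例化
+context.addExtension(JavaSecurityDesignRulesRepository.class);
+
+// 批处理扩展 - >对象在代码分析期间实例化
+context.addExtension(JavaFileCheckRegistrar.class);
+
+}
+}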
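--- /dev/null
+++ b/com/keyware/sonar/java/rules/JavaFileCheckRegistrar.java  [path inferred from package and class name: module dir not shown on page]
@@ -0,0 +1,45 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.rules;
+
+import org.sonar.plugins.java.api.CheckRegistrar;
+import org.sonar.plugins.java.api.JavaCheck;
+import org.sonarsource.api.sonarlint.SonarLintSide;
+
+import java.util.List;
+
+/**
+* 负责将java规则检查器注册到SonarQube中
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+@SonarLintSide
+public class JavaFileCheckRegistrar implements CheckRegistrar {
+/**
+* 注册将用于在分析期间实例化检查的类。
+*/
+@Override
+public void register(RegistrarContext registrarContext) {
+// 调用 registerClassesForRepository 以将类与正确的存储库密钥相关联
+registrarContext.registerClassesForRepository(JavaSecurityDesignRulesRepository.REPOSITORY_KEY, checkClasses(), testCheckClasses());
+}
+
+/**
+* 列出插件提供的所有主检查器
+*/
+public static List<Class<? extends JavaCheck>> checkClasses() {
+return RulesList.getJavaChecks();
+}
+
+/**
+* 列出插件提供的所有测试检查器
+*/
+public static List<Class<? extends JavaCheck>> testCheckClasses() {
+return RulesList.getJavaTestChecks();
+}
+}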
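--- /dev/null
+++ b/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java  [path inferred from package and class name: module dir not shown on page]
@@ -0,0 +1,87 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.rules;
+
+import org.sonar.api.SonarEdition;
+import org.sonar.api.SonarProduct;
+import org.sonar.api.SonarQubeSide;
+import org.sonar.api.SonarRuntime;
+import org.sonar.api.server.rule.RulesDefinition;
+import org.sonar.api.utils.Version;
+import org.sonarsource.analyzer.commons.RuleMetadataLoader;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+* 用于定义出现在规则页面中规则的元数据
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class JavaSecurityDesignRulesRepository implements RulesDefinition {
+// 不要修改这个值,因为路径在 CheckVerifier 中是硬编码的
+private static final String RESOURCE_BASE_PATH = "org/sonar/l10n/java/rules/java";
+
+public static final String REPOSITORY_KEY = "keyware-java-security-design";
+public static final String REPOSITORY_NAME = "Java安全性设计准则";
+
+// 添加需要视为模板规则的规则的规则键
+private static final Set<String> RULE_TEMPLATES_KEY = Collections.emptySet();
+
+private final SonarRuntime runtime;
+
+public JavaSecurityDesignRulesRepository(SonarRuntime runtime) {
+this.runtime = runtime;
+}
+
+@Override
+public void define(RulesDefinition.Context context) {
+RulesDefinition.NewRepository repository = context.createRepository(REPOSITORY_KEY, "java").setName(REPOSITORY_NAME);
+
+RuleMetadataLoader ruleMetadataLoader = new RuleMetadataLoader(RESOURCE_BASE_PATH, runtime);
+
+ruleMetadataLoader.addRulesByAnnotatedClass(repository, new ArrayList<>(RulesList.getChecks()));
+
+setTemplates(repository);
+
+repository.done();
+}
+
+private static void setTemplates(RulesDefinition.NewRepository repository) {
+RULE_TEMPLATES_KEY.stream()
+.map(repository::rule)
+.filter(Objects::nonNull)
+.forEach(rule -> rule.setTemplate(true));
+}
+
+
+public static class MockedSonarRuntime implements SonarRuntime {
+
+@Override
+public Version getApiVersion() {
+return Version.create(9, 9);
+}
+
+@Override
+public SonarProduct getProduct() {
+return SonarProduct.SONARQUBE;
+}
+
+@Override
+public SonarQubeSide getSonarQubeSide() {
+return SonarQubeSide.SCANNER;
+}
+
+@Override
+public SonarEdition getEdition() {
+return SonarEdition.COMMUNITY;
+}
+}
+}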
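--- a/com/keyware/sonar/java/rules/RulesList.java
+++ b/com/keyware/sonar/java/rules/RulesList.java
@@ -0,0 +1,54 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.rules;
+
+import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
+import org.sonar.plugins.java.api.JavaCheck;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public final class RulesList {
+
+private RulesList() {
+}
+
+public static List<Class<? extends JavaCheck>> getChecks() {
+List<Class<? extends JavaCheck>> checks = new ArrayList<>();
+checks.addAll(getJavaChecks());
+checks.addAll(getJavaTestChecks());
+return Collections.unmodifiableList(checks);
+}
+
+/**
+* These rules are going to target MAIN code only
+*/
+public static List<Class<? extends JavaCheck>> getJavaChecks() {
+return Collections.unmodifiableList(Arrays.asList(
+ABCVarNameChecker.class
+/*SpringControllerRequestMappingEntityRule.class,
+AvoidAnnotationRule.class,
+AvoidBrandInMethodNamesRule.class,
+AvoidMethodDeclarationRule.class,
+AvoidSuperClassRule.class,
+AvoidTreeListRule.class,
+MyCustomSubscriptionRule.class,
+SecurityAnnotationMandatoryRule.class*/
+));
+}
+
+/**
+* These rules are going to target TEST code only
+*/
+public static List<Class<? extends JavaCheck>> getJavaTestChecks() {
+return Collections.unmodifiableList(Arrays.asList(
+/*NoIfStatementInTestsRule.class*/
+));
+}
+}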
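Review bot: The commented-out rule lists inside `getJavaChecks` and `getJavaTestChecks` (the `/*SpringControllerRequestMappingEntityRule.class, …*/` and `/*NoIfStatementInTestsRule.class*/` blocks) are template residue that will drift from the real rule set and should be deleted; version control keeps the history. Once the placeholder is gone, `getJavaTestChecks` can simply `return Collections.emptyList();` instead of wrapping an empty `Arrays.asList()`, and `getJavaChecks` reads more clearly as `return Collections.singletonList(ABCVarNameChecker.class);` until a second check exists.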
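--- a/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
+++ b/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
@@ -0,0 +1,40 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.Tree;
+import org.sonar.plugins.java.api.tree.VariableTree;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+* TODO ABCVarNameChecker
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+@Rule(key = "ABCVarNameChecker")
+public class ABCVarNameChecker extends SubscriptionVisitor {
+
+@Override
+public List<Tree.Kind> nodesToVisit() {
+return Collections.singletonList(
+Tree.Kind.VARIABLE
+);
+}
+
+@Override
+public void visitNode(Tree tree) {
+VariableTree node = (VariableTree) tree;
+if (node.simpleName().name().matches("ABC")) {
+context.reportIssue(this, node.simpleName(), "不能使用ABC作为变量名");
+}
+}
+}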
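Review bot: `node.simpleName().name().matches("ABC")` in `visitNode` treats the literal as a regular expression and recompiles it on every variable declaration, while the intent is an exact name comparison; `if ("ABC".equals(node.simpleName().name())) {` says that directly and cannot be tripped up later when someone adds a name containing regex metacharacters. The class Javadoc is still the `TODO ABCVarNameChecker` placeholder; replace it with a sentence stating what is flagged, e.g. "Reports any variable declaration (Tree.Kind.VARIABLE, which presumably covers fields, locals and parameters) whose simple name is exactly ABC". The `@date` tag is not a standard Javadoc tag and will be reported by the Javadoc tool under `-Xdoclint`.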
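--- a/<path-not-on-page>
+++ b/<path-not-on-page>
@@ -0,0 +1,4 @@
+Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+项目名称:${project.name}
+项目描述:${project.description}
+版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。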
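--- a/org/sonar/l10n/java/rules/java/ABCVarNameChecker.html
+++ b/org/sonar/l10n/java/rules/java/ABCVarNameChecker.html
@@ -0,0 +1,9 @@
+<p>不能使用ABC作为变量名</p>
+<h2>不能使用ABC作为变量名</h2>
+<pre>
+
+</pre>
+<h2>合规解决方案</h2>
+<pre>
+
+</pre>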
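--- a/org/sonar/l10n/java/rules/java/ABCVarNameChecker.json
+++ b/org/sonar/l10n/java/rules/java/ABCVarNameChecker.json
@@ -0,0 +1,13 @@
+{
+"title": "不能使用ABC作为变量名",
+"type": "CODE_SMELL",
+"status": "ready",
+"remediation": {
+"func": "Constant\/Issue",
+"constantCost": "5min"
+},
+"tags": [
+"28suo"
+],
+"defaultSeverity": "Minor"
+}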
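--- a/src/test/files/ABCVarNameRule.java
+++ b/src/test/files/ABCVarNameRule.java
@@ -0,0 +1,11 @@
+class VarNameRule{
+private static String ABC = "abc"; // Noncompliant {{不能使用ABC作为变量名}}
+private static String edf = "edf";
+
+public String getABC(){
+return ABC;
+}
+public void test(){
+System.out.println(ABC);
+}
+}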
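Review bot: The fixture exercises only a static field named `ABC`, so it does not pin whether the check fires on the other declaration kinds that `Tree.Kind.VARIABLE` presumably covers, nor whether the match is case-sensitive. Add a local inside `test()` such as `String ABC = "x"; // Noncompliant {{不能使用ABC作为变量名}}`, a parameter named `ABC` on a method, and a compliant variant like `String abc = "y";` so a later change to the comparison in the checker is caught here.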
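--- a/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java
+++ b/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java
@@ -0,0 +1,55 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.api.*;
+import org.sonar.api.utils.Version;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+* TODO JavaSecurityDesignRulesPluginTest
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class JavaSecurityDesignRulesPluginTest {
+@Test
+void testName() {
+Plugin.Context context = new Plugin.Context(new MockedSonarRuntime());
+
+new JavaSecurityDesignRulesPlugin().define(context);
+
+assertThat(context.getExtensions())
+.extracting(ext -> ((Class) ext).getSimpleName())
+.containsExactlyInAnyOrder("JavaSecurityDesignRulesRepository", "JavaFileCheckRegistrar");
+}
+
+public static class MockedSonarRuntime implements SonarRuntime {
+
+@Override
+public Version getApiVersion() {
+return Version.create(9, 9);
+}
+
+@Override
+public SonarProduct getProduct() {
+return SonarProduct.SONARQUBE;
+}
+
+@Override
+public SonarQubeSide getSonarQubeSide() {
+return SonarQubeSide.SCANNER;
+}
+
+@Override
+public SonarEdition getEdition() {
+return SonarEdition.COMMUNITY;
+}
+}
+}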
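Review bot: `MockedSonarRuntime` here is a byte-for-byte duplicate of the nested class of the same name that the production `JavaSecurityDesignRulesRepository` carries (and that `JavaSecurityDesignRulesRepositoryTest` instantiates); a test-only stub should exist once, in test sources, so keep this copy, delete the one in the plugin class, and have the repository test import this one. The `(Class) ext` cast in `testName` is a raw type and produces an unchecked warning; `((Class<?>) ext).getSimpleName()` is equivalent and warning-free. `import org.sonar.api.*;` is a wildcard import; list `Plugin`, `SonarRuntime`, `SonarProduct`, `SonarQubeSide` and `SonarEdition` explicitly, as the other files in this commit do for their imports.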
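--- a/com/keyware/sonar/java/rules/JavaFileCheckRegistrarTest.java
+++ b/com/keyware/sonar/java/rules/JavaFileCheckRegistrarTest.java
@@ -0,0 +1,63 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.rules;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.api.rule.RuleKey;
+import org.sonar.java.checks.verifier.TestCheckRegistrarContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+* TODO JavaFileCheckRegistrarTest
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class JavaFileCheckRegistrarTest {
+
+@Test
+void checkRegisteredRulesKeysAndClasses() {
+TestCheckRegistrarContext context = new TestCheckRegistrarContext();
+
+JavaFileCheckRegistrar registrar = new JavaFileCheckRegistrar();
+registrar.register(context);
+
+assertThat(context.mainRuleKeys).extracting(RuleKey::toString).containsExactly(
+/*"mycompany-java:SpringControllerRequestMappingEntity",
+"mycompany-java:AvoidAnnotation",
+"mycompany-java:AvoidBrandInMethodNames",
+"mycompany-java:AvoidMethodDeclaration",
+"mycompany-java:AvoidSuperClass",
+"mycompany-java:AvoidTreeList",
+"mycompany-java:AvoidMethodWithSameTypeInArgument",
+"mycompany-java:SecurityAnnotationMandatory"*/
+"keyware-java-security-design:ABCVarNameChecker"
+);
+
+assertThat(context.mainCheckClasses).extracting(Class::getSimpleName).containsExactly(
+/*"SpringControllerRequestMappingEntityRule",
+"AvoidAnnotationRule",
+"AvoidBrandInMethodNamesRule",
+"AvoidMethodDeclarationRule",
+"AvoidSuperClassRule",
+"AvoidTreeListRule",
+"MyCustomSubscriptionRule",
+"SecurityAnnotationMandatoryRule"*/
+"ABCVarNameChecker"
+);
+
+assertThat(context.testRuleKeys).extracting(RuleKey::toString).containsExactly(
+/*"mycompany-java:NoIfStatementInTests"*/
+);
+
+assertThat(context.testCheckClasses).extracting(Class::getSimpleName).containsExactly(
+/*"NoIfStatementInTestsRule"*/
+);
+}
+
+}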
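Review bot: The commented-out `"mycompany-java:…"` expectations in `checkRegisteredRulesKeysAndClasses` name a repository key and rule classes that do not exist in this plugin (the real key is `keyware-java-security-design`), so they can only mislead the next person editing the assertions; delete them. The two trailing assertions call `containsExactly()` with no arguments, which asserts emptiness indirectly; `assertThat(context.testRuleKeys).isEmpty();` and `assertThat(context.testCheckClasses).isEmpty();` state the intent and give a clearer failure message. The expected key `"keyware-java-security-design:ABCVarNameChecker"` duplicates `JavaSecurityDesignRulesRepository.REPOSITORY_KEY`; building it from the constant keeps the test in step if the key changes.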
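--- a/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepositoryTest.java
+++ b/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepositoryTest.java
@@ -0,0 +1,65 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.rules;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.api.rules.RuleType;
+import org.sonar.api.server.debt.DebtRemediationFunction;
+import org.sonar.api.server.rule.RuleParamType;
+import org.sonar.api.server.rule.RulesDefinition;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+* TODO JavaSecurityDesignRulesRepositoryTest
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class JavaSecurityDesignRulesRepositoryTest {
+
+@Test
+void test() {
+JavaSecurityDesignRulesRepository rulesDefinition = new JavaSecurityDesignRulesRepository(new JavaSecurityDesignRulesRepository.MockedSonarRuntime());
+RulesDefinition.Context context = new RulesDefinition.Context();
+rulesDefinition.define(context);
+RulesDefinition.Repository repository = context.repository(JavaSecurityDesignRulesRepository.REPOSITORY_KEY);
+
+assertThat(repository.name()).isEqualTo(JavaSecurityDesignRulesRepository.REPOSITORY_NAME);
+assertThat(repository.language()).isEqualTo("java");
+assertThat(repository.rules()).hasSize(RulesList.getChecks().size());
+assertThat(repository.rules().stream().filter(RulesDefinition.Rule::template)).isEmpty();
+
+//assertRuleProperties(repository);
+// assertParameterProperties(repository);
+// assertAllRuleParametersHaveDescription(repository);
+}
+
+private static void assertParameterProperties(RulesDefinition.Repository repository) {
+RulesDefinition.Param max = repository.rule("AvoidAnnotation").param("name");
+assertThat(max).isNotNull();
+assertThat(max.defaultValue()).isEqualTo("Inject");
+assertThat(max.description()).isEqualTo("Name of the annotation to avoid, without the prefix @, for instance 'Override'");
+assertThat(max.type()).isEqualTo(RuleParamType.STRING);
+}
+
+private static void assertRuleProperties(RulesDefinition.Repository repository) {
+RulesDefinition.Rule rule = repository.rule("AvoidAnnotation");
+assertThat(rule).isNotNull();
+assertThat(rule.name()).isEqualTo("Title of AvoidAnnotation");
+assertThat(rule.debtRemediationFunction().type()).isEqualTo(DebtRemediationFunction.Type.CONSTANT_ISSUE);
+assertThat(rule.type()).isEqualTo(RuleType.CODE_SMELL);
+}
+
+private static void assertAllRuleParametersHaveDescription(RulesDefinition.Repository repository) {
+for (RulesDefinition.Rule rule : repository.rules()) {
+for (RulesDefinition.Param param : rule.params()) {
+assertThat(param.description()).as("description for " + param.key()).isNotEmpty();
+}
+}
+}
+}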
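Review bot: The three private helpers at the bottom of the class are dead code: their only call sites in `test()` are commented out, and `assertParameterProperties` and `assertRuleProperties` look up a rule `"AvoidAnnotation"` that `RulesList` does not register, so they would fail if re-enabled. With that the test never verifies that the HTML/JSON metadata for `ABCVarNameChecker` is actually loaded from `RESOURCE_BASE_PATH`, which is the main thing `define` does. Rewrite `assertRuleProperties` against the rule this commit ships, using the title, type and remediation function from its JSON, drop `assertParameterProperties` (the rule has no parameters) and the now-unused `RuleParamType` import, and re-enable `assertAllRuleParametersHaveDescription`, which is generic and still valid.
```java
// … unchanged: setup and repository-level assertions in test() …
assertRuleProperties(repository);
assertAllRuleParametersHaveDescription(repository);
}

private static void assertRuleProperties(RulesDefinition.Repository repository) {
RulesDefinition.Rule rule = repository.rule("ABCVarNameChecker");
assertThat(rule).isNotNull();
assertThat(rule.name()).isEqualTo("不能使用ABC作为变量名");
assertThat(rule.debtRemediationFunction().type()).isEqualTo(DebtRemediationFunction.Type.CONSTANT_ISSUE);
assertThat(rule.type()).isEqualTo(RuleType.CODE_SMELL);
}
// … unchanged: assertAllRuleParametersHaveDescription …
```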
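--- a/com/keyware/sonar/java/rules/checkers/ABCVarNameCheckerTest.java
+++ b/com/keyware/sonar/java/rules/checkers/ABCVarNameCheckerTest.java
@@ -0,0 +1,36 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+* TODO ABCVarNameCheckerTest
+*
+* @author GuoXin
+* @date 2024/1/6
+*/
+public class ABCVarNameCheckerTest {
+@Test
+void detected() {
+
+
+ABCVarNameChecker rule = new ABCVarNameChecker();
+
+
+// Verifies that the check will raise the adequate issues with the expected message.
+// In the test file, lines which should raise an issue have been commented out
+// by using the following syntax: "// Noncompliant {{EXPECTED_MESSAGE}}"
+CheckVerifier.newVerifier()
+.onFile("src/test/files/ABCVarNameRule.java")
+.withCheck(rule)
+.withClassPath(FilesUtils.getClassPath("target/test-jars"))
+.verifyIssues();
+}
+}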
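Review bot: `FilesUtils.getClassPath("target/test-jars")` passes the same literal that `FilesUtils` keeps as its private `DEFAULT_TEST_JARS_DIRECTORY`, and for that exact value `getClassPath` silently falls back to `target/test-classes` alone when the directory is missing, so this test can pass with no external jars on the class path without anyone noticing. For a name-only check that is harmless today, but the next check that needs semantic resolution will see the same silent degradation; either make the constant public and pass it, or add a one-line comment above the call, `// target/test-jars is optional here: ABCVarNameChecker needs no external symbols`, so the fallback is a documented choice. The inline comments above `CheckVerifier.newVerifier()` say "commented out" when they mean "annotated with a trailing comment"; `// lines that must raise an issue are marked with "// Noncompliant {{EXPECTED_MESSAGE}}"` is accurate.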
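--- a/com/keyware/sonar/java/utils/FilesUtils.java
+++ b/com/keyware/sonar/java/utils/FilesUtils.java
@@ -0,0 +1,75 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称:Java 信息安全性设计准则
+* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+*/
+package com.keyware.sonar.java.utils;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.*;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.util.ArrayList;
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+* Duplicates org.sonar.java.checks.verifier.FilesUtils to locate test jars within the custom-rules plugin
+*/
+public class FilesUtils {
+
+private FilesUtils() {
+}
+
+/**
+* Default location of the jars/zips to be taken into account when performing the analysis.
+*/
+private static final String DEFAULT_TEST_JARS_DIRECTORY = "target/test-jars";
+
+public static List<File> getClassPath(String jarsDirectory) {
+List<File> classpath = new LinkedList<>();
+Path testJars = Paths.get(jarsDirectory);
+if (testJars.toFile().exists()) {
+classpath = getFilesRecursively(testJars, "jar", "zip");
+} else if (!DEFAULT_TEST_JARS_DIRECTORY.equals(jarsDirectory)) {
+throw new AssertionError("The directory to be used to extend class path does not exists ("
++ testJars.toAbsolutePath()
++ ").");
+}
+classpath.add(new File("target/test-classes"));
+return classpath;
+}
+
+private static List<File> getFilesRecursively(Path root, String... extensions) {
+final List<File> files = new ArrayList<>();
+
+FileVisitor<Path> visitor = new SimpleFileVisitor<Path>() {
+@Override
+public FileVisitResult visitFile(Path filePath, BasicFileAttributes attrs) {
+for (String extension : extensions) {
+if (filePath.toString().endsWith("."
++ extension)) {
+files.add(filePath.toFile());
+break;
+}
+}
+return FileVisitResult.CONTINUE;
+}
+
+@Override
+public FileVisitResult visitFileFailed(Path file, IOException exc) {
+return FileVisitResult.CONTINUE;
+}
+};
+
+try {
+Files.walkFileTree(root, visitor);
+} catch (IOException e) {
+// we already ignore errors in the visitor
+}
+
+return files;
+}
+
+}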
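Review bot: The empty `catch (IOException e)` around `Files.walkFileTree` in `getFilesRecursively` is reachable despite `visitFileFailed` returning CONTINUE: `SimpleFileVisitor.postVisitDirectory` rethrows directory-iteration errors, and when that happens the method returns a partial jar list and the verifier runs with an incomplete class path, which shows up later as confusing semantic-resolution failures rather than as an I/O error. Since `getClassPath` already fails fast with an `AssertionError` for a missing directory, be consistent here: `throw new AssertionError("Failed to walk " + root.toAbsolutePath(), e);`, and drop the misleading `// we already ignore errors in the visitor` comment. Separately, `new LinkedList<>()` for `classpath` has no benefit over `new ArrayList<>()`, and the `java.nio.file.*` wildcard import can be narrowed to the six types actually used (`FileVisitResult`, `FileVisitor`, `Files`, `Path`, `Paths`, `SimpleFileVisitor`).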