sonarqube插件基础框架

wuhaoyang
Guo XIn 11 months ago
commit 2ab2551735
  1. 38
      .gitignore
  2. 6
      .gitmodules
  3. 35
      pom.xml
  4. 30
      sonar-dependencies/pom.xml
  5. 1
      sonar-dependencies/sonar-cxx
  6. 1
      sonar-dependencies/sonar-java
  7. 22
      sonar-keyware-plugins/pom.xml
  8. BIN
      sonar-keyware-plugins/sonar-keyware-plugins-cxx/libs/cxx-sslr-toolkit-2.1.1.488.jar
  9. BIN
      sonar-keyware-plugins/sonar-keyware-plugins-cxx/libs/sonar-cxx-plugin-2.1.1.488.jar
  10. 155
      sonar-keyware-plugins/sonar-keyware-plugins-cxx/pom.xml
  11. 25
      sonar-keyware-plugins/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSecurityDesignRulesPlugin.java
  12. 108
      sonar-keyware-plugins/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/CxxSecurityDesignRulesRepository.java
  13. 39
      sonar-keyware-plugins/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/DemoChecker.java
  14. 4
      sonar-keyware-plugins/sonar-keyware-plugins-cxx/src/main/resources/license-header.txt
  15. 244
      sonar-keyware-plugins/sonar-keyware-plugins-java/pom.xml
  16. 29
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java
  17. 45
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaFileCheckRegistrar.java
  18. 87
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java
  19. 54
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
  20. 40
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
  21. 4
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/resources/license-header.txt
  22. 9
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ABCVarNameChecker.html
  23. 13
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ABCVarNameChecker.json
  24. 11
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/test/files/ABCVarNameRule.java
  25. 55
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java
  26. 63
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaFileCheckRegistrarTest.java
  27. 65
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepositoryTest.java
  28. 36
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/ABCVarNameCheckerTest.java
  29. 75
      sonar-keyware-plugins/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/utils/FilesUtils.java

38
.gitignore vendored

@ -0,0 +1,38 @@
target/
!.mvn/wrapper/maven-wrapper.jar
!**/src/main/**/target/
!**/src/test/**/target/
### IntelliJ IDEA ###
.idea/modules.xml
.idea/jarRepositories.xml
.idea/compiler.xml
.idea/libraries/
*.iws
*.iml
*.ipr
### Eclipse ###
.apt_generated
.classpath
.factorypath
.project
.settings
.springBeans
.sts4-cache
### NetBeans ###
/nbproject/private/
/nbbuild/
/dist/
/nbdist/
/.nb-gradle/
build/
!**/src/main/**/build/
!**/src/test/**/build/
### VS Code ###
.vscode/
### Mac OS ###
.DS_Store

6
.gitmodules vendored

@ -0,0 +1,6 @@
[submodule "sonar-dependencies/sonar-cxx"]
path = sonar-dependencies/sonar-cxx
url = https://github.com/SonarOpenCommunity/sonar-cxx.git
[submodule "sonar-dependencies/sonar-java"]
path = sonar-dependencies/sonar-java
url = https://github.com/SonarSource/sonar-java.git

@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.sonarsource.java</groupId>
<artifactId>java</artifactId>
<version>7.30.1.34514</version>
</parent>
<groupId>com.keyware.sonar</groupId>
<artifactId>sonar-keyware</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<properties>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<modules>
<module>sonar-dependencies</module>
<module>sonar-keyware-plugins</module>
</modules>
<dependencyManagement>
<dependencies>
</dependencies>
</dependencyManagement>
<dependencies>
</dependencies>
</project>

@ -0,0 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.keyware.sonar</groupId>
<artifactId>sonar-keyware</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<artifactId>sonar-dependencies</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<modules>
<!--<module>sonar-cxx</module>-->
<module>sonar-java</module>
</modules>
<properties>
</properties>
<dependencyManagement>
<dependencies>
</dependencies>
</dependencyManagement>
</project>

@ -0,0 +1 @@
Subproject commit dd3c88c7343f3a44c5172dc4499b361dda028d85

@ -0,0 +1 @@
Subproject commit 0d3165c6aebe18052b1d97893a2e3da85e6d9b41

@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.keyware.sonar</groupId>
<artifactId>sonar-keyware</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<artifactId>sonar-keyware-plugins</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<modules>
<module>sonar-keyware-plugins-java</module>
<module>sonar-keyware-plugins-cxx</module>
</modules>
</project>

@ -0,0 +1,155 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.keyware.sonar</groupId>
<artifactId>sonar-keyware-plugins</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<name>C++ 信息安全性设计准则</name>
<artifactId>sonar-keyware-plugins-cxx</artifactId>
<version>1.0-SNAPSHOT</version>
<description>用于检查C++源代码的安全性设计准则的Sonarqube插件</description>
<properties>
<java.version>11</java.version>
<commons-io.version>2.15.1</commons-io.version>
<commons-lang.version>2.6</commons-lang.version>
<!-- we depend on API ${sonar.version} but we keep backward compatibility with LTS -->
<sonar.version>9.9.0.65466</sonar.version>
<sonar.plugin.api.version>9.14.0.375</sonar.plugin.api.version>
<sonarQubeMinVersion>8.9</sonarQubeMinVersion>
<gson.version>2.10.1</gson.version>
<guava.version>33.0.0-jre</guava.version>
<jsr305.version>3.0.2</jsr305.version>
<mockito-all.version>1.10.19</mockito-all.version>
<mockito-core.version>5.8.0</mockito-core.version>
<assertj-core.version>3.24.2</assertj-core.version>
<junit-jupiter.version>5.10.1</junit-jupiter.version>
</properties>
<dependencies>
<dependency>
<groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
<artifactId>cxx-sslr-toolkit</artifactId>
<systemPath>${project.basedir}/libs/cxx-sslr-toolkit-2.1.1.488.jar</systemPath>
<version>2.1.1.488</version>
<scope>system</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
<artifactId>sonar-cxx-plugin</artifactId>
<systemPath>${project.basedir}/libs/sonar-cxx-plugin-2.1.1.488.jar</systemPath>
<version>2.1.1.488</version>
<scope>system</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.api.plugin</groupId>
<artifactId>sonar-plugin-api</artifactId>
<version>${sonar.plugin.api.version}</version>
</dependency>
<dependency>
<groupId>org.sonarsource.sonarqube</groupId>
<artifactId>sonar-plugin-api-impl</artifactId>
<version>${sonar.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>${commons-io.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>${commons-lang.version}</version>
</dependency>
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>jsr305</artifactId>
<version>${jsr305.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>${gson.version}</version>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>${mockito-core.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
<version>${assertj-core.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>${junit-jupiter.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>${junit-jupiter.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.sonarsource.sonar-packaging-maven-plugin</groupId>
<artifactId>sonar-packaging-maven-plugin</artifactId>
<configuration>
<sonarQubeMinVersion>${sonarQubeMinVersion}</sonarQubeMinVersion>
</configuration>
</plugin>
<plugin>
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<header>${project.basedir}/src/main/resources/license-header.txt</header>
<!--排除文件-->
<excludes>
<exclude>**/*.properties</exclude>
<exclude>*.sh</exclude>
<exclude>*.yml</exclude>
<exclude>.editorconfig</exclude>
<exclude>.gitignore</exclude>
<exclude>**/*.md</exclude>
<exclude>**/*.xml</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
<resources>
<resource>
<directory>src/main/resources</directory>
<excludes>
<exclude>com/sonar/sqale/cxx-model-project*</exclude>
<exclude>external/*</exclude>
</excludes>
</resource>
</resources>
</build>
</project>

@ -0,0 +1,25 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称C++ 信息安全性设计准则
* 项目描述用于检查C++源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.cxx;
import com.keyware.sonar.cxx.rules.CxxSecurityDesignRulesRepository;
import org.sonar.api.Plugin;
import org.sonar.plugins.cxx.CxxLanguage;
/**
* TODO CxxSecurityDesignRulesPlugin
*
* @author GuoXin
* @date 2024/1/6
*/
public class CxxSecurityDesignRulesPlugin implements Plugin {
@Override
public void define(Context context) {
context.addExtension(CxxLanguage.class);
context.addExtension(CxxSecurityDesignRulesRepository.class);
}
}

@ -0,0 +1,108 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称C++ 信息安全性设计准则
* 项目描述用于检查C++源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.cxx.rules;
import org.sonar.api.SonarEdition;
import org.sonar.api.SonarProduct;
import org.sonar.api.SonarQubeSide;
import org.sonar.api.SonarRuntime;
import org.sonar.api.config.internal.MapSettings;
import org.sonar.api.resources.Language;
import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.api.utils.Version;
import org.sonar.plugins.cxx.CustomCxxRulesDefinition;
import org.sonar.plugins.cxx.CxxLanguage;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
/**
* TODO CxxSecurityDesignRulesRepository
*
* @author GuoXin
* @date 2024/1/6
*/
public class CxxSecurityDesignRulesRepository extends CustomCxxRulesDefinition {
// 不要修改这个值,因为路径在 CheckVerifier 中是硬编码的
private static final String RESOURCE_BASE_PATH = "org/sonar/l10n/java/rules/java";
public static final String REPOSITORY_KEY = "keyware-cxx-security-design";
public static final String REPOSITORY_NAME = "C++ 安全性设计准则";
// 添加需要视为模板规则的规则的规则键
private static final Set<String> RULE_TEMPLATES_KEY = Collections.emptySet();
private final SonarRuntime runtime;
public CxxSecurityDesignRulesRepository(SonarRuntime runtime) {
this.runtime = runtime;
}
@Override
public void define(RulesDefinition.Context context) {
RulesDefinition.NewRepository repository = context.createRepository(REPOSITORY_KEY, "cxx").setName(REPOSITORY_NAME);
setTemplates(repository);
repository.done();
}
@Override
public Language getLanguage() {
return new CxxLanguage(new MapSettings().asConfig());
}
@Override
public String repositoryName() {
return REPOSITORY_NAME;
}
@Override
public String repositoryKey() {
return REPOSITORY_KEY;
}
@Override
public Class[] checkClasses() {
return new Class[0];
}
private static void setTemplates(RulesDefinition.NewRepository repository) {
RULE_TEMPLATES_KEY.stream()
.map(repository::rule)
.filter(Objects::nonNull)
.forEach(rule -> rule.setTemplate(true));
}
public static class MockedSonarRuntime implements SonarRuntime {
@Override
public Version getApiVersion() {
return Version.create(9, 9);
}
@Override
public SonarProduct getProduct() {
return SonarProduct.SONARQUBE;
}
@Override
public SonarQubeSide getSonarQubeSide() {
return SonarQubeSide.SCANNER;
}
@Override
public SonarEdition getEdition() {
return SonarEdition.COMMUNITY;
}
}
}

@ -0,0 +1,39 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称C++ 信息安全性设计准则
* 项目描述用于检查C++源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.cxx.rules.checkers;
import com.sonar.cxx.sslr.api.AstNode;
import com.sonar.cxx.sslr.api.Grammar;
import org.sonar.check.Priority;
import org.sonar.check.Rule;
import org.sonar.cxx.parser.CxxGrammarImpl;
import org.sonar.cxx.squidbridge.SquidAstVisitor;
import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
/**
* TODO DemoChecker
*
* @author GuoXin
* @date 2024/1/6
*/
@Rule(key = "DemoChecker", name = "DemoChecker", description = "DemoChecker", priority = Priority.INFO, tags = {"28Suo"})
@ActivatedByDefault
@SqaleConstantRemediation("5min")
public class DemoChecker extends SquidAstVisitor<Grammar> {
@Override
public void init() {
this.subscribeTo(
CxxGrammarImpl.functionDefinition
);
}
@Override
public void visitNode(AstNode astNode) {
super.visitNode(astNode);
}
}

@ -0,0 +1,4 @@
Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
项目名称:${project.name}
项目描述:${project.description}
版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。

@ -0,0 +1,244 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.keyware.sonar</groupId>
<artifactId>sonar-keyware-plugins</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<name>Java 信息安全性设计准则</name>
<artifactId>sonar-keyware-plugins-java</artifactId>
<packaging>sonar-plugin</packaging>
<version>1.0-SNAPSHOT</version>
<description>用于检查Java源代码的安全性设计准则的Sonarqube插件</description>
<properties>
<jacoco.version>0.8.10</jacoco.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>org.sonarsource.java</groupId>
<artifactId>sonar-java-plugin</artifactId>
<version>7.30.1.34514</version>
<type>sonar-plugin</type>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.api.plugin</groupId>
<artifactId>sonar-plugin-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.analyzer-commons</groupId>
<artifactId>sonar-analyzer-commons</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<scope>provided</scope>
</dependency>
<!-- unit tests -->
<dependency>
<groupId>org.sonarsource.api.plugin</groupId>
<artifactId>sonar-plugin-api-test-fixtures</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.sonarqube</groupId>
<artifactId>sonar-plugin-api-impl</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.java</groupId>
<artifactId>test-classpath-reader</artifactId>
<version>7.30.1.34514</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.java</groupId>
<artifactId>java-checks-testkit</artifactId>
<version>7.30.1.34514</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-migrationsupport</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.sonarsource.sonar-packaging-maven-plugin</groupId>
<artifactId>sonar-packaging-maven-plugin</artifactId>
<extensions>true</extensions>
<configuration>
<pluginKey>keyware-java-plugin</pluginKey>
<pluginName>Java 安全性设计准则</pluginName>
<pluginClass>com.keyware.sonar.java.JavaSecurityDesignRulesPlugin</pluginClass>
<sonarLintSupported>true</sonarLintSupported>
<skipDependenciesPackaging>true</skipDependenciesPackaging>
<pluginApiMinVersion>9.14.0.375</pluginApiMinVersion>
<requirePlugins>java:${project.version}</requirePlugins>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<configuration>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>11</source>
<target>11</target>
</configuration>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<executions>
<execution>
<id>prepare-agent</id>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<goals>
<goal>report</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- only required to run UT - these are UT dependencies -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy</id>
<phase>test-compile</phase>
<goals>
<goal>copy</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.30</version>
<type>jar</type>
</artifactItem>
<artifactItem>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.0</version>
<type>jar</type>
</artifactItem>
<artifactItem>
<groupId>javax</groupId>
<artifactId>javaee-api</artifactId>
<version>6.0</version>
<type>jar</type>
</artifactItem>
<artifactItem>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.3.3.RELEASE</version>
<type>jar</type>
</artifactItem>
<artifactItem>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>4.3.3.RELEASE</version>
<type>jar</type>
</artifactItem>
<artifactItem>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.3.3.RELEASE</version>
<type>jar</type>
</artifactItem>
<artifactItem>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.2</version>
<type>jar</type>
</artifactItem>
</artifactItems>
<outputDirectory>${project.build.directory}/test-jars</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<header>${project.basedir}/src/main/resources/license-header.txt</header>
<!--排除文件-->
<excludes>
<exclude>**/*.properties</exclude>
<exclude>*.sh</exclude>
<exclude>*.yml</exclude>
<exclude>.editorconfig</exclude>
<exclude>.gitignore</exclude>
<exclude>**/*.md</exclude>
<exclude>**/*.xml</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>

@ -0,0 +1,29 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java;
import com.keyware.sonar.java.rules.JavaFileCheckRegistrar;
import com.keyware.sonar.java.rules.JavaSecurityDesignRulesRepository;
import org.sonar.api.Plugin;
/**
* Java 安全性设计准则插件
*
* @author GuoXin
* @date 2024/1/6
*/
public class JavaSecurityDesignRulesPlugin implements Plugin {
@Override
public void define(Context context) {
// 服务器扩展 - >对象在服务器启动期间实例化
context.addExtension(JavaSecurityDesignRulesRepository.class);
// 批处理扩展 - >对象在代码分析期间实例化
context.addExtension(JavaFileCheckRegistrar.class);
}
}

@ -0,0 +1,45 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules;
import org.sonar.plugins.java.api.CheckRegistrar;
import org.sonar.plugins.java.api.JavaCheck;
import org.sonarsource.api.sonarlint.SonarLintSide;
import java.util.List;
/**
* 负责将java规则检查器注册到SonarQube中
*
* @author GuoXin
* @date 2024/1/6
*/
@SonarLintSide
public class JavaFileCheckRegistrar implements CheckRegistrar {
/**
* 注册将用于在分析期间实例化检查的类
*/
@Override
public void register(RegistrarContext registrarContext) {
// 调用 registerClassesForRepository 以将类与正确的存储库密钥相关联
registrarContext.registerClassesForRepository(JavaSecurityDesignRulesRepository.REPOSITORY_KEY, checkClasses(), testCheckClasses());
}
/**
* 列出插件提供的所有主检查器
*/
public static List<Class<? extends JavaCheck>> checkClasses() {
return RulesList.getJavaChecks();
}
/**
* 列出插件提供的所有测试检查器
*/
public static List<Class<? extends JavaCheck>> testCheckClasses() {
return RulesList.getJavaTestChecks();
}
}

@ -0,0 +1,87 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules;
import org.sonar.api.SonarEdition;
import org.sonar.api.SonarProduct;
import org.sonar.api.SonarQubeSide;
import org.sonar.api.SonarRuntime;
import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.api.utils.Version;
import org.sonarsource.analyzer.commons.RuleMetadataLoader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
/**
* 用于定义出现在规则页面中规则的元数据
*
* @author GuoXin
* @date 2024/1/6
*/
public class JavaSecurityDesignRulesRepository implements RulesDefinition {
// 不要修改这个值,因为路径在 CheckVerifier 中是硬编码的
private static final String RESOURCE_BASE_PATH = "org/sonar/l10n/java/rules/java";
public static final String REPOSITORY_KEY = "keyware-java-security-design";
public static final String REPOSITORY_NAME = "Java安全性设计准则";
// 添加需要视为模板规则的规则的规则键
private static final Set<String> RULE_TEMPLATES_KEY = Collections.emptySet();
private final SonarRuntime runtime;
public JavaSecurityDesignRulesRepository(SonarRuntime runtime) {
this.runtime = runtime;
}
@Override
public void define(RulesDefinition.Context context) {
RulesDefinition.NewRepository repository = context.createRepository(REPOSITORY_KEY, "java").setName(REPOSITORY_NAME);
RuleMetadataLoader ruleMetadataLoader = new RuleMetadataLoader(RESOURCE_BASE_PATH, runtime);
ruleMetadataLoader.addRulesByAnnotatedClass(repository, new ArrayList<>(RulesList.getChecks()));
setTemplates(repository);
repository.done();
}
private static void setTemplates(RulesDefinition.NewRepository repository) {
RULE_TEMPLATES_KEY.stream()
.map(repository::rule)
.filter(Objects::nonNull)
.forEach(rule -> rule.setTemplate(true));
}
public static class MockedSonarRuntime implements SonarRuntime {
@Override
public Version getApiVersion() {
return Version.create(9, 9);
}
@Override
public SonarProduct getProduct() {
return SonarProduct.SONARQUBE;
}
@Override
public SonarQubeSide getSonarQubeSide() {
return SonarQubeSide.SCANNER;
}
@Override
public SonarEdition getEdition() {
return SonarEdition.COMMUNITY;
}
}
}

@ -0,0 +1,54 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules;
import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
import org.sonar.plugins.java.api.JavaCheck;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
public final class RulesList {
private RulesList() {
}
public static List<Class<? extends JavaCheck>> getChecks() {
List<Class<? extends JavaCheck>> checks = new ArrayList<>();
checks.addAll(getJavaChecks());
checks.addAll(getJavaTestChecks());
return Collections.unmodifiableList(checks);
}
/**
* These rules are going to target MAIN code only
*/
public static List<Class<? extends JavaCheck>> getJavaChecks() {
return Collections.unmodifiableList(Arrays.asList(
ABCVarNameChecker.class
/*SpringControllerRequestMappingEntityRule.class,
AvoidAnnotationRule.class,
AvoidBrandInMethodNamesRule.class,
AvoidMethodDeclarationRule.class,
AvoidSuperClassRule.class,
AvoidTreeListRule.class,
MyCustomSubscriptionRule.class,
SecurityAnnotationMandatoryRule.class*/
));
}
/**
* These rules are going to target TEST code only
*/
public static List<Class<? extends JavaCheck>> getJavaTestChecks() {
return Collections.unmodifiableList(Arrays.asList(
/*NoIfStatementInTestsRule.class*/
));
}
}

@ -0,0 +1,40 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.ast.visitors.SubscriptionVisitor;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;
import java.util.Collections;
import java.util.List;
/**
* TODO ABCVarNameChecker
*
* @author GuoXin
* @date 2024/1/6
*/
@Rule(key = "ABCVarNameChecker")
public class ABCVarNameChecker extends SubscriptionVisitor {
@Override
public List<Tree.Kind> nodesToVisit() {
return Collections.singletonList(
Tree.Kind.VARIABLE
);
}
@Override
public void visitNode(Tree tree) {
VariableTree node = (VariableTree) tree;
if (node.simpleName().name().matches("ABC")) {
context.reportIssue(this, node.simpleName(), "不能使用ABC作为变量名");
}
}
}

@ -0,0 +1,4 @@
Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
项目名称:${project.name}
项目描述:${project.description}
版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。

@ -0,0 +1,9 @@
<p>不能使用ABC作为变量名</p>
<h2>不能使用ABC作为变量名</h2>
<pre>
</pre>
<h2>合规解决方案</h2>
<pre>
</pre>

@ -0,0 +1,13 @@
{
"title": "不能使用ABC作为变量名",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"28suo"
],
"defaultSeverity": "Minor"
}

@ -0,0 +1,11 @@
class VarNameRule{
private static String ABC = "abc"; // Noncompliant {{不能使用ABC作为变量名}}
private static String edf = "edf";
public String getABC(){
return ABC;
}
public void test(){
System.out.println(ABC);
}
}

@ -0,0 +1,55 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java;
import org.junit.jupiter.api.Test;
import org.sonar.api.*;
import org.sonar.api.utils.Version;
import static org.assertj.core.api.Assertions.assertThat;
/**
* TODO JavaSecurityDesignRulesPluginTest
*
* @author GuoXin
* @date 2024/1/6
*/
public class JavaSecurityDesignRulesPluginTest {
@Test
void testName() {
Plugin.Context context = new Plugin.Context(new MockedSonarRuntime());
new JavaSecurityDesignRulesPlugin().define(context);
assertThat(context.getExtensions())
.extracting(ext -> ((Class) ext).getSimpleName())
.containsExactlyInAnyOrder("JavaSecurityDesignRulesRepository", "JavaFileCheckRegistrar");
}
public static class MockedSonarRuntime implements SonarRuntime {
@Override
public Version getApiVersion() {
return Version.create(9, 9);
}
@Override
public SonarProduct getProduct() {
return SonarProduct.SONARQUBE;
}
@Override
public SonarQubeSide getSonarQubeSide() {
return SonarQubeSide.SCANNER;
}
@Override
public SonarEdition getEdition() {
return SonarEdition.COMMUNITY;
}
}
}

@ -0,0 +1,63 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules;
import org.junit.jupiter.api.Test;
import org.sonar.api.rule.RuleKey;
import org.sonar.java.checks.verifier.TestCheckRegistrarContext;
import static org.assertj.core.api.Assertions.assertThat;
/**
* TODO JavaFileCheckRegistrarTest
*
* @author GuoXin
* @date 2024/1/6
*/
public class JavaFileCheckRegistrarTest {
@Test
void checkRegisteredRulesKeysAndClasses() {
TestCheckRegistrarContext context = new TestCheckRegistrarContext();
JavaFileCheckRegistrar registrar = new JavaFileCheckRegistrar();
registrar.register(context);
assertThat(context.mainRuleKeys).extracting(RuleKey::toString).containsExactly(
/*"mycompany-java:SpringControllerRequestMappingEntity",
"mycompany-java:AvoidAnnotation",
"mycompany-java:AvoidBrandInMethodNames",
"mycompany-java:AvoidMethodDeclaration",
"mycompany-java:AvoidSuperClass",
"mycompany-java:AvoidTreeList",
"mycompany-java:AvoidMethodWithSameTypeInArgument",
"mycompany-java:SecurityAnnotationMandatory"*/
"keyware-java-security-design:ABCVarNameChecker"
);
assertThat(context.mainCheckClasses).extracting(Class::getSimpleName).containsExactly(
/*"SpringControllerRequestMappingEntityRule",
"AvoidAnnotationRule",
"AvoidBrandInMethodNamesRule",
"AvoidMethodDeclarationRule",
"AvoidSuperClassRule",
"AvoidTreeListRule",
"MyCustomSubscriptionRule",
"SecurityAnnotationMandatoryRule"*/
"ABCVarNameChecker"
);
assertThat(context.testRuleKeys).extracting(RuleKey::toString).containsExactly(
/*"mycompany-java:NoIfStatementInTests"*/
);
assertThat(context.testCheckClasses).extracting(Class::getSimpleName).containsExactly(
/*"NoIfStatementInTestsRule"*/
);
}
}

@ -0,0 +1,65 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules;
import org.junit.jupiter.api.Test;
import org.sonar.api.rules.RuleType;
import org.sonar.api.server.debt.DebtRemediationFunction;
import org.sonar.api.server.rule.RuleParamType;
import org.sonar.api.server.rule.RulesDefinition;
import static org.assertj.core.api.Assertions.assertThat;
/**
* TODO JavaSecurityDesignRulesRepositoryTest
*
* @author GuoXin
* @date 2024/1/6
*/
public class JavaSecurityDesignRulesRepositoryTest {
@Test
void test() {
JavaSecurityDesignRulesRepository rulesDefinition = new JavaSecurityDesignRulesRepository(new JavaSecurityDesignRulesRepository.MockedSonarRuntime());
RulesDefinition.Context context = new RulesDefinition.Context();
rulesDefinition.define(context);
RulesDefinition.Repository repository = context.repository(JavaSecurityDesignRulesRepository.REPOSITORY_KEY);
assertThat(repository.name()).isEqualTo(JavaSecurityDesignRulesRepository.REPOSITORY_NAME);
assertThat(repository.language()).isEqualTo("java");
assertThat(repository.rules()).hasSize(RulesList.getChecks().size());
assertThat(repository.rules().stream().filter(RulesDefinition.Rule::template)).isEmpty();
//assertRuleProperties(repository);
// assertParameterProperties(repository);
// assertAllRuleParametersHaveDescription(repository);
}
private static void assertParameterProperties(RulesDefinition.Repository repository) {
RulesDefinition.Param max = repository.rule("AvoidAnnotation").param("name");
assertThat(max).isNotNull();
assertThat(max.defaultValue()).isEqualTo("Inject");
assertThat(max.description()).isEqualTo("Name of the annotation to avoid, without the prefix @, for instance 'Override'");
assertThat(max.type()).isEqualTo(RuleParamType.STRING);
}
private static void assertRuleProperties(RulesDefinition.Repository repository) {
RulesDefinition.Rule rule = repository.rule("AvoidAnnotation");
assertThat(rule).isNotNull();
assertThat(rule.name()).isEqualTo("Title of AvoidAnnotation");
assertThat(rule.debtRemediationFunction().type()).isEqualTo(DebtRemediationFunction.Type.CONSTANT_ISSUE);
assertThat(rule.type()).isEqualTo(RuleType.CODE_SMELL);
}
private static void assertAllRuleParametersHaveDescription(RulesDefinition.Repository repository) {
for (RulesDefinition.Rule rule : repository.rules()) {
for (RulesDefinition.Param param : rule.params()) {
assertThat(param.description()).as("description for " + param.key()).isNotEmpty();
}
}
}
}

@ -0,0 +1,36 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import com.keyware.sonar.java.utils.FilesUtils;
import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier;
/**
* TODO ABCVarNameCheckerTest
*
* @author GuoXin
* @date 2024/1/6
*/
public class ABCVarNameCheckerTest {
@Test
void detected() {
ABCVarNameChecker rule = new ABCVarNameChecker();
// Verifies that the check will raise the adequate issues with the expected message.
// In the test file, lines which should raise an issue have been commented out
// by using the following syntax: "// Noncompliant {{EXPECTED_MESSAGE}}"
CheckVerifier.newVerifier()
.onFile("src/test/files/ABCVarNameRule.java")
.withCheck(rule)
.withClassPath(FilesUtils.getClassPath("target/test-jars"))
.verifyIssues();
}
}

@ -0,0 +1,75 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.utils;
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
/**
* Duplicates org.sonar.java.checks.verifier.FilesUtils to locate test jars within the custom-rules plugin
*/
public class FilesUtils {
private FilesUtils() {
}
/**
* Default location of the jars/zips to be taken into account when performing the analysis.
*/
private static final String DEFAULT_TEST_JARS_DIRECTORY = "target/test-jars";
public static List<File> getClassPath(String jarsDirectory) {
List<File> classpath = new LinkedList<>();
Path testJars = Paths.get(jarsDirectory);
if (testJars.toFile().exists()) {
classpath = getFilesRecursively(testJars, "jar", "zip");
} else if (!DEFAULT_TEST_JARS_DIRECTORY.equals(jarsDirectory)) {
throw new AssertionError("The directory to be used to extend class path does not exists ("
+ testJars.toAbsolutePath()
+ ").");
}
classpath.add(new File("target/test-classes"));
return classpath;
}
private static List<File> getFilesRecursively(Path root, String... extensions) {
final List<File> files = new ArrayList<>();
FileVisitor<Path> visitor = new SimpleFileVisitor<Path>() {
@Override
public FileVisitResult visitFile(Path filePath, BasicFileAttributes attrs) {
for (String extension : extensions) {
if (filePath.toString().endsWith("."
+ extension)) {
files.add(filePath.toFile());
break;
}
}
return FileVisitResult.CONTINUE;
}
@Override
public FileVisitResult visitFileFailed(Path file, IOException exc) {
return FileVisitResult.CONTINUE;
}
};
try {
Files.walkFileTree(root, visitor);
} catch (IOException e) {
// we already ignore errors in the visitor
}
return files;
}
}
Loading…
Cancel
Save