diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java
index 926ffef..b1cf710 100644
--- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java
@@ -68,7 +68,7 @@ public class ErrorMessageChecker extends SquidCheck {
 //判断参数列表是否包含违规参数
 for(AstNode chil : children){
 if("IDENTIFIER".equals(chil.getName())){
- if(lists.contains(chil.getTokenValue())){
+ if(lists.contains(chil.getTokenValue().toLowerCase())){
 getContext().createLineViolation(this,"抛出异常消息不得包含敏感信息",chil);
 }
 }
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ErrorMessageChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ErrorMessageChecker.java
index bca6e48..fb3264c 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ErrorMessageChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ErrorMessageChecker.java
@@ -58,7 +58,7 @@ public class ErrorMessageChecker extends IssuableSubscriptionVisitor {
 //判断参数是否是违规参数
 @Override
 public void visitIdentifier(IdentifierTree tree) {
- if(lists.contains(tree.name())){
+ if(lists.contains(tree.name().toLowerCase())){
 checker.context.reportIssue(checker, tree, "错误消息中不得包含敏感信息");
 }
 }
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyChecker.java
new file mode 100644
index 0000000..6146324
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyChecker.java
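Review bot: The added `chil.getTokenValue().toLowerCase()` uses the JVM default locale, so on an analyzer running under e.g. a Turkish locale an identifier containing `I` lowercases to a dotless form and silently fails the list lookup; use `toLowerCase(Locale.ROOT)` — `if(lists.contains(chil.getTokenValue().toLowerCase(Locale.ROOT))){` (with `java.util.Locale` imported). The lookup also only works if every entry in `lists` is itself lower-case; `lists` is declared outside this hunk, so confirm the entries were normalised there as well. The enclosing method starts and ends outside the hunk.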
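Review bot: Same locale issue as the C++ twin: `tree.name().toLowerCase()` should be `tree.name().toLowerCase(Locale.ROOT)` so the match does not depend on the host locale of the SonarQube scanner. Separately, `visitIdentifier` has no guard on what kind of identifier `tree` is, so a type name, method name or field selector equal to a list entry is reported as if it were an argument; if that is unintended, check `tree.parent()` or drive the visitor over the invocation's `arguments()` only. The enclosing visitor class continues outside the hunk.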
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.java.model.expression.IdentifierTreeImpl;
+import org.sonar.java.model.expression.MemberSelectExpressionTreeImpl;
+import org.sonar.java.model.expression.MethodInvocationTreeImpl;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.*;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * 发送信息规则检查
+ * 检测类似发送信息的函数中的参数是否敏感信息,如敏感信息的字段
+ * 1.获取到方法调用节点
+ * 2.
+ *
+ * @author RenFengJiang
+ * @date 2024/1/20
+ */
+@Rule(key = "SendMessageVerifyChecker")
+public class SendMessageVerifyChecker extends IssuableSubscriptionVisitor {
+
+ private static List lists = new ArrayList<>(){{
+ add("weapon");
+ add("unit");
+ add("param");
+ }};
+
+ @Override
+ public List nodesToVisit() {
+ /**
+ * Tree.Kind.METHOD:方法节点
+ * Tree.Kind.BLOCK:方法的代码块节点
+ * Tree.Kind.METHOD_INVOCATION: 方法的调用节点
+ */
+ return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
+ }
+
+ @Override
+ public void visitNode(Tree tree) {
+ MethodInvocationTreeImpl methodInvocationTree = (MethodInvocationTreeImpl) tree;
+ ExpressionTree expressionTree = methodInvocationTree.methodSelect();
+ if(expressionTree instanceof IdentifierTreeImpl){
+ IdentifierTreeImpl identifierTree = (IdentifierTreeImpl) expressionTree;
+ //判断方法是否是方法调用的节点
+ if(identifierTree.name().toLowerCase().contains("send")){
+ IdenVisitor idenVisitor = new IdenVisitor(this);
+ methodInvocationTree.accept(idenVisitor);
+ }
+ }
+ }
+
+ class IdenVisitor extends BaseTreeVisitor {
+ private final SendMessageVerifyChecker checker;
+ public IdenVisitor(SendMessageVerifyChecker checker){
+ this.checker = checker;
+ }
+
+ //判断参数是否是违规参数
+ @Override
+ public void visitIdentifier(IdentifierTree tree) {
+ if(lists.contains(tree.name().toLowerCase())){
+ checker.context.reportIssue(checker, tree, "发送信息规则检查");
+ }
+ }
+
+ }
+
+}
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SendMessageVerifyChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SendMessageVerifyChecker.html
new file mode 100644
index 0000000..542aeb3
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SendMessageVerifyChecker.html
@@ -0,0 +1,16 @@
+
+
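Review bot: `visitNode` only follows `methodSelect()` when it is an `IdentifierTreeImpl`, i.e. an unqualified call like `send(x)`; every qualified call — `socket.send(x)`, `client.sendMessage(x)`, which is how real transmission APIs are invoked — has a `MEMBER_SELECT` select and is never inspected, so the rule yields false negatives on exactly the traffic it targets (the unused `MemberSelectExpressionTreeImpl` import suggests this branch was intended). The casts to `org.sonar.java.model.*Impl` classes also tie the check to sonar-java internals; `Tree.is(Kind)` plus the public `org.sonar.plugins.java.api.tree` interfaces (already star-imported) do the same job, and `toLowerCase()` should take `Locale.ROOT` so matching is not host-locale dependent. Walking only `arguments()` rather than the whole invocation keeps the receiver and method name out of the sensitive-identifier scan, which is what the `lists` lookup is meant to cover. Finally, the issue text `"发送信息规则检查"` is the rule title, not a description of the problem; something like `"发送的消息中不得包含敏感信息"` tells the developer what to fix. The rewrite below needs `import java.util.Locale;` added to the import block.
```java
@Override
public void visitNode(Tree tree) {
    MethodInvocationTree invocation = (MethodInvocationTree) tree;
    ExpressionTree select = invocation.methodSelect();
    // Resolve the called method's name for both `send(x)` and `obj.send(x)`.
    IdentifierTree methodName = null;
    if (select.is(Tree.Kind.IDENTIFIER)) {
        methodName = (IdentifierTree) select;
    } else if (select.is(Tree.Kind.MEMBER_SELECT)) {
        methodName = ((MemberSelectExpressionTree) select).identifier();
    }
    if (methodName != null && methodName.name().toLowerCase(Locale.ROOT).contains("send")) {
        // Only the arguments carry data out; receiver and method name are not payload.
        for (ExpressionTree argument : invocation.arguments()) {
            argument.accept(new IdenVisitor(this));
        }
    }
}
// … unchanged: IdenVisitor (apply Locale.ROOT to its toLowerCase() as well) …
```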

发送信息规则检查

+

检测类似发送信息的函数中的参数是否敏感信息,如敏感信息的字段

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SendMessageVerifyChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SendMessageVerifyChecker.json
new file mode 100644
index 0000000..3200c8c
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SendMessageVerifyChecker.json
@@ -0,0 +1,13 @@
+{
+ "title": "发送信息规则检查",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Minor"
+}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/SendMessageVerifyRule.java b/sonar-keyware-plugins-java/src/test/files/SendMessageVerifyRule.java
new file mode 100644
index 0000000..9911873
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/SendMessageVerifyRule.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+public class SendMessageVerifyRule {
+ public static void sendName(String name) {
+ try {
+ ServerSocket ss = new ServerSocket(6666); //建立服务器Socket并绑定端口
+ Socket s = ss.accept();//建立连接
+ DataOutputStream dout = new DataOutputStream(s.getOutputStream());
+ dout.writeUTF(name);//编辑要发送的消息
+ dout.flush();
+ dout.close();
+ ss.close();
+ } catch(Exception e) {
+ System.out.println(e);
+ }
+ }
+
+ public static void main(String[] args){
+ String weapon = "ssss";
+ sendName(weapon );// Noncompliant {{发送信息规则检查}}
+ }
+}
\ No newline at end of file
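Review bot: The rule is registered as `"type": "CODE_SMELL"` with `"defaultSeverity": "Minor"`, yet what the checker reports is sensitive data handed to a send-like call — a confidentiality finding, not a maintainability one. Under SonarQube's taxonomy that belongs to `VULNERABILITY`, or `SECURITY_HOTSPOT` given that the identifier-name heuristic needs a human to confirm; as a `CODE_SMELL` it is routinely excluded from security quality gates and reports. Change the line to `"type": "SECURITY_HOTSPOT",` (or `VULNERABILITY` with a `Major` default) so the finding surfaces where security reviewers look. The escaped slash in `"Constant\/Issue"` is harmless but unnecessary in JSON.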
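Review bot: The fixture exercises a single unqualified call, `sendName(weapon )`, and has no `// Compliant` line, so it cannot distinguish a checker that inspects `obj.send(...)` from one that does not, nor one that reports every identifier from one that reports only list words. Add a qualified noncompliant case and a compliant one next to the existing call, e.g. `SendMessageVerifyRule.sendName(weapon); // Noncompliant` and `sendName("fixed text"); // Compliant`. The fixture also references `ServerSocket`, `Socket` and `DataOutputStream` without imports; the Sonar verifier tolerates unresolved types, but importing `java.net.*`/`java.io.*` keeps the semantic model complete when `withClassPath` is used.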
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyCheckerTest.java
new file mode 100644
index 0000000..59f7395
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyCheckerTest.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ * TODO SendMessageVerifyCheckerTest
+ *
+ * @author RenFengJiang
+ * @date 2024/1/20
+ */
+public class SendMessageVerifyCheckerTest {
+
+ @Test
+ public void test(){
+ CheckVerifier.newVerifier()
+ .onFile("src/test/files/SendMessageVerifyRule.java")
+ .withCheck(new SendMessageVerifyChecker())
+ .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+ .verifyIssues();
+ }
+}
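Review bot: The class Javadoc is a placeholder (`TODO SendMessageVerifyCheckerTest`) and the single `test()` only proves that the one `// Noncompliant` marker in the fixture fires; a checker that flagged every identifier passed to any call would pass this suite unchanged. Replace the placeholder with a one-line summary such as `Verifies that SendMessageVerifyChecker reports sensitive identifiers passed to send-like calls and is silent on other code.` and add a negative test against a fixture containing no list words, so false positives are caught. The second method below assumes a `src/test/files/SendMessageVerifyRuleCompliant.java` fixture is added alongside.
```java
@Test
public void reportsNothingOnCompliantCode() {
    CheckVerifier.newVerifier()
        .onFile("src/test/files/SendMessageVerifyRuleCompliant.java")
        .withCheck(new SendMessageVerifyChecker())
        .withClassPath(FilesUtils.getClassPath("target/test-jars"))
        .verifyNoIssues();
}
// … unchanged: existing test() …
```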