diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java new file mode 100644 index 0000000..f2a6028 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java @@ -0,0 +1,60 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java; + +import org.sonar.api.config.Configuration; +import org.sonar.api.config.PropertyDefinition; +import org.sonar.api.resources.AbstractLanguage; +import org.sonar.api.resources.Qualifiers; + +import java.util.Arrays; +import java.util.List; + +import static java.util.Arrays.asList; + +public class ConfigurationFileLanguage extends AbstractLanguage { + + public static final String NAME = "Configuration"; + public static final String KEY = "cfg"; + public static final String FILE_SUFFIXES_KEY = "sonar.disposition.file.suffixes"; + public static final String FILE_SUFFIXES_DEFAULT_VALUE = ".properties,.ini,.conf"; + + private final Configuration config; + + public ConfigurationFileLanguage(Configuration config) { + super(KEY, NAME); + this.config = config; + } + + @Override + public String[] getFileSuffixes() { + String[] suffixes = config.getStringArray(FILE_SUFFIXES_KEY); + + if (suffixes == null || suffixes.length == 0) { + return FILE_SUFFIXES_DEFAULT_VALUE.split(","); + } + + // 修剪空格和小写后缀 + return Arrays.stream(suffixes) + .map(String::trim) + .map(String::toLowerCase) + .toArray(String[]::new); + } + + public static List getProperties() { + return asList( + PropertyDefinition.builder(FILE_SUFFIXES_KEY) + .multiValues(true) + .defaultValue(FILE_SUFFIXES_DEFAULT_VALUE) + .category("FileType") + .name("File Suffixes") + .description("List of suffixes for files to analyze.") + .onQualifiers(Qualifiers.PROJECT) + .build() + ); + } +} diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java new file mode 100644 index 0000000..ff710a2 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java @@ -0,0 +1,149 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules.checkers; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.batch.sensor.issue.NewIssue; +import org.sonar.api.rule.RuleKey; +import org.sonar.check.Rule; + +import java.io.*; +import java.util.Properties; +import java.util.Scanner; + + +/** + * TODO ConfigurationFileChecker + * + * @author WuHaoYang + * @date 2024/1/22 + */ +@Rule(key = "ConfigurationFileChecker") +public class ConfigurationFileChecker { + + + public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){ + //文件名称 + String filename = inputFile.filename(); + System.out.println("[ConfigurationFileChecker]>>>>>" + filename); + + //校验文件后缀 + if (filename.endsWith(".properties")) { + try { + File file = new File(inputFile.absolutePath()); + try (Scanner scanner = new Scanner(file)) { + int lineNum = 1; + while (scanner.hasNextLine()) { + String line = scanner.nextLine(); + if (line.contains("password")) { + System.out.println(line); + NewIssue newIssue = context.newIssue(); + newIssue + .forRule(ruleKey) + .at(newIssue.newLocation() + .on(inputFile) + .at(inputFile.selectLine(lineNum))) + .save(); + break; + } + lineNum ++; + } + } + } catch (FileNotFoundException e) { + System.out.println("文件未找到: " + e.getMessage()); + } + } + + + if (filename.endsWith(".ini")){ + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + File absoluteFile = file1.getAbsoluteFile(); + + // 构建目录路径 + File folder = new File(String.valueOf(absoluteFile)).getParentFile(); + System.out.println("---------------ini文件路径----------------"+folder); + File[] listOfFiles = folder.listFiles(); + + int lineNum = 1; + for (File file : listOfFiles) { + if (file.isFile() && file.getName().endsWith(".ini")) { + Properties properties = new Properties(); + + try (FileInputStream fileInput = new FileInputStream(file)) { + properties.load(fileInput); + String password = properties.getProperty("password"); + System.out.println("password=" + password); + NewIssue newIssue = context.newIssue(); + newIssue + .forRule(ruleKey) + .at(newIssue.newLocation() + .on(inputFile) + .at(inputFile.selectLine(lineNum))) + .save(); + } catch (IOException e) { + e.printStackTrace(); + } + } + lineNum++; + } + } + + + + if (filename.endsWith(".conf")){ + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + File absoluteFile = file1.getAbsoluteFile(); + + // 构建目录路径 + File folder = new File(String.valueOf(absoluteFile)).getParentFile(); + + System.out.println("---------------conf文件路径----------------"+folder); + + File[] listOfFiles = folder.listFiles((dir, name) -> name.endsWith(".conf")); + + int lineNum = 1; + for (File file : listOfFiles) { + if (file.isFile()) { + Properties prop = new Properties(); + InputStream input = null; + + try { + input = new FileInputStream(file); + prop.load(input); + + if (prop.containsKey("password")) { + System.out.println("password="+ prop.getProperty("password")); + NewIssue newIssue = context.newIssue(); + newIssue + .forRule(ruleKey) + .at(newIssue.newLocation() + .on(inputFile) + .at(inputFile.selectLine(lineNum))) + .save(); + } + + } catch (IOException ex) { + ex.printStackTrace(); + } finally { + if (input != null) { + try { + input.close(); + } catch (IOException e) { + e.printStackTrace(); + } + } + } + } + lineNum++; + } + } + } + +} diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html new file mode 100644 index 0000000..7f14d75 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html @@ -0,0 +1,9 @@ +

禁止在容易受攻击的地方明文存储口令密码

+

禁止在容易受攻击的地方明文存储口令密码,如果需要,考虑存储口令的单向加密散列,以替代明文口令存储。

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json new file mode 100644 index 0000000..cf2fffc --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json @@ -0,0 +1,13 @@ +{ + "title": "禁止在容易受攻击的地方明文存储口令密码", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "28suo" + ], + "defaultSeverity": "Minor" +} \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.conf b/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.conf new file mode 100644 index 0000000..662d821 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.conf @@ -0,0 +1,2 @@ +# 这是一个conf配置文件 +password = yourpassword \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.ini b/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.ini new file mode 100644 index 0000000..c57ef7f --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.ini @@ -0,0 +1,3 @@ +[UserCredentials] +username = exampleUser +password = examplePassword \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.properties b/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.properties new file mode 100644 index 0000000..ed2cc37 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.properties @@ -0,0 +1,2 @@ +# ConfigurationFileChecker.properties +password=abc123 \ No newline at end of file