sonarqube-plugins
/
sonar-keyware
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

新家准则:禁止在容易受攻击的地方明文存储口令密码,如果需要,考虑存储口令的单向加密散列,以替代明文口令存储。(ini,properties,conf)

Browse Source
wuhaoyang
wuhaoyang 1 year ago
parent 0061c15772
commit 3818b0832d
7 changed files with 238 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 60
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java
  2. 149
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java
  3. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html
  4. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json
  5. 2
      sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.conf
  6. 3
      sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.ini
  7. 2
      sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.properties

60
sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java
Unescape View File

@ -0,0 +1,60 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称信息安全性设计准则检查插件
* 项目描述用于检查源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java;
import org.sonar.api.config.Configuration;
import org.sonar.api.config.PropertyDefinition;
import org.sonar.api.resources.AbstractLanguage;
import org.sonar.api.resources.Qualifiers;
import java.util.Arrays;
import java.util.List;
import static java.util.Arrays.asList;
public class ConfigurationFileLanguage extends AbstractLanguage {
public static final String NAME = "Configuration";
public static final String KEY = "cfg";
public static final String FILE_SUFFIXES_KEY = "sonar.disposition.file.suffixes";
public static final String FILE_SUFFIXES_DEFAULT_VALUE = ".properties,.ini,.conf";
private final Configuration config;
public ConfigurationFileLanguage(Configuration config) {
super(KEY, NAME);
this.config = config;
}
@Override
public String[] getFileSuffixes() {
String[] suffixes = config.getStringArray(FILE_SUFFIXES_KEY);
if (suffixes == null || suffixes.length == 0) {
return FILE_SUFFIXES_DEFAULT_VALUE.split(",");
}
// 修剪空格和小写后缀
return Arrays.stream(suffixes)
.map(String::trim)
.map(String::toLowerCase)
.toArray(String[]::new);
}
public static List<PropertyDefinition> getProperties() {
return asList(
PropertyDefinition.builder(FILE_SUFFIXES_KEY)
.multiValues(true)
.defaultValue(FILE_SUFFIXES_DEFAULT_VALUE)
.category("FileType")
.name("File Suffixes")
.description("List of suffixes for files to analyze.")
.onQualifiers(Qualifiers.PROJECT)
.build()
);
}
}

149
sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java
Unescape View File

@ -0,0 +1,149 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称信息安全性设计准则检查插件
* 项目描述用于检查源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.issue.NewIssue;
import org.sonar.api.rule.RuleKey;
import org.sonar.check.Rule;
import java.io.*;
import java.util.Properties;
import java.util.Scanner;
/**
* TODO ConfigurationFileChecker
*
* @author WuHaoYang
* @date 2024/1/22
*/
@Rule(key = "ConfigurationFileChecker")
public class ConfigurationFileChecker {
public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){
//文件名称
String filename = inputFile.filename();
System.out.println("[ConfigurationFileChecker]>>>>>" + filename);
//校验文件后缀
if (filename.endsWith(".properties")) {
try {
File file = new File(inputFile.absolutePath());
try (Scanner scanner = new Scanner(file)) {
int lineNum = 1;
while (scanner.hasNextLine()) {
String line = scanner.nextLine();
if (line.contains("password")) {
System.out.println(line);
NewIssue newIssue = context.newIssue();
newIssue
.forRule(ruleKey)
.at(newIssue.newLocation()
.on(inputFile)
.at(inputFile.selectLine(lineNum)))
.save();
break;
}
lineNum ++;
}
}
} catch (FileNotFoundException e) {
System.out.println("文件未找到: " + e.getMessage());
}
}
if (filename.endsWith(".ini")){
// 获取当前输入文件的绝对路径
File file1 = inputFile.file();
File absoluteFile = file1.getAbsoluteFile();
// 构建目录路径
File folder = new File(String.valueOf(absoluteFile)).getParentFile();
System.out.println("---------------ini文件路径----------------"+folder);
File[] listOfFiles = folder.listFiles();
int lineNum = 1;
for (File file : listOfFiles) {
if (file.isFile() && file.getName().endsWith(".ini")) {
Properties properties = new Properties();
try (FileInputStream fileInput = new FileInputStream(file)) {
properties.load(fileInput);
String password = properties.getProperty("password");
System.out.println("password=" + password);
NewIssue newIssue = context.newIssue();
newIssue
.forRule(ruleKey)
.at(newIssue.newLocation()
.on(inputFile)
.at(inputFile.selectLine(lineNum)))
.save();
} catch (IOException e) {
e.printStackTrace();
}
}
lineNum++;
}
}
if (filename.endsWith(".conf")){
// 获取当前输入文件的绝对路径
File file1 = inputFile.file();
File absoluteFile = file1.getAbsoluteFile();
// 构建目录路径
File folder = new File(String.valueOf(absoluteFile)).getParentFile();
System.out.println("---------------conf文件路径----------------"+folder);
File[] listOfFiles = folder.listFiles((dir, name) -> name.endsWith(".conf"));
int lineNum = 1;
for (File file : listOfFiles) {
if (file.isFile()) {
Properties prop = new Properties();
InputStream input = null;
try {
input = new FileInputStream(file);
prop.load(input);
if (prop.containsKey("password")) {
System.out.println("password="+ prop.getProperty("password"));
NewIssue newIssue = context.newIssue();
newIssue
.forRule(ruleKey)
.at(newIssue.newLocation()
.on(inputFile)
.at(inputFile.selectLine(lineNum)))
.save();
}
} catch (IOException ex) {
ex.printStackTrace();
} finally {
if (input != null) {
try {
input.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
lineNum++;
}
}
}
}

9
sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html
Unescape View File

@ -0,0 +1,9 @@
<p>禁止在容易受攻击的地方明文存储口令密码</p>
<h2>禁止在容易受攻击的地方明文存储口令密码,如果需要,考虑存储口令的单向加密散列,以替代明文口令存储。</h2>
<pre>
</pre>
<h2>合规解决方案</h2>
<pre>
</pre>

13
sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json
Unescape View File

@ -0,0 +1,13 @@
{
"title": "禁止在容易受攻击的地方明文存储口令密码",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"28suo"
],
"defaultSeverity": "Minor"
}

2
sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.conf
Unescape View File

@ -0,0 +1,2 @@
# 这是一个conf配置文件
password = yourpassword

3
sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.ini
Unescape View File

@ -0,0 +1,3 @@
[UserCredentials]
username = exampleUser
password = examplePassword

2
sonar-keyware-plugins-java/src/test/files/configFile/ConfigurationFileChecker.properties
Unescape View File

@ -0,0 +1,2 @@
# ConfigurationFileChecker.properties
password=abc123
Write Preview
Loading…
Cancel
Save