From 44882302065343e8225c23f745cbf1eb534b737d Mon Sep 17 00:00:00 2001 From: wuhaoyang <2507865306@qq.com> Date: Tue, 6 Feb 2024 11:08:14 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E4=BC=98=E5=8C=96=E5=87=86?= =?UTF-8?q?=E5=88=99=E4=BB=A5=E5=8F=8A=E8=A2=AB=E6=B5=8B=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../checkers/IntegerCountVerifyChecker.java | 28 ++++--- .../cxx/rules/checkers/PathVerifyChecker.java | 20 ++--- .../checkers/UserInputPasswordChecker.java | 1 + .../rules/checkers/ValidatePasswordCheck.java | 1 - .../checkers/VerificationPathChecker.java | 77 ++++++++++++------- .../checkers/VirtualLockUsageChecker.java | 3 +- .../checkers/VerificationPathCheckerTest.java | 2 +- .../checkers/VirtualLockUsageCheckerTest.java | 2 + .../rules/checkers/VerificationPathChecker.cc | 5 +- .../rules/checkers/VirtualLockUsageChecker.cc | 6 +- 10 files changed, 87 insertions(+), 58 deletions(-) diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/IntegerCountVerifyChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/IntegerCountVerifyChecker.java index 9ff4428..73ea15c 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/IntegerCountVerifyChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/IntegerCountVerifyChecker.java @@ -96,18 +96,22 @@ public class IntegerCountVerifyChecker extends SquidCheck { }else if("std".equals(stList.getTokenValue())){ //获取到方法名称 AstNode firstDescendant = stList.getFirstDescendant(CxxGrammarImpl.qualifiedId); - List children = firstDescendant.getChildren(); - for(AstNode desc : children){ - //判断是否是用户输入方法 - if("cin".equals(desc.getTokenValue())){ - //获取用户输入中的参数变量 - AstNode descendant = stList.getFirstDescendant(CxxGrammarImpl.shiftExpression); - List descendantChildren = descendant.getChildren(); - for(AstNode dant:descendantChildren){ - if("IDENTIFIER".equals(dant.getName())){ - //判断输入的是否是整形变量 - if(lists.contains(dant.getTokenValue())){ - cinList.add(dant.getTokenValue()); + if (firstDescendant!=null){ + List children = firstDescendant.getChildren(); + for(AstNode desc : children){ + //判断是否是用户输入方法 + if("cin".equals(desc.getTokenValue())){ + //获取用户输入中的参数变量 + AstNode descendant = stList.getFirstDescendant(CxxGrammarImpl.shiftExpression); + if (descendant!=null){ + List descendantChildren = descendant.getChildren(); + for(AstNode dant:descendantChildren){ + if("IDENTIFIER".equals(dant.getName())){ + //判断输入的是否是整形变量 + if(lists.contains(dant.getTokenValue())){ + cinList.add(dant.getTokenValue()); + } + } } } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PathVerifyChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PathVerifyChecker.java index 652782a..11d4dbc 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PathVerifyChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PathVerifyChecker.java @@ -50,15 +50,17 @@ public class PathVerifyChecker extends SquidCheck { public void visitNode(@Nonnull AstNode node) { //获取参数 AstNode firstDescendant = node.getFirstDescendant(CxxGrammarImpl.initializer); - List children = firstDescendant.getChildren(); - for(AstNode chil : children){ - //判断参数类型 - if("STRING".equals(chil.getName())){ - String result = chil.getTokenValue().replace("\"", ""); - if(isPath(result)){ - //判断是不是windows或linux的绝对路径 - if(!isWindowsAbsolutePath(result) && !isLinuxAbsolutePath(result)){ - getContext().createLineViolation(this, "使用关键资源时指定资源所在的路径", chil); + if (firstDescendant!=null){ + List children = firstDescendant.getChildren(); + for(AstNode chil : children){ + //判断参数类型 + if("STRING".equals(chil.getName())){ + String result = chil.getTokenValue().replace("\"", ""); + if(isPath(result)){ + //判断是不是windows或linux的绝对路径 + if(!isWindowsAbsolutePath(result) && !isLinuxAbsolutePath(result)){ + getContext().createLineViolation(this, "使用关键资源时指定资源所在的路径", chil); + } } } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/UserInputPasswordChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/UserInputPasswordChecker.java index 7ff6f50..84b22ae 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/UserInputPasswordChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/UserInputPasswordChecker.java @@ -82,5 +82,6 @@ public class UserInputPasswordChecker extends SquidCheck { @Override public void leaveFile(@Nullable AstNode astNode) { fieldsMap.values().forEach(node -> getContext().createLineViolation(this, "用户输入口令时对口令域进行掩饰,通常,用户输入的每一个字符都应该以“*”形式回显", node)); + fieldsMap.clear(); } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java index a05ace6..e368043 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java @@ -82,7 +82,6 @@ public class ValidatePasswordCheck extends SquidCheck { String passwordValue = initializationValue.getTokenOriginalValue(); if (!passwordValue.matches(passwordRegex)) { - System.out.println("未通过正则校验的口令:"+passwordValue); getContext().createLineViolation(this, "口令不匹配足够复杂度", initializationValue); } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.java index 6ddab47..0515cfa 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.java @@ -16,10 +16,12 @@ import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; import org.sonar.cxx.squidbridge.checks.SquidCheck; -import java.util.ArrayList; +import java.io.BufferedReader; +import java.io.File; +import java.io.FileReader; +import java.io.IOException; import java.util.List; -import static com.sonar.cxx.sslr.api.GenericTokenType.IDENTIFIER; @Rule(key = "VerificationPathChecker", name = "在构建路径名前对数据进行校验", description = "对输入数据进行校验", priority = Priority.INFO, tags = {"28suo"}) @ActivatedByDefault @@ -28,45 +30,66 @@ public class VerificationPathChecker extends SquidCheck { @Override public void init() { - // 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点 - this.subscribeTo( - CxxGrammarImpl.functionBody - ); + this.subscribeTo(CxxGrammarImpl.functionBody); } + public void visitNode(AstNode astNode) { List descendants = astNode.getDescendants(CxxGrammarImpl.statement); - for (AstNode ast:descendants) { - List descendants1 = ast.getDescendants(CxxGrammarImpl.shiftExpression); - for (AstNode desc :descendants1) { - if("cin".equals(desc.getTokenValue())){ - List children = desc.getChildren(); - for (AstNode chil:children) { - if("IDENTIFIER".equals(chil.getName())){ - if(chil.getTokenValue().toLowerCase().contains("path")){ - boolean boo = true; - List exprs = astNode.getDescendants(CxxGrammarImpl.postfixExpression); - for (AstNode expr:exprs) { - if(expr.getTokenValue().contains("check") || expr.getTokenValue().contains("verify") || expr.getTokenValue().contains("valid")){ - List astNodeList = expr.getDescendants(CxxGrammarImpl.expressionList); - for (AstNode asrList:astNodeList) { - if(chil.getTokenValue().equals(asrList.getTokenValue())){ - boo = false; - } + for (AstNode ast : descendants) { + if (processAst(ast)) { + break; + } + } + } + + private boolean processAst(AstNode ast) { + List innerDescendants = ast.getDescendants(CxxGrammarImpl.shiftExpression); + for (AstNode desc : innerDescendants) { + if ("cin".equals(desc.getTokenValue())) { + List children = desc.getChildren(); + for (AstNode chil : children) { + if ("IDENTIFIER".equals(chil.getName())) { + if (chil.getTokenValue().toLowerCase().contains("path")) { + boolean boo = true; + List exprs = ast.getDescendants(CxxGrammarImpl.postfixExpression); + for (AstNode expr : exprs) { + if (expr.getTokenValue().contains("check") || expr.getTokenValue().contains("verify") || expr.getTokenValue().contains("valid")) { + List astNodeList = expr.getDescendants(CxxGrammarImpl.expressionList); + for (AstNode asrList : astNodeList) { + if (chil.getTokenValue().equals(asrList.getTokenValue())) { + boo = false; } } } - if(boo){ - getContext().createLineViolation(this, "在构建路径名前对数据进行校验", chil); - } + } + int lineNumber = chil.getTokenLine(); + if (boo && isLineInFile(lineNumber)) { + getContext().createLineViolation(this, "在构建路径名前对数据进行校验", chil); + return true; } } } } } + } + return false; + } - + private boolean isLineInFile(int lineNumber) { + try { + int totalLines = countLines(getContext().getFile()); + return lineNumber <= totalLines; + } catch (IOException e) { + throw new RuntimeException(e); } + } + public int countLines(File file) throws IOException { + try (BufferedReader reader = new BufferedReader(new FileReader(file))) { + int lines = 0; + while (reader.readLine() != null) lines++; + return lines; + } } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java index b2b4975..7f564d0 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java @@ -46,7 +46,7 @@ public class VirtualLockUsageChecker extends SquidCheck { String varName = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue(); for (String keyword : keywords) { - if (varName.contains(keyword) && (!caches.containsKey(keyword) || !caches.get(keyword).containsKey(varName))) { + if (varName.equals(keyword) && (!caches.equals(keyword) || !caches.get(keyword).equals(varName))) { caches.putIfAbsent(keyword, new HashMap<>()); caches.get(keyword).put(varName, astNode); processNode(astNode, keyword); @@ -79,7 +79,6 @@ public class VirtualLockUsageChecker extends SquidCheck { private void reportViolations() { caches.values().forEach(cache -> cache.values().forEach(item -> { - System.out.println("特定字段"+item.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue()+"未使用VirtualLock()函数锁定存放敏感信息的内存"); getContext().createLineViolation(this, "特定字段未使用VirtualLock()函数锁定存放敏感信息的内存", item); }) ); diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathCheckerTest.java index 9aa61f7..e012d4c 100644 --- a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathCheckerTest.java +++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathCheckerTest.java @@ -21,7 +21,7 @@ public class VerificationPathCheckerTest { var tester = CxxFileTesterHelper.create("VerificationPathChecker.cc"); SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); CheckMessagesVerifier.verify(file.getCheckMessages()) - .next().atLine(12).withMessage("在构建路径名前对数据进行校验") + .next().atLine(11).withMessage("在构建路径名前对数据进行校验") .noMore(); } } diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java index b53ad67..22510db 100644 --- a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java +++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java @@ -30,6 +30,8 @@ public class VirtualLockUsageCheckerTest { SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); CheckMessagesVerifier.verify(file.getCheckMessages()) .next().atLine(8).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存") + .next().atLine(10).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存") + .next().atLine(12).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存") .noMore(); } } diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.cc b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.cc index 403567d..187f0e3 100644 --- a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.cc +++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.cc @@ -3,12 +3,11 @@ using namespace std; // 假设以下两个函数用于检查和验证路径 -void checkPath(const std::string& path); -void verifyPath(const std::string& path); +void checkPath(const string& path); +void verifyPath(const string& path); int main(){ string userPath; - cout << "Enter a path: "; cin >> userPath; // 在获取用户输入之后立即对其进行验证 diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc index d8f7fc0..6cb5daf 100644 --- a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc +++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc @@ -7,9 +7,9 @@ int main() { string add = "北京市"; //error -// string keyword2 = "北京市"; //error -// -// string keyword3 = "北京市"; //error + string keyword2 = "北京市"; //error + + string keyword3 = "北京市"; //error // 利用vector管理内存 // vector addressBuffer(add.begin(), add.end());