修改优化准则以及被测件

master
wuhaoyang 10 months ago
parent 65ed9f4927
commit 4488230206
  1. 4
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/IntegerCountVerifyChecker.java
  2. 2
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PathVerifyChecker.java
  3. 1
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/UserInputPasswordChecker.java
  4. 1
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java
  5. 65
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.java
  6. 3
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java
  7. 2
      sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathCheckerTest.java
  8. 2
      sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java
  9. 5
      sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.cc
  10. 6
      sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc

@ -96,12 +96,14 @@ public class IntegerCountVerifyChecker extends SquidCheck<Grammar> {
}else if("std".equals(stList.getTokenValue())){ }else if("std".equals(stList.getTokenValue())){
//获取到方法名称 //获取到方法名称
AstNode firstDescendant = stList.getFirstDescendant(CxxGrammarImpl.qualifiedId); AstNode firstDescendant = stList.getFirstDescendant(CxxGrammarImpl.qualifiedId);
if (firstDescendant!=null){
List<AstNode> children = firstDescendant.getChildren(); List<AstNode> children = firstDescendant.getChildren();
for(AstNode desc : children){ for(AstNode desc : children){
//判断是否是用户输入方法 //判断是否是用户输入方法
if("cin".equals(desc.getTokenValue())){ if("cin".equals(desc.getTokenValue())){
//获取用户输入中的参数变量 //获取用户输入中的参数变量
AstNode descendant = stList.getFirstDescendant(CxxGrammarImpl.shiftExpression); AstNode descendant = stList.getFirstDescendant(CxxGrammarImpl.shiftExpression);
if (descendant!=null){
List<AstNode> descendantChildren = descendant.getChildren(); List<AstNode> descendantChildren = descendant.getChildren();
for(AstNode dant:descendantChildren){ for(AstNode dant:descendantChildren){
if("IDENTIFIER".equals(dant.getName())){ if("IDENTIFIER".equals(dant.getName())){
@ -115,6 +117,8 @@ public class IntegerCountVerifyChecker extends SquidCheck<Grammar> {
} }
} }
} }
}
}
return cinList; return cinList;
} }
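Review bot: The null guards added in IntegerCountVerifyChecker wrap everything that follows instead of exiting early, so the loop over `descendantChildren` now sits two levels deeper than before; for the inner guard a `continue` is safe because it is inside the `for (AstNode desc : children)` loop, `if (descendant == null) { continue; }`, and whether the outer one can become a guard clause depends on what follows the else-if chain, which starts before the hunk. The same pattern is in PathVerifyChecker.visitNode, where the guard encloses the whole method body and can simply be `if (firstDescendant == null) { return; }`. Either way a one-line comment saying why the descendant can be absent (which statement shapes have no `qualifiedId`/`initializer`) would help the next reader, since the guard silently drops those statements.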

@ -50,6 +50,7 @@ public class PathVerifyChecker extends SquidCheck<Grammar> {
public void visitNode(@Nonnull AstNode node) { public void visitNode(@Nonnull AstNode node) {
//获取参数 //获取参数
AstNode firstDescendant = node.getFirstDescendant(CxxGrammarImpl.initializer); AstNode firstDescendant = node.getFirstDescendant(CxxGrammarImpl.initializer);
if (firstDescendant!=null){
List<AstNode> children = firstDescendant.getChildren(); List<AstNode> children = firstDescendant.getChildren();
for(AstNode chil : children){ for(AstNode chil : children){
//判断参数类型 //判断参数类型
@ -64,6 +65,7 @@ public class PathVerifyChecker extends SquidCheck<Grammar> {
} }
} }
} }
}
//判断是不是路径 //判断是不是路径
public static boolean isPath(String str) { public static boolean isPath(String str) {

@ -82,5 +82,6 @@ public class UserInputPasswordChecker extends SquidCheck<Grammar> {
@Override @Override
public void leaveFile(@Nullable AstNode astNode) { public void leaveFile(@Nullable AstNode astNode) {
fieldsMap.values().forEach(node -> getContext().createLineViolation(this, "用户输入口令时对口令域进行掩饰,通常,用户输入的每一个字符都应该以“*”形式回显", node)); fieldsMap.values().forEach(node -> getContext().createLineViolation(this, "用户输入口令时对口令域进行掩饰,通常,用户输入的每一个字符都应该以“*”形式回显", node));
fieldsMap.clear();
} }
} }

@ -82,7 +82,6 @@ public class ValidatePasswordCheck extends SquidCheck<Grammar> {
String passwordValue = initializationValue.getTokenOriginalValue(); String passwordValue = initializationValue.getTokenOriginalValue();
if (!passwordValue.matches(passwordRegex)) { if (!passwordValue.matches(passwordRegex)) {
System.out.println("未通过正则校验的口令:"+passwordValue);
getContext().createLineViolation(this, "口令不匹配足够复杂度", initializationValue); getContext().createLineViolation(this, "口令不匹配足够复杂度", initializationValue);
} }
} }

@ -16,10 +16,12 @@ import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
import org.sonar.cxx.squidbridge.checks.SquidCheck; import org.sonar.cxx.squidbridge.checks.SquidCheck;
import java.util.ArrayList; import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.List; import java.util.List;
import static com.sonar.cxx.sslr.api.GenericTokenType.IDENTIFIER;
@Rule(key = "VerificationPathChecker", name = "在构建路径名前对数据进行校验", description = "对输入数据进行校验", priority = Priority.INFO, tags = {"28suo"}) @Rule(key = "VerificationPathChecker", name = "在构建路径名前对数据进行校验", description = "对输入数据进行校验", priority = Priority.INFO, tags = {"28suo"})
@ActivatedByDefault @ActivatedByDefault
@ -28,45 +30,66 @@ public class VerificationPathChecker extends SquidCheck<Grammar> {
@Override @Override
public void init() { public void init() {
// 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点 this.subscribeTo(CxxGrammarImpl.functionBody);
this.subscribeTo(
CxxGrammarImpl.functionBody
);
} }
public void visitNode(AstNode astNode) { public void visitNode(AstNode astNode) {
List<AstNode> descendants = astNode.getDescendants(CxxGrammarImpl.statement); List<AstNode> descendants = astNode.getDescendants(CxxGrammarImpl.statement);
for (AstNode ast:descendants) { for (AstNode ast : descendants) {
List<AstNode> descendants1 = ast.getDescendants(CxxGrammarImpl.shiftExpression); if (processAst(ast)) {
for (AstNode desc :descendants1) { break;
if("cin".equals(desc.getTokenValue())){ }
}
}
private boolean processAst(AstNode ast) {
List<AstNode> innerDescendants = ast.getDescendants(CxxGrammarImpl.shiftExpression);
for (AstNode desc : innerDescendants) {
if ("cin".equals(desc.getTokenValue())) {
List<AstNode> children = desc.getChildren(); List<AstNode> children = desc.getChildren();
for (AstNode chil:children) { for (AstNode chil : children) {
if("IDENTIFIER".equals(chil.getName())){ if ("IDENTIFIER".equals(chil.getName())) {
if(chil.getTokenValue().toLowerCase().contains("path")){ if (chil.getTokenValue().toLowerCase().contains("path")) {
boolean boo = true; boolean boo = true;
List<AstNode> exprs = astNode.getDescendants(CxxGrammarImpl.postfixExpression); List<AstNode> exprs = ast.getDescendants(CxxGrammarImpl.postfixExpression);
for (AstNode expr:exprs) { for (AstNode expr : exprs) {
if(expr.getTokenValue().contains("check") || expr.getTokenValue().contains("verify") || expr.getTokenValue().contains("valid")){ if (expr.getTokenValue().contains("check") || expr.getTokenValue().contains("verify") || expr.getTokenValue().contains("valid")) {
List<AstNode> astNodeList = expr.getDescendants(CxxGrammarImpl.expressionList); List<AstNode> astNodeList = expr.getDescendants(CxxGrammarImpl.expressionList);
for (AstNode asrList:astNodeList) { for (AstNode asrList : astNodeList) {
if(chil.getTokenValue().equals(asrList.getTokenValue())){ if (chil.getTokenValue().equals(asrList.getTokenValue())) {
boo = false; boo = false;
} }
} }
} }
} }
if(boo){ int lineNumber = chil.getTokenLine();
if (boo && isLineInFile(lineNumber)) {
getContext().createLineViolation(this, "在构建路径名前对数据进行校验", chil); getContext().createLineViolation(this, "在构建路径名前对数据进行校验", chil);
} return true;
} }
} }
} }
} }
} }
}
return false;
}
private boolean isLineInFile(int lineNumber) {
try {
int totalLines = countLines(getContext().getFile());
return lineNumber <= totalLines;
} catch (IOException e) {
throw new RuntimeException(e);
}
} }
public int countLines(File file) throws IOException {
try (BufferedReader reader = new BufferedReader(new FileReader(file))) {
int lines = 0;
while (reader.readLine() != null) lines++;
return lines;
}
} }
} }
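Review bot: `isLineInFile` opens and reads the entire source file again for every candidate finding, and `countLines` does so through `new FileReader(file)`, which uses the platform default charset; count once per file (for example in the file-visit hook, keeping the total in a field) and open the reader with an explicit charset, `new BufferedReader(new InputStreamReader(new FileInputStream(file), charset))`. It is also not clear from the code why a token line taken from the parsed AST could exceed the file's line count, so the helper needs a comment naming the case it filters, and `catch (IOException e) { throw new RuntimeException(e); }` is better written as `throw new UncheckedIOException(e)`, with `countLines` made `private static` and the `while` body braced. Two behaviour changes in this hunk are not mentioned in the commit message: `processAst` returns after the first reported identifier and `visitNode` then breaks out of the statement loop, so at most one violation is raised per function body, and `exprs` is now collected from the single statement `ast` instead of the function body `astNode`, so a `check`/`verify`/`valid` call in a later statement no longer suppresses the finding. If both are intended, the rule description should say so; if the second is not, pass the body node into `processAst` and keep `astNode.getDescendants(CxxGrammarImpl.postfixExpression)`.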

@ -46,7 +46,7 @@ public class VirtualLockUsageChecker extends SquidCheck<Grammar> {
String varName = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue(); String varName = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue();
for (String keyword : keywords) { for (String keyword : keywords) {
if (varName.contains(keyword) && (!caches.containsKey(keyword) || !caches.get(keyword).containsKey(varName))) { if (varName.equals(keyword) && (!caches.equals(keyword) || !caches.get(keyword).equals(varName))) {
caches.putIfAbsent(keyword, new HashMap<>()); caches.putIfAbsent(keyword, new HashMap<>());
caches.get(keyword).put(varName, astNode); caches.get(keyword).put(varName, astNode);
processNode(astNode, keyword); processNode(astNode, keyword);
@ -79,7 +79,6 @@ public class VirtualLockUsageChecker extends SquidCheck<Grammar> {
private void reportViolations() { private void reportViolations() {
caches.values().forEach(cache -> caches.values().forEach(cache ->
cache.values().forEach(item -> { cache.values().forEach(item -> {
System.out.println("特定字段"+item.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue()+"未使用VirtualLock()函数锁定存放敏感信息的内存");
getContext().createLineViolation(this, "特定字段未使用VirtualLock()函数锁定存放敏感信息的内存", item); getContext().createLineViolation(this, "特定字段未使用VirtualLock()函数锁定存放敏感信息的内存", item);
}) })
); );
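Review bot: The rewritten condition on the `varName.equals(keyword)` line is broken: `caches.equals(keyword)` compares a `Map` with a `String` and `caches.get(keyword).equals(varName)` compares the inner `HashMap` with a `String`, so both are always false and the guard collapses to `varName.equals(keyword)`, losing the de-duplication the old `containsKey` checks provided (a second declaration with the same name overwrites the cached node and runs `processNode` again). Only the first `contains` to `equals` swap looks intentional; the line should read `if (varName.equals(keyword) && (!caches.containsKey(keyword) || !caches.get(keyword).containsKey(varName))) {`. Switching to exact matching also means a variable named like `keyword2` no longer matches `keyword`, so whether the updated expectations in VirtualLockUsageCheckerTest still hold depends on the keyword list, which is outside the hunk.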

@ -21,7 +21,7 @@ public class VerificationPathCheckerTest {
var tester = CxxFileTesterHelper.create("VerificationPathChecker.cc"); var tester = CxxFileTesterHelper.create("VerificationPathChecker.cc");
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
CheckMessagesVerifier.verify(file.getCheckMessages()) CheckMessagesVerifier.verify(file.getCheckMessages())
.next().atLine(12).withMessage("在构建路径名前对数据进行校验") .next().atLine(11).withMessage("在构建路径名前对数据进行校验")
.noMore(); .noMore();
} }
} }

@ -30,6 +30,8 @@ public class VirtualLockUsageCheckerTest {
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
CheckMessagesVerifier.verify(file.getCheckMessages()) CheckMessagesVerifier.verify(file.getCheckMessages())
.next().atLine(8).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存") .next().atLine(8).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存")
.next().atLine(10).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存")
.next().atLine(12).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存")
.noMore(); .noMore();
} }
} }

@ -3,12 +3,11 @@
using namespace std; using namespace std;
// 假设以下两个函数用于检查和验证路径 // 假设以下两个函数用于检查和验证路径
void checkPath(const std::string& path); void checkPath(const string& path);
void verifyPath(const std::string& path); void verifyPath(const string& path);
int main(){ int main(){
string userPath; string userPath;
cout << "Enter a path: ";
cin >> userPath; cin >> userPath;
// 在获取用户输入之后立即对其进行验证 // 在获取用户输入之后立即对其进行验证

@ -7,9 +7,9 @@ int main() {
string add = "北京市"; //error string add = "北京市"; //error
// string keyword2 = "北京市"; //error string keyword2 = "北京市"; //error
//
// string keyword3 = "北京市"; //error string keyword3 = "北京市"; //error
// 利用vector<char>管理内存 // 利用vector<char>管理内存
// vector<char> addressBuffer(add.begin(), add.end()); // vector<char> addressBuffer(add.begin(), add.end());
