修改优化准则以及被测件

master
wuhaoyang 9 months ago
parent 65ed9f4927
commit 4488230206
  1. 28
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/IntegerCountVerifyChecker.java
  2. 20
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PathVerifyChecker.java
  3. 1
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/UserInputPasswordChecker.java
  4. 1
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java
  5. 77
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.java
  6. 3
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java
  7. 2
      sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VerificationPathCheckerTest.java
  8. 2
      sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java
  9. 5
      sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VerificationPathChecker.cc
  10. 6
      sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc

@ -96,18 +96,22 @@ public class IntegerCountVerifyChecker extends SquidCheck<Grammar> {
}else if("std".equals(stList.getTokenValue())){
//获取到方法名称
AstNode firstDescendant = stList.getFirstDescendant(CxxGrammarImpl.qualifiedId);
List<AstNode> children = firstDescendant.getChildren();
for(AstNode desc : children){
//判断是否是用户输入方法
if("cin".equals(desc.getTokenValue())){
//获取用户输入中的参数变量
AstNode descendant = stList.getFirstDescendant(CxxGrammarImpl.shiftExpression);
List<AstNode> descendantChildren = descendant.getChildren();
for(AstNode dant:descendantChildren){
if("IDENTIFIER".equals(dant.getName())){
//判断输入的是否是整形变量
if(lists.contains(dant.getTokenValue())){
cinList.add(dant.getTokenValue());
if (firstDescendant!=null){
List<AstNode> children = firstDescendant.getChildren();
for(AstNode desc : children){
//判断是否是用户输入方法
if("cin".equals(desc.getTokenValue())){
//获取用户输入中的参数变量
AstNode descendant = stList.getFirstDescendant(CxxGrammarImpl.shiftExpression);
if (descendant!=null){
List<AstNode> descendantChildren = descendant.getChildren();
for(AstNode dant:descendantChildren){
if("IDENTIFIER".equals(dant.getName())){
//判断输入的是否是整形变量
if(lists.contains(dant.getTokenValue())){
cinList.add(dant.getTokenValue());
}
}
}
}
}

@ -50,15 +50,17 @@ public class PathVerifyChecker extends SquidCheck<Grammar> {
public void visitNode(@Nonnull AstNode node) {
//获取参数
AstNode firstDescendant = node.getFirstDescendant(CxxGrammarImpl.initializer);
List<AstNode> children = firstDescendant.getChildren();
for(AstNode chil : children){
//判断参数类型
if("STRING".equals(chil.getName())){
String result = chil.getTokenValue().replace("\"", "");
if(isPath(result)){
//判断是不是windows或linux的绝对路径
if(!isWindowsAbsolutePath(result) && !isLinuxAbsolutePath(result)){
getContext().createLineViolation(this, "使用关键资源时指定资源所在的路径", chil);
if (firstDescendant!=null){
List<AstNode> children = firstDescendant.getChildren();
for(AstNode chil : children){
//判断参数类型
if("STRING".equals(chil.getName())){
String result = chil.getTokenValue().replace("\"", "");
if(isPath(result)){
//判断是不是windows或linux的绝对路径
if(!isWindowsAbsolutePath(result) && !isLinuxAbsolutePath(result)){
getContext().createLineViolation(this, "使用关键资源时指定资源所在的路径", chil);
}
}
}
}

@ -82,5 +82,6 @@ public class UserInputPasswordChecker extends SquidCheck<Grammar> {
@Override
public void leaveFile(@Nullable AstNode astNode) {
fieldsMap.values().forEach(node -> getContext().createLineViolation(this, "用户输入口令时对口令域进行掩饰,通常,用户输入的每一个字符都应该以“*”形式回显", node));
fieldsMap.clear();
}
}

@ -82,7 +82,6 @@ public class ValidatePasswordCheck extends SquidCheck<Grammar> {
String passwordValue = initializationValue.getTokenOriginalValue();
if (!passwordValue.matches(passwordRegex)) {
System.out.println("未通过正则校验的口令:"+passwordValue);
getContext().createLineViolation(this, "口令不匹配足够复杂度", initializationValue);
}
}

@ -16,10 +16,12 @@ import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
import org.sonar.cxx.squidbridge.checks.SquidCheck;
import java.util.ArrayList;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.List;
import static com.sonar.cxx.sslr.api.GenericTokenType.IDENTIFIER;
@Rule(key = "VerificationPathChecker", name = "在构建路径名前对数据进行校验", description = "对输入数据进行校验", priority = Priority.INFO, tags = {"28suo"})
@ActivatedByDefault
@ -28,45 +30,66 @@ public class VerificationPathChecker extends SquidCheck<Grammar> {
@Override
public void init() {
// 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点
this.subscribeTo(
CxxGrammarImpl.functionBody
);
this.subscribeTo(CxxGrammarImpl.functionBody);
}
public void visitNode(AstNode astNode) {
List<AstNode> descendants = astNode.getDescendants(CxxGrammarImpl.statement);
for (AstNode ast:descendants) {
List<AstNode> descendants1 = ast.getDescendants(CxxGrammarImpl.shiftExpression);
for (AstNode desc :descendants1) {
if("cin".equals(desc.getTokenValue())){
List<AstNode> children = desc.getChildren();
for (AstNode chil:children) {
if("IDENTIFIER".equals(chil.getName())){
if(chil.getTokenValue().toLowerCase().contains("path")){
boolean boo = true;
List<AstNode> exprs = astNode.getDescendants(CxxGrammarImpl.postfixExpression);
for (AstNode expr:exprs) {
if(expr.getTokenValue().contains("check") || expr.getTokenValue().contains("verify") || expr.getTokenValue().contains("valid")){
List<AstNode> astNodeList = expr.getDescendants(CxxGrammarImpl.expressionList);
for (AstNode asrList:astNodeList) {
if(chil.getTokenValue().equals(asrList.getTokenValue())){
boo = false;
}
for (AstNode ast : descendants) {
if (processAst(ast)) {
break;
}
}
}
private boolean processAst(AstNode ast) {
List<AstNode> innerDescendants = ast.getDescendants(CxxGrammarImpl.shiftExpression);
for (AstNode desc : innerDescendants) {
if ("cin".equals(desc.getTokenValue())) {
List<AstNode> children = desc.getChildren();
for (AstNode chil : children) {
if ("IDENTIFIER".equals(chil.getName())) {
if (chil.getTokenValue().toLowerCase().contains("path")) {
boolean boo = true;
List<AstNode> exprs = ast.getDescendants(CxxGrammarImpl.postfixExpression);
for (AstNode expr : exprs) {
if (expr.getTokenValue().contains("check") || expr.getTokenValue().contains("verify") || expr.getTokenValue().contains("valid")) {
List<AstNode> astNodeList = expr.getDescendants(CxxGrammarImpl.expressionList);
for (AstNode asrList : astNodeList) {
if (chil.getTokenValue().equals(asrList.getTokenValue())) {
boo = false;
}
}
}
if(boo){
getContext().createLineViolation(this, "在构建路径名前对数据进行校验", chil);
}
}
int lineNumber = chil.getTokenLine();
if (boo && isLineInFile(lineNumber)) {
getContext().createLineViolation(this, "在构建路径名前对数据进行校验", chil);
return true;
}
}
}
}
}
}
return false;
}
private boolean isLineInFile(int lineNumber) {
try {
int totalLines = countLines(getContext().getFile());
return lineNumber <= totalLines;
} catch (IOException e) {
throw new RuntimeException(e);
}
}
public int countLines(File file) throws IOException {
try (BufferedReader reader = new BufferedReader(new FileReader(file))) {
int lines = 0;
while (reader.readLine() != null) lines++;
return lines;
}
}
}

@ -46,7 +46,7 @@ public class VirtualLockUsageChecker extends SquidCheck<Grammar> {
String varName = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue();
for (String keyword : keywords) {
if (varName.contains(keyword) && (!caches.containsKey(keyword) || !caches.get(keyword).containsKey(varName))) {
if (varName.equals(keyword) && (!caches.equals(keyword) || !caches.get(keyword).equals(varName))) {
caches.putIfAbsent(keyword, new HashMap<>());
caches.get(keyword).put(varName, astNode);
processNode(astNode, keyword);
@ -79,7 +79,6 @@ public class VirtualLockUsageChecker extends SquidCheck<Grammar> {
private void reportViolations() {
caches.values().forEach(cache ->
cache.values().forEach(item -> {
System.out.println("特定字段"+item.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue()+"未使用VirtualLock()函数锁定存放敏感信息的内存");
getContext().createLineViolation(this, "特定字段未使用VirtualLock()函数锁定存放敏感信息的内存", item);
})
);

@ -21,7 +21,7 @@ public class VerificationPathCheckerTest {
var tester = CxxFileTesterHelper.create("VerificationPathChecker.cc");
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
CheckMessagesVerifier.verify(file.getCheckMessages())
.next().atLine(12).withMessage("在构建路径名前对数据进行校验")
.next().atLine(11).withMessage("在构建路径名前对数据进行校验")
.noMore();
}
}

@ -30,6 +30,8 @@ public class VirtualLockUsageCheckerTest {
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
CheckMessagesVerifier.verify(file.getCheckMessages())
.next().atLine(8).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存")
.next().atLine(10).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存")
.next().atLine(12).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存")
.noMore();
}
}

@ -3,12 +3,11 @@
using namespace std;
// 假设以下两个函数用于检查和验证路径
void checkPath(const std::string& path);
void verifyPath(const std::string& path);
void checkPath(const string& path);
void verifyPath(const string& path);
int main(){
string userPath;
cout << "Enter a path: ";
cin >> userPath;
// 在获取用户输入之后立即对其进行验证

@ -7,9 +7,9 @@ int main() {
string add = "北京市"; //error
// string keyword2 = "北京市"; //error
//
// string keyword3 = "北京市"; //error
string keyword2 = "北京市"; //error
string keyword3 = "北京市"; //error
// 利用vector<char>管理内存
// vector<char> addressBuffer(add.begin(), add.end());

Loading…
Cancel
Save