diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordRegexCheck.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordRegexCheck.java new file mode 100644 index 0000000..dc2374a --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordRegexCheck.java @@ -0,0 +1,83 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:Java 信息安全性设计准则 + * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules.checkers; + + +/** + * 要求用户使用具有足够复杂度的口令。 + * + * @author WuHaoyang + * @date 2024/1/12 + */ +import org.sonar.check.Rule; +import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; +import org.sonar.plugins.java.api.tree.*; + +import java.util.*; + +@Rule(key = "PasswordRegexCheck") +public class PasswordRegexCheck extends IssuableSubscriptionVisitor { + + private static final String MATCHER_METHOD = "matcher"; + private static final String PASSWORD_PARAMETER = "password"; + + @Override + public List nodesToVisit() { + return Collections.singletonList(Tree.Kind.METHOD); + } + + @Override + public void visitNode(Tree tree) { + if (tree.is(Tree.Kind.METHOD)) { + MethodTree methodTree = (MethodTree) tree; + checkPasswordValidation(methodTree); + } + } + + private void checkPasswordValidation(MethodTree methodTree) { + boolean hasPasswordValidation = false; + + for (StatementTree statement : methodTree.block().body()) { + if (statement.is(Tree.Kind.VARIABLE)) { + VariableTree variableTree = (VariableTree) statement; + if (variableTree.initializer() != null && variableTree.initializer().is(Tree.Kind.METHOD_INVOCATION)) { + MethodInvocationTree methodInvocationTree = (MethodInvocationTree) variableTree.initializer(); + String methodName = methodInvocationTree.methodSymbol().name(); + if (MATCHER_METHOD.equals(methodName)) { + hasPasswordValidation = hasPasswordValidation || hasPasswordParameter(methodInvocationTree.arguments()); + } + } + } + } + + if (!hasPasswordValidation) { + //如果没有发现密码验证,报告问题 + System.out.println("未对口令进行复杂度验证"+methodTree.simpleName()); + reportIssue(methodTree.simpleName(), "未对口令进行复杂度验证"); + } + } + + private boolean hasPasswordParameter(List arguments) { + for (ExpressionTree argument : arguments) { + if (argument.is(Tree.Kind.IDENTIFIER)) { + IdentifierTree identifier = (IdentifierTree) argument; + if (PASSWORD_PARAMETER.equalsIgnoreCase(identifier.name())) { + //检查标识符是否有密码验证 + return hasPasswordValidationInMethod(identifier.name()); + } + } + } + + return false; + } + + private boolean hasPasswordValidationInMethod(String paramName) { + //参数名是'password',已经存在 + return PASSWORD_PARAMETER.equalsIgnoreCase(paramName); + } + +} diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordRegexCheck.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordRegexCheck.html new file mode 100644 index 0000000..97e9b53 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordRegexCheck.html @@ -0,0 +1,9 @@ +

未对口令进行复杂度验证

+

未对口令进行复杂度验证

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordRegexCheck.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordRegexCheck.json new file mode 100644 index 0000000..d2844a7 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordRegexCheck.json @@ -0,0 +1,13 @@ +{ + "title": "未对口令进行复杂度验证", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "28suo" + ], + "defaultSeverity": "Minor" +} \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/PasswordRegexCheck.java b/sonar-keyware-plugins-java/src/test/files/PasswordRegexCheck.java new file mode 100644 index 0000000..3e213b5 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/PasswordRegexCheck.java @@ -0,0 +1,16 @@ +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +public class PasswordStrengthValidator { + + + + public String isValidPassword(String password) {// Noncompliant {{未对口令进行复杂度验证}} + String asdasd = "asdfsdfsdf"; + Pattern pattern = Pattern.compile("^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*#?&])[A-Za-z\\d@$!%*#?&]{8,}$"); + Matcher matcher1 = pattern.matcher(asdasd); + Matcher matcher3 = pattern.matcher(); + return password; + } + +} \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordRegexCheckTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordRegexCheckTest.java new file mode 100644 index 0000000..79adc14 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordRegexCheckTest.java @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:Java 信息安全性设计准则 + * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules.checkers;/* + *@title PasswordRegexCheckTest + *@description + *@author Admin + *@version 1.0 + *@create 2024/1/12 14:56 + */ + +import com.keyware.sonar.java.utils.FilesUtils; +import org.junit.jupiter.api.Test; +import org.sonar.java.checks.verifier.CheckVerifier; + +public class PasswordRegexCheckTest { + + + @Test + void detected() { + + CheckVerifier.newVerifier() + .onFile("src/test/files/PasswordRegexCheck.java") + .withCheck(new PasswordRegexCheck()) + .withClassPath(FilesUtils.getClassPath("target/test-jars")) + .verifyIssues(); + } +}