修复:sonar-keyware-java打包部署到sonarqube后无法使用的问题

wuhaoyang
Guo XIn 11 months ago
parent fb0b5d6e39
commit 4e6c7e738c
  1. 29
      pom.xml
  2. 9
      sonar-keyware-plugins-cxx/pom.xml
  3. 66
      sonar-keyware-plugins-java/pom.xml
  4. 3
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java
  5. 13
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/package-info.java
  6. 4
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
  7. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorChecker.java
  8. 4
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
  9. 8
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicLibraryLoadChecker.java
  10. 7
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
  11. 13
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/package-info.java
  12. 13
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/package-info.java
  13. 5
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java
  14. 39
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaFileCheckRegistrarTest.java
  15. 27
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepositoryTest.java

@ -4,9 +4,9 @@
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.sonarsource.java</groupId>
<artifactId>java</artifactId>
<version>7.30.1.34514</version>
<groupId>org.sonarsource.parent</groupId>
<artifactId>parent</artifactId>
<version>68.0.0.247</version>
</parent>
<groupId>com.keyware.sonar</groupId>
@ -45,22 +45,37 @@
<properties>
<java.version>11</java.version>
<jdk.min.version>11</jdk.min.version>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<sonar.java.version>7.24.0.32100</sonar.java.version>
<version.jacoco.plugin>0.8.10</version.jacoco.plugin>
<aggregate.report.dir>integration-tests/target/site/jacoco-aggregate/jacoco.xml</aggregate.report.dir>
</properties>
<modules>
<module>sonar-keyware-plugins-cxx</module>
<module>sonar-keyware-plugins-java</module>
<module>soanr-keyware-example</module>
</modules>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
<artifactId>cxx</artifactId>
<version>2.1.2-SNAPSHOT</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.java</groupId>
<artifactId>java</artifactId>
<version>7.24.0.32100</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
</dependencies>
</project>

@ -10,6 +10,13 @@
<version>1.0</version>
</parent>
<!--<parent>
<groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
<artifactId>cxx</artifactId>
<version>2.1.2-SNAPSHOT</version>
</parent>-->
<!--<groupId>com.keyware.sonar</groupId>-->
<name>C++ 信息安全性设计准则</name>
<artifactId>sonar-keyware-plugins-cxx</artifactId>
<version>1.0</version>
@ -21,9 +28,9 @@
<sonar.pluginClass>com.keyware.sonar.cxx.CxxPlugin</sonar.pluginClass>
<sonar.pluginName>C++ 信息安全性设计准则</sonar.pluginName>
<!-- in addition, a dependency must be set in 'integration-tests/pom.xml' to aggregate the results -->
<aggregate.report.dir>integration-tests/target/site/jacoco-aggregate/jacoco.xml</aggregate.report.dir>
<sonar.coverage.jacoco.xmlReportPaths>${basedir}/../${aggregate.report.dir}</sonar.coverage.jacoco.xmlReportPaths>
<java.version>11</java.version>
<commons-io.version>2.15.1</commons-io.version>
<commons-lang.version>2.6</commons-lang.version>
<sonar-cxx.versin>2.1.2-SNAPSHOT</sonar-cxx.versin>

@ -16,58 +16,38 @@
<version>1.0</version>
<description>用于检查Java源代码的安全性设计准则的Sonarqube插件</description>
<properties>
<jacoco.version>0.8.10</jacoco.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>org.sonarsource.java</groupId>
<artifactId>sonar-java-plugin</artifactId>
<version>7.30.1.34514</version>
<type>sonar-plugin</type>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.api.plugin</groupId>
<artifactId>sonar-plugin-api</artifactId>
<version>9.9.0.229</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.analyzer-commons</groupId>
<artifactId>sonar-analyzer-commons</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<scope>provided</scope>
</dependency>
<!-- unit tests -->
<dependency>
<groupId>org.sonarsource.api.plugin</groupId>
<artifactId>sonar-plugin-api-test-fixtures</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.sonarqube</groupId>
<artifactId>sonar-plugin-api-impl</artifactId>
<scope>test</scope>
<groupId>org.sonarsource.java</groupId>
<artifactId>sonar-java-plugin</artifactId>
<version>${sonar.java.version}</version>
<type>sonar-plugin</type>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.sonarsource.java</groupId>
<artifactId>test-classpath-reader</artifactId>
<version>7.30.1.34514</version>
<scope>test</scope>
<groupId>org.sonarsource.analyzer-commons</groupId>
<artifactId>sonar-analyzer-commons</artifactId>
</dependency>
<!-- unit tests -->
<dependency>
<groupId>org.sonarsource.java</groupId>
<artifactId>java-checks-testkit</artifactId>
<version>7.30.1.34514</version>
<version>${sonar.java.version}</version>
<scope>test</scope>
</dependency>
<dependency>
@ -80,21 +60,11 @@
<artifactId>junit-jupiter-migrationsupport</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
@ -109,14 +79,12 @@
<pluginClass>com.keyware.sonar.java.JavaSecurityDesignRulesPlugin</pluginClass>
<sonarLintSupported>true</sonarLintSupported>
<skipDependenciesPackaging>true</skipDependenciesPackaging>
<pluginApiMinVersion>9.14.0.375</pluginApiMinVersion>
<requirePlugins>java:${project.version}</requirePlugins>
<sonarQubeMinVersion>8.9</sonarQubeMinVersion>
<requirePlugins>java:${sonar.java.version}</requirePlugins>
<jreMinVersion>11</jreMinVersion>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
@ -144,7 +112,7 @@
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<version>${version.jacoco.plugin}</version>
<executions>
<execution>
<id>prepare-agent</id>

@ -22,6 +22,9 @@ public class JavaSecurityDesignRulesPlugin implements Plugin {
// 服务器扩展 - >对象在服务器启动期间实例化
context.addExtension(JavaSecurityDesignRulesRepository.class);
// 服务器扩展 - >对象在服务器启动期间实例化
context.addExtension(JavaSecurityDesignWayProfile.class);
// 批处理扩展 - >对象在代码分析期间实例化
context.addExtension(JavaFileCheckRegistrar.class);

@ -0,0 +1,13 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
/**
* TODO package-info
*
* @author GuoXin
* @date 2024/1/12
*/
package com.keyware.sonar.java;

@ -7,7 +7,7 @@
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.ast.visitors.SubscriptionVisitor;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;
@ -21,7 +21,7 @@ import java.util.List;
* @date 2024/1/6
*/
@Rule(key = "ABCVarNameChecker")
public class ABCVarNameChecker extends SubscriptionVisitor {
public class ABCVarNameChecker extends IssuableSubscriptionVisitor {
@Override
public List<Tree.Kind> nodesToVisit() {

@ -28,7 +28,7 @@ import java.util.List;
* @author WuHaoyang
* @date 2024/1/9
*/
@Rule(key = "AbsolutePathDetector")
@Rule(key = "AbsolutePathDetectorChecker")
public class AbsolutePathDetectorChecker extends IssuableSubscriptionVisitor {
@Override

@ -8,7 +8,7 @@ package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.ast.visitors.SubscriptionVisitor;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.*;
import java.util.Collections;
@ -18,7 +18,7 @@ import java.util.List;
@Rule(key = "DynamicCodeChecker")
//检测代码中包含动态代码执行操作时,工具进行提示
public class DynamicCodeChecker extends SubscriptionVisitor {
public class DynamicCodeChecker extends IssuableSubscriptionVisitor {
@Override
public List<Tree.Kind> nodesToVisit() {

@ -7,10 +7,10 @@
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.ast.visitors.SubscriptionVisitor;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.*;
import org.springframework.lang.NonNull;
import javax.annotation.Nonnull;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
@ -24,7 +24,7 @@ import java.util.stream.Collectors;
* @date 2024/1/10
*/
@Rule(key = "DynamicLibraryLoadChecker")
public class DynamicLibraryLoadChecker extends SubscriptionVisitor {
public class DynamicLibraryLoadChecker extends IssuableSubscriptionVisitor {
@Override
public List<Tree.Kind> nodesToVisit() {
@ -33,7 +33,7 @@ public class DynamicLibraryLoadChecker extends SubscriptionVisitor {
}
@Override
public void visitNode(@NonNull Tree tree) {
public void visitNode(@Nonnull Tree tree) {
if (tree.is(Tree.Kind.METHOD)) {
MethodTree method = (MethodTree) tree;
var block = method.block();

@ -8,9 +8,10 @@ package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.ast.visitors.SubscriptionVisitor;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.*;
import org.springframework.lang.NonNull;
import javax.annotation.Nonnull;
import java.util.Arrays;
import java.util.List;
@ -21,7 +22,7 @@ import java.util.List;
* @date 2024/1/9
*/
@Rule(key = "RedirectUrlChecker")
public class RedirectUrlChecker extends SubscriptionVisitor {
public class RedirectUrlChecker extends IssuableSubscriptionVisitor {
@Override
public List<Tree.Kind> nodesToVisit() {
var nodeType = new Tree.Kind[]{Tree.Kind.METHOD};
@ -29,7 +30,7 @@ public class RedirectUrlChecker extends SubscriptionVisitor {
}
@Override
public void visitNode(@NonNull Tree tree) {
public void visitNode(@Nonnull Tree tree) {
MethodTree methodTree = (MethodTree) tree;
BlockTree block = methodTree.block();
// 方法的参数列表

@ -0,0 +1,13 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
/**
* TODO package-info
*
* @author GuoXin
* @date 2024/1/12
*/
package com.keyware.sonar.java.rules.checkers;

@ -0,0 +1,13 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
/**
* TODO package-info
*
* @author GuoXin
* @date 2024/1/12
*/
package com.keyware.sonar.java.rules;

@ -27,7 +27,10 @@ public class JavaSecurityDesignRulesPluginTest {
assertThat(context.getExtensions())
.extracting(ext -> ((Class) ext).getSimpleName())
.containsExactlyInAnyOrder("JavaSecurityDesignRulesRepository", "JavaFileCheckRegistrar");
.containsExactlyInAnyOrder(
"JavaSecurityDesignRulesRepository",
"JavaSecurityDesignWayProfile",
"JavaFileCheckRegistrar");
}
public static class MockedSonarRuntime implements SonarRuntime {

@ -7,8 +7,7 @@
package com.keyware.sonar.java.rules;
import org.junit.jupiter.api.Test;
import org.sonar.api.rule.RuleKey;
import org.sonar.java.checks.verifier.TestCheckRegistrarContext;
import org.sonar.plugins.java.api.CheckRegistrar;
import static org.assertj.core.api.Assertions.assertThat;
@ -22,42 +21,14 @@ public class JavaFileCheckRegistrarTest {
@Test
void checkRegisteredRulesKeysAndClasses() {
TestCheckRegistrarContext context = new TestCheckRegistrarContext();
CheckRegistrar.RegistrarContext context = new CheckRegistrar.RegistrarContext();
JavaFileCheckRegistrar registrar = new JavaFileCheckRegistrar();
registrar.register(context);
assertThat(context.mainRuleKeys).extracting(RuleKey::toString).containsExactly(
/*"mycompany-java:SpringControllerRequestMappingEntity",
"mycompany-java:AvoidAnnotation",
"mycompany-java:AvoidBrandInMethodNames",
"mycompany-java:AvoidMethodDeclaration",
"mycompany-java:AvoidSuperClass",
"mycompany-java:AvoidTreeList",
"mycompany-java:AvoidMethodWithSameTypeInArgument",
"mycompany-java:SecurityAnnotationMandatory"*/
"keyware-java-security-design:ABCVarNameChecker"
);
assertThat(context.mainCheckClasses).extracting(Class::getSimpleName).containsExactly(
/*"SpringControllerRequestMappingEntityRule",
"AvoidAnnotationRule",
"AvoidBrandInMethodNamesRule",
"AvoidMethodDeclarationRule",
"AvoidSuperClassRule",
"AvoidTreeListRule",
"MyCustomSubscriptionRule",
"SecurityAnnotationMandatoryRule"*/
"ABCVarNameChecker"
);
assertThat(context.testRuleKeys).extracting(RuleKey::toString).containsExactly(
/*"mycompany-java:NoIfStatementInTests"*/
);
assertThat(context.testCheckClasses).extracting(Class::getSimpleName).containsExactly(
/*"NoIfStatementInTestsRule"*/
);
assertThat(context.checkClasses()).hasSize(6);
assertThat(context.testCheckClasses()).hasSize(0);
}
}

@ -34,32 +34,5 @@ public class JavaSecurityDesignRulesRepositoryTest {
assertThat(repository.rules()).hasSize(RulesList.getChecks().size());
assertThat(repository.rules().stream().filter(RulesDefinition.Rule::template)).isEmpty();
//assertRuleProperties(repository);
// assertParameterProperties(repository);
// assertAllRuleParametersHaveDescription(repository);
}
private static void assertParameterProperties(RulesDefinition.Repository repository) {
RulesDefinition.Param max = repository.rule("AvoidAnnotation").param("name");
assertThat(max).isNotNull();
assertThat(max.defaultValue()).isEqualTo("Inject");
assertThat(max.description()).isEqualTo("Name of the annotation to avoid, without the prefix @, for instance 'Override'");
assertThat(max.type()).isEqualTo(RuleParamType.STRING);
}
private static void assertRuleProperties(RulesDefinition.Repository repository) {
RulesDefinition.Rule rule = repository.rule("AvoidAnnotation");
assertThat(rule).isNotNull();
assertThat(rule.name()).isEqualTo("Title of AvoidAnnotation");
assertThat(rule.debtRemediationFunction().type()).isEqualTo(DebtRemediationFunction.Type.CONSTANT_ISSUE);
assertThat(rule.type()).isEqualTo(RuleType.CODE_SMELL);
}
private static void assertAllRuleParametersHaveDescription(RulesDefinition.Repository repository) {
for (RulesDefinition.Rule rule : repository.rules()) {
for (RulesDefinition.Param param : rule.params()) {
assertThat(param.description()).as("description for " + param.key()).isNotEmpty();
}
}
}
}

Loading…
Cancel
Save