修复：sonar-keyware-java打包部署到sonarqube后无法使用的问题

8 months ago · 4e6c7e738c
parent fb0b5d6e39
commit 4e6c7e738c
15 changed files with 111 additions and 131 deletions
--- a/pom.xml
+++ b/pom.xml
@ -4,9 +4,9 @@
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
-        <groupId>org.sonarsource.java</groupId>
-        <artifactId>java</artifactId>
-        <version>7.30.1.34514</version>
+        <groupId>org.sonarsource.parent</groupId>
+        <artifactId>parent</artifactId>
+        <version>68.0.0.247</version>
    </parent>

    <groupId>com.keyware.sonar</groupId>
@ -45,22 +45,37 @@


    <properties>
+        <java.version>11</java.version>
+        <jdk.min.version>11</jdk.min.version>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <sonar.java.version>7.24.0.32100</sonar.java.version>
+        <version.jacoco.plugin>0.8.10</version.jacoco.plugin>
        <aggregate.report.dir>integration-tests/target/site/jacoco-aggregate/jacoco.xml</aggregate.report.dir>
    </properties>

    <modules>
        <module>sonar-keyware-plugins-cxx</module>
        <module>sonar-keyware-plugins-java</module>
+        <module>soanr-keyware-example</module>
    </modules>
    <dependencyManagement>
        <dependencies>
-
+            <dependency>
+                <groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
+                <artifactId>cxx</artifactId>
+                <version>2.1.2-SNAPSHOT</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.sonarsource.java</groupId>
+                <artifactId>java</artifactId>
+                <version>7.24.0.32100</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
        </dependencies>
    </dependencyManagement>
-    <dependencies>
-
-    </dependencies>
 </project>
--- a/sonar-keyware-plugins-cxx/pom.xml
+++ b/sonar-keyware-plugins-cxx/pom.xml
@ -10,6 +10,13 @@
        <version>1.0</version>
    </parent>

+    <!--<parent>
+        <groupId>org.sonarsource.sonarqube-plugins.cxx</groupId>
+        <artifactId>cxx</artifactId>
+        <version>2.1.2-SNAPSHOT</version>
+    </parent>-->
+
+    <!--<groupId>com.keyware.sonar</groupId>-->
    <name>C++ 信息安全性设计准则</name>
    <artifactId>sonar-keyware-plugins-cxx</artifactId>
    <version>1.0</version>
@ -21,9 +28,9 @@
        <sonar.pluginClass>com.keyware.sonar.cxx.CxxPlugin</sonar.pluginClass>
        <sonar.pluginName>C++ 信息安全性设计准则</sonar.pluginName>
        <!-- in addition, a dependency must be set in 'integration-tests/pom.xml' to aggregate the results -->
+        <aggregate.report.dir>integration-tests/target/site/jacoco-aggregate/jacoco.xml</aggregate.report.dir>
        <sonar.coverage.jacoco.xmlReportPaths>${basedir}/../${aggregate.report.dir}</sonar.coverage.jacoco.xmlReportPaths>

-        <java.version>11</java.version>
        <commons-io.version>2.15.1</commons-io.version>
        <commons-lang.version>2.6</commons-lang.version>
        <sonar-cxx.versin>2.1.2-SNAPSHOT</sonar-cxx.versin>
--- a/sonar-keyware-plugins-java/pom.xml
+++ b/sonar-keyware-plugins-java/pom.xml
@ -16,58 +16,38 @@
    <version>1.0</version>
    <description>用于检查Java源代码的安全性设计准则的Sonarqube插件</description>

-    <properties>
-        <jacoco.version>0.8.10</jacoco.version>
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    </properties>
-
    <dependencies>
-        <dependency>
-            <groupId>org.sonarsource.java</groupId>
-            <artifactId>sonar-java-plugin</artifactId>
-            <version>7.30.1.34514</version>
-            <type>sonar-plugin</type>
-            <scope>compile</scope>
-        </dependency>
-
        <dependency>
            <groupId>org.sonarsource.api.plugin</groupId>
            <artifactId>sonar-plugin-api</artifactId>
+            <version>9.9.0.229</version>
            <scope>provided</scope>
        </dependency>

-        <dependency>
-            <groupId>org.sonarsource.analyzer-commons</groupId>
-            <artifactId>sonar-analyzer-commons</artifactId>
-        </dependency>
-
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
            <scope>provided</scope>
        </dependency>

-        <!-- unit tests -->
-        <dependency>
-            <groupId>org.sonarsource.api.plugin</groupId>
-            <artifactId>sonar-plugin-api-test-fixtures</artifactId>
-            <scope>test</scope>
-        </dependency>
        <dependency>
-            <groupId>org.sonarsource.sonarqube</groupId>
-            <artifactId>sonar-plugin-api-impl</artifactId>
-            <scope>test</scope>
+            <groupId>org.sonarsource.java</groupId>
+            <artifactId>sonar-java-plugin</artifactId>
+            <version>${sonar.java.version}</version>
+            <type>sonar-plugin</type>
+            <scope>provided</scope>
        </dependency>
+
        <dependency>
-            <groupId>org.sonarsource.java</groupId>
-            <artifactId>test-classpath-reader</artifactId>
-            <version>7.30.1.34514</version>
-            <scope>test</scope>
+            <groupId>org.sonarsource.analyzer-commons</groupId>
+            <artifactId>sonar-analyzer-commons</artifactId>
        </dependency>
+
+        <!-- unit tests -->
        <dependency>
            <groupId>org.sonarsource.java</groupId>
            <artifactId>java-checks-testkit</artifactId>
-            <version>7.30.1.34514</version>
+            <version>${sonar.java.version}</version>
            <scope>test</scope>
        </dependency>
        <dependency>
@ -80,21 +60,11 @@
            <artifactId>junit-jupiter-migrationsupport</artifactId>
            <scope>test</scope>
        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
-            <scope>test</scope>
-        </dependency>
        <dependency>
            <groupId>org.assertj</groupId>
            <artifactId>assertj-core</artifactId>
            <scope>test</scope>
        </dependency>
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <scope>test</scope>
-        </dependency>
    </dependencies>

    <build>
@ -109,14 +79,12 @@
                    <pluginClass>com.keyware.sonar.java.JavaSecurityDesignRulesPlugin</pluginClass>
                    <sonarLintSupported>true</sonarLintSupported>
                    <skipDependenciesPackaging>true</skipDependenciesPackaging>
-                    <pluginApiMinVersion>9.14.0.375</pluginApiMinVersion>
-                    <requirePlugins>java:${project.version}</requirePlugins>
+                    <sonarQubeMinVersion>8.9</sonarQubeMinVersion>
+                    <requirePlugins>java:${sonar.java.version}</requirePlugins>
+                    <jreMinVersion>11</jreMinVersion>
                </configuration>
            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-            </plugin>
+
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-shade-plugin</artifactId>
@ -144,7 +112,7 @@
            <plugin>
                <groupId>org.jacoco</groupId>
                <artifactId>jacoco-maven-plugin</artifactId>
-                <version>${jacoco.version}</version>
+                <version>${version.jacoco.plugin}</version>
                <executions>
                    <execution>
                        <id>prepare-agent</id>
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java
@ -22,6 +22,9 @@ public class JavaSecurityDesignRulesPlugin implements Plugin {
        // 服务器扩展 - >对象在服务器启动期间实例化
        context.addExtension(JavaSecurityDesignRulesRepository.class);

+        // 服务器扩展 - >对象在服务器启动期间实例化
+        context.addExtension(JavaSecurityDesignWayProfile.class);
+
        // 批处理扩展 - >对象在代码分析期间实例化
        context.addExtension(JavaFileCheckRegistrar.class);

--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/package-info.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/package-info.java
@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：Java 信息安全性设计准则
+ * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+/**
+ * TODO package-info
+ *
+ * @author GuoXin
+ * @date 2024/1/12
+ */
+package com.keyware.sonar.java;
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
@ -7,7 +7,7 @@
 package com.keyware.sonar.java.rules.checkers;

 import org.sonar.check.Rule;
-import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.Tree;
 import org.sonar.plugins.java.api.tree.VariableTree;

@ -21,7 +21,7 @@ import java.util.List;
 * @date 2024/1/6
 */
@Rule(key = "ABCVarNameChecker")
-public class ABCVarNameChecker extends SubscriptionVisitor {
+public class ABCVarNameChecker extends IssuableSubscriptionVisitor {

    @Override
    public List<Tree.Kind> nodesToVisit() {
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorChecker.java
@ -28,7 +28,7 @@ import java.util.List;
 * @author WuHaoyang
 * @date 2024/1/9
 */
-@Rule(key = "AbsolutePathDetector")
+@Rule(key = "AbsolutePathDetectorChecker")
 public class AbsolutePathDetectorChecker extends IssuableSubscriptionVisitor {

    @Override
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
@ -8,7 +8,7 @@ package com.keyware.sonar.java.rules.checkers;


 import org.sonar.check.Rule;
-import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.*;

 import java.util.Collections;
@ -18,7 +18,7 @@ import java.util.List;
@Rule(key = "DynamicCodeChecker")

 //检测代码中包含动态代码执行操作时，工具进行提示
-public class DynamicCodeChecker extends SubscriptionVisitor {
+public class DynamicCodeChecker extends IssuableSubscriptionVisitor {

    @Override
    public List<Tree.Kind> nodesToVisit() {
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicLibraryLoadChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicLibraryLoadChecker.java
@ -7,10 +7,10 @@
 package com.keyware.sonar.java.rules.checkers;

 import org.sonar.check.Rule;
-import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.*;
-import org.springframework.lang.NonNull;

+import javax.annotation.Nonnull;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
@ -24,7 +24,7 @@ import java.util.stream.Collectors;
 * @date 2024/1/10
 */
@Rule(key = "DynamicLibraryLoadChecker")
-public class DynamicLibraryLoadChecker extends SubscriptionVisitor {
+public class DynamicLibraryLoadChecker extends IssuableSubscriptionVisitor {

    @Override
    public List<Tree.Kind> nodesToVisit() {
@ -33,7 +33,7 @@ public class DynamicLibraryLoadChecker extends SubscriptionVisitor {
    }

    @Override
-    public void visitNode(@NonNull Tree tree) {
+    public void visitNode(@Nonnull Tree tree) {
        if (tree.is(Tree.Kind.METHOD)) {
            MethodTree method = (MethodTree) tree;
            var block = method.block();
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
@ -8,9 +8,10 @@ package com.keyware.sonar.java.rules.checkers;

 import org.sonar.check.Rule;
 import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.*;
-import org.springframework.lang.NonNull;

+import javax.annotation.Nonnull;
 import java.util.Arrays;
 import java.util.List;

@ -21,7 +22,7 @@ import java.util.List;
 * @date 2024/1/9
 */
@Rule(key = "RedirectUrlChecker")
-public class RedirectUrlChecker extends SubscriptionVisitor {
+public class RedirectUrlChecker extends IssuableSubscriptionVisitor {
    @Override
    public List<Tree.Kind> nodesToVisit() {
        var nodeType = new Tree.Kind[]{Tree.Kind.METHOD};
@ -29,7 +30,7 @@ public class RedirectUrlChecker extends SubscriptionVisitor {
    }

    @Override
-    public void visitNode(@NonNull Tree tree) {
+    public void visitNode(@Nonnull Tree tree) {
        MethodTree methodTree = (MethodTree) tree;
        BlockTree block = methodTree.block();
        // 方法的参数列表
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/package-info.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/package-info.java
@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：Java 信息安全性设计准则
+ * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+/**
+ * TODO package-info
+ *
+ * @author GuoXin
+ * @date 2024/1/12
+ */
+package com.keyware.sonar.java.rules.checkers;
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/package-info.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/package-info.java
@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：Java 信息安全性设计准则
+ * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+/**
+ * TODO package-info
+ *
+ * @author GuoXin
+ * @date 2024/1/12
+ */
+package com.keyware.sonar.java.rules;
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java
@ -27,7 +27,10 @@ public class JavaSecurityDesignRulesPluginTest {

        assertThat(context.getExtensions())
                .extracting(ext -> ((Class) ext).getSimpleName())
-                .containsExactlyInAnyOrder("JavaSecurityDesignRulesRepository", "JavaFileCheckRegistrar");
+                .containsExactlyInAnyOrder(
+                        "JavaSecurityDesignRulesRepository",
+                        "JavaSecurityDesignWayProfile",
+                        "JavaFileCheckRegistrar");
    }

    public static class MockedSonarRuntime implements SonarRuntime {
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaFileCheckRegistrarTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaFileCheckRegistrarTest.java
@ -7,8 +7,7 @@
 package com.keyware.sonar.java.rules;

 import org.junit.jupiter.api.Test;
-import org.sonar.api.rule.RuleKey;
-import org.sonar.java.checks.verifier.TestCheckRegistrarContext;
+import org.sonar.plugins.java.api.CheckRegistrar;

 import static org.assertj.core.api.Assertions.assertThat;

@ -22,42 +21,14 @@ public class JavaFileCheckRegistrarTest {

    @Test
    void checkRegisteredRulesKeysAndClasses() {
-        TestCheckRegistrarContext context = new TestCheckRegistrarContext();
+        CheckRegistrar.RegistrarContext context = new CheckRegistrar.RegistrarContext();
+

        JavaFileCheckRegistrar registrar = new JavaFileCheckRegistrar();
        registrar.register(context);

-        assertThat(context.mainRuleKeys).extracting(RuleKey::toString).containsExactly(
-                /*"mycompany-java:SpringControllerRequestMappingEntity",
-                "mycompany-java:AvoidAnnotation",
-                "mycompany-java:AvoidBrandInMethodNames",
-                "mycompany-java:AvoidMethodDeclaration",
-                "mycompany-java:AvoidSuperClass",
-                "mycompany-java:AvoidTreeList",
-                "mycompany-java:AvoidMethodWithSameTypeInArgument",
-                "mycompany-java:SecurityAnnotationMandatory"*/
-                "keyware-java-security-design:ABCVarNameChecker"
-        );
-
-        assertThat(context.mainCheckClasses).extracting(Class::getSimpleName).containsExactly(
-                /*"SpringControllerRequestMappingEntityRule",
-                "AvoidAnnotationRule",
-                "AvoidBrandInMethodNamesRule",
-                "AvoidMethodDeclarationRule",
-                "AvoidSuperClassRule",
-                "AvoidTreeListRule",
-                "MyCustomSubscriptionRule",
-                "SecurityAnnotationMandatoryRule"*/
-                "ABCVarNameChecker"
-        );
-
-        assertThat(context.testRuleKeys).extracting(RuleKey::toString).containsExactly(
-                /*"mycompany-java:NoIfStatementInTests"*/
-        );
-
-        assertThat(context.testCheckClasses).extracting(Class::getSimpleName).containsExactly(
-                /*"NoIfStatementInTestsRule"*/
-        );
+        assertThat(context.checkClasses()).hasSize(6);
+        assertThat(context.testCheckClasses()).hasSize(0);
    }

 }
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepositoryTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepositoryTest.java
@ -34,32 +34,5 @@ public class JavaSecurityDesignRulesRepositoryTest {
        assertThat(repository.rules()).hasSize(RulesList.getChecks().size());
        assertThat(repository.rules().stream().filter(RulesDefinition.Rule::template)).isEmpty();

-        //assertRuleProperties(repository);
-        // assertParameterProperties(repository);
-        // assertAllRuleParametersHaveDescription(repository);
-    }
-
-    private static void assertParameterProperties(RulesDefinition.Repository repository) {
-        RulesDefinition.Param max = repository.rule("AvoidAnnotation").param("name");
-        assertThat(max).isNotNull();
-        assertThat(max.defaultValue()).isEqualTo("Inject");
-        assertThat(max.description()).isEqualTo("Name of the annotation to avoid, without the prefix @, for instance 'Override'");
-        assertThat(max.type()).isEqualTo(RuleParamType.STRING);
-    }
-
-    private static void assertRuleProperties(RulesDefinition.Repository repository) {
-        RulesDefinition.Rule rule = repository.rule("AvoidAnnotation");
-        assertThat(rule).isNotNull();
-        assertThat(rule.name()).isEqualTo("Title of AvoidAnnotation");
-        assertThat(rule.debtRemediationFunction().type()).isEqualTo(DebtRemediationFunction.Type.CONSTANT_ISSUE);
-        assertThat(rule.type()).isEqualTo(RuleType.CODE_SMELL);
-    }
-
-    private static void assertAllRuleParametersHaveDescription(RulesDefinition.Repository repository) {
-        for (RulesDefinition.Rule rule : repository.rules()) {
-            for (RulesDefinition.Param param : rule.params()) {
-                assertThat(param.description()).as("description for " + param.key()).isNotEmpty();
-            }
-        }
    }
 }