From 58cd99cd4190563aab3311314acd62bed36e7e01 Mon Sep 17 00:00:00 2001 From: RenFengJiang <1111> Date: Tue, 23 Jan 2024 20:25:27 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=EF=BC=9Ajava=E8=AE=BE?= =?UTF-8?q?=E7=BD=AE=E4=BC=9A=E8=AF=9D=E8=BF=87=E6=9C=9F=E7=9A=84=E6=97=A5?= =?UTF-8?q?=E6=9C=9F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../sonar/java/ConfigFileSquidSensor.java | 7 +- .../java/JavaSecurityDesignWayProfile.java | 1 + .../JavaSecurityDesignRulesRepository.java | 4 +- .../java/rules/checkers/ConfigCheck.java | 23 +++++ .../checkers/ConfigurationFileChecker.java | 3 +- .../rules/checkers/SessionDateChecker.java | 96 +++++++++++++++++++ .../java/rules/java/SessionDateChecker.html | 16 ++++ .../java/rules/java/SessionDateChecker.json | 13 +++ .../files/sessionDates/application.properties | 9 ++ .../test/files/sessionDates/application.yml | 4 + 10 files changed, 173 insertions(+), 3 deletions(-) create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json create mode 100644 sonar-keyware-plugins-java/src/test/files/sessionDates/application.properties create mode 100644 sonar-keyware-plugins-java/src/test/files/sessionDates/application.yml diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java index faa9fef..0881079 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java 
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java @@ -6,7 +6,9 @@ */ package com.keyware.sonar.java; +import com.keyware.sonar.java.rules.checkers.ConfigCheck; import com.keyware.sonar.java.rules.checkers.ConfigurationFileChecker; +import com.keyware.sonar.java.rules.checkers.SessionDateChecker; import org.sonar.api.batch.fs.FilePredicates; import org.sonar.api.batch.fs.InputFile; import org.sonar.api.batch.rule.CheckFactory; @@ -17,13 +19,14 @@ import org.sonar.api.batch.sensor.SensorDescriptor; public class ConfigFileSquidSensor implements Sensor { - private final Checks checks; + private final Checks checks; private SensorContext context; public ConfigFileSquidSensor(CheckFactory checkFactory){ checks = checkFactory.create("config"); checks.addAnnotatedChecks(ConfigurationFileChecker.class); + checks.addAnnotatedChecks(SessionDateChecker.class); } @Override public void describe(SensorDescriptor descriptor) { @@ -41,6 +44,8 @@ public class ConfigFileSquidSensor implements Sensor { check.execute(context, inputFile, checks.ruleKey(check)); }); } + + checks.all().forEach(check->check.endOfCheck(context, checks.ruleKey(check))); } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java index e3aeef6..5acf99d 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java @@ -33,6 +33,7 @@ public class JavaSecurityDesignWayProfile implements BuiltInQualityProfilesDefin var cfgWay = context.createBuiltInQualityProfile("配置信息安全性设计规则", ConfigurationFileLanguage.KEY); cfgWay.activateRule("config", "ConfigurationFileChecker"); + cfgWay.activateRule("config", "SessionDateChecker"); cfgWay.done(); } } 
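Review bot: The added `checks.all().forEach(check->check.endOfCheck(context, checks.ruleKey(check)))` runs after the file loop whether or not any input file matched the sensor's predicate, so a check whose initial state is "not configured" (such as `SessionDateChecker`, whose flag starts `true`) reports an issue on a project that contains no configuration file at all. If that is the intended reading of the rule, record it above the call, e.g. `// endOfCheck runs even when no config file matched: a missing configuration is itself a finding`; otherwise only call `endOfCheck` when at least one file was visited. The enclosing method of this hunk begins outside the hunk, so the file-visit count would need to be threaded from there. The switch from raw `Checks` to `Checks<ConfigCheck>` is a welcome tightening.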
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java index e0ad7a1..9577a04 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java @@ -7,6 +7,8 @@ package com.keyware.sonar.java.rules; import com.keyware.sonar.java.rules.checkers.ConfigurationFileChecker; +import com.keyware.sonar.java.rules.checkers.SecurityCookieChecker; +import com.keyware.sonar.java.rules.checkers.SessionDateChecker; import org.sonar.api.SonarEdition; import org.sonar.api.SonarProduct; import org.sonar.api.SonarQubeSide; @@ -54,7 +56,7 @@ public class JavaSecurityDesignRulesRepository implements RulesDefinition { htmlRepo.done(); RulesDefinition.NewRepository configRepo = context.createRepository("config", "cfg").setName("config"); - ruleMetadataLoader.addRulesByAnnotatedClass(configRepo, List.of(ConfigurationFileChecker.class)); + ruleMetadataLoader.addRulesByAnnotatedClass(configRepo, List.of(ConfigurationFileChecker.class, SessionDateChecker.class)); setTemplates(configRepo); configRepo.done(); } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java new file mode 100644 index 0000000..c4342ff --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java 
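Review bot: The new `import com.keyware.sonar.java.rules.checkers.SecurityCookieChecker;` is not referenced anywhere in this hunk; only `SessionDateChecker.class` is added to the `List.of(...)` passed to `addRulesByAnnotatedClass`. No file of that name is created in this commit, so unless the class already exists in the repository the file will not compile, and if it does exist the import is dead and should be removed, leaving `import com.keyware.sonar.java.rules.checkers.SessionDateChecker;` as the only addition.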
@@ -0,0 +1,23 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.java.rules.checkers; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.rule.RuleKey; + +/** + * TODO ConfigCheck + * + * @author RenFengJiang + * @date 2024/1/23 + */ +public interface ConfigCheck { + default void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){} + default void endOfCheck(SensorContext context, RuleKey ruleKey){} +} diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java index 1c2f7e2..d87578c 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java @@ -35,9 +35,10 @@ import java.util.Scanner; * @date 2024/1/22 */ @Rule(key = "ConfigurationFileChecker") -public class ConfigurationFileChecker { +public class ConfigurationFileChecker implements ConfigCheck { + @Override public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){ //文件名称 String filename = inputFile.filename(); diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java new file mode 100644 index 0000000..114bde9 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java 
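Review bot: The Javadoc on the new `ConfigCheck` interface is a `TODO` placeholder, and both default methods are silent no-ops, so an implementation that mistypes a method name does nothing without any compiler help. Replace the placeholder with the lifecycle the sensor gives it: `execute` is invoked by `ConfigFileSquidSensor` for each input file the sensor selects, and `endOfCheck` once after all files have been visited, so per-project conclusions belong in `endOfCheck` while per-file state is accumulated in `execute`. Add a one-line Javadoc to each method stating this and note that implementations should mark their overrides with `@Override`, as `ConfigurationFileChecker` now does and `SessionDateChecker.execute` does not.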
@@ -0,0 +1,96 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.java.rules.checkers; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.rule.RuleKey; +import org.sonar.check.Rule; +import org.yaml.snakeyaml.Yaml; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.util.Map; +import java.util.Scanner; + +/** + * TODO SessionDateChecker + * + * @author RenFengJiang + * @date 2024/1/22 + */ +@Rule(key = "SessionDateChecker") +public class SessionDateChecker implements ConfigCheck { + + private boolean boo = true; + public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){ + if(boo){ + //文件名称 + String filename = inputFile.filename(); + //校验文件后缀 + if (filename.endsWith(".properties")) { + try { + File file = new File(inputFile.absolutePath()); + try (Scanner scanner = new Scanner(file)) { + while (scanner.hasNextLine()) { + String line = scanner.nextLine(); + if (line.contains("server.servlet.session.timeout")) { + boo = false; + break; + } + } + } + } catch (FileNotFoundException e) { + System.out.println("文件未找到: " + e.getMessage()); + return; // 文件未找到时立即返回 + } + } + if (filename.endsWith(".yml")){ + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + File absoluteFile = file1.getAbsoluteFile(); + // 构建目录路径 + Yaml yaml = new Yaml(); + try (FileInputStream fis = new FileInputStream(file1)) { + Map obj = yaml.load(fis); + if (obj != null){ + String sessionTimeout = searchForSessionTimeout(obj, "server", "servlet", "session", "timeout"); + if (sessionTimeout != null) { + boo = false; + } + } + } catch (IOException e) { + e.printStackTrace(); + } + } + } + } + + private String 
searchForSessionTimeout(Map map, String... keys) { + Map currentLevel = map; + for (int i = 0; i < keys.length - 1; ++i) { + Object nextLevel = currentLevel.get(keys[i]); + if (nextLevel instanceof Map) { + currentLevel = (Map) nextLevel; + } else { + return null; + } + } + return currentLevel.get(keys[keys.length - 1]).toString(); + } + + @Override + public void endOfCheck(SensorContext context, RuleKey ruleKey) { + if(boo){ + var issue = context.newIssue(); + issue.at(issue.newLocation().on(context.project()).message("设置会话过期的日期")).forRule(ruleKey).save(); + } + } +} diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html new file mode 100644 index 0000000..d0627b8 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html @@ -0,0 +1,16 @@ + + +
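Review bot: `searchForSessionTimeout` ends with `currentLevel.get(keys[keys.length - 1]).toString()` and never checks for null, so a YAML file that defines `server.servlet.session` without a `timeout` key throws a `NullPointerException` out of `execute` (the surrounding `catch` handles only `IOException`) and aborts the sensor; use `Object value = currentLevel.get(keys[keys.length - 1]);` followed by `return value == null ? null : value.toString();`, and guard `Map obj = yaml.load(fis)` the same way, since a document whose top level is not a mapping fails the implicit cast. In the `.properties` branch, `line.contains("server.servlet.session.timeout")` also matches a commented-out line such as `#server.servlet.session.timeout=30m`, so a disabled setting satisfies the rule; strip each line and skip `#`/`!` comment lines before matching, and consider checking that the value is non-empty rather than only that the key appears. Because the YAML is read from the analysed project, build the parser with a `SafeConstructor` instead of the default `new Yaml()` so the configuration file cannot instantiate arbitrary classes during `load`. Smaller points: `absoluteFile` is assigned and never used, `boo` deserves a descriptive name such as `timeoutMissing`, `execute` lacks the `@Override` that `ConfigurationFileChecker` carries, and `System.out.println`/`e.printStackTrace()` should go through the plugin's logger.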

设置会话过期的日期

+

设置会话过期的日期

+
+
+
+

合规解决方案

+
+
+
\ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json new file mode 100644 index 0000000..f59df08 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json @@ -0,0 +1,13 @@ +{ + "title": "设置会话过期的日期", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "28suo" + ], + "defaultSeverity": "Minor" +} \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/sessionDates/application.properties b/sonar-keyware-plugins-java/src/test/files/sessionDates/application.properties new file mode 100644 index 0000000..b918494 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/sessionDates/application.properties @@ -0,0 +1,9 @@ +# +# Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. +# 项目名称:信息安全性设计准则检查插件 +# 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 +# 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 +# + +# 设置会话超时时间为30分钟 +server.servlet.session.timeout=30m \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/sessionDates/application.yml b/sonar-keyware-plugins-java/src/test/files/sessionDates/application.yml new file mode 100644 index 0000000..191582c --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/sessionDates/application.yml @@ -0,0 +1,4 @@ +server: + servlet: + session: + timeout: 30m \ No newline at end of file