新增：java设置会话过期的日期

8 months ago · 58cd99cd41
parent 338b45a24d
commit 58cd99cd41
10 changed files with 173 additions and 3 deletions
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java
@ -6,7 +6,9 @@
 */
 package com.keyware.sonar.java;
 import com.keyware.sonar.java.rules.checkers.ConfigCheck;
 import com.keyware.sonar.java.rules.checkers.ConfigurationFileChecker;
 import com.keyware.sonar.java.rules.checkers.SessionDateChecker;
 import org.sonar.api.batch.fs.FilePredicates;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.api.batch.rule.CheckFactory;
@ -17,13 +19,14 @@ import org.sonar.api.batch.sensor.SensorDescriptor;
 public class ConfigFileSquidSensor implements Sensor {
-    private final Checks<ConfigurationFileChecker> checks;
+    private final Checks<ConfigCheck> checks;
    private SensorContext context;
    public ConfigFileSquidSensor(CheckFactory checkFactory){
        checks = checkFactory.create("config");
        checks.addAnnotatedChecks(ConfigurationFileChecker.class);
        checks.addAnnotatedChecks(SessionDateChecker.class);
    }
    @Override
    public void describe(SensorDescriptor descriptor) {
@ -41,6 +44,8 @@ public class ConfigFileSquidSensor implements Sensor {
                check.execute(context, inputFile, checks.ruleKey(check));
            });
        }
        checks.all().forEach(check->check.endOfCheck(context, checks.ruleKey(check)));
    }
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java
@ -33,6 +33,7 @@ public class JavaSecurityDesignWayProfile implements BuiltInQualityProfilesDefin
        var cfgWay = context.createBuiltInQualityProfile("配置信息安全性设计规则", ConfigurationFileLanguage.KEY);
        cfgWay.activateRule("config", "ConfigurationFileChecker");
        cfgWay.activateRule("config", "SessionDateChecker");
        cfgWay.done();
    }
 }
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java
@ -7,6 +7,8 @@
 package com.keyware.sonar.java.rules;
 import com.keyware.sonar.java.rules.checkers.ConfigurationFileChecker;
 import com.keyware.sonar.java.rules.checkers.SecurityCookieChecker;
 import com.keyware.sonar.java.rules.checkers.SessionDateChecker;
 import org.sonar.api.SonarEdition;
 import org.sonar.api.SonarProduct;
 import org.sonar.api.SonarQubeSide;
@ -54,7 +56,7 @@ public class JavaSecurityDesignRulesRepository implements RulesDefinition {
        htmlRepo.done();
        RulesDefinition.NewRepository configRepo = context.createRepository("config", "cfg").setName("config");
-        ruleMetadataLoader.addRulesByAnnotatedClass(configRepo, List.of(ConfigurationFileChecker.class));
+        ruleMetadataLoader.addRulesByAnnotatedClass(configRepo, List.of(ConfigurationFileChecker.class, SessionDateChecker.class));
        setTemplates(configRepo);
        configRepo.done();
    }
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java
@ -0,0 +1,23 @@
 /*
 * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 * 项目名称：信息安全性设计准则检查插件
 * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
 * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 */
 package com.keyware.sonar.java.rules.checkers;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.api.batch.sensor.SensorContext;
 import org.sonar.api.rule.RuleKey;
 /**
 * TODO ConfigCheck
 *
 * @author RenFengJiang
 * @date 2024/1/23
 */
 public interface ConfigCheck {
    default  void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){}
    default void endOfCheck(SensorContext context, RuleKey ruleKey){}
 }
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java
@ -35,9 +35,10 @@ import java.util.Scanner;
 * @date 2024/1/22
 */
@Rule(key = "ConfigurationFileChecker")
-public class ConfigurationFileChecker {
+public class ConfigurationFileChecker implements ConfigCheck {
    @Override
    public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){
        //文件名称
        String filename = inputFile.filename();
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java
@ -0,0 +1,96 @@
 /*
 * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 * 项目名称：信息安全性设计准则检查插件
 * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
 * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 */
 package com.keyware.sonar.java.rules.checkers;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.api.batch.sensor.SensorContext;
 import org.sonar.api.rule.RuleKey;
 import org.sonar.check.Rule;
 import org.yaml.snakeyaml.Yaml;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.Map;
 import java.util.Scanner;
 /**
 * TODO SessionDateChecker
 *
 * @author RenFengJiang
 * @date 2024/1/22
 */
@Rule(key = "SessionDateChecker")
 public class SessionDateChecker implements ConfigCheck {
    private boolean boo = true;
    public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){
        if(boo){
            //文件名称
            String filename = inputFile.filename();
            //校验文件后缀
            if (filename.endsWith(".properties")) {
                try {
                    File file = new File(inputFile.absolutePath());
                    try (Scanner scanner = new Scanner(file)) {
                        while (scanner.hasNextLine()) {
                            String line = scanner.nextLine();
                            if (line.contains("server.servlet.session.timeout")) {
                                boo = false;
                                break;
                            }
                        }
                    }
                } catch (FileNotFoundException e) {
                    System.out.println("文件未找到: " + e.getMessage());
                    return;  // 文件未找到时立即返回
                }
            }
            if (filename.endsWith(".yml")){
                // 获取当前输入文件的绝对路径
                File file1 = inputFile.file();
                File absoluteFile = file1.getAbsoluteFile();
                // 构建目录路径
                Yaml yaml = new Yaml();
                try (FileInputStream fis = new FileInputStream(file1)) {
                    Map<String, Object> obj = yaml.load(fis);
                    if (obj != null){
                        String sessionTimeout = searchForSessionTimeout(obj, "server", "servlet", "session", "timeout");
                        if (sessionTimeout != null) {
                            boo = false;
                        }
                    }
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }
    private String searchForSessionTimeout(Map<String, Object> map, String... keys) {
        Map<String, Object> currentLevel = map;
        for (int i = 0; i < keys.length - 1; ++i) {
            Object nextLevel = currentLevel.get(keys[i]);
            if (nextLevel instanceof Map) {
                currentLevel = (Map<String, Object>) nextLevel;
            } else {
                return null;
            }
        }
        return currentLevel.get(keys[keys.length - 1]).toString();
    }
    @Override
    public void endOfCheck(SensorContext context, RuleKey ruleKey) {
        if(boo){
            var issue = context.newIssue();
            issue.at(issue.newLocation().on(context.project()).message("设置会话过期的日期")).forRule(ruleKey).save();
        }
    }
 }
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html
@ -0,0 +1,16 @@
 <!--
  ~ Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
  ~ 项目名称：信息安全性设计准则检查插件
  ~ 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
  ~ 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
  -->
 <p>设置会话过期的日期</p>
 <h2>设置会话过期的日期</h2>
 <pre>
 </pre>
 <h2>合规解决方案</h2>
 <pre>
 </pre>
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json
@ -0,0 +1,13 @@
 {
  "title": "设置会话过期的日期",
  "type": "CODE_SMELL",
  "status": "ready",
  "remediation": {
    "func": "Constant\/Issue",
    "constantCost": "5min"
  },
  "tags": [
    "28suo"
  ],
  "defaultSeverity": "Minor"
 }
--- a/sonar-keyware-plugins-java/src/test/files/sessionDates/application.properties
+++ b/sonar-keyware-plugins-java/src/test/files/sessionDates/application.properties
@ -0,0 +1,9 @@
 #
 # Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 # 项目名称：信息安全性设计准则检查插件
 # 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
 # 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 #
 # 设置会话超时时间为30分钟
 server.servlet.session.timeout=30m
--- a/sonar-keyware-plugins-java/src/test/files/sessionDates/application.yml
+++ b/sonar-keyware-plugins-java/src/test/files/sessionDates/application.yml
@ -0,0 +1,4 @@
 server:
  servlet:
    session:
      timeout: 30m