Merge remote-tracking branch 'origin/master'

8 months ago · 5ce8feea75
parent 4cd845ed64 ac4eee2647
commit 5ce8feea75
20 changed files with 142 additions and 17 deletions
--- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyChecker.java
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyChecker.java
@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：信息安全性设计准则检查插件
+ * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.cxx.rules.checkers;
+
+import com.sonar.cxx.sslr.api.AstNode;
+import com.sonar.cxx.sslr.api.Grammar;
+import org.sonar.check.Priority;
+import org.sonar.check.Rule;
+import org.sonar.cxx.parser.CxxGrammarImpl;
+import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
+import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
+import org.sonar.cxx.squidbridge.checks.SquidCheck;
+
+import javax.annotation.Nonnull;
+import java.util.List;
+
+/**
+ * TODO 应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法
+ *
+ * @author RenFengJiang
+ * @date 2024/1/23
+ */
+@Rule(key = "PRNGVerifyChecker", name = "应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法", description = "使用目前被业界专家认为较强的经过良好审核的加密PRNG算法，初始化随机数生成器时使用具有足够长度且不固定的种子", priority = Priority.INFO, tags = {"28suo"})
+@ActivatedByDefault
+@SqaleConstantRemediation("5min")
+public class PRNGVerifyChecker extends SquidCheck<Grammar> {
+
+    List<String> lists = List.of("minstd_rand0","minstd_rand","mt19937","mt19937_64","ranlux24_base","ranlux48_base","ranlux24","ranlux48","knuth_b");
+    @Override
+    public void init() {
+        // 指定当前访问器需要访问的节点类型，functionBody（函数）主体节点
+        this.subscribeTo(
+                CxxGrammarImpl.declarationStatement
+        );
+    }
+
+    /**
+     * 访问AST节点
+     *
+     * @param node 要处理的AST节点，该节点类型为通过subscribeTo方法订阅的类型
+     */
+    @Override
+    public void visitNode(@Nonnull AstNode node) {
+        List<AstNode> descendants = node.getDescendants(CxxGrammarImpl.typeName);
+        for (AstNode desc:descendants) {
+            if(lists.contains(desc.getTokenValue())){
+                getContext().createLineViolation(this, "应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法", node);
+                break;
+            }
+        }
+
+    }
+}
--- a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyCheckerTest.java
+++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyCheckerTest.java
@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：信息安全性设计准则检查插件
+ * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.cxx.rules.checkers;
+
+import com.keyware.sonar.cxx.CxxFileTesterHelper;
+import org.junit.jupiter.api.Test;
+import org.sonar.cxx.CxxAstScanner;
+import org.sonar.cxx.squidbridge.api.SourceFile;
+import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier;
+
+import java.io.IOException;
+
+/**
+ * TODO PRNGVerifyCheckerTest
+ *
+ * @author RenFengJiang
+ * @date 2024/1/23
+ */
+public class PRNGVerifyCheckerTest {
+
+    @Test
+    public void checkTest() throws IOException {
+        var checker = new PRNGVerifyChecker();
+        var tester = CxxFileTesterHelper.create("PRNGVerifyChecker.cc");
+        SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
+        CheckMessagesVerifier.verify(file.getCheckMessages())
+                .next().atLine(4).withMessage("应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法")
+                .next().atLine(6).withMessage("应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法")
+                .next().atLine(8).withMessage("应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法")
+                .noMore();
+    }
+}
--- a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyChecker.cc
+++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyChecker.cc
@ -0,0 +1,10 @@
+int main(){
+    std::mt19937 generator(time(0)); // mt19937是32比特的
+    std::cout << generator() << std::endl;
+    std::ranlux24_base generator(time(0)); // ranlux24_base是24比特的
+    std::cout << generator() << std::endl;
+    std::knuth_b generator(time(0));
+    std::cout << generator() << std::endl;
+
+    return 0;
+}
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
@ -15,7 +15,7 @@ import java.util.Collections;
 import java.util.List;

 /**
- * TODO ABCVarNameChecker
+ *  Test
 *
 * @author GuoXin
 * @date 2024/1/6
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AuthenticationChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AuthenticationChecker.java
@ -18,8 +18,7 @@ import java.util.*;


 /**
- * TODO 通过用户名口令、数据证书等其他手段对用户身份进行验证。
- * AuthenticationChecker
+ * 通过用户名口令、数据证书等其他手段对用户身份进行验证。
 *
 * @author WuHaoYang
 * @date 2024/1/23
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
@ -12,7 +12,12 @@ import org.sonar.plugins.java.api.semantic.Symbol;
 import org.sonar.plugins.java.api.tree.*;

 import java.util.*;
-
+/**
+ * 日志中包含敏感信息
+ *
+ * @author WuHaoYang
+ * @date 2024/1/23
+ */
@Rule(key = "AvoidSensitiveInfoInLogsCheck")
 public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor {

--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java
@ -12,7 +12,7 @@ import org.sonar.api.batch.sensor.SensorContext;
 import org.sonar.api.rule.RuleKey;

 /**
- * TODO ConfigCheck
+ * ConfigCheck
 *
 * @author RenFengJiang
 * @date 2024/1/23
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java
@ -29,7 +29,7 @@ import java.util.Scanner;


 /**
- * TODO ConfigurationFileChecker
+ * 禁止在容易受攻击的地方明文存储口令密码
 *
 * @author WuHaoYang
 * @date 2024/1/22
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheck.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheck.java
@ -15,6 +15,12 @@ import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;

 import java.util.*;

+/**
+ * Cookie参数设置中包含敏感字段
+ *
+ * @author WuHaoYang
+ * @date 2024/1/22
+ */
@Rule(key = "CookieSensitiveParameterCheck")
 public class CookieSensitiveParameterCheck extends IssuableSubscriptionVisitor {

--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
@ -16,7 +16,12 @@ import java.util.List;


@Rule(key = "DynamicCodeChecker")
-
+/**
+ * 程序设计时禁止动态构建代码进行功能实现
+ *
+ * @author renfengshan
+ * @date 2024/1/22
+ */
 //检测代码中包含动态代码执行操作时，工具进行提示
 public class DynamicCodeChecker extends IssuableSubscriptionVisitor {

--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HashSaltPassWordChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HashSaltPassWordChecker.java
@ -19,7 +19,7 @@ import java.util.Collections;
 import java.util.List;

 /**
- * TODO HashSaltPassWordChecker
+ * 应使用盐值计算口令
 *
 * @author RenFengJiang
 * @date 2024/1/11
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HttpInputDataChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HttpInputDataChecker.java
@ -20,7 +20,7 @@ import java.util.Collections;
 import java.util.List;

 /**
- * TODO HttpInputDataChecker
+ * HTTP输入数据验证
 *
 * @author RenFengJiang
 * @date 2024/1/12
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/InputSQLVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/InputSQLVerifyChecker.java
@ -18,7 +18,7 @@ import java.util.Collections;
 import java.util.List;

 /**
- * TODO InputSQLVerifyChecker
+ * 使用sql语句前应对其进行验证
 *
 * @author RenFengJiang
 * @date 2024/1/14
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/Md5PassWordVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/Md5PassWordVerifyChecker.java
@ -20,7 +20,7 @@ import java.util.List;
 import java.util.Locale;

 /**
- * TODO Md5PassWordVerifyChecker
+ * 应使用单向不可逆的加密算法
 *
 * @author RenFengJiang
 * @date 2024/1/13
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RSAEncryptionChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RSAEncryptionChecker.java
@ -17,7 +17,7 @@ import java.util.Collections;
 import java.util.List;

 /**
- * TODO RSAEncryptionChecker
+ * 使用RSA最优加密填充
 *
 * @author RenFengJiang
 * @date 2024/1/11
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
@ -14,7 +14,7 @@ import java.util.Collections;
 import java.util.List;

 /**
- * TODO SecurityCookieChecker
+ * 设置HTTPS会话中cookie的安全属性
 *
 * @author RenFengJiang
 * @date 2024/1/10
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyChecker.java
@ -22,7 +22,7 @@ import java.util.List;
 * 发送信息规则检查
 * 检测类似发送信息的函数中的参数是否敏感信息，如敏感信息的字段
 * 1.获取到方法调用节点
- * 2.
+ * 2.对获取到的节点进行判断
 *
 * @author RenFengJiang
 * @date 2024/1/20
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java
@ -21,7 +21,7 @@ import java.util.Map;
 import java.util.Scanner;

 /**
- * TODO SessionDateChecker
+ * 设置会话过期的日期
 *
 * @author RenFengJiang
 * @date 2024/1/22
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
@ -14,7 +14,7 @@ import java.util.Collections;
 import java.util.List;

 /**
- * TODO 上传文件检查规则
+ * 上传文件检查规则
 *
 * @author RenFengJiang
 * @date 2024/1/8
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UpperCycleLimitRuleChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UpperCycleLimitRuleChecker.java
@ -13,7 +13,12 @@ import org.sonar.plugins.java.api.tree.*;

 import java.util.List;

-
+/**
+ * 规定循环次数的上限，在将用户输入的数据用于循环条件前进行验证用户输入的数据是否超过上限
+ *
+ * @author renfengshan
+ * @date 2024/1/8
+ */
@Rule(key = "UpperCycleLimitRuleChecker")
 public class UpperCycleLimitRuleChecker extends IssuableSubscriptionVisitor {
    @Override