Merge remote-tracking branch 'origin/master'

wuhaoyang
Guo XIn 10 months ago
commit 5ce8feea75
  1. 58
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyChecker.java
  2. 37
      sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyCheckerTest.java
  3. 10
      sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/PRNGVerifyChecker.cc
  4. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ABCVarNameChecker.java
  5. 3
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AuthenticationChecker.java
  6. 7
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
  7. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigCheck.java
  8. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java
  9. 6
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheck.java
  10. 7
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
  11. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HashSaltPassWordChecker.java
  12. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HttpInputDataChecker.java
  13. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/InputSQLVerifyChecker.java
  14. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/Md5PassWordVerifyChecker.java
  15. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RSAEncryptionChecker.java
  16. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
  17. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SendMessageVerifyChecker.java
  18. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java
  19. 2
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
  20. 7
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UpperCycleLimitRuleChecker.java

@ -0,0 +1,58 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称信息安全性设计准则检查插件
* 项目描述用于检查源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.cxx.rules.checkers;
import com.sonar.cxx.sslr.api.AstNode;
import com.sonar.cxx.sslr.api.Grammar;
import org.sonar.check.Priority;
import org.sonar.check.Rule;
import org.sonar.cxx.parser.CxxGrammarImpl;
import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
import org.sonar.cxx.squidbridge.checks.SquidCheck;
import javax.annotation.Nonnull;
import java.util.List;
/**
* TODO 应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法
*
* @author RenFengJiang
* @date 2024/1/23
*/
@Rule(key = "PRNGVerifyChecker", name = "应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法", description = "使用目前被业界专家认为较强的经过良好审核的加密PRNG算法,初始化随机数生成器时使用具有足够长度且不固定的种子", priority = Priority.INFO, tags = {"28suo"})
@ActivatedByDefault
@SqaleConstantRemediation("5min")
public class PRNGVerifyChecker extends SquidCheck<Grammar> {
List<String> lists = List.of("minstd_rand0","minstd_rand","mt19937","mt19937_64","ranlux24_base","ranlux48_base","ranlux24","ranlux48","knuth_b");
@Override
public void init() {
// 指定当前访问器需要访问的节点类型,functionBody(函数)主体节点
this.subscribeTo(
CxxGrammarImpl.declarationStatement
);
}
/**
* 访问AST节点
*
* @param node 要处理的AST节点该节点类型为通过subscribeTo方法订阅的类型
*/
@Override
public void visitNode(@Nonnull AstNode node) {
List<AstNode> descendants = node.getDescendants(CxxGrammarImpl.typeName);
for (AstNode desc:descendants) {
if(lists.contains(desc.getTokenValue())){
getContext().createLineViolation(this, "应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法", node);
break;
}
}
}
}

@ -0,0 +1,37 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称信息安全性设计准则检查插件
* 项目描述用于检查源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.cxx.rules.checkers;
import com.keyware.sonar.cxx.CxxFileTesterHelper;
import org.junit.jupiter.api.Test;
import org.sonar.cxx.CxxAstScanner;
import org.sonar.cxx.squidbridge.api.SourceFile;
import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier;
import java.io.IOException;
/**
* TODO PRNGVerifyCheckerTest
*
* @author RenFengJiang
* @date 2024/1/23
*/
public class PRNGVerifyCheckerTest {
@Test
public void checkTest() throws IOException {
var checker = new PRNGVerifyChecker();
var tester = CxxFileTesterHelper.create("PRNGVerifyChecker.cc");
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
CheckMessagesVerifier.verify(file.getCheckMessages())
.next().atLine(4).withMessage("应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法")
.next().atLine(6).withMessage("应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法")
.next().atLine(8).withMessage("应使用目前被业界专家认为较强的经过良好审核的加密PRNG算法")
.noMore();
}
}

@ -0,0 +1,10 @@
int main(){
std::mt19937 generator(time(0)); // mt19937是32比特的
std::cout << generator() << std::endl;
std::ranlux24_base generator(time(0)); // ranlux24_base是24比特的
std::cout << generator() << std::endl;
std::knuth_b generator(time(0));
std::cout << generator() << std::endl;
return 0;
}

@ -15,7 +15,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
/** /**
* TODO ABCVarNameChecker * Test
* *
* @author GuoXin * @author GuoXin
* @date 2024/1/6 * @date 2024/1/6

@ -18,8 +18,7 @@ import java.util.*;
/** /**
* TODO 通过用户名口令数据证书等其他手段对用户身份进行验证 * 通过用户名口令数据证书等其他手段对用户身份进行验证
* AuthenticationChecker
* *
* @author WuHaoYang * @author WuHaoYang
* @date 2024/1/23 * @date 2024/1/23

@ -12,7 +12,12 @@ import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.*; import org.sonar.plugins.java.api.tree.*;
import java.util.*; import java.util.*;
/**
* 日志中包含敏感信息
*
* @author WuHaoYang
* @date 2024/1/23
*/
@Rule(key = "AvoidSensitiveInfoInLogsCheck") @Rule(key = "AvoidSensitiveInfoInLogsCheck")
public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor { public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor {

@ -12,7 +12,7 @@ import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.rule.RuleKey; import org.sonar.api.rule.RuleKey;
/** /**
* TODO ConfigCheck * ConfigCheck
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/23 * @date 2024/1/23

@ -29,7 +29,7 @@ import java.util.Scanner;
/** /**
* TODO ConfigurationFileChecker * 禁止在容易受攻击的地方明文存储口令密码
* *
* @author WuHaoYang * @author WuHaoYang
* @date 2024/1/22 * @date 2024/1/22

@ -15,6 +15,12 @@ import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import java.util.*; import java.util.*;
/**
* Cookie参数设置中包含敏感字段
*
* @author WuHaoYang
* @date 2024/1/22
*/
@Rule(key = "CookieSensitiveParameterCheck") @Rule(key = "CookieSensitiveParameterCheck")
public class CookieSensitiveParameterCheck extends IssuableSubscriptionVisitor { public class CookieSensitiveParameterCheck extends IssuableSubscriptionVisitor {

@ -16,7 +16,12 @@ import java.util.List;
@Rule(key = "DynamicCodeChecker") @Rule(key = "DynamicCodeChecker")
/**
* 程序设计时禁止动态构建代码进行功能实现
*
* @author renfengshan
* @date 2024/1/22
*/
//检测代码中包含动态代码执行操作时,工具进行提示 //检测代码中包含动态代码执行操作时,工具进行提示
public class DynamicCodeChecker extends IssuableSubscriptionVisitor { public class DynamicCodeChecker extends IssuableSubscriptionVisitor {

@ -19,7 +19,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
/** /**
* TODO HashSaltPassWordChecker * 应使用盐值计算口令
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/11 * @date 2024/1/11

@ -20,7 +20,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
/** /**
* TODO HttpInputDataChecker * HTTP输入数据验证
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/12 * @date 2024/1/12

@ -18,7 +18,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
/** /**
* TODO InputSQLVerifyChecker * 使用sql语句前应对其进行验证
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/14 * @date 2024/1/14

@ -20,7 +20,7 @@ import java.util.List;
import java.util.Locale; import java.util.Locale;
/** /**
* TODO Md5PassWordVerifyChecker * 应使用单向不可逆的加密算法
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/13 * @date 2024/1/13

@ -17,7 +17,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
/** /**
* TODO RSAEncryptionChecker * 使用RSA最优加密填充
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/11 * @date 2024/1/11

@ -14,7 +14,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
/** /**
* TODO SecurityCookieChecker * 设置HTTPS会话中cookie的安全属性
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/10 * @date 2024/1/10

@ -22,7 +22,7 @@ import java.util.List;
* 发送信息规则检查 * 发送信息规则检查
* 检测类似发送信息的函数中的参数是否敏感信息如敏感信息的字段 * 检测类似发送信息的函数中的参数是否敏感信息如敏感信息的字段
* 1.获取到方法调用节点 * 1.获取到方法调用节点
* 2. * 2.对获取到的节点进行判断
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/20 * @date 2024/1/20

@ -21,7 +21,7 @@ import java.util.Map;
import java.util.Scanner; import java.util.Scanner;
/** /**
* TODO SessionDateChecker * 设置会话过期的日期
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/22 * @date 2024/1/22

@ -14,7 +14,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
/** /**
* TODO 上传文件检查规则 * 上传文件检查规则
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/8 * @date 2024/1/8

@ -13,7 +13,12 @@ import org.sonar.plugins.java.api.tree.*;
import java.util.List; import java.util.List;
/**
* 规定循环次数的上限在将用户输入的数据用于循环条件前进行验证用户输入的数据是否超过上限
*
* @author renfengshan
* @date 2024/1/8
*/
@Rule(key = "UpperCycleLimitRuleChecker") @Rule(key = "UpperCycleLimitRuleChecker")
public class UpperCycleLimitRuleChecker extends IssuableSubscriptionVisitor { public class UpperCycleLimitRuleChecker extends IssuableSubscriptionVisitor {
@Override @Override

Loading…
Cancel
Save