From 747fc39bd9f58f2e0e99140bd41b899e71edfcb0 Mon Sep 17 00:00:00 2001 From: RenFengJiang <1111> Date: Fri, 16 Aug 2024 17:35:29 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=EF=BC=9A=E6=A0=B9=E6=8D=AE?= =?UTF-8?q?=E5=8F=8D=E9=A6=88=E7=9A=84=E9=97=AE=E9=A2=98=EF=BC=8C=E4=BF=AE?= =?UTF-8?q?=E6=94=B9=E9=81=87=E5=88=B0=E7=9A=84=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../rules/checkers/SessionDateChecker.java | 3 +- .../com/keyware/sonar/cxx/CxxSquidSensor.java | 28 +++++++--- .../rules/checkers/ErrorMessageChecker.java | 29 +++++++---- .../cxx/rules/checkers/FileAccessChecker.java | 16 +++--- .../rules/checkers/LogFileWriteChecker.java | 52 +++++++++++-------- .../rules/checkers/PassWordCountChecker.java | 3 +- .../rules/checkers/SendMessageChecker.java | 20 +++---- .../org/sonar/cxx/squidbridge/AstScanner.java | 6 ++- .../sonar/cxx/rules/checkers/LogChecker.log | 24 ++++----- .../JavaSecurityDesignRulesRepository.java | 1 - .../rules/checkers/DynamicCodeChecker.java | 22 ++++---- .../checkers/DynamicLibraryLoadChecker.java | 2 +- .../checkers/HashSaltPassWordChecker.java | 10 ++-- .../rules/checkers/HostIdentityChecker.java | 11 ++-- .../rules/checkers/OptionsVerifyChecker.java | 5 +- .../checkers/PasswordInputTagJavaChecker.java | 7 ++- .../rules/checkers/RSAEncryptionChecker.java | 49 +++++++++-------- .../rules/checkers/RedirectUrlChecker.java | 10 ++-- .../rules/checkers/SecurityCookieChecker.java | 2 +- ...eChecker.java => SessionDateCheckera.java} | 4 +- .../checkers/UploadFileVerifyChecker.java | 32 ++++++------ .../checkers/UpperCycleLimitRuleChecker.java | 2 +- 22 files changed, 187 insertions(+), 151 deletions(-) rename sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/{SessionDateChecker.java => SessionDateCheckera.java} (96%) 
diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java index 6b5047d..97f5300 100644 --- a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java @@ -9,7 +9,6 @@ package com.keyware.sonar.Configuration.rules.checkers; import org.sonar.api.batch.fs.InputFile; import org.sonar.api.batch.sensor.SensorContext; -import org.sonar.api.batch.sensor.issue.NewIssue; import org.sonar.api.rule.RuleKey; import org.sonar.check.Rule; import org.yaml.snakeyaml.Yaml; @@ -100,7 +99,7 @@ public class SessionDateChecker implements ConfigCheck { Map currentLevel = map; for (int i = 0; i < keys.length - 1; ++i) { Object nextLevel = currentLevel.get(keys[i]); - if (nextLevel instanceof Map) { + if (nextLevel != null && nextLevel instanceof Map) { currentLevel = (Map) nextLevel; } else { return null; diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java index b299eef..7659e84 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java @@ -574,7 +574,12 @@ public class CxxSquidSensor implements ProjectSensor { } }); } - fileLinesContext.save(); + + try { + fileLinesContext.save(); + }catch (Exception e){ + LOG.error(e.getMessage()); + } } private void saveCpdTokens(InputFile inputFile, SourceCode sourceCode) { 
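Review bot: The added `nextLevel != null &&` in the `@@ -100` hunk is redundant, because `instanceof` already evaluates to false for a null reference, so `if (nextLevel instanceof Map)` was complete as it stood. The same redundant guard is introduced in DynamicCodeChecker, DynamicLibraryLoadChecker, HashSaltPassWordChecker, HostIdentityChecker and OptionsVerifyChecker further down; all of them can keep the plain instanceof test. While here, the raw `Map currentLevel` and `(Map) nextLevel` could be `Map<?, ?>` to drop the unchecked warning without changing behaviour. Unrelated to this hunk but visible in the diffstat, the java-plugin rule of the same name is renamed to `SessionDateCheckera.java` and its import removed from JavaSecurityDesignRulesRepository, which reads like an accidental rename that silently deregisters that rule and is worth confirming.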
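Review bot: The new `catch (Exception e) { LOG.error(e.getMessage()); }` around `fileLinesContext.save()` discards the stack trace and the exception type, and `getMessage()` may be null, so the log line will not say which file or which save failed; the same pattern is added around `newHighlighting.save()` and `context.newMeasure()...save()` in the next hunk. Pass the throwable to the logger, `LOG.error("Failed to save file lines context", e);`, and narrow the catch if the failure mode is known. If the underlying failure is a second `save()` on the same context (the AstScanner hunk below suggests visitors could be registered twice), catching it here masks the duplicate-registration bug rather than fixing it, and the measures for that file are silently lost. The enclosing method starts outside the hunk.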
@@ -621,15 +626,22 @@ public class CxxSquidSensor implements ProjectSensor { }); } - - newHighlighting.save(); + try { + newHighlighting.save(); + }catch (Exception e){ + LOG.error(e.getMessage()); + } } private void saveMetric(InputComponent file, Metric metric, T value) { - context.newMeasure() - .withValue(value) - .forMetric(metric) - .on(file) - .save(); + try { + context.newMeasure() + .withValue(value) + .forMetric(metric) + .on(file) + .save(); + }catch (Exception e){ + LOG.error(e.getMessage()); + } } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java index f396ccd..7a45a1c 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ErrorMessageChecker.java 
@@ -53,26 +53,35 @@ public class ErrorMessageChecker extends SquidCheck { */ @Override public void visitNode(@Nonnull AstNode node) { - //声明集合 - List children; //获取第一种情况参数列表 AstNode firstDescendant = node.getFirstDescendant(CxxGrammarImpl.additiveExpression); if(firstDescendant != null){ //第一种情况获取参数列表 - children = firstDescendant.getChildren(); + List children = firstDescendant.getChildren(); + //判断参数列表是否包含违规参数 + for(AstNode chil : children){ + if("IDENTIFIER".equals(chil.getName())){ + if(lists.contains(chil.getTokenValue().toLowerCase())){ + getContext().createLineViolation(this,"抛出异常消息不得包含敏感信息",chil); + } + } + } }else { //获取第二种情况获取参数列表 AstNode descendant = node.getFirstDescendant(CxxGrammarImpl.initializerList); - children = descendant.getChildren(); - } - //判断参数列表是否包含违规参数 - for(AstNode chil : children){ - if("IDENTIFIER".equals(chil.getName())){ - if(lists.contains(chil.getTokenValue().toLowerCase())){ - getContext().createLineViolation(this,"抛出异常消息不得包含敏感信息",chil); + if(descendant != null){ + List children = descendant.getChildren(); + for(AstNode chil : children){ + if("IDENTIFIER".equals(chil.getName())){ + if(lists.contains(chil.getTokenValue().toLowerCase())){ + getContext().createLineViolation(this,"抛出异常消息不得包含敏感信息",chil); + } + } } } + } + } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FileAccessChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FileAccessChecker.java index 998e5b9..5a6a310 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FileAccessChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FileAccessChecker.java 
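Review bot: The identifier-scanning loop is now copied verbatim into both branches of `visitNode` (the additiveExpression and the initializerList case), so any future change to the sensitive-name check has to be made twice. Select the argument list first and run one loop over it in a private helper; behaviour is unchanged, since at most one of the two descendants was ever scanned. `List children` is also a raw type; `getChildren()` returns `List<AstNode>`, so the helper can take `List<AstNode>`. The closing braces at the end of the hunk suggest the method ends there, but that is not certain from the hunk alone.
```java
@Override
public void visitNode(@Nonnull AstNode node) {
    // Prefer the additiveExpression argument list; fall back to the initializerList.
    AstNode firstDescendant = node.getFirstDescendant(CxxGrammarImpl.additiveExpression);
    AstNode argumentList = firstDescendant != null
            ? firstDescendant
            : node.getFirstDescendant(CxxGrammarImpl.initializerList);
    if (argumentList != null) {
        reportSensitiveIdentifiers(argumentList.getChildren());
    }
}

// Reports every IDENTIFIER child whose lower-cased token is on the sensitive-name list.
private void reportSensitiveIdentifiers(List<AstNode> children) {
    for (AstNode chil : children) {
        if ("IDENTIFIER".equals(chil.getName())
                && lists.contains(chil.getTokenValue().toLowerCase())) {
            getContext().createLineViolation(this, "抛出异常消息不得包含敏感信息", chil);
        }
    }
}
```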
@@ -106,13 +106,15 @@ public class FileAccessChecker extends SquidCheck { if (child.getType().equals(CxxGrammarImpl.selectionStatement)) { // 找到 if 语句节点 AstNode conditionNode = child.getFirstDescendant(CxxGrammarImpl.condition); - // 找到条件部分的节点 - AstNode identifierNode = conditionNode.getFirstDescendant(GenericTokenType.IDENTIFIER); - // 找到代表标识符的节点 - if (identifierNode != null) { - String codeInsideIf = identifierNode.getTokenValue(); - // 获取标识符节点的值 - conditionVariables.add(codeInsideIf); + if(conditionNode != null){ + // 找到条件部分的节点 + AstNode identifierNode = conditionNode.getFirstDescendant(GenericTokenType.IDENTIFIER); + // 找到代表标识符的节点 + if (identifierNode != null) { + String codeInsideIf = identifierNode.getTokenValue(); + // 获取标识符节点的值 + conditionVariables.add(codeInsideIf); + } } } else { addAllIdentifiers(child); diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/LogFileWriteChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/LogFileWriteChecker.java index 1fdbab6..2c51fb1 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/LogFileWriteChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/LogFileWriteChecker.java 
@@ -90,36 +90,42 @@ public class LogFileWriteChecker extends SquidCheck { tokenValue = descendant.getTokenValue(); } else { AstNode firstDescendant = dec.getFirstDescendant(CxxGrammarImpl.andExpression); - List astNodeList = firstDescendant.getChildren(); - for (AstNode ast : astNodeList) { - if ("IDENTIFIER".equals(ast.getName())) { - tokenValue = ast.getTokenValue(); - } + if(firstDescendant != null){ + List astNodeList = firstDescendant.getChildren(); + for (AstNode ast : astNodeList) { + if ("IDENTIFIER".equals(ast.getName())) { + tokenValue = ast.getTokenValue(); + } + } } } List astNodeList = astNode.getDescendants(CxxGrammarImpl.expression); for (AstNode ast : astNodeList) { if (tokenValue.equals(ast.getTokenValue())) { AstNode descendant1 = ast.getFirstDescendant(CxxGrammarImpl.postfixExpression); - List childrens = descendant1.getChildren(); - for (AstNode fir : childrens) { - //判断是否是debug、info、warn、error - if (lists.contains(fir.getTokenValue())) { - AstNode inits = ast.getFirstDescendant(CxxGrammarImpl.initializerList); - List descendantChildren = inits.getChildren(); - for (AstNode chil : descendantChildren) { - if ("IDENTIFIER".equals(chil.getName())) { - if (listss.contains(chil.getTokenValue().toLowerCase())) { - getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", chil); - break; - } - } else if ("additiveExpression".equals(chil.getName())) { - List chilChildren = chil.getChildren(); - for (AstNode dren : chilChildren) { - if (listss.contains(dren.getTokenValue().toLowerCase())) { - getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", dren); - break; + if(descendant1 != null){ + List childrens = descendant1.getChildren(); + for (AstNode fir : childrens) { + //判断是否是debug、info、warn、error + if (lists.contains(fir.getTokenValue())) { + AstNode inits = ast.getFirstDescendant(CxxGrammarImpl.initializerList); + if(inits != null){ + List descendantChildren = inits.getChildren(); + for (AstNode chil : descendantChildren) { + if 
("IDENTIFIER".equals(chil.getName())) { + if (listss.contains(chil.getTokenValue().toLowerCase())) { + getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", chil); + break; + } + } else if ("additiveExpression".equals(chil.getName())) { + List chilChildren = chil.getChildren(); + for (AstNode dren : chilChildren) { + if (listss.contains(dren.getTokenValue().toLowerCase())) { + getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", dren); + break; + } + } } } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java index 7acaf8e..d403280 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java @@ -17,6 +17,7 @@ import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; import org.sonar.cxx.squidbridge.checks.SquidCheck; +import javax.annotation.Nonnull; import java.util.ArrayList; import java.util.List; @@ -46,7 +47,7 @@ public class PassWordCountChecker extends SquidCheck { * @param astNode 要处理的AST节点,该节点类型为通过subscribeTo方法订阅的类型 */ @Override - public void visitNode(AstNode astNode) { + public void visitNode(@Nonnull AstNode astNode) { BodyWay bodyWay = new BodyWay(this); bodyWay.accept(astNode); } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SendMessageChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SendMessageChecker.java index 9fc0d94..13ee1a0 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SendMessageChecker.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SendMessageChecker.java 
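Review bot: The new `if(firstDescendant != null)` guard leaves `tokenValue` untouched when there is no andExpression, and the later `tokenValue.equals(ast.getTokenValue())` then dereferences it; if `tokenValue` is initialised to null above the hunk (not visible here), the NullPointerException has only moved down a few lines. Guard the comparison, `if (tokenValue != null && tokenValue.equals(ast.getTokenValue()))`, or return early when no identifier was found. The block is now seven levels of nesting deep; extracting the initializerList scan into a private method that takes `inits` would also make the two `break`s readable. The enclosing method starts and ends outside the hunk.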
@@ -81,16 +81,18 @@ public class SendMessageChecker extends SquidCheck { } else if (des.getTokenValue().startsWith("send")) { //获取其中的参数 AstNode firstDescendant = des.getFirstDescendant(CxxGrammarImpl.initializerList); - List children = firstDescendant.getChildren(); - if (children != null) { - AstNode astNode = children.get(0); - //判断其中的参数类型 - if ("STRING".equals(astNode.getName())) { + if(firstDescendant != null){ + List children = firstDescendant.getChildren(); + if (children != null) { + AstNode astNode = children.get(0); + //判断其中的参数类型 + if ("STRING".equals(astNode.getName())) { - } else { - //判斷其中是否包含敏感字段 - if (lists.contains(astNode.getTokenValue().toLowerCase())) { - getContext().createLineViolation(this, "发送敏感信息前应对敏感信息进行加密", des); + } else { + //判斷其中是否包含敏感字段 + if (lists.contains(astNode.getTokenValue().toLowerCase())) { + getContext().createLineViolation(this, "发送敏感信息前应对敏感信息进行加密", des); + } } } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/squidbridge/AstScanner.java b/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/squidbridge/AstScanner.java index d54a162..bacb004 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/squidbridge/AstScanner.java +++ b/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/squidbridge/AstScanner.java @@ -227,8 +227,10 @@ public class AstScanner { public Builder withSquidAstVisitor(SquidAstVisitor visitor) { checkNotNull(visitor, "visitor cannot be null"); - visitor.setContext(context); - visitors.add(visitor); + if(visitor.getContext() == null){ + visitor.setContext(context); + visitors.add(visitor); + } return this; } diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/LogChecker.log b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/LogChecker.log index 9b871dc..e5cbe23 100644 --- a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/LogChecker.log 
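Review bot: `children.get(0)` still runs on an empty list, because the retained `children != null` test does not cover a `send(...)` call with no arguments; as far as I recall, `getChildren()` on an SSLR node returns an empty list rather than null, so the null test is the one that never fires. Replace it with `if (children != null && !children.isEmpty()) {`. The empty `if ("STRING".equals(astNode.getName())) { } else { ... }` branch can be folded into a single condition, `if (!"STRING".equals(astNode.getName()) && lists.contains(astNode.getTokenValue().toLowerCase())) {`. The enclosing method starts and ends outside the hunk.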
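Review bot: When `visitor.getContext()` is already set, `withSquidAstVisitor` now silently ignores the visitor instead of registering it, and the builder gives the caller no signal that the registration was dropped. If the intent is to stop one visitor instance being registered twice (and so visiting every node twice), say so in a comment, e.g. `// A visitor that already has a context was registered earlier; adding it again would report each issue twice.`, and consider testing `visitors.contains(visitor)` instead, since a context set by any other builder would also trigger this skip. As written, the `checkNotNull` on the line above rejects a null visitor loudly while a misconfigured one passes through quietly.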
+++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/LogChecker.log @@ -13,7 +13,7 @@ 2024.01.14 16:05:34 INFO web[][o.s.s.u.SystemPasscodeImpl] System authentication by passcode is disabled 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy C# Code Quality and Security / 9.8.0.76515 / c1515bad8ebe3e38e102b68fdec8c429669ec560 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy C++ 信息安全性设计准则 / 1.0 / 1390585ba547ab6e3fe269c9d341cef06e44f08e -2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / +2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Chinese Pack / 10.2 / null 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Clean as You Code / 2.1.0.500 / 4a2d47cf125d03ebacf43536a3897c168deb1b0a 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Configuration detection for Code Quality and Security / 1.3.0.654 / 63073f0270b2c4754afa58eb8b5ea04e2eebf1a4 
@@ -24,7 +24,7 @@ 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null -2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / +2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Flex Code Quality and Security / 2.10.0.3458 / 3ef14c50cfd03e5b40a2270fc6e8edc5c49dedcd 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Go Code Quality and Security / 1.14.0.4481 / dcfff811316898a16bf1c6ff191dd3a5d84d3307 2024.01.14 16:05:36 INFO web[][o.s.s.p.ServerPluginManager] Deploy Groovy / 1.8 / 6f5ddad1c7cf86e39cd9a8fc0be896660b4d4b61 @@ -475,7 +475,7 @@ 2024.01.14 16:51:09 INFO web[][o.s.s.u.SystemPasscodeImpl] System authentication by passcode is disabled 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy C# Code Quality and Security / 9.8.0.76515 / c1515bad8ebe3e38e102b68fdec8c429669ec560 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy C++ 信息安全性设计准则 / 1.0 / 1390585ba547ab6e3fe269c9d341cef06e44f08e -2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / +2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Chinese Pack / 10.2 / null 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Clean as You Code / 2.1.0.500 / 4a2d47cf125d03ebacf43536a3897c168deb1b0a 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Configuration detection for Code Quality and Security / 1.3.0.654 / 63073f0270b2c4754afa58eb8b5ea04e2eebf1a4 
@@ -486,7 +486,7 @@ 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null -2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / +2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Flex Code Quality and Security / 2.10.0.3458 / 3ef14c50cfd03e5b40a2270fc6e8edc5c49dedcd 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Go Code Quality and Security / 1.14.0.4481 / dcfff811316898a16bf1c6ff191dd3a5d84d3307 2024.01.14 16:51:10 INFO web[][o.s.s.p.ServerPluginManager] Deploy Groovy / 1.8 / 6f5ddad1c7cf86e39cd9a8fc0be896660b4d4b61 @@ -850,7 +850,7 @@ 2024.01.14 17:22:18 INFO web[][o.s.s.u.SystemPasscodeImpl] System authentication by passcode is disabled 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy C# Code Quality and Security / 9.8.0.76515 / c1515bad8ebe3e38e102b68fdec8c429669ec560 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy C++ 信息安全性设计准则 / 1.0 / 1390585ba547ab6e3fe269c9d341cef06e44f08e -2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / +2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Chinese Pack / 10.2 / null 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Clean as You Code / 2.1.0.500 / 4a2d47cf125d03ebacf43536a3897c168deb1b0a 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Configuration detection for Code Quality and Security / 1.3.0.654 / 63073f0270b2c4754afa58eb8b5ea04e2eebf1a4 
@@ -861,7 +861,7 @@ 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null -2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / +2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Flex Code Quality and Security / 2.10.0.3458 / 3ef14c50cfd03e5b40a2270fc6e8edc5c49dedcd 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Go Code Quality and Security / 1.14.0.4481 / dcfff811316898a16bf1c6ff191dd3a5d84d3307 2024.01.14 17:22:19 INFO web[][o.s.s.p.ServerPluginManager] Deploy Groovy / 1.8 / 6f5ddad1c7cf86e39cd9a8fc0be896660b4d4b61 @@ -1254,7 +1254,7 @@ 2024.01.14 17:49:17 INFO web[][o.s.s.u.SystemPasscodeImpl] System authentication by passcode is disabled 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy C# Code Quality and Security / 9.8.0.76515 / c1515bad8ebe3e38e102b68fdec8c429669ec560 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy C++ 信息安全性设计准则 / 1.0 / 1390585ba547ab6e3fe269c9d341cef06e44f08e -2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / +2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Chinese Pack / 10.2 / null 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Clean as You Code / 2.1.0.500 / 4a2d47cf125d03ebacf43536a3897c168deb1b0a 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Configuration detection for Code Quality and Security / 1.3.0.654 / 63073f0270b2c4754afa58eb8b5ea04e2eebf1a4 
@@ -1265,7 +1265,7 @@ 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null -2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / +2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Flex Code Quality and Security / 2.10.0.3458 / 3ef14c50cfd03e5b40a2270fc6e8edc5c49dedcd 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Go Code Quality and Security / 1.14.0.4481 / dcfff811316898a16bf1c6ff191dd3a5d84d3307 2024.01.14 17:49:18 INFO web[][o.s.s.p.ServerPluginManager] Deploy Groovy / 1.8 / 6f5ddad1c7cf86e39cd9a8fc0be896660b4d4b61 @@ -1658,7 +1658,7 @@ 2024.01.14 18:19:14 INFO web[][o.s.s.u.SystemPasscodeImpl] System authentication by passcode is disabled 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy C# Code Quality and Security / 9.8.0.76515 / c1515bad8ebe3e38e102b68fdec8c429669ec560 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy C++ 信息安全性设计准则 / 1.0 / 1390585ba547ab6e3fe269c9d341cef06e44f08e -2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / +2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Chinese Pack / 10.2 / null 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Clean as You Code / 2.1.0.500 / 4a2d47cf125d03ebacf43536a3897c168deb1b0a 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Configuration detection for Code Quality and Security / 1.3.0.654 / 63073f0270b2c4754afa58eb8b5ea04e2eebf1a4 
@@ -1669,7 +1669,7 @@ 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null -2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / +2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Flex Code Quality and Security / 2.10.0.3458 / 3ef14c50cfd03e5b40a2270fc6e8edc5c49dedcd 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Go Code Quality and Security / 1.14.0.4481 / dcfff811316898a16bf1c6ff191dd3a5d84d3307 2024.01.14 18:19:15 INFO web[][o.s.s.p.ServerPluginManager] Deploy Groovy / 1.8 / 6f5ddad1c7cf86e39cd9a8fc0be896660b4d4b61 @@ -2062,7 +2062,7 @@ 2024.01.14 18:48:41 INFO web[][o.s.s.u.SystemPasscodeImpl] System authentication by passcode is disabled 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy C# Code Quality and Security / 9.8.0.76515 / c1515bad8ebe3e38e102b68fdec8c429669ec560 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy C++ 信息安全性设计准则 / 1.0 / 1390585ba547ab6e3fe269c9d341cef06e44f08e -2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / +2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Checkstyle / 10.12.3 / 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Chinese Pack / 10.2 / null 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Clean as You Code / 2.1.0.500 / 4a2d47cf125d03ebacf43536a3897c168deb1b0a 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Configuration detection for Code Quality and Security / 1.3.0.654 / 63073f0270b2c4754afa58eb8b5ea04e2eebf1a4 
@@ -2073,7 +2073,7 @@ 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Example Plugin for SonarQube 10.x / 10.0.0 / null -2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / +2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Findbugs / 4.2.5 / 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Flex Code Quality and Security / 2.10.0.3458 / 3ef14c50cfd03e5b40a2270fc6e8edc5c49dedcd 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Go Code Quality and Security / 1.14.0.4481 / dcfff811316898a16bf1c6ff191dd3a5d84d3307 2024.01.14 18:48:42 INFO web[][o.s.s.p.ServerPluginManager] Deploy Groovy / 1.8 / 6f5ddad1c7cf86e39cd9a8fc0be896660b4d4b61 diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java index 57d8725..30f3a6f 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java @@ -6,7 +6,6 @@ */ package com.keyware.sonar.java.rules; -import com.keyware.sonar.java.rules.checkers.SessionDateChecker; import org.sonar.api.SonarEdition; import org.sonar.api.SonarProduct; import org.sonar.api.SonarQubeSide; diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java index f47a741..d00b0fc 100644 
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java @@ -37,20 +37,24 @@ public class DynamicCodeChecker extends IssuableSubscriptionVisitor { MethodInvocationTree node = (MethodInvocationTree) tree; var expressionTree = node.methodSelect(); - if (expressionTree instanceof MemberSelectExpressionTree) { + if (expressionTree != null && expressionTree instanceof MemberSelectExpressionTree) { var exprTree = (MemberSelectExpressionTree) expressionTree; var name = exprTree.identifier(); if ("eval".equals(name.toString())) { var varNameNode = exprTree.expression(); - if (varNameNode instanceof IdentifierTree) { + if (varNameNode != null && varNameNode instanceof IdentifierTree) { var varName = (IdentifierTree) varNameNode; - var symbol = varName.symbol(); - var varDecler = symbol.declaration(); - if (varDecler != null) { - var variableTree = (VariableTree) varDecler; - var typeName = variableTree.type().toString(); - if ("ScriptEngine".equals(typeName)) { - context.reportIssue(this, tree, "程序设计时禁止动态构建代码进行功能实现"); + if (varName != null) { + var symbol = varName.symbol(); + if (symbol != null) { + var varDecler = symbol.declaration(); + if (varDecler != null && varDecler instanceof VariableTree) { + var variableTree = (VariableTree) varDecler; + var typeName = variableTree.type().toString(); + if ("ScriptEngine".equals(typeName)) { + context.reportIssue(this, tree, "程序设计时禁止动态构建代码进行功能实现"); + } + } } } } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicLibraryLoadChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicLibraryLoadChecker.java index 011c0c9..d9c9793 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicLibraryLoadChecker.java 
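Review bot: The new `if (varName != null)` can never be false: `varName` is the cast of `varNameNode`, which the enclosing `instanceof IdentifierTree` test has already shown to be non-null, so the branch adds a nesting level without adding a check. The `symbol != null` and `varDecler instanceof VariableTree` guards are the useful part of this hunk; the method is now eight levels deep, and guard clauses (`if (!(varDecler instanceof VariableTree)) { return; }` style) would keep the same behaviour with the `reportIssue` call at one indent. The method starts and ends outside the hunk.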
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicLibraryLoadChecker.java @@ -72,7 +72,7 @@ public class DynamicLibraryLoadChecker extends IssuableSubscriptionVisitor { @Override public void visitMethodInvocation(MethodInvocationTree tree) { var methodSelect = tree.methodSelect(); - if (methodSelect instanceof MemberSelectExpressionTree) { + if (methodSelect != null && methodSelect instanceof MemberSelectExpressionTree) { var mset = (MemberSelectExpressionTree) methodSelect; // 判断是否调用了System.loadLibrary() if (mset.firstToken() != null && "System".equals(mset.firstToken().text()) && "loadLibrary".equals(mset.identifier().name())) { diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HashSaltPassWordChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HashSaltPassWordChecker.java index 97a4a78..692e0c3 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HashSaltPassWordChecker.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HashSaltPassWordChecker.java @@ -7,8 +7,6 @@ package com.keyware.sonar.java.rules.checkers; import org.sonar.check.Rule; -import org.sonar.java.model.declaration.VariableTreeImpl; -import org.sonar.java.model.expression.MethodInvocationTreeImpl; import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; import org.sonar.plugins.java.api.tree.*; 
@@ -77,11 +75,11 @@ public class HashSaltPassWordChecker extends IssuableSubscriptionVisitor { } } else if("BCrypt".equals(memberSelectExpressionTree.expression().toString()) && "hashpw".equals(memberSelectExpressionTree.identifier().name())){ Tree parent = memberSelectExpressionTree.parent(); - if(parent instanceof MethodInvocationTreeImpl){ - MethodInvocationTreeImpl methodInvocationTree = (MethodInvocationTreeImpl) parent; + if(parent != null && parent instanceof MethodInvocationTree){ + MethodInvocationTree methodInvocationTree = (MethodInvocationTree) parent; Tree parent1 = methodInvocationTree.parent(); - if(parent1 instanceof VariableTreeImpl){ - VariableTreeImpl variableTree = (VariableTreeImpl) parent1; + if(parent1 != null && parent1 instanceof VariableTree){ + VariableTree variableTree = (VariableTree) parent1; // 加盐后的参数名称 strPassWord = variableTree.simpleName().name(); } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HostIdentityChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HostIdentityChecker.java index fa9ba55..0b5f6d5 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HostIdentityChecker.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HostIdentityChecker.java @@ -8,7 +8,6 @@ package com.keyware.sonar.java.rules.checkers; import org.sonar.check.Rule; -import org.sonar.java.model.expression.IdentifierTreeImpl; import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; import org.sonar.plugins.java.api.tree.*; 
@@ -58,7 +57,7 @@ public class HostIdentityChecker extends IssuableSubscriptionVisitor { public void visitIfStatement(IfStatementTree tree) { //获取到if表达式 ExpressionTree condition = tree.condition(); - if (condition instanceof BinaryExpressionTree) { + if (condition != null && condition instanceof BinaryExpressionTree) { BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition; //判断是否进行if判断 if ("username".equals(binaryExpressionTree.leftOperand().toString())) { @@ -67,12 +66,12 @@ public class HostIdentityChecker extends IssuableSubscriptionVisitor { passwordBoolean = false; } } - if (condition instanceof IdentifierTreeImpl) { - IdentifierTreeImpl identifierTreeImpl = (IdentifierTreeImpl) condition; + if (condition != null && condition instanceof IdentifierTree) { + IdentifierTree identifierTree = (IdentifierTree) condition; //判断是否进行if判断 - if ("username".equals(identifierTreeImpl.name())) { + if ("username".equals(identifierTree.name())) { nameBoolean = false; - } else if ("password".equals(identifierTreeImpl.name())) { + } else if ("password".equals(identifierTree.name())) { passwordBoolean = false; } } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyChecker.java index 0108225..266d2ec 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyChecker.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyChecker.java @@ -8,7 +8,6 @@ package com.keyware.sonar.java.rules.checkers; import org.sonar.check.Rule; -import org.sonar.java.model.expression.IdentifierTreeImpl; import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; import org.sonar.plugins.java.api.tree.*; 
@@ -98,8 +97,8 @@ public class OptionsVerifyChecker extends IssuableSubscriptionVisitor {
 public void visitVariable(VariableTree tree) {
 IdentifierTree identifierTree = tree.simpleName();
 TypeTree type = tree.type();
- if(type instanceof IdentifierTreeImpl){
- IdentifierTreeImpl fierTree = (IdentifierTreeImpl) type;
+ if(type != null && type instanceof IdentifierTree){
+ IdentifierTree fierTree = (IdentifierTree) type;
 if("HttpServletResponse".equals(fierTree.name())){
 MethodCall methodCall = new MethodCall();
 node.block().accept(methodCall);
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagJavaChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagJavaChecker.java
index fffb8b1..e986241 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagJavaChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagJavaChecker.java
@@ -8,7 +8,6 @@ package com.keyware.sonar.java.rules.checkers;
 import org.sonar.check.Rule;
-import org.sonar.java.model.statement.BlockTreeImpl;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.*;
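Review bot: Matching the declared type by simple name, `"HttpServletResponse".equals(fierTree.name())`, silently skips declarations written with the fully qualified type (`javax.servlet.http.HttpServletResponse response`), because those parse as a `MemberSelectExpressionTree` rather than an `IdentifierTree` and never enter the branch. `TypeTree` exposes the resolved type, so `if (type.symbolType().is("javax.servlet.http.HttpServletResponse")) {` would match both spellings without the cast (projects on the `jakarta.servlet` API would presumably need the second name as well). `visitVariable` continues past the end of the hunk.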
@@ -35,15 +34,15 @@ public class PasswordInputTagJavaChecker extends IssuableSubscriptionVisitor {
 @Override
 public void visitNode(Tree tree) {
- BlockTreeImpl node = (BlockTreeImpl) tree;
+ BlockTree node = (BlockTree) tree;
 MethodeBodyVisitor methodeBodyVisitor = new MethodeBodyVisitor(this, node);
 node.accept(methodeBodyVisitor);
 }
 static class MethodeBodyVisitor extends BaseTreeVisitor {
- private BlockTreeImpl blockTree;
+ private BlockTree blockTree;
 private PasswordInputTagJavaChecker checker;
- public MethodeBodyVisitor(PasswordInputTagJavaChecker checker, BlockTreeImpl blockTree){
+ public MethodeBodyVisitor(PasswordInputTagJavaChecker checker, BlockTree blockTree){
 this.checker = checker;
 this.blockTree = blockTree;
 }
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RSAEncryptionChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RSAEncryptionChecker.java
index 2a4645e..a2da78c 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RSAEncryptionChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RSAEncryptionChecker.java
@@ -7,7 +7,6 @@ package com.keyware.sonar.java.rules.checkers;
 import org.sonar.check.Rule;
-import org.sonar.java.model.expression.LiteralTreeImpl;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.*;
@@ -25,6 +24,7 @@ import java.util.List;
 public class RSAEncryptionChecker extends IssuableSubscriptionVisitor {
 private List nameLists = new ArrayList();
+ @Override
 public List nodesToVisit() {
 /**
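Review bot: `MethodeBodyVisitor`'s two fields are assigned only in the constructor and nowhere else in the visible lines, so `private final BlockTree blockTree;` and `private final PasswordInputTagJavaChecker checker;` would state that the visitor is immutable once built and let the compiler enforce it. The unchecked cast `BlockTree node = (BlockTree) tree;` in `visitNode` is safe only if `nodesToVisit()` (outside this hunk) returns nothing but `Tree.Kind.BLOCK`; a one-line comment on the cast naming that contract, e.g. `// nodesToVisit() subscribes to BLOCK only, so the cast cannot fail`, saves the next reader a lookup. The class body continues past the hunk.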
@@ -42,29 +42,31 @@ public class RSAEncryptionChecker extends IssuableSubscriptionVisitor {
 MethodBOdyVisitor methodBOdyVisitor = new MethodBOdyVisitor();
 tree.accept(methodBOdyVisitor);
 nameLists = methodBOdyVisitor.getNameLists();
- }else if(tree.is(Tree.Kind.METHOD_INVOCATION)){
+ } else if (tree.is(Tree.Kind.METHOD_INVOCATION)) {
 MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
 ExpressionTree expressionTree = methodInvocationTree.methodSelect();
- // 获取到方法调用
- if (expressionTree instanceof MemberSelectExpressionTree) {
- MemberSelectExpressionTree memberSelectExpressionTree = (MemberSelectExpressionTree) expressionTree;
- // 判断是否符合标准
- String a = memberSelectExpressionTree.expression().toString();
- String b = memberSelectExpressionTree.identifier().name();
- if ("Cipher".equals(memberSelectExpressionTree.expression().toString()) && "getInstance".equals(memberSelectExpressionTree.identifier().name())) {
- // 获取参数列表
- List arguments = methodInvocationTree.arguments();
- for (ExpressionTree argument : arguments) {
- if (argument.is(Tree.Kind.STRING_LITERAL)) {
- LiteralTree literalTree = (LiteralTree) argument;
- String c = ((LiteralTree) argument).token().text();
- // 对参数进行判断判断是否符合要求
- if (!literalTree.token().text().startsWith("\"RSA")) {
+ if (expressionTree != null) {
+ // 获取到方法调用
+ if (expressionTree instanceof MemberSelectExpressionTree) {
+ MemberSelectExpressionTree memberSelectExpressionTree = (MemberSelectExpressionTree) expressionTree;
+ // 判断是否符合标准
+ String a = memberSelectExpressionTree.expression().toString();
+ String b = memberSelectExpressionTree.identifier().name();
+ if ("Cipher".equals(memberSelectExpressionTree.expression().toString()) && "getInstance".equals(memberSelectExpressionTree.identifier().name())) {
+ // 获取参数列表
+ List arguments = methodInvocationTree.arguments();
+ for (ExpressionTree argument : arguments) {
+ if (argument.is(Tree.Kind.STRING_LITERAL)) {
+ LiteralTree literalTree = (LiteralTree) argument;
+ String c = ((LiteralTree) argument).token().text();
+ // 对参数进行判断判断是否符合要求
+ if (!literalTree.token().text().startsWith("\"RSA")) {
+ context.reportIssue(this, argument, "使用RSA最优加密填充");
+ }
+ } else if (!nameLists.equals(argument.toString())) {
 context.reportIssue(this, argument, "使用RSA最优加密填充");
 }
- }else if( !nameLists.equals(argument.toString())){
- context.reportIssue(this, argument, "使用RSA最优加密填充");
 }
 }
 }
@@ -76,6 +78,7 @@ public class RSAEncryptionChecker extends IssuableSubscriptionVisitor {
 static class MethodBOdyVisitor extends BaseTreeVisitor {
 private List nameLists = new ArrayList();
+
 public MethodBOdyVisitor() {
 }
@@ -88,12 +91,14 @@ public class RSAEncryptionChecker extends IssuableSubscriptionVisitor {
 public void visitVariable(VariableTree tree) {
 IdentifierTree identifierTree = tree.simpleName();
 ExpressionTree initializer = tree.initializer();
- if(initializer instanceof LiteralTreeImpl){
- LiteralTreeImpl literalTree = (LiteralTreeImpl) initializer;
- if(literalTree.value().startsWith("\"RSA") ){
+ if (identifierTree != null && initializer != null && initializer instanceof LiteralTree) {
+ LiteralTree literalTree = (LiteralTree) initializer;
+ if (literalTree.value().startsWith("\"RSA")) {
 nameLists.add(identifierTree.name());
 }
 }
+
+
 }
 }
 }
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
index 3a97cb3..2adc4ac 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
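Review bot: The re-indented `} else if (!nameLists.equals(argument.toString())) {` compares a `List` with a `String`, which `List.equals` always answers false, so every non-literal argument to `Cipher.getInstance` is reported regardless of what `MethodBOdyVisitor` collected; the intended membership test is `} else if (!nameLists.contains(argument.toString())) {`. The locals `a`, `b` and `c` are never read and should be dropped rather than carried onto the new side, and the new `if (expressionTree != null)` wrapper adds a nesting level that `instanceof` already provides. The literal test `!text.startsWith("\"RSA")` also does not check what the message "使用RSA最优加密填充" asks for: `"RSA/ECB/PKCS1Padding"` passes silently while every symmetric transformation such as an AES call is flagged with an RSA-padding message, so if the rule is about OAEP it should report RSA transformations whose padding is not OAEP, e.g. `if (text.startsWith("\"RSA") && !text.contains("OAEP")) {`, and leave non-RSA ciphers to other rules. `visitNode` starts before this hunk.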
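Review bot: `initializer instanceof LiteralTree` in `MethodBOdyVisitor.visitVariable` accepts every literal kind, while the sibling `visitNode` hunk restricts itself to `argument.is(Tree.Kind.STRING_LITERAL)`; for consistency and to make the later `value().startsWith("\"RSA")` obviously meaningful, write `if (initializer != null && initializer.is(Tree.Kind.STRING_LITERAL)) {` (here the null test is needed, since `is` is a call on the reference). `identifierTree != null` guards `tree.simpleName()`, which I would not expect to be null for a `VariableTree`; if it can be, a comment saying when would help. The two added blank lines before the method's closing brace are noise, and `private List nameLists = new ArrayList();` could be `private final List<String> nameLists = new ArrayList<>();` since only `identifierTree.name()` is ever added.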
@@ -61,7 +61,7 @@ public class RedirectUrlChecker extends IssuableSubscriptionVisitor {
 ReturnStatementTree rs = (ReturnStatementTree) statementTree;
 ExpressionTree exprTree = rs.expression();
 if (exprTree != null && !exprTree.is(Tree.Kind.STRING_LITERAL)) {
- if (exprTree instanceof BinaryExpressionTree) {
+ if (exprTree != null && exprTree instanceof BinaryExpressionTree) {
 BinaryExpressionTree bExprTree = (BinaryExpressionTree) exprTree;
 if (bExprTree.is(Tree.Kind.PLUS) && bExprTree.leftOperand().is(Tree.Kind.STRING_LITERAL) && bExprTree.rightOperand().is(Tree.Kind.IDENTIFIER)) {
 var identifierTree = (IdentifierTree) bExprTree.rightOperand();
@@ -139,13 +139,13 @@ public class RedirectUrlChecker extends IssuableSubscriptionVisitor {
 var hasMappingAnnotation = false;
 for (ModifierTree modifier : methodTree.modifiers()) {
 // 判断是否为公共方法
- if (!isPublic && modifier instanceof ModifierKeywordTree) {
+ if (!isPublic && modifier != null && modifier instanceof ModifierKeywordTree) {
 if (((ModifierKeywordTree) modifier).modifier() == Modifier.PUBLIC) {
 isPublic = true;
 }
 }
 // 判断是否包含Mapping注解
- if (!hasMappingAnnotation && modifier instanceof AnnotationTree) {
+ if (!hasMappingAnnotation && modifier != null && modifier instanceof AnnotationTree) {
 AnnotationTree annotationTree = (AnnotationTree) modifier;
 if (annotationTree.annotationType() instanceof IdentifierTree) {
 IdentifierTree identifierTree = (IdentifierTree) annotationTree.annotationType();
@@ -189,7 +189,7 @@ public class RedirectUrlChecker extends IssuableSubscriptionVisitor {
 @Override
 public void visitMethodInvocation(MethodInvocationTree invocationTree) {
 ExpressionTree expressionTree = invocationTree.methodSelect();
- if (expressionTree instanceof MemberSelectExpressionTree) {
+ if (expressionTree != null && expressionTree instanceof MemberSelectExpressionTree) {
 MemberSelectExpressionTree member = (MemberSelectExpressionTree) expressionTree;
 if (member.expression().symbolType().is("org.springframework.web.servlet.view.RedirectView") && "setUrl".equals(member.identifier().name())) {
@@ -201,7 +201,7 @@ public class RedirectUrlChecker extends IssuableSubscriptionVisitor {
 private void checkArgs(ExpressionTree argNode, Tree tree) {
 // 判断该语法树节点是否为IdentifierTree,如果是,则说明语法树节点为变量,然后判断该变量是否是包含在方法的参数列表中
- if (argNode instanceof IdentifierTree) {
+ if (argNode != null && argNode instanceof IdentifierTree) {
 IdentifierTree identifierTree = (IdentifierTree) argNode;
 String argName = identifierTree.name();
 if (methodParameters.stream().anyMatch(parameter -> parameter.simpleName().name().equals(argName))) {
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
index da2693d..c72dc20 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
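Review bot: `checkArgs` only recognises an argument that is a bare `IdentifierTree`, so a `setUrl` argument derived from a request parameter (`"/next?to=" + target`, `target.trim()`) is never matched even though the return-statement hunk of this same file already decomposes the `Tree.Kind.PLUS` case and takes the `IDENTIFIER` right operand; applying that same decomposition here (and recursing into nested `BinaryExpressionTree` operands) would make the two detection paths agree. The comment above the branch describes the identifier case; once more shapes are handled it should list them. `checkArgs` continues past the end of the hunk, so I cannot see whether a fall-through branch exists for the other expression kinds.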
@@ -70,7 +70,7 @@ public class SecurityCookieChecker extends IssuableSubscriptionVisitor {
 @Override
 public void visitMethodInvocation(MethodInvocationTree tree) {
 ExpressionTree expressionTree = tree.methodSelect();
- if(expressionTree instanceof MemberSelectExpressionTree){
+ if(expressionTree != null && expressionTree instanceof MemberSelectExpressionTree){
 MemberSelectExpressionTree memberSelectExpressionTree = (MemberSelectExpressionTree) expressionTree;
 switch (memberSelectExpressionTree.identifier().name()){
 // case "setHttpOnly":
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateCheckera.java
similarity index 96%
rename from sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java
rename to sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateCheckera.java
index ee49984..e451a8a 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionDateCheckera.java
@@ -27,7 +27,7 @@ import java.util.Scanner;
 * @date 2024/1/22
 */
 @Rule(key = "SessionDateChecker")
-public class SessionDateChecker implements ConfigCheck {
+public class SessionDateCheckera implements ConfigCheck {
 private boolean boo = true;
 public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){
@@ -77,7 +77,7 @@ public class SessionDateChecker implements ConfigCheck {
 Map currentLevel = map;
 for (int i = 0; i < keys.length - 1; ++i) {
 Object nextLevel = currentLevel.get(keys[i]);
- if (nextLevel instanceof Map) {
+ if (nextLevel != null && nextLevel instanceof Map) {
 currentLevel = (Map) nextLevel;
 } else {
 return null;
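Review bot: The commented-out `// case "setHttpOnly":` directly under the changed line leaves it unclear whether the HttpOnly check was dropped on purpose or is half-finished; commented-out code should either be deleted or the case restored, with the reason recorded in the class Javadoc (e.g. `Checks cookie hardening calls; HttpOnly is intentionally out of scope because …`). `visitMethodInvocation` continues past the hunk, so I cannot see which cases remain.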
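Review bot: The class is renamed to `SessionDateCheckera` while `@Rule(key = "SessionDateChecker")` and the Javadoc above it keep the old name, and nothing in the visible diff explains the trailing `a`, which reads like a typo rather than a deliberate disambiguation; if two variants of this checker must coexist, a descriptive name and one Javadoc sentence saying why would make the intent clear. In the map-walking hunk `Map currentLevel = map;` and `currentLevel = (Map) nextLevel;` use the raw type; `Map<?, ?>` expresses the same lookup without raw-type warnings. That method starts and ends outside the hunk.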
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
index e6b1e1b..95ac550 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
@@ -7,11 +7,11 @@ package com.keyware.sonar.java.rules.checkers;
 import org.sonar.check.Rule;
-import org.sonar.java.model.expression.IdentifierTreeImpl;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.*;
-import java.util.*;
+import java.util.Collections;
+import java.util.List;
 /**
 * 上传文件检查规则
@@ -99,35 +99,35 @@ public class UploadFileVerifyChecker extends IssuableSubscriptionVisitor {
 public void visitMethodInvocation(MethodInvocationTree tree) {
 //获取到方法调用的参数
 ExpressionTree expressionTree = tree.methodSelect();
- if (expressionTree instanceof MemberSelectExpressionTree) {
+ if (expressionTree != null && expressionTree instanceof MemberSelectExpressionTree) {
 MemberSelectExpressionTree expressionTree1 = (MemberSelectExpressionTree) expressionTree;
 //对调用方法进行判断
 if ("getOriginalFilename".equals(expressionTree1.identifier().toString())) {
 Tree parent = expressionTree1.parent();
- if (parent instanceof MethodInvocationTree) {
+ if (parent != null && parent instanceof MethodInvocationTree) {
 MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
 Tree parent1 = memberSelectExpressionTree.parent();
- if (parent1 instanceof VariableTree) {
+ if (parent1 != null && parent1 instanceof VariableTree) {
 VariableTree variableTree = (VariableTree) parent1;
 fileName = variableTree.simpleName().toString();
 }
 }
 } else if ("extName".equals(expressionTree1.identifier().toString())) {
 Tree parent = expressionTree1.parent();
- if (parent instanceof MethodInvocationTree) {
+ if (parent != null && parent instanceof MethodInvocationTree) {
 MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
 Tree parent1 = memberSelectExpressionTree.parent();
- if (parent1 instanceof VariableTree) {
+ if (parent1 != null && parent1 instanceof VariableTree) {
 VariableTree variableTree = (VariableTree) parent1;
 fileType = variableTree.simpleName().toString();
 }
 }
 } else if ("getSize".equals(expressionTree1.identifier().toString())) {
 Tree parent = expressionTree1.parent();
- if (parent instanceof MethodInvocationTree) {
+ if (parent != null && parent instanceof MethodInvocationTree) {
 MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
 Tree parent1 = memberSelectExpressionTree.parent();
- if (parent1 instanceof VariableTree) {
+ if (parent1 != null && parent1 instanceof VariableTree) {
 VariableTree variableTree = (VariableTree) parent1;
 sizeName = variableTree.simpleName().toString();
 }
@@ -153,7 +153,7 @@ public class UploadFileVerifyChecker extends IssuableSubscriptionVisitor {
 public void visitIfStatement(IfStatementTree tree) {
 //获取到if表达式
 ExpressionTree condition = tree.condition();
- if (condition instanceof BinaryExpressionTree) {
+ if (condition != null && condition instanceof BinaryExpressionTree) {
 BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition;
 //判断是否进行if判断
 if (name.equals(binaryExpressionTree.leftOperand().toString())) {
@@ -162,12 +162,12 @@ public class UploadFileVerifyChecker extends IssuableSubscriptionVisitor {
 boo = false;
 }
 }
- if (condition instanceof IdentifierTreeImpl) {
- IdentifierTreeImpl identifierTreeImpl = (IdentifierTreeImpl) condition;
+ if (condition != null && condition instanceof IdentifierTree) {
+ IdentifierTree identifierTree = (IdentifierTree) condition;
 //判断是否进行if判断
- if (name.equals(identifierTreeImpl.name())) {
+ if (name.equals(identifierTree.name())) {
 boo = false;
- } else if (name.equals(identifierTreeImpl.name())) {
+ } else if (name.equals(identifierTree.name())) {
 boo = false;
 }
 }
@@ -188,8 +188,8 @@ public class UploadFileVerifyChecker extends IssuableSubscriptionVisitor {
 public void visitVariable(VariableTree tree) {
 IdentifierTree identifierTree = tree.simpleName();
 TypeTree type = tree.type();
- if(type instanceof IdentifierTreeImpl){
- IdentifierTreeImpl fierTree = (IdentifierTreeImpl) type;
+ if(type != null && type instanceof IdentifierTree){
+ IdentifierTree fierTree = (IdentifierTree) type;
 if("Fileltem".equals(fierTree.name())){
 NodeIf nodeIf = new NodeIf(identifierTree.name());
 node.block().accept(nodeIf);
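Review bot: The three branches of `visitMethodInvocation` for `getOriginalFilename`, `extName` and `getSize` repeat the same parent walk (`MemberSelectExpressionTree` → enclosing `MethodInvocationTree` → enclosing `VariableTree`) and differ only in which field receives the variable name, so the six `instanceof` guards the commit touches could collapse into one private helper plus a `switch` on the method name; that also replaces `identifier().toString()` and `simpleName().toString()` with the documented `name()` accessor, as HashSaltPassWordChecker already does. The helper returns null when the call is not a variable initializer, and the `switch` only assigns when a name was found, which preserves the current behaviour of leaving the field untouched otherwise. `visitMethodInvocation` continues past the end of the hunk.
```java
ExpressionTree expressionTree = tree.methodSelect();
if (expressionTree instanceof MemberSelectExpressionTree) {
    MemberSelectExpressionTree expressionTree1 = (MemberSelectExpressionTree) expressionTree;
    //对调用方法进行判断
    String target = assignedVariableName(expressionTree1);
    if (target != null) {
        switch (expressionTree1.identifier().name()) {
            case "getOriginalFilename": fileName = target; break;
            case "extName": fileType = target; break;
            case "getSize": sizeName = target; break;
            default: break;
        }
    }
    // … unchanged: rest of visitMethodInvocation …
}

/** Name of the variable that a call on {@code select} directly initializes, or null when the call is not a variable initializer. */
private static String assignedVariableName(MemberSelectExpressionTree select) {
    Tree parent = select.parent();
    if (parent instanceof MethodInvocationTree) {
        Tree parent1 = ((MethodInvocationTree) parent).parent();
        if (parent1 instanceof VariableTree) {
            return ((VariableTree) parent1).simpleName().name();
        }
    }
    return null;
}
```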
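Review bot: In the `-162` hunk the rewritten `} else if (name.equals(identifierTree.name())) {` repeats the condition of the `if` directly above it, so the `else if` branch can never execute; this looks like a copy of HostIdentityChecker's `username`/`password` pair where the second name was not substituted. Either delete the dead branch, leaving `if (name.equals(identifierTree.name())) { boo = false; }`, or compare against the second tracked name if one exists outside the hunk. `visitIfStatement` starts before this hunk.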
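Review bot: In the `-188` hunk the type name compared on the new side, `"Fileltem".equals(fierTree.name())`, is spelled with a lowercase L; if the intended type is Commons FileUpload's `FileItem`, this rule never matches a real declaration and the upload check silently does nothing. `if ("FileItem".equals(fierTree.name())) {` fixes the spelling, and `if (type.symbolType().is("org.apache.commons.fileupload.FileItem")) {` would additionally cover fully qualified declarations, which parse as a `MemberSelectExpressionTree` and fail the `IdentifierTree` test. `visitVariable` continues past the hunk.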
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UpperCycleLimitRuleChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UpperCycleLimitRuleChecker.java
index eb876b8..5adc373 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UpperCycleLimitRuleChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UpperCycleLimitRuleChecker.java
@@ -80,7 +80,7 @@ public class UpperCycleLimitRuleChecker extends IssuableSubscriptionVisitor {
 private void checkVar(ExpressionTree operand) {
- if (operand instanceof IdentifierTree) {
+ if (operand != null && operand instanceof IdentifierTree) {
 IdentifierTree identifierTree = (IdentifierTree) operand;
 var name = identifierTree.name();
 for (VariableTree varTree : args) {