diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java new file mode 100644 index 0000000..3fc7227 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import com.sonar.cxx.sslr.api.AstNode; +import com.sonar.cxx.sslr.api.Grammar; +import org.sonar.check.Priority; +import org.sonar.check.Rule; +import org.sonar.cxx.parser.CxxGrammarImpl; +import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; +import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; +import org.sonar.cxx.squidbridge.checks.SquidCheck; + +import java.util.List; + +/** + * TODO PassWordCountChecker + * + * @author RenFengJiang + * @date 2024/1/13 + */ +@Rule(key = "PassWordCountChecker", name = "使用盐值计算散列值", description = "使用盐值计算散列值,增加攻击者破解口令的难度", priority = Priority.INFO, tags = {"28suo"}) +@ActivatedByDefault +@SqaleConstantRemediation("5min") +public class PassWordCountChecker extends SquidCheck { + + @Override + public void init() { + // 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点 + this.subscribeTo( + CxxGrammarImpl.simpleDeclaration + ); + } + + + /** + * 检查AST节点 + * + * @param astNode 要处理的AST节点,该节点类型为通过subscribeTo方法订阅的类型 + */ + @Override + public void visitNode(AstNode astNode) { + List descendants = astNode.getDescendants(CxxGrammarImpl.templateName); + for (AstNode desc:descendants) { + String value = desc.getToken().getValue(); + if("hash".equals(value)){ + getContext().createLineViolation(this, "使用盐值计算散列值", desc); + } + } + } +} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java new file mode 100644 index 0000000..f96a4e6 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import com.sonar.cxx.sslr.api.AstNode; +import com.sonar.cxx.sslr.api.Grammar; +import org.sonar.check.Priority; +import org.sonar.check.Rule; +import org.sonar.cxx.parser.CxxGrammarImpl; +import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; +import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; +import org.sonar.cxx.squidbridge.checks.SquidCheck; + +import java.util.ArrayList; +import java.util.List; + +/** + * TODO ReallocMainChecker + * + * @author RenFengJiang + * @date 2024/1/13 + */ +@Rule(key = "ReallocMainChecker", name = "使用realloc函数前应先清楚敏感信息", description = "使用realloc()函数前先清空该内存块中的敏感信息", priority = Priority.INFO, tags = {"28suo"}) +@ActivatedByDefault +@SqaleConstantRemediation("5min") +public class ReallocMainChecker extends SquidCheck { + + @Override + public void init() { + // 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点 + this.subscribeTo( + CxxGrammarImpl.expression + ); + } + + private List lists = new ArrayList(); + /** + * 检查AST节点 + * + * @param astNode 要处理的AST节点,该节点类型为通过subscribeTo方法订阅的类型 + */ + @Override + public void visitNode(AstNode astNode) { + //判断是否是memset方法调用 + if("memset".equals(astNode.getToken().getValue())){ + //获取到此 方法调用中的参数列表 + List listAsts = astNode.getDescendants(CxxGrammarImpl.expressionList); + for (AstNode listAst :listAsts) { + //将此参数列表存入list中 + lists.add(listAst.getToken().getValue()); + } + } + List astNodeDescendants = astNode.getDescendants(CxxGrammarImpl.postfixExpression); + for (AstNode ast :astNodeDescendants) { + //判断是不是realloc方法调用 + if("realloc".equals(ast.getToken().getValue())){ + //获取到参数列表 + List astNodes = ast.getDescendants(CxxGrammarImpl.expressionList); + for (AstNode as:astNodes) { + //获取到参数 + String name = as.getToken().getValue(); + //判断参数是否存在在集合中 + if(!lists.contains(name)){ + getContext().createLineViolation(this,"使用realloc函数前应先清楚敏感信息",as); + } + } + } + } + } +// class IfChildren extends SquidCheck{ +// private final String name ; +// private boolean boo = true; +// +// IfChildren(String name){ +// this.name = name; +// } +// +// @Override +// public void init() { +// // 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点 +// this.subscribeTo( +// CxxGrammarImpl.expression +// ); +// } +// @Override +// public void visitNode(AstNode astNode) { +// +// List astNodes = astNode.getDescendants(CxxGrammarImpl.expressionStatement); +// for (AstNode as :astNodes) { +// if("memset".equals(as.getToken().getValue())){ +// List descendants = astNode.getDescendants(CxxGrammarImpl.expressionList); +// for (AstNode ast :descendants) { +// if(name.equals(ast.getToken().getValue())){ +// boo = false; +// } +// } +// } +// } +// +// List descendants = astNode.getDescendants(CxxGrammarImpl.postfixExpression); +// for (AstNode ast :descendants) { +// if(name.equals(ast.getToken().getValue())){ +// boo = false; +// } +// } +// } +// +// } +} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java new file mode 100644 index 0000000..350f547 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.java @@ -0,0 +1,93 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import com.sonar.cxx.sslr.api.AstNode; +import com.sonar.cxx.sslr.api.Grammar; +import org.sonar.check.Priority; +import org.sonar.check.Rule; +import org.sonar.cxx.parser.CxxGrammarImpl; +import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; +import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; +import org.sonar.cxx.squidbridge.checks.SquidCheck; + +import java.util.List; + +/** + * 检查口令长度不少于10位,且至少包含特殊字符、大写、小写、数字中的3种, + * + * @author WuHaoYang + * @date 2024/1/13 + */ +@Rule(key = "ValidatePasswordCheck", name = "口令不匹配足够复杂度", description = "口令不匹配足够复杂度", priority = Priority.INFO, tags = {"28suo"}) +@ActivatedByDefault +@SqaleConstantRemediation("5min") +public class ValidatePasswordCheck extends SquidCheck { + + + private static final String passwordRegex = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@#$%^&+=!]).{10,}$"; + + @Override + public void init() { + subscribeTo(CxxGrammarImpl.functionDefinition); + } + + @Override + public void visitNode(AstNode astNode) { + + AstNode functionNameNode = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId); + String functionName = functionNameNode.getTokenOriginalValue(); + + //检查函数是否为main + if ("main".equals(functionName)) { + checkPasswordValidationInMain(astNode); + } + } + + private void checkPasswordValidationInMain(AstNode mainFunctionNode) { + AstNode compoundStatement = mainFunctionNode.getFirstDescendant(CxxGrammarImpl.compoundStatement); + + if (compoundStatement != null) { + List declarations = compoundStatement.getDescendants(CxxGrammarImpl.initDeclarator); + + for (AstNode initDeclarator : declarations) { + AstNode declaratorId = initDeclarator.getFirstDescendant(CxxGrammarImpl.declaratorId); + + if (declaratorId != null) { + String variableName = declaratorId.getTokenOriginalValue(); + + // 检查变量是否命名为password + if ("password".equalsIgnoreCase(variableName)) { + checkPasswordInitialization(initDeclarator); + } + } + } + } + } + + private void checkPasswordInitialization(AstNode declaration) { + AstNode initializer = declaration.getFirstDescendant(CxxGrammarImpl.initializer); + + if (initializer != null) { + + // 获取初始化值的子节点 + AstNode initializationValue = initializer.getLastChild(); + + if (initializationValue != null) { + + String passwordValue = initializationValue.getTokenOriginalValue(); + + if (!passwordValue.matches(passwordRegex)) { + System.out.println("未通过正则校验的口令:"+passwordValue); + getContext().createLineViolation(this, "口令不匹配足够复杂度", initializationValue); + } + } + } + } + + +} diff --git a/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/parser/CxxGrammarImpl.java b/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/parser/CxxGrammarImpl.java index 9a34fa9..fe381f3 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/parser/CxxGrammarImpl.java +++ b/sonar-keyware-plugins-cxx/src/main/java/org/sonar/cxx/parser/CxxGrammarImpl.java @@ -1,3 +1,9 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ package org.sonar.cxx.parser; import static com.sonar.cxx.sslr.api.GenericTokenType.EOF; diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountCheckerTest.java new file mode 100644 index 0000000..37b8712 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountCheckerTest.java @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import com.keyware.sonar.cxx.CxxFileTesterHelper; +import org.junit.jupiter.api.Test; +import org.sonar.cxx.CxxAstScanner; +import org.sonar.cxx.squidbridge.api.SourceFile; +import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier; + +import java.io.IOException; + +/** + * TODO PassWordCountCheckerTest + * + * @author RenFengJiang + * @date 2024/1/13 + */ +public class PassWordCountCheckerTest { + + @Test + public void checkTest() throws IOException { + var checker = new PassWordCountChecker(); + var tester = CxxFileTesterHelper.create("PassWordCountChecker.cc"); + SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); + CheckMessagesVerifier.verify(file.getCheckMessages()) + .next().atLine(5).withMessage("使用盐值计算散列值") + .noMore(); + } +} diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java new file mode 100644 index 0000000..dd25b7a --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import com.keyware.sonar.cxx.CxxFileTesterHelper; +import org.junit.jupiter.api.Test; +import org.sonar.cxx.CxxAstScanner; +import org.sonar.cxx.squidbridge.api.SourceFile; +import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier; + +import java.io.IOException; + +/** + * TODO ReallocMainCheckerTest + * + * @author RenFengJiang + * @date 2024/1/13 + */ +public class ReallocMainCheckerTest { + @Test + public void checkTest() throws IOException { + var checker = new ReallocMainChecker(); + var tester = CxxFileTesterHelper.create("ReallocMainChecker.cc"); + SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); + CheckMessagesVerifier.verify(file.getCheckMessages()) + .next().atLine(14).withMessage("使用realloc函数前应先清楚敏感信息") + .noMore(); + } + +} diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheckTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheckTest.java new file mode 100644 index 0000000..c02dee8 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheckTest.java @@ -0,0 +1,28 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import com.keyware.sonar.cxx.CxxFileTesterHelper; +import org.junit.jupiter.api.Test; +import org.sonar.cxx.CxxAstScanner; +import org.sonar.cxx.squidbridge.api.SourceFile; +import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier; + +import java.io.IOException; + +public class ValidatePasswordCheckTest { + + @Test + public void checkTest() throws IOException { + var checker = new ValidatePasswordCheck(); + var tester = CxxFileTesterHelper.create("ValidatePasswordCheck.cc"); + SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); + CheckMessagesVerifier.verify(file.getCheckMessages()) + .next().atLine(5).withMessage("口令不匹配足够复杂度") + .noMore(); + } +} diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.cc b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.cc new file mode 100644 index 0000000..4dcd2b4 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.cc @@ -0,0 +1,10 @@ +int main() { + + std::string input = "example"; + // 使用std::hash + std::hash hasher ; // error + size_t hash_value = hasher(input); + std::cout << "Hash value using std::hash: " << hash_value << std::endl; + + return 0; +} \ No newline at end of file diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.cc b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.cc new file mode 100644 index 0000000..1596a5b --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.cc @@ -0,0 +1,22 @@ +struct User { + char name[50]; + int age; +}; + +int main() { + // 假设有一个使用者结构体需要重新分配内存 +// User* users = (User*)malloc(5 * sizeof(User)); + + // 在使用realloc()函数重新分配内存块之前,先清空使用者信息 +// memset(users, 0, 5 * sizeof(User)); + + // 使用realloc()函数重新分配内存块 + users = (User*)realloc(users, 10 * sizeof(User));//error + + // 继续使用重新分配后的内存块... + + // 最后释放内存 +// free(users); + + return 0; +} diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.cc b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.cc new file mode 100644 index 0000000..da35b33 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/ValidatePasswordCheck.cc @@ -0,0 +1,7 @@ +#include +using namespace std; + +int main() { + string password = "1111111111"; // error + return 0; +}