优化:C++使用盐值计算散列值规则,删除无用代码

wuhaoyang
RenFengJiang 10 months ago
parent 1d230fed2c
commit 9ea3d82720
  1. 5
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FVNRPassWordChecker.java
  2. 1
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FVNRShaChecker.java
  3. 1
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/HighEncryptDesChecker.java
  4. 1
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/LogChecker.java
  5. 73
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.java
  6. 2
      sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/PassWordCountCheckerTest.java
  7. 18
      sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/PassWordCountChecker.cc

@ -43,10 +43,9 @@ public class FVNRPassWordChecker extends SquidCheck<Grammar> {
List<String> inputFileLines = getContext().getInputFileLines(); List<String> inputFileLines = getContext().getInputFileLines();
for (String str:inputFileLines) { for (String str:inputFileLines) {
if(str.startsWith("#include")){ if(str.startsWith("#include")){
if(str.contains("<openssl/aes.h>")){ if(str.contains("<openssl/aes.h>") || str.contains("<openssl/des.h>")){
getContext().createFileViolation(this, "应使用单向不可逆算法对密码进行加密");
}else if(str.contains("<openssl/des.h>")){
getContext().createFileViolation(this, "应使用单向不可逆算法对密码进行加密"); getContext().createFileViolation(this, "应使用单向不可逆算法对密码进行加密");
break;
} }
} }
} }
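Review bot: The include detection on the context line `if(str.startsWith("#include")){` only inspects lines that begin exactly with `#include`, so an indented directive or the `# include` spelling never reaches the new combined aes.h/des.h condition, and because that condition tests for `<openssl/aes.h>` with angle brackets, the quoted form `#include "openssl/des.h"` is also missed. Normalising the line first, `String line = str.strip();` and then `if(line.startsWith("#include")){` with `line.contains("openssl/aes.h") || line.contains("openssl/des.h")`, closes both gaps without changing what the rule reports. The FVNRShaChecker and HighEncryptDesChecker hunks below presumably share the same `startsWith` test above their visible lines, so the same change applies there. The loop in visitFile begins above this hunk.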

@ -46,6 +46,7 @@ public class FVNRShaChecker extends SquidCheck<Grammar> {
if(str.contains("<openssl/") || str.contains("<cryptopp/") ){ if(str.contains("<openssl/") || str.contains("<cryptopp/") ){
if(!str.contains("sha.h>") && !str.contains("blake2.h>") && !str.contains("md5.h>")){ if(!str.contains("sha.h>") && !str.contains("blake2.h>") && !str.contains("md5.h>")){
getContext().createFileViolation(this, "应使用不可逆标准散列算法"); getContext().createFileViolation(this, "应使用不可逆标准散列算法");
break;
} }
} }
} }
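Review bot: The allow-list on the context line `!str.contains("md5.h>")` treats an MD5 include as satisfying the "irreversible standard hash" rule, yet MD5 is not collision-resistant and should not count as compliant for the use this rule guards; the added `break;` only stops the scan after the first violation and does not affect that. Conversely, `<openssl/evp.h>`, the API OpenSSL now documents for SHA-2 digests (the low-level `SHA256()` entry points are deprecated in OpenSSL 3), matches neither header name and is therefore reported as a violation. Consider dropping `&& !str.contains("md5.h>")` and adding `evp.h>` to the accepted headers, or document in a comment why md5.h is accepted. The loop header and the `#include` test sit above this hunk.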

@ -46,6 +46,7 @@ public class HighEncryptDesChecker extends SquidCheck<Grammar> {
if(str.contains("<openssl/") || str.contains("<cryptopp/") ){ if(str.contains("<openssl/") || str.contains("<cryptopp/") ){
if(!str.contains("aes.h>") && !str.contains("des.h>") ){ if(!str.contains("aes.h>") && !str.contains("des.h>") ){
getContext().createFileViolation(this, "应采用加密强度较高的标准加密算法"); getContext().createFileViolation(this, "应采用加密强度较高的标准加密算法");
break;
} }
} }
} }
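Review bot: The context condition `!str.contains("des.h>")` accepts a DES include as a "high-strength standard encryption algorithm", which contradicts the rule's own message: single DES uses a 56-bit key and is not a strong cipher, and the new `break;` does not change that. Reducing the allow-list to `if(!str.contains("aes.h>")){` (or listing the headers of other strong ciphers explicitly) makes the rule match its message, and as with the SHA rule, `<openssl/evp.h>` — the interface OpenSSL documents for AES today — is currently reported as a violation and should be accepted. The loop and the `#include` test lie above this hunk.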

@ -27,7 +27,6 @@ public class LogChecker extends SquidCheck<Grammar> {
@Override @Override
public void visitFile(@Nullable AstNode astNode) { public void visitFile(@Nullable AstNode astNode) {
super.visitFile(astNode);
if(getContext().getInputFile().filename().endsWith(".log")){ if(getContext().getInputFile().filename().endsWith(".log")){
getContext().createFileViolation(this, "日志文件检查"); getContext().createFileViolation(this, "日志文件检查");
} }

@ -6,7 +6,9 @@
*/ */
package com.keyware.sonar.cxx.rules.checkers; package com.keyware.sonar.cxx.rules.checkers;
import com.keyware.sonar.cxx.SubscriptionAstVisitor;
import com.sonar.cxx.sslr.api.AstNode; import com.sonar.cxx.sslr.api.AstNode;
import com.sonar.cxx.sslr.api.AstNodeType;
import com.sonar.cxx.sslr.api.Grammar; import com.sonar.cxx.sslr.api.Grammar;
import org.sonar.check.Priority; import org.sonar.check.Priority;
import org.sonar.check.Rule; import org.sonar.check.Rule;
@ -15,6 +17,7 @@ import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
import org.sonar.cxx.squidbridge.checks.SquidCheck; import org.sonar.cxx.squidbridge.checks.SquidCheck;
import java.util.ArrayList;
import java.util.List; import java.util.List;
/** /**
@ -32,7 +35,7 @@ public class PassWordCountChecker extends SquidCheck<Grammar> {
public void init() { public void init() {
// 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点 // 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点
this.subscribeTo( this.subscribeTo(
CxxGrammarImpl.simpleDeclaration CxxGrammarImpl.functionBody
); );
} }
@ -44,11 +47,69 @@ public class PassWordCountChecker extends SquidCheck<Grammar> {
*/ */
@Override @Override
public void visitNode(AstNode astNode) { public void visitNode(AstNode astNode) {
List<AstNode> descendants = astNode.getDescendants(CxxGrammarImpl.templateName); BodyWay bodyWay = new BodyWay(this);
for (AstNode desc:descendants) { bodyWay.accept(astNode);
String value = desc.getToken().getValue(); }
if("hash".equals(value)){
getContext().createLineViolation(this, "使用盐值计算散列值", desc); class BodyWay extends SubscriptionAstVisitor{
/**
* 构造函数需要传入初代访问器
*
* @param checker 初代规则检查器
*/
public BodyWay(SquidCheck<Grammar> checker) {
super(checker);
}
@Override
public List<AstNodeType> visitNodeTypes() {
return List.of(CxxGrammarImpl.functionBody);
}
@Override
public void visitNode(AstNode astNode) {
//获取方法参数列表
List<AstNode> nodeDescendants = astNode.getDescendants(CxxGrammarImpl.expressionList);
List<String> seqLists = new ArrayList<>();
for(AstNode desc :nodeDescendants){
seqLists.add(desc.getTokenValue());
}
//判读入参有没有进行赋值操作
List<AstNode> astNodes = astNode.getDescendants(CxxGrammarImpl.assignmentExpression);
List<String> aslists = new ArrayList<>();
for(AstNode ast : astNodes){
if(seqLists.contains(ast.getTokenValue())){
aslists.add(ast.getTokenValue());
}
}
//获取到声明hash变量名
List<String> lists = new ArrayList<>();
List<AstNode> astNodeDescendants = astNode.getDescendants(CxxGrammarImpl.simpleDeclaration);
for(AstNode des :astNodeDescendants){
if("std".equals(des.getTokenValue())){
List<AstNode> descendants = des.getDescendants(CxxGrammarImpl.typeName);
for (AstNode dan : descendants){
if("hash".equals(dan.getTokenValue())){
List<AstNode> nodeList = des.getDescendants(CxxGrammarImpl.initDeclarator);
for (AstNode lis:nodeList) {
lists.add(lis.getTokenValue());
}
}
}
}
}
//判断生成的散列值参数是否是进行赋后的入参
List<AstNode> descendants = astNode.getDescendants(CxxGrammarImpl.postfixExpression);
for (AstNode desc:descendants) {
if(lists.contains(desc.getTokenValue())){
List<AstNode> descDescendants = desc.getDescendants(CxxGrammarImpl.expressionList);
for(AstNode dd : descDescendants){
if(!aslists.contains(dd.getTokenValue())){
reportIssue(dd, "使用盐值计算散列值");
}
}
}
} }
} }
} }
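Review bot: `class BodyWay extends SubscriptionAstVisitor{` appears to be declared inside PassWordCountChecker without `static` (the brace closing the outer class is not visible in the hunk, so this is inferred from the brace count), so each instance created in `visitNode` carries an implicit reference to the enclosing checker on top of the one passed to its constructor; `private static final class BodyWay extends SubscriptionAstVisitor {` removes the redundant capture and keeps the helper out of the package API. The comment `//获取方法参数列表` ("get the method parameter list") does not describe the code beneath it, which collects `CxxGrammarImpl.expressionList` descendants — the argument lists of call expressions in the body, not the function's declared parameters — and should read e.g. `// collect the first token of every call-argument list in the body`. Every comparison goes through `getTokenValue()`, which yields a node's first token only, so a multi-token argument such as `input + salt` and the bare `input` compare equal; a comment saying this is the intended salt heuristic would stop the next reader from filing it as a bug. BodyWay.visitNode also lacks the Javadoc the outer `visitNode` carries.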

@ -28,7 +28,7 @@ public class PassWordCountCheckerTest {
var tester = CxxFileTesterHelper.create("PassWordCountChecker.cc"); var tester = CxxFileTesterHelper.create("PassWordCountChecker.cc");
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
CheckMessagesVerifier.verify(file.getCheckMessages()) CheckMessagesVerifier.verify(file.getCheckMessages())
.next().atLine(5).withMessage("使用盐值计算散列值") .next().atLine(10).withMessage("使用盐值计算散列值")
.noMore(); .noMore();
} }
} }
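Review bot: The test pins only the unsalted case, `.next().atLine(10)` followed by `.noMore()`, so nothing proves that a salted call — an argument assigned or concatenated before being hashed — produces no issue, which is exactly the distinction the rewritten checker introduces. Add a second fixture function (or a second test method against another `.cc` file) where the hashed value is built from the input plus a salt and assert `.noMore()` on it; without that, a regression that reports every `hasher(...)` call would still pass. The test method begins above this hunk.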

@ -1,10 +1,20 @@
int main() { #include <iostream>
#include <string>
#include <functional> // 引入std::hash
int test(std::string& input) {
// input = "example" + "1234";
std::string input = "example"; // 正确实例化并使用std::hash
// 使用std::hash std::hash<std::string> hasher;
std::hash<std::string> hasher ; // error
size_t hash_value = hasher(input); size_t hash_value = hasher(input);
std::cout << "Hash value using std::hash: " << hash_value << std::endl; std::cout << "Hash value using std::hash: " << hash_value << std::endl;
return 0;
}
int main() {
std::string input;
test(input);
return 0; return 0;
} }
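Review bot: The commented-out salt line `// input = "example" + "1234";` would not compile if a future fixture restores it, because `+` on two string literals is pointer arithmetic on `const char*` values rather than concatenation; if it is meant to illustrate the salted pattern, write it as `// input = "example" + std::string("1234");` or `// input += "1234";` so the example is valid C++. The fixture also never exercises the compliant path, so consider a second function where the input is salted before `hasher(...)` is called, keeping in mind that the test asserts the issue at line 10 and any insertion above that line shifts it. `int test(std::string& input)` returns `0` unconditionally and `main` discards the result, so `void` would describe the function better.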