优化java配置文件被测件

8 months ago · b6e02e866c
parent c480a220c7
commit b6e02e866c
26 changed files with 190 additions and 53 deletions
--- a/uut-example/java/pom.xml
+++ b/uut-example/java/pom.xml
@ -3,16 +3,129 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.keyware.sonar</groupId>
        <artifactId>sonar-keyware</artifactId>
        <version>1.0</version>
    </parent>
-    <!--<groupId>com.keyware.sonar</groupId>-->
+    <groupId>com.keyware.sonar</groupId>
    <artifactId>uut-example</artifactId>
    <version>1.0</version>
    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <version>2.1.6.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>RELEASE</version>
        </dependency>
        <!-- 配置文件绑定提示 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
            <version>2.1.6.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <version>2.1.6.RELEASE</version>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>junit</groupId>
                    <artifactId>junit</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
            <version>RELEASE</version>
        </dependency>
        <!--引入druid数据源-->
        <!-- https://mvnrepository.com/artifact/com.alibaba/druid -->
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.8</version>
        </dependency>
        <!-- 引入mybatis的starter-->
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>1.3.1</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>20.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.5</version>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.1</version>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.28</version>
        </dependency>
        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger2</artifactId>
            <version>2.2.2</version>
        </dependency>
        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger-ui</artifactId>
            <version>2.2.2</version>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>2.4</version>
        </dependency>
        <dependency>
            <groupId>commons-fileupload</groupId>
            <artifactId>commons-fileupload</artifactId>
            <version>1.3.1</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-core</artifactId>
            <version>10.1.18</version>
            <scope>compile</scope>
        </dependency>
    </dependencies>
    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
--- a/uut-example/java/src/main/java/com/keyware/sonar/ABCVarNameRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/ABCVarNameRule.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 public class ABCVarNameRule {
    private static String ABC = "abc"; // Noncompliant {{不能使用ABC作为变量名}}
--- a/uut-example/java/src/main/java/com/keyware/sonar/AbsolutePathDetectorRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/AbsolutePathDetectorRule.java
@ -1,3 +1,4 @@
 package com.keyware.sonar;
 public class AbsolutePathDetectorRule{
    // 使用绝对路径读取配置文件，触发规则
--- a/uut-example/java/src/main/java/com/keyware/sonar/AuthenticationChecker.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/AuthenticationChecker.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
--- a/uut-example/java/src/main/java/com/keyware/sonar/AvoidSensitiveInfoInLogsCheck.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/AvoidSensitiveInfoInLogsCheck.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 public class AvoidSensitiveInfoInLogsCheck {
--- a/uut-example/java/src/main/java/com/keyware/sonar/CookieSensitiveParameterCheck.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/CookieSensitiveParameterCheck.java
@ -1,4 +1,7 @@
-import javax.servlet.http.Cookie;
+package com.keyware.sonar;
 import jakarta.servlet.http.Cookie;
 public class CookieSensitiveParameterCheck {
--- a/uut-example/java/src/main/java/com/keyware/sonar/DynamicCodeCheckerRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/DynamicCodeCheckerRule.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 import javax.script.Invocable;
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineManager;
--- a/uut-example/java/src/main/java/com/keyware/sonar/DynamicLibraryLoadChecker.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/DynamicLibraryLoadChecker.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 // 在动态加载库前对输入数据进行验证，确保输入数据仅能用于加载允许加载的代码库
 public class DynamicLibraryLoadChecker {
--- a/uut-example/java/src/main/java/com/keyware/sonar/ErrorMessageRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/ErrorMessageRule.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 public class ErrorMessageRule {
    public static void main(String[] args) {
        try {
--- a/uut-example/java/src/main/java/com/keyware/sonar/FileCheck.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/FileCheck.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 public class FileCheck{
    public  String FileName(){
--- a/uut-example/java/src/main/java/com/keyware/sonar/HashSaltPassWordRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/HashSaltPassWordRule.java
@ -1,3 +1,4 @@
 package com.keyware.sonar;
 public class HashSaltPassWordRule {
--- a/uut-example/java/src/main/java/com/keyware/sonar/HttpInputDataRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/HttpInputDataRule.java
@ -1,7 +1,9 @@
 package com.keyware.sonar;
 import jakarta.servlet.ServletOutputStream;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
 import javax.servlet.ServletOutputStream;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.Collection;
@ -112,15 +114,6 @@ public class HttpInputDataRule {
                return null;
            }
            @Override
            public String encodeUrl(String s) {
                return null;
            }
            @Override
            public String encodeRedirectUrl(String s) {
                return null;
            }
            @Override
            public void sendError(int i, String s) throws IOException {
@ -172,11 +165,6 @@ public class HttpInputDataRule {
            }
            @Override
            public void setStatus(int i, String s) {
            }
            @Override
            public int getStatus() {
                return 0;
--- a/uut-example/java/src/main/java/com/keyware/sonar/InputSQLVerifyRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/InputSQLVerifyRule.java
@ -1,7 +1,8 @@
 package com.keyware.sonar;
 import java.sql.*;
-public class InputSQLVerifyRile {
+public class InputSQLVerifyRule {
    private static final String DB_URL = "jdbc:mysql://localhost:3306/mydatabase";
    private static final String USER = "username";
    private static final String PASS = "password";
--- a/uut-example/java/src/main/java/com/keyware/sonar/Md5PassWordVerifyRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/Md5PassWordVerifyRule.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 public class Md5PassWordVerifyRule{
    public static void cs(Student student){
        // 结合盐值和口令进行散列计算
--- a/uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java
@ -1,7 +1,9 @@
 package com.keyware.sonar;
 import jakarta.servlet.*;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 public class OptionsVerifyRule implements Filter {
--- a/uut-example/java/src/main/java/com/keyware/sonar/PasswordRegexCheck.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/PasswordRegexCheck.java
@ -1,3 +1,4 @@
 package com.keyware.sonar;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
--- a/uut-example/java/src/main/java/com/keyware/sonar/PathAndKeywordCheck.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/PathAndKeywordCheck.java
@ -1,3 +1,4 @@
 package com.keyware.sonar;
 import java.io.File;
 import java.net.URI;
--- a/uut-example/java/src/main/java/com/keyware/sonar/RSAEncryptionRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/RSAEncryptionRule.java
@ -1,4 +1,4 @@
-
+package com.keyware.sonar;
 import javax.crypto.Cipher;
 import java.security.*;
--- a/uut-example/java/src/main/java/com/keyware/sonar/RedirectUrlChecker.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/RedirectUrlChecker.java
@ -1,3 +1,4 @@
 package com.keyware.sonar;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
--- a/uut-example/java/src/main/java/com/keyware/sonar/SecurityCookieRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/SecurityCookieRule.java
@ -1,7 +1,8 @@
-import javax.servlet.http.HttpServletResponse;
+package com.keyware.sonar;
-import javax.servlet.http.Cookie;
+
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
 public class SecurityCookieRule {
--- a/uut-example/java/src/main/java/com/keyware/sonar/SendMessageVerifyRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/SendMessageVerifyRule.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 import java.io.DataOutputStream;
 import java.net.ServerSocket;
 import java.net.Socket;
--- a/uut-example/java/src/main/java/com/keyware/sonar/SessionCacheParamsChecker.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/SessionCacheParamsChecker.java
@ -1,11 +1,13 @@
 package com.keyware.sonar;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 public class SessionCacheParamsChecker {
    private static final long serialVersionUID = 1391640560504378168L;
--- a/uut-example/java/src/main/java/com/keyware/sonar/SystemFunctionChecker.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/SystemFunctionChecker.java
@ -1,4 +1,4 @@
-
+package com.keyware.sonar;
 import java.io.IOException;
--- a/uut-example/java/src/main/java/com/keyware/sonar/UploadFileVerifyRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/UploadFileVerifyRule.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.PostMapping;
@ -29,7 +31,7 @@ public class UploadFileVerifyRule {
        }
        //获取文件原始名称
        String originalFilename = file.getOriginalFilename();
-        String type = FileUtil.extName(originalFilename);
+        String type = extName(originalFilename);
 //        if(type == ""){
 //
 //        }
@ -44,10 +46,10 @@ public class UploadFileVerifyRule {
        return "上传成功";
    }
-    class FileUtil{
+
-        public static String extName(String filename){
+        public String extName(String filename){
            // 根据文件名获取文件后缀
            return filename.substring(filename.lastIndexOf(".") + 1);
        }
-    }
+
 }
--- a/uut-example/java/src/main/java/com/keyware/sonar/UpperCycleLimitRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/UpperCycleLimitRule.java
@ -1,3 +1,5 @@
 package com.keyware.sonar;
 public class UpperCycleLimitRule {
    public static void Upper(int number){
--- a/uut-example/java/src/main/java/com/keyware/sonar/UserStatusVerifyChecker.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/UserStatusVerifyChecker.java
@ -1,13 +1,14 @@
 package com.keyware.sonar;
 import com.fasterxml.classmate.Filter;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
 public class UserStatusVerifyChecker {
@ -34,7 +35,7 @@ public class UserStatusVerifyChecker {
                }
                HttpSession newSession = request.getSession(true);
                newSession.setMaxInactiveInterval(30 * 60);
-                newSession.setAttribute("username", username);
+                newSession.setAttribute("username", "username");
                chain.doFilter(req, resp); // 继续执行下一个过滤器或请求
            } else {
                req.getRequestDispatcher("/login.jsp").forward(req, resp); // 跳转到登录页面
@ -48,14 +49,13 @@ public class UserStatusVerifyChecker {
    }
    public class AuthenticationInterceptor extends HandlerInterceptorAdapter {
        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {// Noncompliant {{对用户进行身份鉴别并建立一个新的会话时让原来的会话失效}}
            boolean isValidUser = false;
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            isValidUser = UserService.validate(username, password);
            if (isValidUser) {
-//                HttpSession oldSession = request.getSession(false);
+                HttpSession oldSession = request.getSession(false);
                if (oldSession != null) {
                    oldSession.invalidate();
                }
`@ -1,3 +1,4 @@`
		`package com.keyware.sonar;`

	`public class HashSaltPassWordRule {`	`public class HashSaltPassWordRule {`
`@ -1,4 +1,4 @@`
		`package com.keyware.sonar;`

	`import java.io.IOException;`	`import java.io.IOException;`