parent
2ada807f82
commit
bcd123a05d
@ -0,0 +1,140 @@ |
|||||||
|
/* |
||||||
|
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||||
|
* 项目名称:C++ 信息安全性设计准则 |
||||||
|
* 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 |
||||||
|
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||||
|
*/ |
||||||
|
package com.keyware.sonar.cxx.rules.checkers; |
||||||
|
|
||||||
|
import com.sonar.cxx.sslr.api.AstNode; |
||||||
|
import com.sonar.cxx.sslr.api.Grammar; |
||||||
|
import org.sonar.check.Priority; |
||||||
|
import org.sonar.check.Rule; |
||||||
|
import org.sonar.cxx.parser.CxxGrammarImpl; |
||||||
|
import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; |
||||||
|
import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; |
||||||
|
import org.sonar.cxx.squidbridge.checks.SquidCheck; |
||||||
|
|
||||||
|
import java.util.ArrayList; |
||||||
|
import java.util.List; |
||||||
|
|
||||||
|
@Rule(key = "LogFileWriteChecker", name = "慎重考虑写入日志文件信息的隐私性", description = "避免把敏感信息写入日志文件,日志文件只需记录必要的信息,包括日志类型、产生时间、错误信息等,不能在日志文件中记录武器参数、用户单位名称、重要控制命令等信息。", priority = Priority.INFO, tags = {"28suo"}) |
||||||
|
@ActivatedByDefault |
||||||
|
@SqaleConstantRemediation("5min") |
||||||
|
public class LogFileWriteChecker extends SquidCheck<Grammar> { |
||||||
|
public void init() { |
||||||
|
// 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点
|
||||||
|
this.subscribeTo( |
||||||
|
CxxGrammarImpl.translationUnit |
||||||
|
); |
||||||
|
} |
||||||
|
|
||||||
|
public void visitNode(AstNode astNode) { |
||||||
|
|
||||||
|
//四种级别
|
||||||
|
List<String> lists = new ArrayList<>(); |
||||||
|
lists.add("debug"); |
||||||
|
lists.add("info"); |
||||||
|
lists.add("warn"); |
||||||
|
lists.add("error"); |
||||||
|
|
||||||
|
//敏感信息
|
||||||
|
List<String> listss = new ArrayList<>(); |
||||||
|
listss.add("username"); |
||||||
|
listss.add("orgname"); |
||||||
|
listss.add("armsname"); |
||||||
|
|
||||||
|
List<AstNode> descendants = astNode.getDescendants(CxxGrammarImpl.declaration); |
||||||
|
descendants.addAll(astNode.getDescendants(CxxGrammarImpl.assignmentExpression)); |
||||||
|
|
||||||
|
for (AstNode dec : descendants) { |
||||||
|
AstNode firstDescendantst = dec.getFirstDescendant(CxxGrammarImpl.postfixExpression); |
||||||
|
if (firstDescendantst != null) { |
||||||
|
if ("spdlog".equals(firstDescendantst.getTokenValue())) { |
||||||
|
AstNode firstDescendant = dec.getFirstDescendant(CxxGrammarImpl.declarator); |
||||||
|
List<AstNode> astNodeList = astNode.getDescendants(CxxGrammarImpl.expression); |
||||||
|
for (AstNode as : astNodeList) { |
||||||
|
//判断rotating_logger
|
||||||
|
if (firstDescendant.getTokenValue().equals(as.getTokenValue())) { |
||||||
|
AstNode descendant1 = as.getFirstDescendant(CxxGrammarImpl.postfixExpression); |
||||||
|
List<AstNode> children = descendant1.getChildren(); |
||||||
|
for (AstNode fir : children) { |
||||||
|
//判断是否是debug、info、warn、error
|
||||||
|
if (lists.contains(fir.getTokenValue())) { |
||||||
|
AstNode descendant = as.getFirstDescendant(CxxGrammarImpl.initializerList); |
||||||
|
List<AstNode> descendantChildren = descendant.getChildren(); |
||||||
|
for (AstNode chil : descendantChildren) { |
||||||
|
if ("IDENTIFIER".equals(chil.getName())) { |
||||||
|
if (listss.contains(chil.getTokenValue().toLowerCase())) { |
||||||
|
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", chil); |
||||||
|
break; |
||||||
|
} |
||||||
|
} else if ("additiveExpression".equals(chil.getName())) { |
||||||
|
List<AstNode> chilChildren = chil.getChildren(); |
||||||
|
for (AstNode dren : chilChildren) { |
||||||
|
if (listss.contains(dren.getTokenValue().toLowerCase())) { |
||||||
|
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", dren); |
||||||
|
break; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} else if ("log4cpp".equals(dec.getTokenValue())) { |
||||||
|
AstNode descendant = dec.getFirstDescendant(CxxGrammarImpl.declaratorId); |
||||||
|
String tokenValue = null; |
||||||
|
if (descendant != null) { |
||||||
|
tokenValue = descendant.getTokenValue(); |
||||||
|
} else { |
||||||
|
AstNode firstDescendant = dec.getFirstDescendant(CxxGrammarImpl.andExpression); |
||||||
|
List<AstNode> astNodeList = firstDescendant.getChildren(); |
||||||
|
for (AstNode ast : astNodeList) { |
||||||
|
if ("IDENTIFIER".equals(ast.getName())) { |
||||||
|
tokenValue = ast.getTokenValue(); |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
|
} |
||||||
|
List<AstNode> astNodeList = astNode.getDescendants(CxxGrammarImpl.expression); |
||||||
|
for (AstNode ast : astNodeList) { |
||||||
|
if (tokenValue.equals(ast.getTokenValue())) { |
||||||
|
AstNode descendant1 = ast.getFirstDescendant(CxxGrammarImpl.postfixExpression); |
||||||
|
List<AstNode> childrens = descendant1.getChildren(); |
||||||
|
for (AstNode fir : childrens) { |
||||||
|
//判断是否是debug、info、warn、error
|
||||||
|
if (lists.contains(fir.getTokenValue())) { |
||||||
|
AstNode inits = ast.getFirstDescendant(CxxGrammarImpl.initializerList); |
||||||
|
List<AstNode> descendantChildren = inits.getChildren(); |
||||||
|
for (AstNode chil : descendantChildren) { |
||||||
|
if ("IDENTIFIER".equals(chil.getName())) { |
||||||
|
if (listss.contains(chil.getTokenValue().toLowerCase())) { |
||||||
|
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", chil); |
||||||
|
break; |
||||||
|
} |
||||||
|
} else if ("additiveExpression".equals(chil.getName())) { |
||||||
|
List<AstNode> chilChildren = chil.getChildren(); |
||||||
|
for (AstNode dren : chilChildren) { |
||||||
|
if (listss.contains(dren.getTokenValue().toLowerCase())) { |
||||||
|
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", dren); |
||||||
|
break; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -0,0 +1,35 @@ |
|||||||
|
/* |
||||||
|
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||||
|
* 项目名称:C++ 信息安全性设计准则 |
||||||
|
* 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 |
||||||
|
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||||
|
*/ |
||||||
|
package com.keyware.sonar.cxx.rules.checkers; |
||||||
|
|
||||||
|
import com.keyware.sonar.cxx.CxxFileTesterHelper; |
||||||
|
import org.junit.jupiter.api.Test; |
||||||
|
import org.sonar.cxx.CxxAstScanner; |
||||||
|
import org.sonar.cxx.squidbridge.api.SourceFile; |
||||||
|
import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier; |
||||||
|
|
||||||
|
import java.io.IOException; |
||||||
|
|
||||||
|
public class LogFileWriteCheckerTest { |
||||||
|
@Test |
||||||
|
public void checkTest() throws IOException { |
||||||
|
var checker = new LogFileWriteChecker(); |
||||||
|
var tester = CxxFileTesterHelper.create("LogFileWriteChecker.cc"); |
||||||
|
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); |
||||||
|
CheckMessagesVerifier.verify(file.getCheckMessages()) |
||||||
|
.next().atLine(25).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.next().atLine(26).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.next().atLine(27).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.next().atLine(28).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.next().atLine(50).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.next().atLine(51).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.next().atLine(52).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.next().atLine(53).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||||
|
.noMore(); |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
Loading…
Reference in new issue