parent
2ada807f82
commit
bcd123a05d
@ -0,0 +1,140 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:C++ 信息安全性设计准则 |
||||
* 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.cxx.rules.checkers; |
||||
|
||||
import com.sonar.cxx.sslr.api.AstNode; |
||||
import com.sonar.cxx.sslr.api.Grammar; |
||||
import org.sonar.check.Priority; |
||||
import org.sonar.check.Rule; |
||||
import org.sonar.cxx.parser.CxxGrammarImpl; |
||||
import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; |
||||
import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; |
||||
import org.sonar.cxx.squidbridge.checks.SquidCheck; |
||||
|
||||
import java.util.ArrayList; |
||||
import java.util.List; |
||||
|
||||
@Rule(key = "LogFileWriteChecker", name = "慎重考虑写入日志文件信息的隐私性", description = "避免把敏感信息写入日志文件,日志文件只需记录必要的信息,包括日志类型、产生时间、错误信息等,不能在日志文件中记录武器参数、用户单位名称、重要控制命令等信息。", priority = Priority.INFO, tags = {"28suo"}) |
||||
@ActivatedByDefault |
||||
@SqaleConstantRemediation("5min") |
||||
public class LogFileWriteChecker extends SquidCheck<Grammar> { |
||||
public void init() { |
||||
// 订阅要检查AST节点类型,用于在visitNode方法中检查该类型节点
|
||||
this.subscribeTo( |
||||
CxxGrammarImpl.translationUnit |
||||
); |
||||
} |
||||
|
||||
public void visitNode(AstNode astNode) { |
||||
|
||||
//四种级别
|
||||
List<String> lists = new ArrayList<>(); |
||||
lists.add("debug"); |
||||
lists.add("info"); |
||||
lists.add("warn"); |
||||
lists.add("error"); |
||||
|
||||
//敏感信息
|
||||
List<String> listss = new ArrayList<>(); |
||||
listss.add("username"); |
||||
listss.add("orgname"); |
||||
listss.add("armsname"); |
||||
|
||||
List<AstNode> descendants = astNode.getDescendants(CxxGrammarImpl.declaration); |
||||
descendants.addAll(astNode.getDescendants(CxxGrammarImpl.assignmentExpression)); |
||||
|
||||
for (AstNode dec : descendants) { |
||||
AstNode firstDescendantst = dec.getFirstDescendant(CxxGrammarImpl.postfixExpression); |
||||
if (firstDescendantst != null) { |
||||
if ("spdlog".equals(firstDescendantst.getTokenValue())) { |
||||
AstNode firstDescendant = dec.getFirstDescendant(CxxGrammarImpl.declarator); |
||||
List<AstNode> astNodeList = astNode.getDescendants(CxxGrammarImpl.expression); |
||||
for (AstNode as : astNodeList) { |
||||
//判断rotating_logger
|
||||
if (firstDescendant.getTokenValue().equals(as.getTokenValue())) { |
||||
AstNode descendant1 = as.getFirstDescendant(CxxGrammarImpl.postfixExpression); |
||||
List<AstNode> children = descendant1.getChildren(); |
||||
for (AstNode fir : children) { |
||||
//判断是否是debug、info、warn、error
|
||||
if (lists.contains(fir.getTokenValue())) { |
||||
AstNode descendant = as.getFirstDescendant(CxxGrammarImpl.initializerList); |
||||
List<AstNode> descendantChildren = descendant.getChildren(); |
||||
for (AstNode chil : descendantChildren) { |
||||
if ("IDENTIFIER".equals(chil.getName())) { |
||||
if (listss.contains(chil.getTokenValue().toLowerCase())) { |
||||
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", chil); |
||||
break; |
||||
} |
||||
} else if ("additiveExpression".equals(chil.getName())) { |
||||
List<AstNode> chilChildren = chil.getChildren(); |
||||
for (AstNode dren : chilChildren) { |
||||
if (listss.contains(dren.getTokenValue().toLowerCase())) { |
||||
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", dren); |
||||
break; |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} else if ("log4cpp".equals(dec.getTokenValue())) { |
||||
AstNode descendant = dec.getFirstDescendant(CxxGrammarImpl.declaratorId); |
||||
String tokenValue = null; |
||||
if (descendant != null) { |
||||
tokenValue = descendant.getTokenValue(); |
||||
} else { |
||||
AstNode firstDescendant = dec.getFirstDescendant(CxxGrammarImpl.andExpression); |
||||
List<AstNode> astNodeList = firstDescendant.getChildren(); |
||||
for (AstNode ast : astNodeList) { |
||||
if ("IDENTIFIER".equals(ast.getName())) { |
||||
tokenValue = ast.getTokenValue(); |
||||
} |
||||
|
||||
} |
||||
} |
||||
List<AstNode> astNodeList = astNode.getDescendants(CxxGrammarImpl.expression); |
||||
for (AstNode ast : astNodeList) { |
||||
if (tokenValue.equals(ast.getTokenValue())) { |
||||
AstNode descendant1 = ast.getFirstDescendant(CxxGrammarImpl.postfixExpression); |
||||
List<AstNode> childrens = descendant1.getChildren(); |
||||
for (AstNode fir : childrens) { |
||||
//判断是否是debug、info、warn、error
|
||||
if (lists.contains(fir.getTokenValue())) { |
||||
AstNode inits = ast.getFirstDescendant(CxxGrammarImpl.initializerList); |
||||
List<AstNode> descendantChildren = inits.getChildren(); |
||||
for (AstNode chil : descendantChildren) { |
||||
if ("IDENTIFIER".equals(chil.getName())) { |
||||
if (listss.contains(chil.getTokenValue().toLowerCase())) { |
||||
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", chil); |
||||
break; |
||||
} |
||||
} else if ("additiveExpression".equals(chil.getName())) { |
||||
List<AstNode> chilChildren = chil.getChildren(); |
||||
for (AstNode dren : chilChildren) { |
||||
if (listss.contains(dren.getTokenValue().toLowerCase())) { |
||||
getContext().createLineViolation(this, "慎重考虑写入日志文件信息的隐私性", dren); |
||||
break; |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
||||
|
||||
} |
||||
} |
||||
} |
||||
} |
||||
|
||||
|
||||
|
||||
|
@ -0,0 +1,35 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:C++ 信息安全性设计准则 |
||||
* 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.cxx.rules.checkers; |
||||
|
||||
import com.keyware.sonar.cxx.CxxFileTesterHelper; |
||||
import org.junit.jupiter.api.Test; |
||||
import org.sonar.cxx.CxxAstScanner; |
||||
import org.sonar.cxx.squidbridge.api.SourceFile; |
||||
import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier; |
||||
|
||||
import java.io.IOException; |
||||
|
||||
public class LogFileWriteCheckerTest { |
||||
@Test |
||||
public void checkTest() throws IOException { |
||||
var checker = new LogFileWriteChecker(); |
||||
var tester = CxxFileTesterHelper.create("LogFileWriteChecker.cc"); |
||||
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); |
||||
CheckMessagesVerifier.verify(file.getCheckMessages()) |
||||
.next().atLine(25).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.next().atLine(26).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.next().atLine(27).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.next().atLine(28).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.next().atLine(50).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.next().atLine(51).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.next().atLine(52).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.next().atLine(53).withMessage("慎重考虑写入日志文件信息的隐私性") |
||||
.noMore(); |
||||
} |
||||
|
||||
} |
Loading…
Reference in new issue