From c0365cb297d62e85ffe26b01b18e9534225ba45b Mon Sep 17 00:00:00 2001 From: Guo XIn <371864209@qq.com> Date: Thu, 25 Jan 2024 21:20:26 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99=EF=BC=9A?= =?UTF-8?q?=E5=BA=94=E9=80=9A=E8=BF=87=E7=94=A8=E6=88=B7=E5=90=8D=E5=8F=A3?= =?UTF-8?q?=E4=BB=A4=E3=80=81=E6=95=B0=E5=AD=97=E8=AF=81=E4=B9=A6=E7=AD=89?= =?UTF-8?q?=E5=85=B6=E4=BB=96=E6=89=8B=E6=AE=B5=E5=AF=B9=E4=B8=BB=E6=9C=BA?= =?UTF-8?q?=E8=BA=AB=E4=BB=BD=E8=BF=9B=E8=A1=8C=E9=89=B4=E5=88=AB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/keyware/sonar/cxx/CxxSquidSensor.java | 57 ++++++-- .../rules/SecurityDesignRuleProperties.java | 17 +++ .../checkers/HostIdentityVerifyChecker.java | 133 ++++++++++++++++++ .../HostIdentityVerifyCheckerTest.java | 45 ++++++ .../checkers/HostIdentityVerifyChecker.cc | 80 +++++++++++ 5 files changed, 318 insertions(+), 14 deletions(-) create mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java create mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.java create mode 100644 sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyCheckerTest.java create mode 100644 sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.cc diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java index b0b8727..44c60a1 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java @@ -38,6 +38,7 @@ import org.sonar.cxx.sensors.utils.CxxUtils; import org.sonar.cxx.squidbridge.SquidAstVisitor; import org.sonar.cxx.squidbridge.api.SourceCode; import org.sonar.cxx.squidbridge.api.SourceFile; +import org.sonar.cxx.squidbridge.api.SourceProject; import org.sonar.cxx.squidbridge.indexer.QueryByType; import org.sonar.cxx.visitors.CxxCpdVisitor; import org.sonar.cxx.visitors.CxxHighlighterVisitor; @@ -286,7 +287,7 @@ public class CxxSquidSensor implements ProjectSensor { public void describe(SensorDescriptor descriptor) { descriptor .name("CXX") - .onlyOnLanguages(CxxLanguage.KEY, LogLanguage.KEY,ConfigurationFileLanguage.KEY) + .onlyOnLanguages(CxxLanguage.KEY, LogLanguage.KEY, ConfigurationFileLanguage.KEY) .onlyOnFileType(InputFile.Type.MAIN) .onlyWhenConfiguration(conf -> !conf.getBoolean(SQUID_DISABLED_KEY).orElse(false)); } @@ -315,7 +316,7 @@ public class CxxSquidSensor implements ProjectSensor { Iterable inputFiles = getInputFiles(context, squidConfig); scanner.scanInputFiles(inputFiles); - Collection squidSourceFiles = scanner.getIndex().search(new QueryByType(SourceFile.class)); + Collection squidSourceFiles = scanner.getIndex().search(new QueryByType(SourceProject.class), new QueryByType(SourceFile.class)); save(squidSourceFiles); } @@ -373,7 +374,7 @@ public class CxxSquidSensor implements ProjectSensor { private Iterable getInputFiles(SensorContext context, CxxSquidConfiguration squidConfig) { Iterable inputFiles = context.fileSystem().inputFiles( context.fileSystem().predicates().and( - context.fileSystem().predicates().hasLanguages(CxxLanguage.KEY, LogLanguage.KEY,ConfigurationFileLanguage.KEY), + context.fileSystem().predicates().hasLanguages(CxxLanguage.KEY, LogLanguage.KEY, ConfigurationFileLanguage.KEY), context.fileSystem().predicates().hasType(InputFile.Type.MAIN) ) ); @@ -400,19 +401,25 @@ public class CxxSquidSensor implements ProjectSensor { } private void save(Collection sourceCodeFiles) { - for (var sourceCodeFile : sourceCodeFiles) { + for (var sourceCode : sourceCodeFiles) { try { - var sourceFile = (SourceFile) sourceCodeFile; - InputFile inputFile = context.fileSystem().inputFile( - context.fileSystem().predicates().hasPath(sourceFile.getKey()) - ); - saveMeasures(inputFile, sourceFile); - saveViolations(inputFile, sourceFile); - saveFileLinesContext(inputFile, sourceFile); - saveCpdTokens(inputFile, sourceFile); - saveHighlighting(inputFile, sourceFile); + if (sourceCode instanceof SourceFile) { + var sourceFile = (SourceFile) sourceCode; + InputFile inputFile = context.fileSystem().inputFile( + context.fileSystem().predicates().hasPath(sourceFile.getKey()) + ); + saveMeasures(inputFile, sourceFile); + saveViolations(inputFile, sourceFile); + saveFileLinesContext(inputFile, sourceFile); + saveCpdTokens(inputFile, sourceFile); + saveHighlighting(inputFile, sourceFile); + } else if (sourceCode instanceof SourceProject) { + var sourceProject = (SourceProject) sourceCode; + saveProjectViolations(sourceProject); + } + } catch (IllegalStateException e) { - var msg = "Cannot save all measures for file '" + sourceCodeFile.getKey() + "'"; + var msg = "Cannot save all measures for file '" + sourceCode.getKey() + "'"; CxxUtils.validateRecovery(msg, e, context.config()); } } @@ -451,6 +458,28 @@ public class CxxSquidSensor implements ProjectSensor { saveMetric(inputFile, CxxMetrics.BIG_FUNCTIONS_LOC, sourceFile.getInt(CxxMetric.BIG_FUNCTIONS_LOC)); } + + /** + * 保存项目问题 + * + * @param sourceProject + */ + private void saveProjectViolations(SourceProject sourceProject) { + sourceProject.getCheckMessages().forEach(message -> { + var checker = (SquidAstVisitor) message.getCheck(); + RuleKey ruleKey = checks.ruleKey(checker); + if (ruleKey != null) { + var newIssue = context.newIssue().forRule(ruleKey); + var location = newIssue.newLocation() + .on(context.project()) + .message(message.getText(Locale.CHINA)); + newIssue.at(location); + newIssue.save(); + LOG.debug("[KeyWare]>>保存问题项:{}, {}, {}", context.project().key(), ruleKey.toString(), message.getText(Locale.CHINA)); + } + }); + } + private void saveViolations(InputFile inputFile, SourceFile sourceFile) { if (sourceFile.hasCheckMessages()) { for (var message : sourceFile.getCheckMessages()) { diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java new file mode 100644 index 0000000..7b970e0 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java @@ -0,0 +1,17 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules; + +/** + * C++ 安全设计准则检查规则属性 + * + * @author GuoXin + * @date 2024/1/18 + */ +public class SecurityDesignRuleProperties { + +} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.java new file mode 100644 index 0000000..4de9a5e --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.java @@ -0,0 +1,133 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.cxx.rules.checkers; + +import com.sonar.cxx.sslr.api.AstNode; +import com.sonar.cxx.sslr.api.Grammar; +import org.sonar.api.utils.log.Logger; +import org.sonar.api.utils.log.Loggers; +import org.sonar.check.Priority; +import org.sonar.check.Rule; +import org.sonar.cxx.parser.CxxGrammarImpl; +import org.sonar.cxx.squidbridge.api.CheckMessage; +import org.sonar.cxx.squidbridge.api.SourceCode; +import org.sonar.cxx.visitors.MultiLocatitionSquidCheck; + +import javax.annotation.Nonnull; +import java.util.Set; + + +/** + * 应通过用户名口令、数字证书等其他手段对主机身份进行鉴别 + *

仅检测代码中有没有用户名口令和数字证书

+ * + * @author GuoXin + * @date 2024/1/24 + */ +@Rule(key = "HostIdentityVerifyChecker", name = "程序中未识别到通过用户名口令或者数字证书验证等安全认证逻辑", description = "应通过用户名口令、数字证书等其他手段对主机身份进行鉴别", priority = Priority.MAJOR, tags = {"28suo"}) +public class HostIdentityVerifyChecker extends MultiLocatitionSquidCheck { + private static final Logger LOG = Loggers.get(HostIdentityVerifyChecker.class); + private SourceCode project; + + private boolean hasUsername = false; + private boolean hasPassword = false; + private boolean hasCertificate = false; + + private final Set SSL_FUNCTIONS = Set.of( + "SSL_use_certificate_file", + "SSL_use_PrivateKey_file", + "SSL_use_RSAPrivateKey_file", + "SSL_CTX_use_certificate_file", + "SSL_CTX_use_RSAPrivateKey_file", + "SSL_CTX_use_PrivateKey_file", + "SSL_CTX_use_certificate_chain_file", + "SSL_use_certificate_chain_file", + "SSL_library_init", + "PEM_read_X509", + "d2i_X509_bio", + "X509_verify", + "X509_check_issued", + "X509_get_notBefore", + "X509_get_notAfter", + "X509_get_subject_name", + "X509_get_issuer_name", + "X509_get_pubkey", + "X509_STORE_CTX_init", + "X509_STORE_add_cert", + "X509_verify_cert" + ); + + @Override + public void init() { + LOG.info("[KeyWare][C++检查] >> 应通过用户名口令、数字证书等其他手段对主机身份进行鉴别"); + if (project == null) { + project = getContext().peekSourceCode(); + } + subscribeTo(CxxGrammarImpl.functionDefinition, CxxGrammarImpl.simpleDeclaration, CxxGrammarImpl.postfixExpression); + } + + + @Override + public void visitNode(@Nonnull AstNode astNode) { + if ((hasUsername && hasPassword) || hasCertificate) { + return; + } + + if (astNode.is(CxxGrammarImpl.functionDefinition)) { + visitFunctionDefinition(astNode); + } else if (astNode.is(CxxGrammarImpl.simpleDeclaration)) { + visitSimpleDeclaration(astNode); + } else if (astNode.is(CxxGrammarImpl.postfixExpression)) { + visitPostfixExpression(astNode); + } + } + + private void visitFunctionDefinition(@Nonnull AstNode astNode) { + astNode.getDescendants(CxxGrammarImpl.parameterDeclaration).forEach(this::checkDeclarationNode); + } + + private void visitSimpleDeclaration(@Nonnull AstNode astNode) { + astNode.getDescendants(CxxGrammarImpl.declarator).forEach(this::checkDeclarationNode); + } + + private void visitPostfixExpression(@Nonnull AstNode astNode) { + var nameNode = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId); + if (nameNode == null) { + nameNode = astNode.getFirstDescendant(CxxGrammarImpl.className); + } + if (nameNode != null) { + var nameStr = nameNode.getTokenValue(); + if (SSL_FUNCTIONS.contains(nameStr)) { + hasCertificate = true; + } + } + } + + private void checkDeclarationNode(@Nonnull AstNode astNode) { + var paramNode = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId); + if (paramNode != null) { + var paramName = paramNode.getTokenValue(); + paramName = paramName.toLowerCase().replace("-", "").replace("_", ""); + if ("username".equals(paramName)) { + hasUsername = true; + } else if ("password".equals(paramName)) { + hasPassword = true; + } + } + } + + /** + * 当访问器销毁时执行,代表所有文件已经被访问完毕,可以进行最后的处理。 + */ + @Override + public void destroy() { + if (!(hasPassword && hasUsername) && !hasCertificate) { + project.log(new CheckMessage(this, "应通过用户名口令、数字证书等其他手段对主机身份进行鉴别")); + } + } +} diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyCheckerTest.java new file mode 100644 index 0000000..e19ffd3 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyCheckerTest.java @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.cxx.rules.checkers; + +import com.keyware.sonar.cxx.CxxFileTesterHelper; +import org.junit.jupiter.api.Test; +import org.sonar.api.batch.fs.InputFile; +import org.sonar.cxx.CxxAstScanner; +import org.sonar.cxx.config.CxxSquidConfiguration; +import org.sonar.cxx.squidbridge.api.SourceCode; +import org.sonar.cxx.squidbridge.api.SourceProject; +import org.sonar.cxx.squidbridge.indexer.QueryByType; + +import java.io.IOException; +import java.util.Collection; +import java.util.Set; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * 测试规则:应通过用户名口令、数字证书等其他手段对主机身份进行鉴别 + * + * @author GuoXin + * @date 2024/1/24 + */ +public class HostIdentityVerifyCheckerTest { + @Test + public void checkTest() throws IOException { + var checker = new HostIdentityVerifyChecker(); + var tester = CxxFileTesterHelper.create("HostIdentityVerifyChecker.cc"); + var scanner = CxxAstScanner.create(new CxxSquidConfiguration(), checker); + Set inputFiles = Set.of(tester.asInputFile()); + scanner.scanInputFiles(inputFiles); + Collection squidSourceFiles = scanner.getIndex().search(new QueryByType(SourceProject.class)); + assertThat(squidSourceFiles).size().isEqualTo(1); + squidSourceFiles.forEach(sourceCode -> { + assertThat(sourceCode.getCheckMessages()).size().isEqualTo(1); + }); + } +} diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.cc b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.cc new file mode 100644 index 0000000..d1d04f9 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.cc @@ -0,0 +1,80 @@ +#include +#include +#include +// 本示例中对合规代码进行了注释 + +// 假设有一个函数去异步验证用户名和密码 +/*void verify_credentials(const std::string& username, const std::string& password) { + // 如果验证成功,则执行相应操作 + if (is_valid(username, password)) { + std::cout << "Authentication successful." << std::endl; + } else { + std::cout << "Invalid credentials." << std::endl; + } +}*/ + +int main() { + /*std::string user_name, pass_word; + std::cout << "Enter your username: "; + std::cin >> user_name; + std::cout << "Enter your password: "; + std::getline(std::cin, pass_word); + + // 调用验证函数 + verify_credentials(user_name, pass_word);*/ + + return 0; +} + +#include +#include +#include +#include + +bool verifyCertificate(const std::string& certPath) { + // 初始化OpenSSL库 + /*SSL_library_init(); + OpenSSL_add_all_algorithms(); + ERR_load_crypto_strings(); + + // 加载证书文件 + FILE* certFile = fopen(certPath.c_str(), "r"); + if (!certFile) { + perror("Failed to open certificate file"); + return false; + } + + X509* x509Cert = PEM_read_X509(certFile, NULL, NULL, NULL); + fclose(certFile); + + if (!x509Cert) { + ERR_print_errors_fp(stderr); + return false; + } + + // 这里只做简单的证书有效性检查,真实场景下需要构建完整的信任链并验证到根CA + int result = X509_verify(x509Cert, NULL); + + + // 释放资源 + X509_free(x509Cert); + + // 返回验证结果 + return (result == 1);*/ +} + +int main2() { + const std::string certPath = "/path/to/certificate.pem"; + bool isVerified = verifyCertificate(certPath); + if (isVerified) { + std::cout << "The certificate has been verified successfully." << std::endl; + } else { + std::cout << "Failed to verify the certificate." << std::endl; + } + + // 清理OpenSSL库 + EVP_cleanup(); + ERR_free_strings(); + + return 0; +} \ No newline at end of file