新增准则：应通过用户名口令、数字证书等其他手段对主机身份进行鉴别

8 months ago · c0365cb297
parent aaee78b3fd
commit c0365cb297
5 changed files with 318 additions and 14 deletions
--- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java
@ -38,6 +38,7 @@ import org.sonar.cxx.sensors.utils.CxxUtils;
 import org.sonar.cxx.squidbridge.SquidAstVisitor;
 import org.sonar.cxx.squidbridge.api.SourceCode;
 import org.sonar.cxx.squidbridge.api.SourceFile;
 import org.sonar.cxx.squidbridge.api.SourceProject;
 import org.sonar.cxx.squidbridge.indexer.QueryByType;
 import org.sonar.cxx.visitors.CxxCpdVisitor;
 import org.sonar.cxx.visitors.CxxHighlighterVisitor;
@ -286,7 +287,7 @@ public class CxxSquidSensor implements ProjectSensor {
    public void describe(SensorDescriptor descriptor) {
        descriptor
                .name("CXX")
-                .onlyOnLanguages(CxxLanguage.KEY, LogLanguage.KEY,ConfigurationFileLanguage.KEY)
+                .onlyOnLanguages(CxxLanguage.KEY, LogLanguage.KEY, ConfigurationFileLanguage.KEY)
                .onlyOnFileType(InputFile.Type.MAIN)
                .onlyWhenConfiguration(conf -> !conf.getBoolean(SQUID_DISABLED_KEY).orElse(false));
    }
@ -315,7 +316,7 @@ public class CxxSquidSensor implements ProjectSensor {
        Iterable<InputFile> inputFiles = getInputFiles(context, squidConfig);
        scanner.scanInputFiles(inputFiles);
-        Collection<SourceCode> squidSourceFiles = scanner.getIndex().search(new QueryByType(SourceFile.class));
+        Collection<SourceCode> squidSourceFiles = scanner.getIndex().search(new QueryByType(SourceProject.class), new QueryByType(SourceFile.class));
        save(squidSourceFiles);
    }
@ -373,7 +374,7 @@ public class CxxSquidSensor implements ProjectSensor {
    private Iterable<InputFile> getInputFiles(SensorContext context, CxxSquidConfiguration squidConfig) {
        Iterable<InputFile> inputFiles = context.fileSystem().inputFiles(
                context.fileSystem().predicates().and(
-                        context.fileSystem().predicates().hasLanguages(CxxLanguage.KEY, LogLanguage.KEY,ConfigurationFileLanguage.KEY),
+                        context.fileSystem().predicates().hasLanguages(CxxLanguage.KEY, LogLanguage.KEY, ConfigurationFileLanguage.KEY),
                        context.fileSystem().predicates().hasType(InputFile.Type.MAIN)
                )
        );
@ -400,9 +401,10 @@ public class CxxSquidSensor implements ProjectSensor {
    }
    private void save(Collection<SourceCode> sourceCodeFiles) {
-        for (var sourceCodeFile : sourceCodeFiles) {
+        for (var sourceCode : sourceCodeFiles) {
            try {
-                var sourceFile = (SourceFile) sourceCodeFile;
+                if (sourceCode instanceof SourceFile) {
                    var sourceFile = (SourceFile) sourceCode;
                    InputFile inputFile = context.fileSystem().inputFile(
                            context.fileSystem().predicates().hasPath(sourceFile.getKey())
                    );
@ -411,8 +413,13 @@ public class CxxSquidSensor implements ProjectSensor {
                    saveFileLinesContext(inputFile, sourceFile);
                    saveCpdTokens(inputFile, sourceFile);
                    saveHighlighting(inputFile, sourceFile);
                } else if (sourceCode instanceof SourceProject) {
                    var sourceProject = (SourceProject) sourceCode;
                    saveProjectViolations(sourceProject);
                }
            } catch (IllegalStateException e) {
-                var msg = "Cannot save all measures for file '" + sourceCodeFile.getKey() + "'";
+                var msg = "Cannot save all measures for file '" + sourceCode.getKey() + "'";
                CxxUtils.validateRecovery(msg, e, context.config());
            }
        }
@ -451,6 +458,28 @@ public class CxxSquidSensor implements ProjectSensor {
        saveMetric(inputFile, CxxMetrics.BIG_FUNCTIONS_LOC, sourceFile.getInt(CxxMetric.BIG_FUNCTIONS_LOC));
    }
    /**
     * 保存项目问题
     *
     * @param sourceProject
     */
    private void saveProjectViolations(SourceProject sourceProject) {
        sourceProject.getCheckMessages().forEach(message -> {
            var checker = (SquidAstVisitor<Grammar>) message.getCheck();
            RuleKey ruleKey = checks.ruleKey(checker);
            if (ruleKey != null) {
                var newIssue = context.newIssue().forRule(ruleKey);
                var location = newIssue.newLocation()
                        .on(context.project())
                        .message(message.getText(Locale.CHINA));
                newIssue.at(location);
                newIssue.save();
                LOG.debug("[KeyWare]>>保存问题项：{}, {}, {}", context.project().key(), ruleKey.toString(), message.getText(Locale.CHINA));
            }
        });
    }
    private void saveViolations(InputFile inputFile, SourceFile sourceFile) {
        if (sourceFile.hasCheckMessages()) {
            for (var message : sourceFile.getCheckMessages()) {
--- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java
@ -0,0 +1,17 @@
 /*
 * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 * 项目名称：信息安全性设计准则检查插件
 * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
 * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 */
 package com.keyware.sonar.cxx.rules;
 /**
 * C++ 安全设计准则检查规则属性
 *
 * @author GuoXin
 * @date 2024/1/18
 */
 public class SecurityDesignRuleProperties {
 }
--- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.java
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.java
@ -0,0 +1,133 @@
 /*
 * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 * 项目名称：信息安全性设计准则检查插件
 * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
 * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 */
 package com.keyware.sonar.cxx.rules.checkers;
 import com.sonar.cxx.sslr.api.AstNode;
 import com.sonar.cxx.sslr.api.Grammar;
 import org.sonar.api.utils.log.Logger;
 import org.sonar.api.utils.log.Loggers;
 import org.sonar.check.Priority;
 import org.sonar.check.Rule;
 import org.sonar.cxx.parser.CxxGrammarImpl;
 import org.sonar.cxx.squidbridge.api.CheckMessage;
 import org.sonar.cxx.squidbridge.api.SourceCode;
 import org.sonar.cxx.visitors.MultiLocatitionSquidCheck;
 import javax.annotation.Nonnull;
 import java.util.Set;
 /**
 * 应通过用户名口令、数字证书等其他手段对主机身份进行鉴别
 * <p>仅检测代码中有没有用户名口令和数字证书</p>
 *
 * @author GuoXin
 * @date 2024/1/24
 */
@Rule(key = "HostIdentityVerifyChecker", name = "程序中未识别到通过用户名口令或者数字证书验证等安全认证逻辑", description = "应通过用户名口令、数字证书等其他手段对主机身份进行鉴别", priority = Priority.MAJOR, tags = {"28suo"})
 public class HostIdentityVerifyChecker extends MultiLocatitionSquidCheck<Grammar> {
    private static final Logger LOG = Loggers.get(HostIdentityVerifyChecker.class);
    private SourceCode project;
    private boolean hasUsername = false;
    private boolean hasPassword = false;
    private boolean hasCertificate = false;
    private final Set<String> SSL_FUNCTIONS = Set.of(
            "SSL_use_certificate_file",
            "SSL_use_PrivateKey_file",
            "SSL_use_RSAPrivateKey_file",
            "SSL_CTX_use_certificate_file",
            "SSL_CTX_use_RSAPrivateKey_file",
            "SSL_CTX_use_PrivateKey_file",
            "SSL_CTX_use_certificate_chain_file",
            "SSL_use_certificate_chain_file",
            "SSL_library_init",
            "PEM_read_X509",
            "d2i_X509_bio",
            "X509_verify",
            "X509_check_issued",
            "X509_get_notBefore",
            "X509_get_notAfter",
            "X509_get_subject_name",
            "X509_get_issuer_name",
            "X509_get_pubkey",
            "X509_STORE_CTX_init",
            "X509_STORE_add_cert",
            "X509_verify_cert"
    );
    @Override
    public void init() {
        LOG.info("[KeyWare][C++检查] >> 应通过用户名口令、数字证书等其他手段对主机身份进行鉴别");
        if (project == null) {
            project = getContext().peekSourceCode();
        }
        subscribeTo(CxxGrammarImpl.functionDefinition, CxxGrammarImpl.simpleDeclaration, CxxGrammarImpl.postfixExpression);
    }
    @Override
    public void visitNode(@Nonnull AstNode astNode) {
        if ((hasUsername && hasPassword) || hasCertificate) {
            return;
        }
        if (astNode.is(CxxGrammarImpl.functionDefinition)) {
            visitFunctionDefinition(astNode);
        } else if (astNode.is(CxxGrammarImpl.simpleDeclaration)) {
            visitSimpleDeclaration(astNode);
        } else if (astNode.is(CxxGrammarImpl.postfixExpression)) {
            visitPostfixExpression(astNode);
        }
    }
    private void visitFunctionDefinition(@Nonnull AstNode astNode) {
        astNode.getDescendants(CxxGrammarImpl.parameterDeclaration).forEach(this::checkDeclarationNode);
    }
    private void visitSimpleDeclaration(@Nonnull AstNode astNode) {
        astNode.getDescendants(CxxGrammarImpl.declarator).forEach(this::checkDeclarationNode);
    }
    private void visitPostfixExpression(@Nonnull AstNode astNode) {
        var nameNode = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId);
        if (nameNode == null) {
            nameNode = astNode.getFirstDescendant(CxxGrammarImpl.className);
        }
        if (nameNode != null) {
            var nameStr = nameNode.getTokenValue();
            if (SSL_FUNCTIONS.contains(nameStr)) {
                hasCertificate = true;
            }
        }
    }
    private void checkDeclarationNode(@Nonnull AstNode astNode) {
        var paramNode = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId);
        if (paramNode != null) {
            var paramName = paramNode.getTokenValue();
            paramName = paramName.toLowerCase().replace("-", "").replace("_", "");
            if ("username".equals(paramName)) {
                hasUsername = true;
            } else if ("password".equals(paramName)) {
                hasPassword = true;
            }
        }
    }
    /**
     * 当访问器销毁时执行，代表所有文件已经被访问完毕，可以进行最后的处理。
     */
    @Override
    public void destroy() {
        if (!(hasPassword && hasUsername) && !hasCertificate) {
            project.log(new CheckMessage(this, "应通过用户名口令、数字证书等其他手段对主机身份进行鉴别"));
        }
    }
 }
--- a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyCheckerTest.java
+++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyCheckerTest.java
@ -0,0 +1,45 @@
 /*
 * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 * 项目名称：信息安全性设计准则检查插件
 * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
 * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 */
 package com.keyware.sonar.cxx.rules.checkers;
 import com.keyware.sonar.cxx.CxxFileTesterHelper;
 import org.junit.jupiter.api.Test;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.cxx.CxxAstScanner;
 import org.sonar.cxx.config.CxxSquidConfiguration;
 import org.sonar.cxx.squidbridge.api.SourceCode;
 import org.sonar.cxx.squidbridge.api.SourceProject;
 import org.sonar.cxx.squidbridge.indexer.QueryByType;
 import java.io.IOException;
 import java.util.Collection;
 import java.util.Set;
 import static org.assertj.core.api.Assertions.assertThat;
 /**
 * 测试规则：应通过用户名口令、数字证书等其他手段对主机身份进行鉴别
 *
 * @author GuoXin
 * @date 2024/1/24
 */
 public class HostIdentityVerifyCheckerTest {
    @Test
    public void checkTest() throws IOException {
        var checker = new HostIdentityVerifyChecker();
        var tester = CxxFileTesterHelper.create("HostIdentityVerifyChecker.cc");
        var scanner = CxxAstScanner.create(new CxxSquidConfiguration(), checker);
        Set<InputFile> inputFiles = Set.of(tester.asInputFile());
        scanner.scanInputFiles(inputFiles);
        Collection<SourceCode> squidSourceFiles = scanner.getIndex().search(new QueryByType(SourceProject.class));
        assertThat(squidSourceFiles).size().isEqualTo(1);
        squidSourceFiles.forEach(sourceCode -> {
            assertThat(sourceCode.getCheckMessages()).size().isEqualTo(1);
        });
    }
 }
--- a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.cc
+++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/HostIdentityVerifyChecker.cc
@ -0,0 +1,80 @@
 #include <iostream>
 #include <string>
 #include <boost/asio.hpp>
 // 本示例中对合规代码进行了注释
 // 假设有一个函数去异步验证用户名和密码
 /*void verify_credentials(const std::string& username, const std::string& password) {
    // 如果验证成功，则执行相应操作
    if (is_valid(username, password)) {
        std::cout << "Authentication successful." << std::endl;
    } else {
        std::cout << "Invalid credentials." << std::endl;
    }
 }*/
 int main() {
    /*std::string user_name, pass_word;
    std::cout << "Enter your username: ";
    std::cin >> user_name;
    std::cout << "Enter your password: ";
    std::getline(std::cin, pass_word);
    // 调用验证函数
    verify_credentials(user_name, pass_word);*/
    return 0;
 }
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 bool verifyCertificate(const std::string& certPath) {
    // 初始化OpenSSL库
    /*SSL_library_init();
    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();
    // 加载证书文件
    FILE* certFile = fopen(certPath.c_str(), "r");
    if (!certFile) {
        perror("Failed to open certificate file");
        return false;
    }
    X509* x509Cert = PEM_read_X509(certFile, NULL, NULL, NULL);
    fclose(certFile);
    if (!x509Cert) {
        ERR_print_errors_fp(stderr);
        return false;
    }
    // 这里只做简单的证书有效性检查，真实场景下需要构建完整的信任链并验证到根CA
    int result = X509_verify(x509Cert, NULL);
    // 释放资源
    X509_free(x509Cert);
    // 返回验证结果
    return (result == 1);*/
 }
 int main2() {
    const std::string certPath = "/path/to/certificate.pem";
    bool isVerified = verifyCertificate(certPath);
    if (isVerified) {
        std::cout << "The certificate has been verified successfully." << std::endl;
    } else {
        std::cout << "Failed to verify the certificate." << std::endl;
    }
    // 清理OpenSSL库
    EVP_cleanup();
    ERR_free_strings();
    return 0;
 }