parameters = methodTree.parameters();
+ for (VariableTree variable : parameters) {
+ if (variable.type().symbolType().name().endsWith("ServletRequest")) {
+ return true;
}
}
+ //}
return false;
}
@@ -79,30 +79,30 @@ public class UserStatusVerifyChecker extends IssuableSubscriptionVisitor {
@Override
public void visitMethodInvocation(MethodInvocationTree tree) {
ExpressionTree expressionTree = tree.methodSelect();
- if(expressionTree.is(Tree.Kind.MEMBER_SELECT)){
+ if (expressionTree.is(Tree.Kind.MEMBER_SELECT)) {
//判断是否调用指定的方法
MemberSelectExpressionTree selectExpressionTree = (MemberSelectExpressionTree) expressionTree;
- if("getParameter".equals(selectExpressionTree.identifier().name()) || "getSession".equals(selectExpressionTree.identifier().name())){
+ if ("getParameter".equals(selectExpressionTree.identifier().name()) || "getSession".equals(selectExpressionTree.identifier().name())) {
//获取到调用方法的参数
Arguments arguments = tree.arguments();
//调用判断参数的方法
verifyParam(arguments);
- }else if ("invalidate".equals(selectExpressionTree.identifier().name())){
+ } else if ("invalidate".equals(selectExpressionTree.identifier().name())) {
booFour = true;
}
}
}
- public void verifyParam(Arguments arguments){
+ public void verifyParam(Arguments arguments) {
for (ExpressionTree argument : arguments) {
- if(argument.is(Tree.Kind.STRING_LITERAL)){
+ if (argument.is(Tree.Kind.STRING_LITERAL)) {
LiteralTree literalTree = (LiteralTree) argument;
String strName = literalTree.value().replace("\"", "").toLowerCase();
- if("username".equals(strName)){
+ if ("username".equals(strName)) {
booOne = true;
- }else if("password".equals(strName)){
+ } else if ("password".equals(strName)) {
booTwo = true;
- }else if("false".equals(strName)){
+ } else if ("false".equals(strName)) {
booThree = true;
}
}
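Review bot: `verifyParam` is declared `public` although it is only a helper of `visitMethodInvocation`, and `selectExpressionTree.identifier().name()` is re-evaluated three times across the two reformatted `if` lines. Declare it `private void verifyParam(Arguments arguments) {` and hoist the name once, `String name = selectExpressionTree.identifier().name();`, then compare `"getParameter"`, `"getSession"` and `"invalidate"` against that local. The match is by method name only, so a `getParameter`/`getSession` on any receiver type sets the flags; if the rule is meant for servlet requests, checking the receiver's type would avoid false positives, though this may be intended. The body of `verifyParam` continues past the end of the hunk.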
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HostIdentityChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HostIdentityChecker.html
new file mode 100644
index 0000000..2427f4b
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HostIdentityChecker.html
@@ -0,0 +1,16 @@
+
+
+通过用户名口令、数据证书等其他手段对主机身份进行鉴别
+通过用户名口令、数据证书等其他手段对主机身份进行鉴别
+
+
+
+合规解决方案
+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HostIdentityChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HostIdentityChecker.json
new file mode 100644
index 0000000..d1e405d
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HostIdentityChecker.json
@@ -0,0 +1,13 @@
+{
+ "title": "通过用户名口令、数据证书等其他手段对主机身份进行鉴别",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Minor"
+}
\ No newline at end of file
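Review bot: The rule is typed `CODE_SMELL` with `defaultSeverity` `Minor`, although its title describes a missing host-authentication control, which SonarQube would normally surface as a `VULNERABILITY` or `SECURITY_HOTSPOT` so that it lands in the security report rather than the maintainability one. If the `28suo` rule set deliberately uses CODE_SMELL throughout, keep it for consistency; otherwise `"type": "VULNERABILITY"` fits the rule better. The same applies to PasswordInputTagJavaChecker.json in this commit.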
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagJavaChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagJavaChecker.html
new file mode 100644
index 0000000..f6ec286
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagJavaChecker.html
@@ -0,0 +1,16 @@
+
+
+Java用户输入口令时应对口令域进行掩饰,用户输入的每一个字符都应该以星号形式回显
+Java用户输入口令时应对口令域进行掩饰,用户输入的每一个字符都应该以星号形式回显
+
+
+
+合规解决方案
+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagJavaChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagJavaChecker.json
new file mode 100644
index 0000000..0b27eb4
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagJavaChecker.json
@@ -0,0 +1,13 @@
+{
+ "title": "Java用户输入口令时应对口令域进行掩饰,用户输入的每一个字符都应该以星号形式回显",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "15min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Major"
+}
diff --git a/sonar-keyware-plugins-java/src/test/files/FileCheck.java b/sonar-keyware-plugins-java/src/test/files/FileCheck.java
index 47d46e5..888aa99 100644
--- a/sonar-keyware-plugins-java/src/test/files/FileCheck.java
+++ b/sonar-keyware-plugins-java/src/test/files/FileCheck.java
@@ -1,22 +1,38 @@
-public class FileCheck{
+public class FileCheck {
- public String FileName(){
+ public String FileName() {
String fileName = "";
String fileExt = "";
String fileSuffix = "";
- if(fileName.endsWith("png") ){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
+ if (fileName.endsWith("png")) {// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
}
- if(fileExt.equals("jpg") ){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
+ if (fileExt.equals("jpg")) {// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
}
- if(fileSuffix.equals("jpg")){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
+ if (fileSuffix.equals("jpg")) {// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
}
return null;
}
+ public void imageBeauty(HttpServletRequest request) { //处理图像文件
+ DiskFileltemFactory factory = new DiskFileltemFactory();
+ ServletFileUpload upload = new ServletFileUpload(factory);
+ List items = upload.parseRequest(request);
+ Iterator iter = items.iterator();
+ while (iter.hasNext()) {
+ FileItem item = iter.next();
+ String fileName = item.getName();
+ String fileEnd = fileName.substring(fileName.lastlndexOf(".") + 1).toLowerCase();
+ //依赖文件扩展名进行验证
+ if (fileEnd != null && fileEnd.matches(regex)) {// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
+ //对文件的相关操作
+ }
+ }
+ }
+
}
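Review bot: The new `imageBeauty` fixture uses misspelled identifiers that resolve to nothing on the test classpath — `DiskFileltemFactory` (lowercase l for I, twice), `lastlndexOf`, and an undeclared `regex` — and `fileEnd != null` is always true after `substring`. If the checker only matches on method names the expected issue is still raised, but semantic resolution of these symbols fails and the fixture no longer compiles as Java; use `DiskFileItemFactory factory = new DiskFileItemFactory();`, `String fileEnd = fileName.substring(fileName.lastIndexOf(".") + 1).toLowerCase();` and declare `regex` as a local `String` before the `if`. The same typos (`DiskFileltemFactory`, `Fileltem`) appear in the UploadFileVerifyRule.java hunk of this commit.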
diff --git a/sonar-keyware-plugins-java/src/test/files/HashSaltPassWordRule.java b/sonar-keyware-plugins-java/src/test/files/HashSaltPassWordRule.java
index 5068c1f..145f000 100644
--- a/sonar-keyware-plugins-java/src/test/files/HashSaltPassWordRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/HashSaltPassWordRule.java
@@ -1,7 +1,7 @@
public class HashSaltPassWordRule {
- public static void cs(Student student){
+ public static void cs(Student student) {
// 结合盐值和口令进行散列计算
// String hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt());
@@ -29,4 +29,22 @@ public class HashSaltPassWordRule {
}
}
+ public class Example {
+ private String encrypt(String password, KeySpec key) { //加密函数,返回加密后的字符串
+ MessageDigest md = MessageDigest.getInstance("SHA-256");
+ }
+
+ public void storePassword(String password) {
+ byte[] salt = new byte[length];
+ Random random = new SecureRandom();
+ random.nextBytes(salt);//随机生成盐值
+ // 使用盐值生成密钥KeySpec key = new PBEKeySpec(password.toCharArray(),salt,iterationCount);
+// KeySpec keyspec = new PBEKeySpec(ssword.toCharArray(),salt,iterationCount);//生成密钥
+ KeySpec keyspec = new PBEKeySpec(ssword.toCharArray());// Noncompliant {{应使用盐值计算口令}}
+
+ //仅使用单向加密,还是容易被攻击者用彩虹表等方式破解口令
+ String encryptedPassword = encrypt(password, key);
+ //将 encryptedPassword 存放到数据库
+ }
+ }
}
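Review bot: The new `storePassword` references symbols that do not exist in the fixture — `ssword` on the flagged line, `key` in the `encrypt(password, key)` call, and `length`/`iterationCount` — and `encrypt` is declared to return `String` but has no return statement, so the added class does not compile and the receiver of the flagged expression cannot be resolved. Use `KeySpec keyspec = new PBEKeySpec(password.toCharArray());// Noncompliant {{应使用盐值计算口令}}` and `String encryptedPassword = encrypt(password, keyspec);`, declare the two ints as locals, and end `encrypt` with a `return`. The same non-returning `encrypt`/`userExists` stubs appear in the Md5PassWordVerifyRule.java, SecurityCookieRule.java and UserStatusVerifyChecker.java hunks of this commit, the last also carrying an empty `if (username != null && password != null) {}` block. Whether the verifier tolerates unresolved symbols depends on how much semantic information the checker uses, so this may pass today while remaining fragile.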
diff --git a/sonar-keyware-plugins-java/src/test/files/HostIdentityChecker.java b/sonar-keyware-plugins-java/src/test/files/HostIdentityChecker.java
new file mode 100644
index 0000000..8ff0234
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/HostIdentityChecker.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+import java.net.*;
+
+public class Example {
+ private boolean trusted;
+
+ public void getTrust(HttpServletRequest request) {// Noncompliant {{通过用户名口令、数据证书等其他手段对主机身份进行鉴别}}
+ String ip = request.getRemoteAddr();
+ InetAddress address = InetAddress.getByName(ip);
+ //攻击者可通过DNS欺骗绕过依赖域名的主机身份鉴别
+ if (address.getCanonicalHostName().endsWith("trustme.com")) {
+ trusted = true;
+ }
+
+// String username = request.getParameter("username");
+// String password = request.getParameter("password");
+// if (username != null &.&.password != null){
+// }
+ }
+}
\ No newline at end of file
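Review bot: `HttpServletRequest` is used on the `getTrust` signature without an import (only `java.net.*` is imported), so the parameter type is unresolved on the test classpath; if `HostIdentityChecker` keys on the parameter's resolved type, the issue is being raised for the wrong reason, and `InetAddress.getByName` also throws a checked `UnknownHostException` that the method does not declare. Add `import javax.servlet.http.HttpServletRequest;` and `throws UnknownHostException` on the signature. The fixture has only the noncompliant case — the credential-based branch is commented out (and contains `&.&.`, a garbled `&&`) — so the test cannot catch false positives; a second method that authenticates with credentials and carries no marker would make `verifyIssues` meaningful in both directions.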
diff --git a/sonar-keyware-plugins-java/src/test/files/InputSQLVerifyRule.java b/sonar-keyware-plugins-java/src/test/files/InputSQLVerifyRule.java
index f073695..fa2b13d 100644
--- a/sonar-keyware-plugins-java/src/test/files/InputSQLVerifyRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/InputSQLVerifyRule.java
@@ -37,4 +37,15 @@ public class InputSQLVerifyRile {
e.printStackTrace();
}
}
+
+ public class Example{
+ public ResultSet getUserData(ServletRequest req,Connection con) throws SQLException{
+ String owner = req.getParameter("owner");
+ //采用拼接字符串的方式形成SQL语句,没有对用户输入数据owner进行验证
+ String query ="SELECT * FROM user_data WHERE userid ="+ owner +"";
+ Statement statement = con.createStatement();
+ ResultSet results = statement.executeQuery(query);// Noncompliant {{使用sql语句前应对其进行验证}}
+ return results;
+ }
+ }
}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/Md5PassWordVerifyRule.java b/sonar-keyware-plugins-java/src/test/files/Md5PassWordVerifyRule.java
index 5315022..8c2c7e5 100644
--- a/sonar-keyware-plugins-java/src/test/files/Md5PassWordVerifyRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/Md5PassWordVerifyRule.java
@@ -1,5 +1,5 @@
-public class Md5PassWordVerifyRule{
- public static void cs(Student student){
+public class Md5PassWordVerifyRule {
+ public static void cs(Student student) {
// 结合盐值和口令进行散列计算
// String password = DigestUtils.md5Hex(str);
@@ -26,4 +26,20 @@ public class Md5PassWordVerifyRule{
}
}
-}
\ No newline at end of file
+}
+
+
+public class Example {
+
+ public String encrypt(String str) {
+ Cipher cipher = Cipher.getInstance("AES");// Noncompliant {{应使用单向不可逆的加密算法}}
+ //使用双向可逆的 AES算法
+ }
+ public void storePassword(Connection con, String id, String password) {
+ PreparedStatement ps = con.prepareStatement("UPDATE user SET password =? WHERE id =?");
+ String psw = encrypt(password);//加密 password
+ ps.setString(1, psw);//存储加密后的 psw
+ ps.setString(2, id);
+ ResultSet results = ps.executeQuery();
+ }
+}
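Review bot: The new `Example` is a second `public` top-level class in Md5PassWordVerifyRule.java, which javac rejects (one public top-level class per file); the verifier parses rather than compiles the fixture, but the same layout is introduced in the SecurityCookieRule.java and OptionsVerifyOneRule.java hunks of this commit, and dropping `public` from the added classes avoids it everywhere. Separately, `storePassword` runs an `UPDATE` through `ps.executeQuery()`, which JDBC drivers reject for a statement that returns no result set — `int rows = ps.executeUpdate();` is the matching call — and `encrypt` declares `String` but never returns.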
diff --git a/sonar-keyware-plugins-java/src/test/files/PasswordInputTagJavaChecker.java b/sonar-keyware-plugins-java/src/test/files/PasswordInputTagJavaChecker.java
new file mode 100644
index 0000000..6f89a5a
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/PasswordInputTagJavaChecker.java
@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+import javax.swing.*;
+public class SevneTeen{
+ public void exampleFun(){
+ //口令域使用明文输入的JTextField 控件
+ JTextField passwordfield = new JTextField();// Noncompliant {{Java用户输入口令时应对口令域进行掩饰,用户输入的每一个字符都应该以星号形式回显}}
+// passwordfield.setEchoChar("*");//设置回显的符号为*’
+ }
+}
\ No newline at end of file
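Review bot: The fixture contains only the noncompliant `JTextField` case, so the test cannot detect the checker flagging masked fields as well; add a compliant counterpart such as `JPasswordField passwordField = new JPasswordField(); // Compliant`. The commented-out `passwordfield.setEchoChar("*")` would not compile even on a `JPasswordField`, whose `setEchoChar` takes a `char` (`'*'`), and `JTextField` has no such method. `SevneTeen` reads like a typo for the class name; harmless in a fixture, but worth fixing while the file is new.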
diff --git a/sonar-keyware-plugins-java/src/test/files/RSAEncryptionRule.java b/sonar-keyware-plugins-java/src/test/files/RSAEncryptionRule.java
index 9d8186e..23bd914 100644
--- a/sonar-keyware-plugins-java/src/test/files/RSAEncryptionRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/RSAEncryptionRule.java
@@ -5,6 +5,8 @@ import java.security.*;
public class RSAEncryptionRule {
+ private static final String ALGORITHM = "AES";
+
public static void main(String[] args) throws Exception {
// 生成RSA密钥对
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
@@ -16,7 +18,7 @@ public class RSAEncryptionRule {
// 待加密的数据
String message = "Hello, RSA!";
-
+ Cipher cipher = Cipher.getInstance(ALGORITHM);// Noncompliant {{使用RSA最优加密填充}}
// 使用公钥进行加密
Cipher encryptCipher = Cipher.getInstance("OAEPWithAndPadding");// Noncompliant {{使用RSA最优加密填充}}
encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey);
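Review bot: The added `Cipher.getInstance(ALGORITHM)` with `ALGORITHM = "AES"` carries a `// Noncompliant {{使用RSA最优加密填充}}` marker, so the test now asserts that the RSA-OAEP rule fires on a symmetric cipher, where OAEP padding does not apply; that locks a false positive in as expected behaviour. If the checker is meant to cover RSA only, it should inspect the transformation string (OAEP is only meaningful when it starts with `RSA`) and this line should become a `// Compliant` case; if the rule intentionally flags every non-OAEP `Cipher.getInstance`, its description should say so. The context line `Cipher.getInstance("OAEPWithAndPadding")` is not a valid JCA transformation either — `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` is the real form — though that line is not part of this change.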
diff --git a/sonar-keyware-plugins-java/src/test/files/RedirectUrlChecker.java b/sonar-keyware-plugins-java/src/test/files/RedirectUrlChecker.java
index 3ff2969..643b8c5 100644
--- a/sonar-keyware-plugins-java/src/test/files/RedirectUrlChecker.java
+++ b/sonar-keyware-plugins-java/src/test/files/RedirectUrlChecker.java
@@ -6,6 +6,13 @@ import org.springframework.web.servlet.view.RedirectView;
@Controller
public class RedirectUrlChecker {
+
+ public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ String url = request.getParameter("url");
+ //未经验证的 url可能是恶意的
+ response.sendRedirect(url);// Noncompliant {{在重定向前对输入数据进行验证}}
+ return;
+ }
@GetMapping("/old-url")
public RedirectView redirectOldUrl(String url) { // Compliant,因为重定向的路径不是由方法传递进来的
RedirectView redirectView = new RedirectView();
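Review bot: The added `doGet` ends with a bare `return;` on a `void` method, which is redundant and can simply be dropped. The servlet types `HttpServletRequest`, `HttpServletResponse`, `ServletException` and `IOException` need imports that sit above the hunk and are not visible here; the only visible import is Spring's `RedirectView`, so confirm they exist or the parameter types will be unresolved in the fixture.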
diff --git a/sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java b/sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java
index e4fa328..6d33575 100644
--- a/sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java
@@ -10,10 +10,10 @@ public class SecurityCookieRule {
Cookie cookie = new Cookie("cookieName", "cookieValue");
// 设置HttpOnly属性(防止通过JavaScript访问)
- cookie.setHttpOnly(true);
+// cookie.setHttpOnly(true);
// 设置Secure属性(表示该Cookie只能通过HTTPS连接传输)
- cookie.setSecure(true);
+// cookie.setSecure(true);
// 设置其他属性,比如过期时间等
// cookie.setMaxAge(3600); // 有效期为1小时
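Review bot: Commenting out `cookie.setHttpOnly(true)` and `cookie.setSecure(true)` turns the existing cookie into one without the secure flag, but no `// Noncompliant` marker is added for it; the new `doPost` in the next hunk is flagged on its signature for exactly this condition, so if the checker reports per method the verifier will now see an unexpected issue on the enclosing method (whose signature is above this hunk) and `verifyIssues` will fail, and if it does not report there the change silently removes the only compliant example. Either restore the two calls as the compliant case or add the marker on the method that owns this cookie.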
@@ -21,4 +21,17 @@ public class SecurityCookieRule {
// 将Cookie添加到HTTP响应头中
response.addCookie(cookie);
}
+}
+
+public class Example{
+ private String encrypt(String plaintext){ //加密函数,返回加密后的字符串
+ Cipher cipher = Cipher.getInstance("AES");
+ }
+ public void doPost(HttpServletRequest request, HttpServletResponse response)throws ServletException,IOException{// Noncompliant {{设置HTTPS会话中cookie的安全属性}}
+ String userlD= request.getParameter("userlD");
+ String id = encrypt(userlD);//加密敏感信息 userlD
+ Cookie cookieID = new Cookie("userlD",id);
+ response.addCookie(cookieID);//没有设置 cookieID的 secure属性
+
+ }
}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java b/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java
index 21332be..3e9c897 100644
--- a/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java
+++ b/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java
@@ -12,6 +12,7 @@ public class SessionCacheParamsChecker {
public void doGet(HttpServletRequest request, HttpServletResponse response) {
// 直接从request获取参数
+ String prices = request.getParameter("price"); // Noncompliant {{页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取}}
String param = request.getParameter("userId"); // Noncompliant {{页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取}}
request.getParameter("userpassword");// Noncompliant {{页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取}}
request.getParameter("token");// Noncompliant {{页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取}}
diff --git a/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java b/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
index c06ede9..f0cfb47 100644
--- a/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
@@ -50,4 +50,17 @@ public class UploadFileVerifyRule {
return filename.substring(filename.lastIndexOf(".") + 1);
}
}
+
+ public class Example{
+ public void exampleFun(HttpServletRequest request){
+ DiskFileltemFactory factory = new DiskFileltemFactory();
+ ServletFileUpload upload = new ServletFileUpload(factory);
+ List items = upload.parseRequest(request);
+ Iterator iter = items.iterator();
+ while(iter.hasNext()){
+ Fileltem item = iter.next(); // Noncompliant {{程序设计时,应以“白名单”方式限制允许用户上传的文件的类型}}
+ //对文件的相关操作,但没有判断文件类型
+ }
+ }
+ }
}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java b/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java
index cbe3d82..69ab9dd 100644
--- a/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java
@@ -69,4 +69,22 @@ public class UserStatusVerifyChecker {
}
}
}
+
+ public class Example {
+ private boolean userExists(String username, String password) { //判断用户名口令是否正确
+ }
+
+ public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {// Noncompliant {{对用户进行身份鉴别并建立一个新的会话时让原来的会话失效}}
+ String username = request.getParameter("username");
+ String password = request.getParameter("password");
+ if (username != null && password != null) {
+
+ }
+ //通过用户名口令进行身份鉴别
+ if (userExists(username, password)) {
+ //没有建立新的会话并让原来的会话失效
+ HttpSession session = request.getSession(true);
+ }
+ }
+ }
}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyOneRule.java b/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyOneRule.java
index bf67dab..8a383ec 100644
--- a/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyOneRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyOneRule.java
@@ -1,4 +1,3 @@
-
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.OncePerRequestFilter;
@@ -10,7 +9,7 @@ import java.io.IOException;
public class OptionsVerifyOneRule extends OncePerRequestFilter {
@Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { // Noncompliant {{应设置X-Frame-Options的值为deny}}
response.setHeader("X-Frame-Options", "SAMEORIGIN"); // 或者使用SAMEORIGIN,ALLOW-FROM等其他策略
filterChain.doFilter(request, response);
}
@@ -24,4 +23,22 @@ class WebConfig implements WebApplicationInitializer {
// ...其他配置...
FilterRegistration.Dynamic registration = servletContext.addFilter("xFrameOptionsFilter", new OptionsVerifyOneRule());
}
+}
+
+public class OptionsVerifyTwoRule implements Filter {
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ HttpServletResponse res = (HttpServletResponse) response;// Noncompliant {{应设置X-Frame-Options的值为deny}}
+ res.addHeader("X-Frame-Options", "iframe");
+ chain.doFilter(request, response);
+ }
+
+ @Override
+ public void destroy() {
+ }
}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java b/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java
index 1de99bf..a503e90 100644
--- a/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java
@@ -9,9 +9,8 @@ public class OptionsVerifyTwoRule implements Filter {
public void init(FilterConfig filterConfig) throws ServletException {}
@Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
- HttpServletResponse res = (HttpServletResponse) response;
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ HttpServletResponse res = (HttpServletResponse) response;// Noncompliant {{应设置X-Frame-Options的值为deny}}
res.addHeader("X-Frame-Options", "iframe");
chain.doFilter(request, response);
}
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/HostIdentityCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/HostIdentityCheckerTest.java
new file mode 100644
index 0000000..ba1b27d
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/HostIdentityCheckerTest.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ * 通过用户名口令、数据证书等其他手段对主机身份进行鉴别
+ *
+ * @author RenFengJiang
+ * @date 2024/7/3
+ */
+public class HostIdentityCheckerTest {
+
+ @Test
+ void detected() {
+ HostIdentityChecker rule = new HostIdentityChecker();
+
+
+ CheckVerifier.newVerifier()
+ .onFile("src/test/files/HostIdentityChecker.java")
+ .withCheck(rule)
+ .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+ .verifyIssues();
+ }
+}
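Review bot: `detected()` is package-private inside a `public class`, while PasswordInputTagJavaCheckerTest in this commit uses `public void test()`; JUnit 5 convention is package-private for both the class and its test methods, so drop `public` from the class (`class HostIdentityCheckerTest {`) and apply the same in the other test. The two blank lines before `CheckVerifier.newVerifier()` and the single-use `rule` local can also go, passing `new HostIdentityChecker()` to `withCheck` as the sibling test does.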
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyCheckerTest.java
index 60a3d64..b5f3dd1 100644
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyCheckerTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/OptionsVerifyCheckerTest.java
@@ -21,19 +21,14 @@ import java.util.Collection;
* @date 2024/1/22
*/
public class OptionsVerifyCheckerTest {
- Collection lists = new ArrayList(){
- {
- add("src/test/files/options/OptionsVerifyOneRule.java");
- add("src/test/files/options/OptionsVerifyTwoRule.java");
- }
- };
+
@Test
void detected() {
CheckVerifier.newVerifier()
- .onFiles(lists)
+ .onFiles("src/test/files/options/OptionsVerifyOneRule.java")
.withCheck(new OptionsVerifyChecker())
.withClassPath(FilesUtils.getClassPath("target/test-jars"))
- .verifyIssueOnProject("应设置X-Frame-Options的值为deny");
+ .verifyIssues();
}
}
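Review bot: `onFiles` now lists only OptionsVerifyOneRule.java, so the `// Noncompliant` marker added to OptionsVerifyTwoRule.java in this commit is never verified and that fixture is dead; the likely reason is that OptionsVerifyOneRule.java now also declares a `public class OptionsVerifyTwoRule`, a duplicate of the other file's class. Either pass both paths, `.onFiles("src/test/files/options/OptionsVerifyOneRule.java", "src/test/files/options/OptionsVerifyTwoRule.java")`, or delete OptionsVerifyTwoRule.java together with the duplicated class, but do not leave an unverified fixture. Replacing the removed raw-typed, double-brace `Collection lists` initializer is an improvement on its own.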
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagJavaCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagJavaCheckerTest.java
new file mode 100644
index 0000000..f28414f
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagJavaCheckerTest.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ * Java用户输入口令时应对口令域进行掩饰,用户输入的每一个字符都应该以星号形式回显
+ *
+ * @author RenFengJiang
+ * @date 2024/7/3
+ */
+public class PasswordInputTagJavaCheckerTest {
+ @Test
+ public void test(){
+ CheckVerifier.newVerifier()
+ .onFile("src/test/files/PasswordInputTagJavaChecker.java")
+ .withCheck(new PasswordInputTagJavaChecker())
+ .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+ .verifyIssues();
+ }
+}