From e6fb96d32c0e439a2b61944af379dc9cac35090a Mon Sep 17 00:00:00 2001
From: wuhaoyang <2507865306@qq.com>
Date: Fri, 19 Jan 2024 10:24:52 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99:=E6=8F=90?=
 =?UTF-8?q?=E4=BE=9B=E7=89=B9=E5=AE=9A=E5=AD=97=E6=AE=B5=E6=A3=80=E6=B5=8B?=
 =?UTF-8?q?=E6=98=AF=E5=90=A6=E4=BD=BF=E7=94=A8VirtualLock()=E5=87=BD?=
 =?UTF-8?q?=E6=95=B0=E9=94=81=E5=AE=9A=E5=AD=98=E6=94=BE=E6=95=8F=E6=84=9F?=
 =?UTF-8?q?=E4=BF=A1=E6=81=AF=E7=9A=84=E5=86=85=E5=AD=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../checkers/EncryptionAlgorithmChecker.java | 5 +-
 .../checkers/VirtualLockUsageChecker.java | 88 +++++++++++++++++++
 .../checkers/VirtualLockUsageCheckerTest.java | 35 ++++++++
 .../rules/checkers/VirtualLockUsageChecker.cc | 32 +++++++
 4 files changed, 157 insertions(+), 3 deletions(-)
 create mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java
 create mode 100644 sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java
 create mode 100644 sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc
diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/EncryptionAlgorithmChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/EncryptionAlgorithmChecker.java
index 45664aa..5c69301 100644
--- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/EncryptionAlgorithmChecker.java
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/EncryptionAlgorithmChecker.java
@@ -59,14 +59,13 @@ public class EncryptionAlgorithmChecker extends SquidCheck {
                     return name != null && name.contains("password");
                 })){
                     cache.remove(varName);
-                    break;
                 }
             }
             next = next.getNextSibling();
         }
         cache.values().forEach(item->{
-            System.out.println("特定字段"+item.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue()+"未使用VirtualLock()函数锁定存放敏感信息的内存");
-            getContext().createLineViolation(this, "特定字段未使用VirtualLock()函数锁定存放敏感信息的内存", item);
+            System.out.println("特定字段"+item.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue()+"未使用单向加密算法对口令进行加密并存储");
+            getContext().createLineViolation(this, "单向加密算法对口令进行加密并存储", item);
         });
     }
 }
diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java
new file mode 100644
index 0000000..ac70a77
--- /dev/null
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.java
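Review bot: The new message passed to `createLineViolation`, `"单向加密算法对口令进行加密并存储"`, reads as the rule's title rather than a finding: unlike the `System.out.println` right above it, it has dropped `未使用`, so the issue SonarQube shows no longer says the field fails to use a one-way hash; it should be `"特定字段未使用单向加密算法对口令进行加密并存储"`. The `System.out.println` line is debug output and should be removed or routed through the Sonar logger, since a checker that writes to stdout on every finding pollutes scanner output. Removing the `break` after `cache.remove(varName)` keeps the sibling walk going after a match; the result is unchanged, but the loop no longer stops early, and the enclosing method starts before this hunk so its bound cannot be confirmed here.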
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:C++ 信息安全性设计准则
+ * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.cxx.rules.checkers;
+
+
+import com.sonar.cxx.sslr.api.AstNode;
+import com.sonar.cxx.sslr.api.Grammar;
+import org.sonar.check.Priority;
+import org.sonar.check.Rule;
+import org.sonar.cxx.parser.CxxGrammarImpl;
+import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault;
+import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation;
+import org.sonar.cxx.squidbridge.checks.SquidCheck;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * 使用VirtualLock()函数锁定存放敏感信息的内存
+ *
+ * @author WuHaoYang
+ * @date 2024/1/6
+ */
+
+@Rule(key = "VirtualLockUsageChecker", name = "使用VirtualLock()函数锁定存放敏感信息的内存", description = "使用VirtualLock()函数锁定存放敏感信息的内存", priority = Priority.INFO, tags = {"28suo"})
+@ActivatedByDefault
+@SqaleConstantRemediation("5min")
+public class VirtualLockUsageChecker extends SquidCheck {
+
+    private List keywords = Arrays.asList("add", "keyword2", "keyword3");
+    private Map> caches = new HashMap<>();
+
+    @Override
+    public void init() {
+        subscribeTo(CxxGrammarImpl.declarationStatement);
+    }
+
+    @Override
+    public void visitNode(AstNode astNode) {
+        String varName = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue();
+
+        for (String keyword : keywords) {
+            if (varName.contains(keyword) && (!caches.containsKey(keyword) || !caches.get(keyword).containsKey(varName))) {
+                caches.putIfAbsent(keyword, new HashMap<>());
+                caches.get(keyword).put(varName, astNode);
+                processNode(astNode, keyword);
+            }
+        }
+    }
+
+    private void processNode(AstNode astNode, String keyword) {
+        String varName = astNode.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue();
+
+        AstNode currentNode = astNode.getNextAstNode();
+        while (currentNode != null) {
+            AstNode callNode = currentNode.getFirstDescendant(CxxGrammarImpl.postfixExpression);
+            if (callNode != null && callNode.getTokenOriginalValue().equalsIgnoreCase("VirtualLock")) {
+                List paramList = callNode.getDescendants(CxxGrammarImpl.expressionList);
+                if (paramList.stream().anyMatch(item -> item.getTokenOriginalValue().contains(keyword))) {
+                    caches.get(keyword).remove(varName);
+                    break;
+                }
+            }
+            currentNode = currentNode.getNextSibling();
+        }
+    }
+
+    @Override
+    public void leaveFile(AstNode astNode) {
+        reportViolations();
+    }
+
+    private void reportViolations() {
+        caches.values().forEach(cache ->
+            cache.values().forEach(item -> {
+                System.out.println("特定字段"+item.getFirstDescendant(CxxGrammarImpl.declaratorId).getTokenOriginalValue()+"未使用VirtualLock()函数锁定存放敏感信息的内存");
+                getContext().createLineViolation(this, "特定字段未使用VirtualLock()函数锁定存放敏感信息的内存", item);
+            })
+        );
+        caches.clear();
+    }
+}
diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java
new file mode 100644
index 0000000..7dc67ba
--- /dev/null
+++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageCheckerTest.java
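Review bot: The `keywords` list `Arrays.asList("add", "keyword2", "keyword3")` looks like a placeholder that was never filled in: `add` is a substring of `address`, `padding`, `addItem` and so on, so `varName.contains(keyword)` in visitNode will flag ordinary variables, while nothing that actually names sensitive data (`password`, which EncryptionAlgorithmChecker already matches on, `key`, `secret`, `token`) is covered at all — I would make this a rule property, `@RuleProperty(key = "sensitiveFieldKeywords", defaultValue = "password,passwd,secret,key,token")`, and match case-insensitively. The same substring test is reused in processNode to decide that a `VirtualLock` call protects the variable (`item.getTokenOriginalValue().contains(keyword)` on the first token of each expression list), so locking any buffer whose name happens to contain the keyword clears the finding, and because `caches.get(keyword)` is keyed by variable name for the whole file, a second declaration with the same name in another function is skipped by the `containsKey(varName)` guard and never examined; key the cache by the declaration `AstNode` and compare the locked argument against the exact declarator name instead. `astNode.getFirstDescendant(CxxGrammarImpl.declaratorId)` appears to return null for a declarationStatement with no declarator (a using-directive, for instance), in which case `.getTokenOriginalValue()` throws — guard it with `if (id == null) return;` before deriving varName in both visitNode and processNode. The `System.out.println` in reportViolations duplicates the violation on stdout and should be dropped.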
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:C++ 信息安全性设计准则
+ * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.cxx.rules.checkers;
+
+import com.keyware.sonar.cxx.CxxFileTesterHelper;
+import org.junit.jupiter.api.Test;
+import org.sonar.cxx.CxxAstScanner;
+import org.sonar.cxx.squidbridge.api.SourceFile;
+import org.sonar.cxx.squidbridge.checks.CheckMessagesVerifier;
+
+import java.io.IOException;
+
+/**
+ * TODO VirtualLockUsageCheckerTest
+ *
+ * @author WuHaoYang
+ * @date 2024/1/15
+ */
+public class VirtualLockUsageCheckerTest {
+
+
+    @Test
+    public void checkTest() throws IOException {
+        var checker = new VirtualLockUsageChecker();
+        var tester = CxxFileTesterHelper.create("VirtualLockUsageChecker.cc");
+        SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
+        CheckMessagesVerifier.verify(file.getCheckMessages())
+            .next().atLine(8).withMessage("特定字段未使用VirtualLock()函数锁定存放敏感信息的内存")
+            .noMore();
+    }
+}
diff --git a/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc
new file mode 100644
index 0000000..d8f7fc0
--- /dev/null
+++ b/sonar-keyware-plugins-cxx/src/test/resources/com/keyware/sonar/cxx/rules/checkers/VirtualLockUsageChecker.cc
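Review bot: `checkTest` only asserts the positive case — one message at line 8 for `string add` — and never exercises the branch in the checker that clears a finding once a `VirtualLock` call is seen, because every VirtualLock line in VirtualLockUsageChecker.cc is commented out; the rule would pass this test even if its suppression logic were broken. Add a second fixture (or a second declaration in this one) in which the flagged variable is passed to `VirtualLock(...)` and assert that it yields no message, so that the `.noMore()` actually proves something about the locked path. The Javadoc `TODO VirtualLockUsageCheckerTest` is a leftover; replace it with a one-line statement of what is covered, such as `Verifies that a sensitive-field declaration with no later VirtualLock() call is reported on its line`.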
@@ -0,0 +1,32 @@
+#include
+#include
+#include
+using namespace std;
+
+int main() {
+
+    string add = "北京市"; //error
+
+//    string keyword2 = "北京市"; //error
+//
+//    string keyword3 = "北京市"; //error
+
+    // 利用vector管理内存
+//    vector addressBuffer(add.begin(), add.end());
+//
+//    addressBuffer.push_back('\0');
+//
+//    BOOL bResult = VirtualLock(addressBuffer.data(), addressBuffer.size());
+//    if (bResult == FALSE) {
+//        return 1;
+//    }
+//
+//
+//    // 解除锁定
+//    bResult = VirtualUnlock(addressBuffer.data(), addressBuffer.size());
+//    if (bResult == FALSE) {
+//        return 1;
+//    }
+//
+//    return 0;
+}
\ No newline at end of file