From e76715936e2edc940c3a13b017b3033954d58bca Mon Sep 17 00:00:00 2001 From: wuhaoyang <2507865306@qq.com> Date: Thu, 1 Feb 2024 17:40:19 +0800 Subject: [PATCH] =?UTF-8?q?=E6=AD=A6=E6=B5=A9=E9=98=B3=20=E5=B7=A5?= =?UTF-8?q?=E4=BD=9C=E6=9A=82=E5=AD=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../pom.xml | 268 +++++++++++++++++ .../Configuration}/ConfigFileSquidSensor.java | 11 +- .../ConfigurationFileLanguage.java | 2 +- ...onfigurationSecurityDesignRulesPlugin.java | 37 +++ ...ConfigurationSecurityDesignWayProfile.java | 29 ++ .../sonar/Configuration/package-info.java | 10 +- ...gurationSecurityDesignRulesRepository.java | 55 ++++ .../rules/checkers/ConfigCheck.java | 23 ++ .../checkers/ConfigurationFileChecker.java | 250 ++++++++++++++++ .../rules/checkers/SessionDateChecker.java | 96 ++++++ .../Configuration/rules/package-info.java | 13 + .../src/main/resources/license-header.txt | 4 + .../rules/java/ConfigurationFileChecker.html | 9 + .../rules/java/ConfigurationFileChecker.json | 13 + .../java/rules/java/SessionDateChecker.html | 16 + .../java/rules/java/SessionDateChecker.json | 13 + .../configFile/ConfigurationFileChecker.conf | 2 + .../configFile/ConfigurationFileChecker.ini | 3 + .../configFile/ConfigurationFileChecker.json | 5 + .../ConfigurationFileChecker.properties | 2 + .../configFile/ConfigurationFileChecker.xml | 7 + .../configFile/ConfigurationFileChecker.yml | 3 + .../files/sessionDates/application.properties | 9 + .../test/files/sessionDates/application.yml | 4 + ...gurationSecurityDesignRulesPluginTest.java | 70 +++++ ...tionSecurityDesignRulesRepositoryTest.java | 34 +++ .../keyware/sonar/java/utils/FilesUtils.java | 75 +++++ .../java/utils/HtmlCheckMessagesVerifier.java | 113 +++++++ .../utils/HtmlCheckMessagesVerifierRule.java | 43 +++ .../sonar/java/utils/HtmlTestHelper.java | 66 +++++ sonar-keyware-plugins-cxx/pom.xml | 4 +- .../sonar/cxx/ConfigurationFileLanguage.java | 30 -- .../java/com/keyware/sonar/cxx/CxxPlugin.java | 11 +- .../keyware/sonar/cxx/CxxSonarWayProfile.java | 11 +- .../com/keyware/sonar/cxx/CxxSquidSensor.java | 6 +- .../com/keyware/sonar/cxx/FlagLineSensor.java | 47 +++ .../com/keyware/sonar/cxx/LogLanguage.java | 37 ++- .../keyware/sonar/cxx/LogRuleRepository.java | 31 ++ .../rules/SecurityDesignRuleRepository.java | 18 +- .../cxx/rules/SecurityDesignWayProfile.java | 32 +- .../checkers/ConfigurationFileChecker.java | 265 ----------------- .../cxx/rules/checkers/FlagLineRule.java | 16 + .../cxx/rules/checkers/SqlVarNameChecker.java | 78 +++++ .../sonar/cxx/CxxRuleRepositoryTest.java | 6 +- .../ConfigurationFileCheckerTest.java | 72 ----- .../java/JavaSecurityDesignRulesPlugin.java | 14 +- .../java/JavaSecurityDesignWayProfile.java | 8 +- .../JavaSecurityDesignRulesRepository.java | 10 +- .../checkers/ConfigurationFileChecker.java | 276 ------------------ .../JavaSecurityDesignRulesPluginTest.java | 9 +- 50 files changed, 1562 insertions(+), 704 deletions(-) create mode 100644 sonar-keyware-plugins-ConfigurationDetection/pom.xml rename {sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java => sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration}/ConfigFileSquidSensor.java (83%) rename {sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java => sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration}/ConfigurationFileLanguage.java (98%) create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignRulesPlugin.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignWayProfile.java rename sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java => sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/package-info.java (77%) create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/ConfigurationSecurityDesignRulesRepository.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigCheck.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigurationFileChecker.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/package-info.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/resources/license-header.txt create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.conf create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.ini create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.json create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.properties create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.xml create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.yml create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.properties create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.yml create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/ConfigurationSecurityDesignRulesPluginTest.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/rules/ConfigurationSecurityDesignRulesRepositoryTest.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/FilesUtils.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifier.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifierRule.java create mode 100644 sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlTestHelper.java delete mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/ConfigurationFileLanguage.java create mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/FlagLineSensor.java create mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogRuleRepository.java delete mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileChecker.java create mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FlagLineRule.java create mode 100644 sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SqlVarNameChecker.java delete mode 100644 sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileCheckerTest.java delete mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java diff --git a/sonar-keyware-plugins-ConfigurationDetection/pom.xml b/sonar-keyware-plugins-ConfigurationDetection/pom.xml new file mode 100644 index 0000000..733a482 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/pom.xml @@ -0,0 +1,268 @@ + + + 4.0.0 + + + com.keyware.sonar + sonar-keyware + 1.0 + + + 配置文件信息安全性设计准则 + sonar-keyware-plugins-configurationDetection + sonar-plugin + 1.0 + 用于检查配置文件信息的安全性设计准则的Sonarqube插件 + + + src/main/java,src/main/resources + + + + + + + org.sonarsource.api.plugin + sonar-plugin-api + 9.9.0.229 + provided + + + + org.slf4j + slf4j-api + provided + + + + org.sonarsource.html + sonar-html-plugin + ${sonar.html.version} + + compile + + + + org.sonarsource.analyzer-commons + sonar-analyzer-commons + + + org.apache.logging.log4j + log4j-slf4j-impl + test + + + + org.apache.logging.log4j + log4j-core + test + + + + + org.assertj + assertj-core + test + + + org.junit.jupiter + junit-jupiter + test + + + org.junit.jupiter + junit-jupiter-api + test + + + org.junit.jupiter + junit-jupiter-engine + test + + + org.junit.jupiter + junit-jupiter-migrationsupport + test + + + org.sonarsource.sonarqube + sonar-plugin-api-impl + test + + + com.fasterxml.jackson.core + jackson-databind + 2.16.0 + compile + + + org.yaml + snakeyaml + 1.28 + compile + + + + com.fasterxml.jackson.core + jackson-core + 2.12.3 + + + xerces + xercesImpl + 2.12.2 + compile + + + + com.fasterxml.jackson.dataformat + jackson-dataformat-yaml + 2.16.1 + + + + + + + + org.sonarsource.sonar-packaging-maven-plugin + sonar-packaging-maven-plugin + true + + keywareConfigurationDetectionPlugin + 配置文件信息设计准则 + com.keyware.sonar.Configuration.ConfigurationSecurityDesignRulesPlugin + true + true + 8.9 + 11 + + + + + org.apache.maven.plugins + maven-shade-plugin + + + + + package + + shade + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + 11 + 11 + + + + + org.jacoco + jacoco-maven-plugin + ${version.jacoco.plugin} + + + prepare-agent + + prepare-agent + + + + report + + report + + + + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + copy + test-compile + + copy + + + + + org.slf4j + slf4j-api + 1.7.30 + jar + + + org.apache.commons + commons-collections4 + 4.0 + jar + + + javax + javaee-api + 6.0 + jar + + + org.springframework + spring-webmvc + 4.3.3.RELEASE + jar + + + org.springframework + spring-web + 4.3.3.RELEASE + jar + + + org.springframework + spring-context + 4.3.3.RELEASE + jar + + + junit + junit + 4.13.2 + jar + + + ${project.build.directory}/test-jars + + + + + + com.mycila + license-maven-plugin + +
${project.basedir}/src/main/resources/license-header.txt
+ + + **/*.properties + *.sh + *.yml + .editorconfig + .gitignore + **/*.md + **/*.xml + + + + + + \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigFileSquidSensor.java similarity index 83% rename from sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java rename to sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigFileSquidSensor.java index 0881079..d2bf2c2 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigFileSquidSensor.java +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigFileSquidSensor.java @@ -4,11 +4,11 @@ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ -package com.keyware.sonar.java; +package com.keyware.sonar.Configuration; -import com.keyware.sonar.java.rules.checkers.ConfigCheck; -import com.keyware.sonar.java.rules.checkers.ConfigurationFileChecker; -import com.keyware.sonar.java.rules.checkers.SessionDateChecker; +import com.keyware.sonar.Configuration.rules.checkers.SessionDateChecker; +import com.keyware.sonar.Configuration.rules.checkers.ConfigCheck; +import com.keyware.sonar.Configuration.rules.checkers.ConfigurationFileChecker; import org.sonar.api.batch.fs.FilePredicates; import org.sonar.api.batch.fs.InputFile; import org.sonar.api.batch.rule.CheckFactory; @@ -44,8 +44,7 @@ public class ConfigFileSquidSensor implements Sensor { check.execute(context, inputFile, checks.ruleKey(check)); }); } - - checks.all().forEach(check->check.endOfCheck(context, checks.ruleKey(check))); + checks.all().forEach(check -> check.endOfCheck(context, checks.ruleKey(check))); } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationFileLanguage.java similarity index 98% rename from sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java rename to sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationFileLanguage.java index 609a3e4..751d558 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/ConfigurationFileLanguage.java +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationFileLanguage.java @@ -4,7 +4,7 @@ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ -package com.keyware.sonar.java; +package com.keyware.sonar.Configuration; import org.sonar.api.config.Configuration; import org.sonar.api.config.PropertyDefinition; diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignRulesPlugin.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignRulesPlugin.java new file mode 100644 index 0000000..b634b3f --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignRulesPlugin.java @@ -0,0 +1,37 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.Configuration; + +import com.keyware.sonar.Configuration.rules.ConfigurationSecurityDesignRulesRepository; +import org.sonar.api.Plugin; + +/** + * 安全性设计准则插件 + * + * @author GuoXin + * @date 2024/1/6 + */ +public class ConfigurationSecurityDesignRulesPlugin implements Plugin { + @Override + public void define(Context context) { + // 服务器扩展 - >对象在服务器启动期间实例化 + context.addExtension(ConfigurationSecurityDesignRulesRepository.class); + + // 服务器扩展 - >对象在服务器启动期间实例化 + context.addExtension(ConfigurationSecurityDesignWayProfile.class); + + + context.addExtension(ConfigurationFileLanguage.class); + + + context.addExtension(ConfigFileSquidSensor.class); + + + context.addExtensions(ConfigurationFileLanguage.getProperties()); + + } +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignWayProfile.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignWayProfile.java new file mode 100644 index 0000000..532b8b3 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/ConfigurationSecurityDesignWayProfile.java @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.Configuration; + +import org.sonar.api.server.profile.BuiltInQualityProfilesDefinition; +import org.sonarsource.api.sonarlint.SonarLintSide; + +/** + * 定义配置信息安全性质量配置 + * + * @author GuoXin + * @date 2024/1/11 + */ +@SonarLintSide +public class ConfigurationSecurityDesignWayProfile implements BuiltInQualityProfilesDefinition { + + @Override + public void define(Context context) { + + var cfgWay = context.createBuiltInQualityProfile("配置信息安全性设计规则", ConfigurationFileLanguage.KEY); + cfgWay.activateRule("config", "ConfigurationFileChecker"); + cfgWay.activateRule("config", "SessionDateChecker"); + cfgWay.done(); + } +} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/package-info.java similarity index 77% rename from sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java rename to sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/package-info.java index 7b970e0..1f992d4 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleProperties.java +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/package-info.java @@ -4,14 +4,10 @@ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ -package com.keyware.sonar.cxx.rules; - /** - * C++ 安全设计准则检查规则属性 + * TODO package-info * * @author GuoXin - * @date 2024/1/18 + * @date 2024/1/12 */ -public class SecurityDesignRuleProperties { - -} +package com.keyware.sonar.Configuration; \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/ConfigurationSecurityDesignRulesRepository.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/ConfigurationSecurityDesignRulesRepository.java new file mode 100644 index 0000000..86783fa --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/ConfigurationSecurityDesignRulesRepository.java @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.Configuration.rules; + +import com.keyware.sonar.Configuration.rules.checkers.SessionDateChecker; +import com.keyware.sonar.Configuration.rules.checkers.ConfigurationFileChecker; +import org.sonar.api.SonarRuntime; +import org.sonar.api.server.rule.RulesDefinition; +import org.sonarsource.analyzer.commons.RuleMetadataLoader; + +import java.util.*; + +/** + * 用于定义出现在规则页面中规则的元数据 + * + * @author GuoXin + * @date 2024/1/6 + */ +public class ConfigurationSecurityDesignRulesRepository implements RulesDefinition { + // 不要修改这个值,因为路径在 CheckVerifier 中是硬编码的 + private static final String RESOURCE_BASE_PATH = "org/sonar/l10n/java/rules/java"; + + // 添加需要视为模板规则的规则的规则键 + private static final Set RULE_TEMPLATES_KEY = Collections.emptySet(); + + private final SonarRuntime runtime; + + public ConfigurationSecurityDesignRulesRepository(SonarRuntime runtime) { + this.runtime = runtime; + } + + @Override + public void define(RulesDefinition.Context context) { + RuleMetadataLoader ruleMetadataLoader = new RuleMetadataLoader(RESOURCE_BASE_PATH, runtime); + + + RulesDefinition.NewRepository configRepo = context.createRepository("config", "cfg").setName("config"); + ruleMetadataLoader.addRulesByAnnotatedClass(configRepo, List.of(ConfigurationFileChecker.class, SessionDateChecker.class)); + setTemplates(configRepo); + configRepo.done(); + } + + private static void setTemplates(RulesDefinition.NewRepository repository) { + RULE_TEMPLATES_KEY.stream() + .map(repository::rule) + .filter(Objects::nonNull) + .forEach(rule -> rule.setTemplate(true)); + } + + +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigCheck.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigCheck.java new file mode 100644 index 0000000..a841b2b --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigCheck.java @@ -0,0 +1,23 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.Configuration.rules.checkers; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.rule.RuleKey; + +/** + * ConfigCheck + * + * @author RenFengJiang + * @date 2024/1/23 + */ +public interface ConfigCheck { + default void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){} + default void endOfCheck(SensorContext context, RuleKey ruleKey){} +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigurationFileChecker.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigurationFileChecker.java new file mode 100644 index 0000000..19eff91 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/ConfigurationFileChecker.java @@ -0,0 +1,250 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.Configuration.rules.checkers; + +import com.fasterxml.jackson.core.JsonFactory; +import com.fasterxml.jackson.core.JsonParser; +import com.fasterxml.jackson.core.JsonToken; +import com.fasterxml.jackson.databind.MappingJsonFactory; +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.batch.sensor.issue.NewIssue; +import org.sonar.api.rule.RuleKey; +import org.sonar.check.Rule; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; +import org.yaml.snakeyaml.Yaml; + +import javax.xml.parsers.*; +import java.io.*; +import java.util.Map; +import java.util.Scanner; + + +/** + * 通过用户名口令、数据证书等其他手段对用户身份进行验证。 + * + * @author WuHaoYang + * @date 2024/1/22 + */ +@Rule(key = "ConfigurationFileChecker") +public class ConfigurationFileChecker implements ConfigCheck{ + + + public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){ + //文件名称 + String filename = inputFile.filename(); + System.out.println("[ConfigurationFileChecker]>>>>>" + filename); + + //校验文件后缀 + if (filename.endsWith(".properties")) { + try { + File file = new File(inputFile.absolutePath()); + try (Scanner scanner = new Scanner(file)) { + int lineNum = 1; + while (scanner.hasNextLine()) { + String line = scanner.nextLine(); + + String[] keyValue = line.split("="); // 分割行的内容 + + // 检查键是否为 "password" 且其对应的值不为空 + if (keyValue.length == 2 && keyValue[0].trim().equals("password") + && !keyValue[1].trim().isEmpty()) { + NewIssue newIssue = context.newIssue(); + newIssue.forRule(ruleKey) + .at(newIssue.newLocation() + .on(inputFile) + .at(inputFile.selectLine(lineNum))) + .save(); + } + lineNum++; + } + } + } catch (FileNotFoundException e) { + System.out.println("文件未找到: " + e.getMessage()); + } + } + + if (filename.endsWith(".ini")) { + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + + try (BufferedReader br = new BufferedReader(new FileReader(file1))) { + String line; + int lineNum = 1; + while ((line = br.readLine()) != null) { + if (line.trim().startsWith("password")) { + NewIssue newIssue = context.newIssue(); + newIssue.forRule(ruleKey) + .at(newIssue.newLocation() + .on(inputFile) + .at(inputFile.selectLine(lineNum))) + .save(); + break; + } + lineNum++; + } + } catch (IOException e) { + e.printStackTrace(); + } + } + + if (filename.endsWith(".conf")) { + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + + int lineNum = 0; // 初始化行数 + + try { + BufferedReader br = new BufferedReader(new FileReader(file1)); + String line; + + while ((line = br.readLine()) != null) { + lineNum++; // 递增行数 + + String[] keyValue = line.split("="); // 分割行的内容 + + // 进行基本有效性检查 && keyValue[0]可能包含前导空格, keyValue[1]可能包含尾随空格 + if (keyValue.length == 2 && keyValue[0].trim().equals("password")) { + + // 如果键是 "password", 输出其值 + NewIssue newIssue = context.newIssue(); + newIssue + .forRule(ruleKey) + .at(newIssue.newLocation() + .on(inputFile) + .at(inputFile.selectLine(lineNum))) + .save(); + } + } + br.close(); + } catch(FileNotFoundException ex) { + ex.printStackTrace(); + } catch(IOException ex) { + ex.printStackTrace(); + } + } + + if (filename.endsWith(".xml") && !filename.equals("pom.xml")){ + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + + File absoluteFile = file1.getAbsoluteFile(); + + File xmlFile = absoluteFile; + + processXML(xmlFile); + } + + if (filename.endsWith(".json")) { + try { + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + + JsonFactory f = new MappingJsonFactory(); + JsonParser jp = f.createParser(file1); + JsonToken current; + + current = jp.nextToken(); + if (current != JsonToken.START_OBJECT) { + return; + } + + while (jp.nextToken() != JsonToken.END_OBJECT) { + String fieldName = jp.getCurrentName(); + current = jp.nextToken(); + + if ("password".equals(fieldName)) { + + int lineNum = jp.getCurrentLocation().getLineNr(); + + String passwordValue = jp.getText(); + + NewIssue newIssue = context.newIssue(); + newIssue + .forRule(ruleKey) + .at(newIssue.newLocation() + .on(inputFile) + .at(inputFile.selectLine(lineNum))) + .save(); + break; + } + } + } catch (IOException e) { + e.printStackTrace(); + } + } + + if (filename.endsWith(".yml")){ + + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + + Yaml yaml = new Yaml(); + try (FileInputStream fis = new FileInputStream(file1)) { + Map obj = yaml.load(fis); + if (obj != null) { + String password = searchPassword(obj, 1); + if (password != null) { + } + } + } catch (IOException e) { + e.printStackTrace(); + } + } + + } + + private static String searchPassword(Map map, int lineNum) { + for (String key : map.keySet()) { + if ("password".equals(key) && map.get(key) instanceof String) { + return (String) map.get(key); + } else if (map.get(key) instanceof Map) { + lineNum++; + String password = searchPassword((Map) map.get(key), lineNum); + if (password != null) { + return password; + } + } + } + return null; + } + + public static int getLineNumber(Node node) { + Document document = node.getOwnerDocument(); + document.getDocumentElement().normalize(); + String xmlContent = document.getDocumentElement().getTextContent(); + String[] lines = xmlContent.split("\n"); + for(int i = 0; i < lines.length; i++) { + if(lines[i].contains(node.getTextContent())) { + return i+2; + } + } + return -1; + } + + public static void processXML(File xmlFile) { + try { + DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(); + DocumentBuilder dBuilder = dbFactory.newDocumentBuilder(); + Document doc = dBuilder.parse(xmlFile); + doc.getDocumentElement().normalize(); + NodeList nList = doc.getElementsByTagName("password"); + for (int i = 0; i < nList.getLength(); i++) { + Node nNode = nList.item(i); + if (nNode.getNodeType() == Node.ELEMENT_NODE) { + Element eElement = (Element) nNode; + int lineNumber = getLineNumber(nNode); + } + } + } catch (Exception e) { + e.printStackTrace(); + } + } +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java new file mode 100644 index 0000000..dcb293e --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/checkers/SessionDateChecker.java @@ -0,0 +1,96 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.Configuration.rules.checkers; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.rule.RuleKey; +import org.sonar.check.Rule; +import org.yaml.snakeyaml.Yaml; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.util.Map; +import java.util.Scanner; + +/** + * 设置会话过期的日期 + * + * @author RenFengJiang + * @date 2024/1/22 + */ +@Rule(key = "SessionDateChecker") +public class SessionDateChecker implements ConfigCheck { + + private boolean boo = true; + public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){ + if(boo){ + //文件名称 + String filename = inputFile.filename(); + //校验文件后缀 + if (filename.endsWith(".properties")) { + try { + File file = new File(inputFile.absolutePath()); + try (Scanner scanner = new Scanner(file)) { + while (scanner.hasNextLine()) { + String line = scanner.nextLine(); + if (line.contains("server.servlet.session.timeout")) { + boo = false; + break; + } + } + } + } catch (FileNotFoundException e) { + System.out.println("文件未找到: " + e.getMessage()); + return; // 文件未找到时立即返回 + } + } + if (filename.endsWith(".yml")){ + // 获取当前输入文件的绝对路径 + File file1 = inputFile.file(); + File absoluteFile = file1.getAbsoluteFile(); + // 构建目录路径 + Yaml yaml = new Yaml(); + try (FileInputStream fis = new FileInputStream(file1)) { + Map obj = yaml.load(fis); + if (obj != null){ + String sessionTimeout = searchForSessionTimeout(obj, "server", "servlet", "session", "timeout"); + if (sessionTimeout != null) { + boo = false; + } + } + } catch (IOException e) { + e.printStackTrace(); + } + } + } + } + + private String searchForSessionTimeout(Map map, String... keys) { + Map currentLevel = map; + for (int i = 0; i < keys.length - 1; ++i) { + Object nextLevel = currentLevel.get(keys[i]); + if (nextLevel instanceof Map) { + currentLevel = (Map) nextLevel; + } else { + return null; + } + } + return currentLevel.get(keys[keys.length - 1]).toString(); + } + + @Override + public void endOfCheck(SensorContext context, RuleKey ruleKey) { + if(boo){ + var issue = context.newIssue(); + issue.at(issue.newLocation().on(context.project()).message("设置会话过期的日期")).forRule(ruleKey).save(); + } + } +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/package-info.java b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/package-info.java new file mode 100644 index 0000000..8efafe1 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/java/com/keyware/sonar/Configuration/rules/package-info.java @@ -0,0 +1,13 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +/** + * TODO package-info + * + * @author GuoXin + * @date 2024/1/12 + */ +package com.keyware.sonar.Configuration.rules; \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/license-header.txt b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/license-header.txt new file mode 100644 index 0000000..5f3aead --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/license-header.txt @@ -0,0 +1,4 @@ +Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. +项目名称:信息安全性设计准则检查插件 +项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 +版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html new file mode 100644 index 0000000..7f14d75 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.html @@ -0,0 +1,9 @@ +

禁止在容易受攻击的地方明文存储口令密码

+

禁止在容易受攻击的地方明文存储口令密码,如果需要,考虑存储口令的单向加密散列,以替代明文口令存储。

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json new file mode 100644 index 0000000..cf2fffc --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/ConfigurationFileChecker.json @@ -0,0 +1,13 @@ +{ + "title": "禁止在容易受攻击的地方明文存储口令密码", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "28suo" + ], + "defaultSeverity": "Minor" +} \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html new file mode 100644 index 0000000..d0627b8 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.html @@ -0,0 +1,16 @@ + + +

设置会话过期的日期

+

设置会话过期的日期

+
+
+
+

合规解决方案

+
+
+
\ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json new file mode 100644 index 0000000..f59df08 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/main/resources/org/sonar/l10n/java/rules/java/SessionDateChecker.json @@ -0,0 +1,13 @@ +{ + "title": "设置会话过期的日期", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "28suo" + ], + "defaultSeverity": "Minor" +} \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.conf b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.conf new file mode 100644 index 0000000..66b164a --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.conf @@ -0,0 +1,2 @@ +# 这是一个.conf配置文件 +password = confPassword \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.ini b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.ini new file mode 100644 index 0000000..2361077 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.ini @@ -0,0 +1,3 @@ +[UserCredentials] +username = exampleUser +password = iniPassword \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.json b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.json new file mode 100644 index 0000000..fb056e5 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.json @@ -0,0 +1,5 @@ +{ + "username": "john_doe", + "password": "jsonPassword", + "email": "john.doe@example.com" +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.properties b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.properties new file mode 100644 index 0000000..39585ab --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.properties @@ -0,0 +1,2 @@ +# ConfigurationFileChecker.properties +password=propertiesPassword \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.xml b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.xml new file mode 100644 index 0000000..757e3c6 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.xml @@ -0,0 +1,7 @@ + + + + exampleUser + xmlPassword + + diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.yml b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.yml new file mode 100644 index 0000000..29c8a20 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/configFile/ConfigurationFileChecker.yml @@ -0,0 +1,3 @@ +database: + user: admin + password: ymlPassword \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.properties b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.properties new file mode 100644 index 0000000..b918494 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.properties @@ -0,0 +1,9 @@ +# +# Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. +# 项目名称:信息安全性设计准则检查插件 +# 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 +# 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 +# + +# 设置会话超时时间为30分钟 +server.servlet.session.timeout=30m \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.yml b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.yml new file mode 100644 index 0000000..191582c --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/files/sessionDates/application.yml @@ -0,0 +1,4 @@ +server: + servlet: + session: + timeout: 30m \ No newline at end of file diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/ConfigurationSecurityDesignRulesPluginTest.java b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/ConfigurationSecurityDesignRulesPluginTest.java new file mode 100644 index 0000000..cabb1b3 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/ConfigurationSecurityDesignRulesPluginTest.java @@ -0,0 +1,70 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java; + +import com.keyware.sonar.Configuration.ConfigurationSecurityDesignRulesPlugin; +import org.junit.jupiter.api.Test; +import org.sonar.api.*; +import org.sonar.api.config.PropertyDefinition; +import org.sonar.api.utils.Version; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * TODO JavaSecurityDesignRulesPluginTest + * + * @author GuoXin + * @date 2024/1/6 + */ +public class ConfigurationSecurityDesignRulesPluginTest { + @Test + void testName() { + Plugin.Context context = new Plugin.Context(new MockedSonarRuntime()); + + new ConfigurationSecurityDesignRulesPlugin().define(context); + + assertThat(context.getExtensions()) + .extracting((ext) -> { + var type = ext.getClass().getSimpleName(); + if("Class".equals(type)){ + return ((Class) ext).getSimpleName(); + }else if("PropertyDefinition".equals(type)){ + return ((PropertyDefinition) ext).name(); + } + return ext.getClass().getSimpleName(); + }) + .containsExactlyInAnyOrder( + "ConfigurationSecurityDesignRulesRepository", + "ConfigurationSecurityDesignWayProfile", + "ConfigurationFileLanguage", + "ConfigFileSquidSensor", + "File Suffixes"); + } + + public static class MockedSonarRuntime implements SonarRuntime { + + @Override + public Version getApiVersion() { + return Version.create(9, 9); + } + + @Override + public SonarProduct getProduct() { + return SonarProduct.SONARQUBE; + } + + @Override + public SonarQubeSide getSonarQubeSide() { + return SonarQubeSide.SCANNER; + } + + @Override + public SonarEdition getEdition() { + return SonarEdition.COMMUNITY; + } + } +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/rules/ConfigurationSecurityDesignRulesRepositoryTest.java b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/rules/ConfigurationSecurityDesignRulesRepositoryTest.java new file mode 100644 index 0000000..16f9633 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/rules/ConfigurationSecurityDesignRulesRepositoryTest.java @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules; + +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * TODO JavaSecurityDesignRulesRepositoryTest + * + * @author GuoXin + * @date 2024/1/6 + */ +public class ConfigurationSecurityDesignRulesRepositoryTest { + + @Test + void test() { +// JavaSecurityDesignRulesRepository rulesDefinition = new JavaSecurityDesignRulesRepository(new JavaSecurityDesignRulesRepository.MockedSonarRuntime()); +// RulesDefinition.Context context = new RulesDefinition.Context(); +// rulesDefinition.define(context); +// RulesDefinition.Repository repository = context.repository(JavaSecurityDesignRulesRepository.REPOSITORY_KEY); +// +// assertThat(repository.name()).isEqualTo(JavaSecurityDesignRulesRepository.REPOSITORY_NAME); +// assertThat(repository.language()).isEqualTo("java"); +// assertThat(repository.rules()).hasSize(RulesList.getJavaRules().size()); +// assertThat(repository.rules().stream().filter(RulesDefinition.Rule::template)).isEmpty(); + + } +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/FilesUtils.java b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/FilesUtils.java new file mode 100644 index 0000000..d40c033 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/FilesUtils.java @@ -0,0 +1,75 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.utils; + +import java.io.File; +import java.io.IOException; +import java.nio.file.*; +import java.nio.file.attribute.BasicFileAttributes; +import java.util.ArrayList; +import java.util.LinkedList; +import java.util.List; + +/** + * Duplicates org.sonar.java.checks.verifier.FilesUtils to locate test jars within the custom-rules plugin + */ +public class FilesUtils { + + private FilesUtils() { + } + + /** + * Default location of the jars/zips to be taken into account when performing the analysis. + */ + private static final String DEFAULT_TEST_JARS_DIRECTORY = "target/test-jars"; + + public static List getClassPath(String jarsDirectory) { + List classpath = new LinkedList<>(); + Path testJars = Paths.get(jarsDirectory); + if (testJars.toFile().exists()) { + classpath = getFilesRecursively(testJars, "jar", "zip"); + } else if (!DEFAULT_TEST_JARS_DIRECTORY.equals(jarsDirectory)) { + throw new AssertionError("The directory to be used to extend class path does not exists (" + + testJars.toAbsolutePath() + + ")."); + } + classpath.add(new File("target/test-classes")); + return classpath; + } + + private static List getFilesRecursively(Path root, String... extensions) { + final List files = new ArrayList<>(); + + FileVisitor visitor = new SimpleFileVisitor() { + @Override + public FileVisitResult visitFile(Path filePath, BasicFileAttributes attrs) { + for (String extension : extensions) { + if (filePath.toString().endsWith("." + + extension)) { + files.add(filePath.toFile()); + break; + } + } + return FileVisitResult.CONTINUE; + } + + @Override + public FileVisitResult visitFileFailed(Path file, IOException exc) { + return FileVisitResult.CONTINUE; + } + }; + + try { + Files.walkFileTree(root, visitor); + } catch (IOException e) { + // we already ignore errors in the visitor + } + + return files; + } + +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifier.java b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifier.java new file mode 100644 index 0000000..43178d0 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifier.java @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.java.utils; + +import org.sonar.plugins.html.checks.HtmlIssue; +import org.sonar.plugins.html.checks.PreciseHtmlIssue; + +import javax.annotation.Nullable; +import java.util.*; + +/** + * Html检查消息验证器 + * + * @author GuoXin + * @date 2024/1/20 + */ +public final class HtmlCheckMessagesVerifier { + + public static HtmlCheckMessagesVerifier verify(Collection messages) { + return new HtmlCheckMessagesVerifier(messages); + } + + private final Iterator iterator; + private HtmlIssue current; + + private static final Comparator ORDERING = (left, right) -> { + if (Objects.equals(left.line(), right.line())) { + return left.message().compareTo(right.message()); + } else if (left.line() == null) { + return -1; + } else if (right.line() == null) { + return 1; + } else { + return left.line().compareTo(right.line()); + } + }; + + private HtmlCheckMessagesVerifier(Collection messages) { + ArrayList messagesList = new ArrayList<>(messages); + messagesList.sort(ORDERING); + iterator = messagesList.iterator(); + } + + public HtmlCheckMessagesVerifier next() { + if (!iterator.hasNext()) { + throw new AssertionError("\nExpected violation"); + } + current = iterator.next(); + return this; + } + + public void noMore() { + if (iterator.hasNext()) { + HtmlIssue next = iterator.next(); + throw new AssertionError("\nNo more violations expected\ngot: at line " + next.line()); + } + } + + private void checkStateOfCurrent() { + if (current == null) { + throw new IllegalStateException("Prior to this method you should call next()"); + } + } + + public HtmlCheckMessagesVerifier atLine(@Nullable Integer expectedLine) { + checkStateOfCurrent(); + if (!Objects.equals(expectedLine, current.line())) { + throw new AssertionError("\nExpected: " + expectedLine + "\ngot: " + current.line()); + } + return this; + } + + public HtmlCheckMessagesVerifier atLocation(int startLine, int startColumn, int endLine, int endColumn) { + checkStateOfCurrent(); + PreciseHtmlIssue preciseHtmlIssue = (PreciseHtmlIssue) current; + if (!Objects.equals(startLine, current.line())) { + throw new AssertionError("\nExpected: " + startLine + "\ngot: " + current.line()); + } + if (!Objects.equals(startColumn, preciseHtmlIssue.startColumn())) { + throw new AssertionError("\nExpected: " + startColumn + "\ngot: " + preciseHtmlIssue.startColumn()); + } + if (!Objects.equals(endLine, preciseHtmlIssue.endLine())) { + throw new AssertionError("\nExpected: " + endLine + "\ngot: " + preciseHtmlIssue.endLine()); + } + if (!Objects.equals(endColumn, preciseHtmlIssue.endColumn())) { + throw new AssertionError("\nExpected: " + endColumn + "\ngot: " + preciseHtmlIssue.endColumn()); + } + return this; + } + + public HtmlCheckMessagesVerifier withMessage(String expectedMessage) { + checkStateOfCurrent(); + String actual = current.message(); + if (!actual.equals(expectedMessage)) { + throw new AssertionError("\nExpected: \"" + expectedMessage + "\"\ngot: \"" + actual + "\""); + } + return this; + } + + public HtmlCheckMessagesVerifier withCost(@Nullable Double expectedCost) { + checkStateOfCurrent(); + if (!Objects.equals(expectedCost, current.cost())) { + throw new AssertionError("\nExpected: " + expectedCost + "\ngot: " + current.cost()); + } + return this; + } + +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifierRule.java b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifierRule.java new file mode 100644 index 0000000..08a2215 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlCheckMessagesVerifierRule.java @@ -0,0 +1,43 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.java.utils; + +import org.junit.jupiter.api.extension.AfterEachCallback; +import org.junit.jupiter.api.extension.ExtensionContext; +import org.sonar.plugins.html.checks.HtmlIssue; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +/** + * Html规则校验 + * + * @author GuoXin + * @date 2024/1/20 + */ +public class HtmlCheckMessagesVerifierRule implements AfterEachCallback { + private final List verifiers = new ArrayList<>(); + + public HtmlCheckMessagesVerifier verify(Collection messages) { + HtmlCheckMessagesVerifier verifier = HtmlCheckMessagesVerifier.verify(messages); + verifiers.add(verifier); + return verifier; + } + + protected void verify() { + for (HtmlCheckMessagesVerifier verifier : verifiers) { + verifier.noMore(); + } + } + + @Override + public void afterEach(ExtensionContext extensionContext) throws Exception { + verify(); + } +} diff --git a/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlTestHelper.java b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlTestHelper.java new file mode 100644 index 0000000..4cd5b36 --- /dev/null +++ b/sonar-keyware-plugins-ConfigurationDetection/src/test/java/com/keyware/sonar/java/utils/HtmlTestHelper.java @@ -0,0 +1,66 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:信息安全性设计准则检查插件 + * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ + +package com.keyware.sonar.java.utils; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.fs.internal.TestInputFileBuilder; +import org.sonar.plugins.html.analyzers.ComplexityVisitor; +import org.sonar.plugins.html.analyzers.PageCountLines; +import org.sonar.plugins.html.api.HtmlConstants; +import org.sonar.plugins.html.lex.PageLexer; +import org.sonar.plugins.html.lex.VueLexer; +import org.sonar.plugins.html.visitor.DefaultNodeVisitor; +import org.sonar.plugins.html.visitor.HtmlAstScanner; +import org.sonar.plugins.html.visitor.HtmlSourceCode; + +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.nio.charset.StandardCharsets; +import java.util.List; + +/** + * Html测试工具类 + * + * @author GuoXin + * @date 2024/1/20 + */ +public class HtmlTestHelper { + + private HtmlTestHelper() { + } + + public static HtmlSourceCode scan(File file, DefaultNodeVisitor visitor) { + FileReader fileReader; + try { + fileReader = new FileReader(file); + } catch (FileNotFoundException e) { + throw new IllegalStateException(e); + } + + HtmlSourceCode result = new HtmlSourceCode( + new TestInputFileBuilder("key", file.getPath()) + .setLanguage(HtmlConstants.LANGUAGE_KEY) + .setType(InputFile.Type.MAIN) + .setModuleBaseDir(new File(".").toPath()) + .setCharset(StandardCharsets.UTF_8) + .build() + ); + + HtmlAstScanner walker = new HtmlAstScanner(List.of(new PageCountLines(), new ComplexityVisitor())); + PageLexer lexer = file.getName().endsWith(".vue") ? new VueLexer() : new PageLexer(); + walker.addVisitor(visitor); + walker.scan( + lexer.parse(fileReader), + result + ); + + return result; + } + +} diff --git a/sonar-keyware-plugins-cxx/pom.xml b/sonar-keyware-plugins-cxx/pom.xml index 2dc831e..0733c98 100644 --- a/sonar-keyware-plugins-cxx/pom.xml +++ b/sonar-keyware-plugins-cxx/pom.xml @@ -17,8 +17,8 @@ --> - C++ 信息安全性设计准则 - sonar-keyware-plugins-cxx + 28所 C++ 信息安全性设计准则 + sonar-keyware-plugins-cxx-28suo 1.0 sonar-plugin 用于检查C++源代码的安全性设计准则的Sonarqube插件 diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/ConfigurationFileLanguage.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/ConfigurationFileLanguage.java deleted file mode 100644 index 87e8107..0000000 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/ConfigurationFileLanguage.java +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 - * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 - * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 - */ - - -package com.keyware.sonar.cxx; - -import org.sonar.api.resources.AbstractLanguage; - -import java.lang.module.Configuration; - -public final class ConfigurationFileLanguage extends AbstractLanguage { - - public static final String NAME = "Configuration"; - public static final String KEY = "cfg"; - private final Configuration config; - - public ConfigurationFileLanguage (Configuration config) { - super(KEY, NAME); - this.config = config; - } - - @Override - public String[] getFileSuffixes() { - return new String[] {".yml", ".properties", ".ini",".conf" ,".xml" ,".json"}; - } -} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxPlugin.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxPlugin.java index 91d2e69..d549345 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxPlugin.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxPlugin.java @@ -1,6 +1,6 @@ /* * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 + * 项目名称:28所 C++ 信息安全性设计准则 * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ @@ -62,17 +62,21 @@ public final class CxxPlugin implements Plugin { var l = new ArrayList(); // plugin elements + l.add(FlagLineSensor.class); l.add(CxxLanguage.class); + l.add(LogLanguage.class); l.add(CxxSonarWayProfile.class); l.add(SecurityDesignWayProfile.class); l.add(CxxRuleRepository.class); + l.add(LogRuleRepository.class); l.add(SecurityDesignRuleRepository.class); - // reusable elements l.addAll(getSensorsImpl()); // properties elements l.addAll(CxxLanguage.properties()); + l.addAll(LogLanguage.properties()); + l.addAll(CxxSquidSensor.properties()); l.addAll(CxxCppCheckSensor.properties()); l.addAll(CxxValgrindSensor.properties()); @@ -98,8 +102,7 @@ public final class CxxPlugin implements Plugin { static private List getSensorsImpl() { var l = new ArrayList(); - l.add(LogLanguage.class); - l.add(ConfigurationFileLanguage.class); +// l.add(ConfigurationFileLanguage.class); // utility classes l.add(CxxUnitTestResultsAggregator.class); diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSonarWayProfile.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSonarWayProfile.java index e85b9df..9d22587 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSonarWayProfile.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSonarWayProfile.java @@ -1,6 +1,6 @@ /* * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 + * 项目名称:28所 C++ 信息安全性设计准则 * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ @@ -8,7 +8,6 @@ package com.keyware.sonar.cxx; import com.google.common.io.Resources; import com.google.gson.Gson; -import com.keyware.sonar.cxx.rules.SecurityDesignRuleRepository; import org.sonar.api.server.profile.BuiltInQualityProfilesDefinition; import org.sonar.cxx.checks.CheckList; import org.sonarsource.api.sonarlint.SonarLintSide; @@ -45,6 +44,14 @@ public class CxxSonarWayProfile implements BuiltInQualityProfilesDefinition { sonarWay.activateRule(CheckList.REPOSITORY_KEY, key); }); sonarWay.done(); + + + var sonarWay1 = context.createBuiltInQualityProfile("log", LogLanguage.KEY); + Profile jsonProfile1 = readProfile(); + jsonProfile1.ruleKeys.forEach((key) -> { + sonarWay1.activateRule(CheckList.REPOSITORY_KEY, key); + }); + sonarWay1.done(); } static class Profile { diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java index 22649ef..93e7999 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/CxxSquidSensor.java @@ -1,6 +1,6 @@ /* * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 + * 项目名称:28所 C++ 信息安全性设计准则 * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ @@ -287,7 +287,7 @@ public class CxxSquidSensor implements ProjectSensor { public void describe(SensorDescriptor descriptor) { descriptor .name("CXX") - .onlyOnLanguages(CxxLanguage.KEY, LogLanguage.KEY, ConfigurationFileLanguage.KEY) + .onlyOnLanguages(CxxLanguage.KEY, LogLanguage.KEY) .onlyOnFileType(InputFile.Type.MAIN) .onlyWhenConfiguration(conf -> !conf.getBoolean(SQUID_DISABLED_KEY).orElse(false)); } @@ -374,7 +374,7 @@ public class CxxSquidSensor implements ProjectSensor { private Iterable getInputFiles(SensorContext context, CxxSquidConfiguration squidConfig) { Iterable inputFiles = context.fileSystem().inputFiles( context.fileSystem().predicates().and( - context.fileSystem().predicates().hasLanguages(CxxLanguage.KEY, LogLanguage.KEY, ConfigurationFileLanguage.KEY), + context.fileSystem().predicates().hasLanguages(CxxLanguage.KEY, LogLanguage.KEY), context.fileSystem().predicates().hasType(InputFile.Type.MAIN) ) ); diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/FlagLineSensor.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/FlagLineSensor.java new file mode 100644 index 0000000..6e43272 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/FlagLineSensor.java @@ -0,0 +1,47 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:28所 C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx; + +import com.keyware.sonar.cxx.rules.checkers.FlagLineRule; +import com.keyware.sonar.cxx.rules.checkers.SqlVarNameChecker; +import org.sonar.api.batch.fs.FilePredicates; +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.rule.CheckFactory; +import org.sonar.api.batch.rule.Checks; +import org.sonar.api.batch.sensor.Sensor; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.batch.sensor.SensorDescriptor; + +public class FlagLineSensor implements Sensor { + private final Checks checks; + + + public FlagLineSensor(CheckFactory checkFactory) { + checks = checkFactory.create("cxx-security-design-rules"); + checks.addAnnotatedChecks(SqlVarNameChecker.class); + } + + @Override + public void describe(SensorDescriptor descriptor) { + //传感器名称 + descriptor.name("FlagLine1Rule" + "sensor"); + //传感器识别的语言 + descriptor.onlyOnLanguages(CxxLanguage.KEY); + //传感器扫描的规则库 + descriptor.createIssuesForRuleRepository("cxx-security-design-rules"); + } + + @Override + public void execute(SensorContext context) { + FilePredicates p = context.fileSystem().predicates(); + for (InputFile inputFile : context.fileSystem().inputFiles(p.hasLanguages(CxxLanguage.KEY))) { + checks.all().forEach(check -> { + check.execute(context, inputFile, checks.ruleKey(check)); + }); + } + } +} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogLanguage.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogLanguage.java index 135a383..3e457ae 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogLanguage.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogLanguage.java @@ -1,14 +1,19 @@ /* * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 + * 项目名称:28所 C++ 信息安全性设计准则 * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ package com.keyware.sonar.cxx; +import org.sonar.api.config.PropertyDefinition; import org.sonar.api.resources.AbstractLanguage; +import org.sonar.api.resources.Qualifiers; + +import java.util.List; + +import static java.util.Arrays.asList; -import java.lang.module.Configuration; /** * TODO LogLanguage @@ -16,21 +21,35 @@ import java.lang.module.Configuration; * @author RenFengJiang * @date 2024/1/16 */ -public final class LogLanguage extends AbstractLanguage { +public class LogLanguage extends AbstractLanguage { public static final String NAME = "LOG"; public static final String KEY = "log"; - private final Configuration config; + public static final String FILE_SUFFIXES_KEY = "sonar.log.file.suffixes"; - public LogLanguage( Configuration config) { + public static final String DEFAULT_FILE_SUFFIXES = ".log"; + + public LogLanguage() { super(KEY, NAME); - this.config = config; } @Override public String[] getFileSuffixes() { - String[] arr = new String[1]; - arr[0] = ".log"; - return arr; + return new String[] {".log"}; } + + + public static List properties() { + return asList( + PropertyDefinition.builder(FILE_SUFFIXES_KEY) + .multiValues(true) + .defaultValue(DEFAULT_FILE_SUFFIXES) + .category("FileType") + .name("File Suffixes") + .description("List of suffixes for files to analyze.") + .onQualifiers(Qualifiers.PROJECT) + .build() + ); + } + } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogRuleRepository.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogRuleRepository.java new file mode 100644 index 0000000..de9efd4 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/LogRuleRepository.java @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:28所 C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx; + +import org.sonar.api.server.rule.RulesDefinition; + +public class LogRuleRepository implements RulesDefinition { + private static final String REPOSITORY_NAME = "SonarQube"; + + @Override + public void define(Context context) { + // 创建规则仓库 + NewRepository repository = context.createRepository("log", LogLanguage.KEY) + .setName(REPOSITORY_NAME); + + // 创建新规则 + + NewRule errorRecoveryRule = repository.createRule("ParsingErrorRecovery"); + errorRecoveryRule.setName("Parsing Error Recovery"); + + // 为另一个规则设置描述 + errorRecoveryRule.setHtmlDescription("

This rule checks for parsing error recovery issues

"); + + // 完成规则创建 + repository.done(); + } +} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleRepository.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleRepository.java index b2afaa9..6c824ba 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleRepository.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignRuleRepository.java @@ -1,13 +1,14 @@ /* * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 + * 项目名称:28所 C++ 信息安全性设计准则 * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ package com.keyware.sonar.cxx.rules; import com.keyware.sonar.cxx.CxxLanguage; -import com.keyware.sonar.cxx.rules.checkers.ABCVarNameChecker; +import com.keyware.sonar.cxx.LogLanguage; +import com.keyware.sonar.cxx.rules.checkers.*; import org.sonar.api.server.rule.RulesDefinition; import org.sonar.cxx.squidbridge.annotations.AnnotationBasedRulesDefinition; @@ -22,10 +23,16 @@ import java.util.List; */ public class SecurityDesignRuleRepository implements RulesDefinition { public final static String REPOSITORY_KEY = "cxx-security-design-rules"; + public final static String REPOSITORY_log_key = "log-security-design-rules"; public final static String REPOSITORY_NAME = "C++信息安全性设计准则"; // 规则检查器的集合,当有新的规则开发完毕后,需要添加到下面的集合中 - public final static List RULE_CHECKERS = Arrays.asList(ABCVarNameChecker.class); + public final static List RULE_CHECKERS = Arrays.asList(ABCVarNameChecker.class,BufferDataChecker.class, CmdDataVerifyChecker.class, + DLLVerifyChecker.class,EncryptionAlgorithmChecker.class,ErrorMessageChecker.class, + FileAccessChecker.class,FormatFunctionCheck.class,FVNRPassWordChecker.class,FVNRShaChecker.class,HighEncryptDesChecker.class, + HostIdentityVerifyChecker.class,IntegerCountVerifyChecker.class,LogChecker.class,LogFileWriteChecker.class,NumericalCopyChecker.class, + PassWordCountChecker.class,PathVerifyChecker.class,PRNGVerifyChecker.class,ReallocMainChecker.class,SendMessageChecker.class, + SQLVerifyChecker.class,UserInputPasswordChecker.class,ValidatePasswordCheck.class,VerificationPathChecker.class,VirtualLockUsageChecker.class); @Override public void define(Context context) { @@ -33,5 +40,10 @@ public class SecurityDesignRuleRepository implements RulesDefinition { setName(REPOSITORY_NAME); new AnnotationBasedRulesDefinition(repository, CxxLanguage.KEY).addRuleClasses(false, RULE_CHECKERS); repository.done(); + + var repository1 = context.createRepository(REPOSITORY_log_key, LogLanguage.KEY). + setName(REPOSITORY_NAME); + new AnnotationBasedRulesDefinition(repository1, LogLanguage.KEY).addRuleClasses(false, RULE_CHECKERS); + repository1.done(); } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignWayProfile.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignWayProfile.java index df8d7a8..d9994b0 100644 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignWayProfile.java +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/SecurityDesignWayProfile.java @@ -1,12 +1,13 @@ /* * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 + * 项目名称:28所 C++ 信息安全性设计准则 * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ package com.keyware.sonar.cxx.rules; import com.keyware.sonar.cxx.CxxLanguage; +import com.keyware.sonar.cxx.LogLanguage; import org.sonar.api.server.profile.BuiltInQualityProfilesDefinition; import org.sonarsource.api.sonarlint.SonarLintSide; @@ -22,6 +23,35 @@ public class SecurityDesignWayProfile implements BuiltInQualityProfilesDefinitio public void define(Context context) { var way = context.createBuiltInQualityProfile("C++信息安全性设计准则", CxxLanguage.KEY); way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "ABCVarNameChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "BufferDataChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "CmdDataVerifyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "DLLVerifyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "EncryptionAlgorithmChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "ErrorMessageChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "FileAccessChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "FormatFunctionCheck"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "FVNRPassWordChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "FVNRShaChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "HighEncryptDesChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "HostIdentityVerifyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "IntegerCountVerifyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "LogFileWriteChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "NumericalCopyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "PassWordCountChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "PathVerifyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "PRNGVerifyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "ReallocMainChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "SendMessageChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "FlagLine1Rule"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "SQLVerifyChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "UserInputPasswordChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "ValidatePasswordCheck"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "VerificationPathChecker"); + way.activateRule(SecurityDesignRuleRepository.REPOSITORY_KEY, "VirtualLockUsageChecker"); way.done(); + + var way1 = context.createBuiltInQualityProfile("LogLanguage信息安全性设计准则", LogLanguage.KEY); + way1.activateRule(SecurityDesignRuleRepository.REPOSITORY_log_key, "LogChecker"); + way1.done(); } } diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileChecker.java deleted file mode 100644 index 26c420c..0000000 --- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileChecker.java +++ /dev/null @@ -1,265 +0,0 @@ -/* - * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 - * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 - * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 - */ -package com.keyware.sonar.cxx.rules.checkers; - -import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.sonar.cxx.sslr.api.AstNode; -import com.sonar.cxx.sslr.api.Grammar; -import org.sonar.check.Rule; -import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; -import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; -import org.sonar.cxx.squidbridge.checks.SquidCheck; -import org.w3c.dom.Document; -import org.w3c.dom.Element; -import org.w3c.dom.Node; -import org.w3c.dom.NodeList; -import org.yaml.snakeyaml.Yaml; - -import javax.annotation.Nullable; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import java.io.*; -import java.util.Iterator; -import java.util.Map; -import java.util.Properties; -import java.util.Scanner; - -/** - * TODO LogChecker - * - * @author WuHaoYang - * @date 2024/1/19 - */ -@Rule(key = "ConfigurationFileChecker", name = "避免在容易受攻击的地方存储口令", description = "避免在容易受攻击的地方存储口令") -@ActivatedByDefault -@SqaleConstantRemediation("5min") -public class ConfigurationFileChecker extends SquidCheck { - - - @Override - public void visitFile(@Nullable AstNode astNode) { - String filename = getContext().getInputFile().filename(); - - if (filename.endsWith(".properties")) { - try { - File file = new File(getContext().getInputFile().absolutePath()); - try (Scanner scanner = new Scanner(file)) { - while (scanner.hasNextLine()) { - String line = scanner.nextLine(); - if (line.contains("password")) { - System.out.println(line); - getContext().createFileViolation(this, "避免在容易受攻击的地方存储口令"); - break; - } - } - } - } catch (FileNotFoundException e) { - System.out.println("文件未找到: " + e.getMessage()); - } - } - - if (filename.endsWith(".yml")){ - // 获取当前输入文件的绝对路径 - File inputFile = getContext().getInputFile().file(); - String absolutePath = inputFile.getAbsolutePath(); - - // 构建目录路径 - File dir = new File(absolutePath).getParentFile(); - - Yaml yaml = new Yaml(); - for (File file : dir.listFiles()) { - if (file.isFile() && file.getName().endsWith(".yml")) { - try (FileInputStream fis = new FileInputStream(file)) { - Map obj = yaml.load(fis); - if (obj != null){ - String password = searchPassword(obj); - if (password != null) { - System.out.println("password="+password); - getContext().createFileViolation(this, "避免在容易受攻击的地方存储口令"); - } - } - } catch (IOException e) { - e.printStackTrace(); - } - } - } - } - - if (filename.endsWith(".ini")){ - // 获取当前输入文件的绝对路径 - File inputFile = getContext().getInputFile().file(); - String absolutePath = inputFile.getAbsolutePath(); - - // 构建目录路径 - File folder = new File(absolutePath).getParentFile(); - File[] listOfFiles = folder.listFiles(); - - for (File file : listOfFiles) { - if (file.isFile() && file.getName().endsWith(".ini")) { - Properties properties = new Properties(); - - try (FileInputStream fileInput = new FileInputStream(file)) { - properties.load(fileInput); - String password = properties.getProperty("password"); - System.out.println("password=" + password); - getContext().createFileViolation(this, "避免在容易受攻击的地方存储口令"); - } catch (IOException e) { - e.printStackTrace(); - } - } - } - } - - - if (filename.endsWith(".xml")){ - // 获取当前输入文件的绝对路径 - File inputFile = getContext().getInputFile().file(); - String absolutePath = inputFile.getAbsolutePath(); - - // 构建目录路径 - File dir = new File(absolutePath).getParentFile(); - - FilenameFilter filter = new FilenameFilter() { - public boolean accept(File dir, String name) { - return name.endsWith(".xml"); - } - }; - - String[] children = dir.list(filter); - if (children == null) { - System.out.println("目录不存在或不是目录"); - } else { - for (int i = 0; i < children.length; i++) { - String filename1 = children[i]; - File xmlFile = new File(dir, filename1); - processXML(xmlFile); - getContext().createFileViolation(this, "避免在容易受攻击的地方存储口令"); - } - } - } - - - if (filename.endsWith(".json")){ - try { - // 获取当前输入文件的绝对路径 - File inputFile = getContext().getInputFile().file(); - String absolutePath = inputFile.getAbsolutePath(); - - // 构建目录路径 - File folder = new File(absolutePath).getParentFile(); - - File[] listOfFiles = folder.listFiles(); - - if (listOfFiles != null) { - ObjectMapper mapper = new ObjectMapper(); - for (File file : listOfFiles) { - if (file.isFile() && file.getName().endsWith(".json")) { - JsonNode rootNode = mapper.readTree(file); - extractPassword(rootNode); - getContext().createFileViolation(this, "避免在容易受攻击的地方存储口令"); - } - } - } - - } catch (IOException e) { - e.printStackTrace(); - } - } - - - if (filename.endsWith(".conf")){ - // 获取当前输入文件的绝对路径 - File inputFile = getContext().getInputFile().file(); - String absolutePath = inputFile.getAbsolutePath(); - - // 构建目录路径 - File folder = new File(absolutePath).getParentFile(); - - File[] listOfFiles = folder.listFiles((dir, name) -> name.endsWith(".conf")); - - for (File file : listOfFiles) { - if (file.isFile()) { - Properties prop = new Properties(); - InputStream input = null; - - try { - input = new FileInputStream(file); - prop.load(input); - - if (prop.containsKey("password")) { - System.out.println("password="+ prop.getProperty("password")); - getContext().createFileViolation(this, "避免在容易受攻击的地方存储口令"); - } - - } catch (IOException ex) { - ex.printStackTrace(); - } finally { - if (input != null) { - try { - input.close(); - } catch (IOException e) { - e.printStackTrace(); - } - } - } - } - } - } - } - - - - public static void extractPassword(JsonNode node) { - Iterator fieldNames = node.fieldNames(); - while (fieldNames.hasNext()) { - String fieldName = fieldNames.next(); - if (fieldName.equals("password")) { - System.out.println("Password= " + node.get(fieldName).asText()); - } - if (node.get(fieldName).isContainerNode()) { - extractPassword(node.get(fieldName)); - } - } - } - - public static void processXML(File xmlFile) { - try { - DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(); - DocumentBuilder dBuilder = dbFactory.newDocumentBuilder(); - Document doc = dBuilder.parse(xmlFile); - doc.getDocumentElement().normalize(); - - NodeList nList = doc.getElementsByTagName("password"); - - for (int i = 0; i < nList.getLength(); i++) { - Node nNode = nList.item(i); - if (nNode.getNodeType() == Node.ELEMENT_NODE) { - Element eElement = (Element) nNode; - System.out.println("Password="+ eElement.getTextContent()); - - } - } - } catch (Exception e) { - e.printStackTrace(); - } - } - - private static String searchPassword(Map map) { - for (String key : map.keySet()) { - if ("password".equals(key) && map.get(key) instanceof String) { - return (String) map.get(key); - } else if (map.get(key) instanceof Map) { - String password = searchPassword((Map) map.get(key)); - if (password != null) { - return password; - } - } - } - return null; - } -} diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FlagLineRule.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FlagLineRule.java new file mode 100644 index 0000000..7b9ff82 --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/FlagLineRule.java @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:28所 C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.rule.RuleKey; + +public interface FlagLineRule { + + void execute(SensorContext sensorContext, InputFile file, RuleKey ruleKey); +} \ No newline at end of file diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SqlVarNameChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SqlVarNameChecker.java new file mode 100644 index 0000000..2eabd8f --- /dev/null +++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/SqlVarNameChecker.java @@ -0,0 +1,78 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:28所 C++ 信息安全性设计准则 + * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.cxx.rules.checkers; + +import org.sonar.api.batch.fs.InputFile; +import org.sonar.api.batch.sensor.SensorContext; +import org.sonar.api.batch.sensor.issue.NewIssue; +import org.sonar.api.rule.RuleKey; +import org.sonar.check.Priority; +import org.sonar.check.Rule; +import org.sonar.cxx.squidbridge.annotations.ActivatedByDefault; +import org.sonar.cxx.squidbridge.annotations.SqaleConstantRemediation; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.util.Scanner; + +/** + * C++规则检查器的实现示例 + * + * @author GuoXin + * @date 2024/1/6 + */ +@Rule(key = "FlagLine1Rule", name = "sql注入", description = "sql注入有一定风险", priority = Priority.INFO, tags = {"28suo"}) +@ActivatedByDefault +@SqaleConstantRemediation("5min") +public class SqlVarNameChecker implements FlagLineRule { + + @Override + public void execute(SensorContext sensorContext, InputFile file, RuleKey ruleKey) { + try (Scanner scanner = new Scanner(file.inputStream(), StandardCharsets.UTF_8.name())) { + int lineNumber = 1; + while (scanner.hasNextLine()) { + String line = scanner.nextLine(); + if (line.contains("= '") || line.contains("OR 1=1") || line.contains("='") + || line.contains("DROP TABLE") || line.contains("' OR 'a'='a") || line.contains("'; DROP TABLE users; --") + || line.contains("'; EXEC xp_cmdshell 'dir'") || line.contains("' OR username LIKE '%") || line.contains("' AND SLEEP(5)") + || line.contains("= \\'' +") || line.contains("= ?")) { // 根据特定的关键词或模式匹配来定位 SQL 注入 + NewIssue newIssue = sensorContext.newIssue(); + newIssue + .forRule(ruleKey) + .at(newIssue.newLocation() + .on(file) + .at(file.selectLine(lineNumber))) + .save(); + } + lineNumber++; + } + } catch (IOException e) { + throw new RuntimeException(e); + } + } +/* + @Override + public void visitNode(AstNode node) { + File file = getContext().getFile(); + System.out.println("文件路径: " + file.getAbsolutePath()); + try (BufferedReader reader = new BufferedReader(new FileReader(file))) { + String line; + int lineNumber = 0; + while ((line = reader.readLine()) != null) { + lineNumber++; + if (line.contains("= '") || line.contains("OR 1=1") || line.contains("='") + || line.contains("DROP TABLE") || line.contains("' OR 'a'='a") || line.contains("'; DROP TABLE users; --") + || line.contains("'; EXEC xp_cmdshell 'dir'") || line.contains("' OR username LIKE '%") || line.contains("' AND SLEEP(5)") + || line.contains("= \\'' +") || line.contains("= ?")) { + getContext().createLineViolation(ABCVarNameChecker.this, "sql 注入有一定风险", lineNumber); + } + } + } catch (IOException e) { + e.printStackTrace(); + } + }*/ +} diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/CxxRuleRepositoryTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/CxxRuleRepositoryTest.java index c11baf3..d6ef82f 100644 --- a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/CxxRuleRepositoryTest.java +++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/CxxRuleRepositoryTest.java @@ -1,6 +1,6 @@ /* * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 + * 项目名称:28所 C++ 信息安全性设计准则 * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 */ @@ -18,9 +18,11 @@ class CxxRuleRepositoryTest { var context = new RulesDefinition.Context(); assertThat(context.repositories()).isEmpty(); new CxxRuleRepository().define(context); + new LogRuleRepository().define(context); - assertThat(context.repositories()).hasSize(1); + assertThat(context.repositories()).hasSize(2); assertThat(context.repository("cxx").rules()).hasSize(27); + assertThat(context.repository("log").rules()).hasSize(1); } } diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileCheckerTest.java deleted file mode 100644 index 787c36d..0000000 --- a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ConfigurationFileCheckerTest.java +++ /dev/null @@ -1,72 +0,0 @@ -/* - * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:C++ 信息安全性设计准则 - * 项目描述:用于检查C++源代码的安全性设计准则的Sonarqube插件 - * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 - */ -package com.keyware.sonar.cxx.rules.checkers; - - -import com.keyware.sonar.cxx.CxxFileTesterHelper; -import org.junit.jupiter.api.Test; -import org.sonar.cxx.CxxAstScanner; -import org.sonar.cxx.squidbridge.api.CheckMessage; -import org.sonar.cxx.squidbridge.api.SourceFile; - -import java.io.File; -import java.io.FilenameFilter; -import java.io.IOException; -import java.util.ArrayList; -import java.util.List; - -/** - * TODO ConfigurationFileCheckerTest - * - * @author WuHaoYang - * @date 2024/1/19 - */ -public class ConfigurationFileCheckerTest { - - @Test - public void checkDirectory() throws IOException { - - - File folder = new File("src/test/resources/com/keyware/sonar/cxx/rules/checkers/configFile"); // 文件夹路径 - - File[] files = folder.listFiles(new FilenameFilter() { - public boolean accept(File dir, String name) { - return name.endsWith(".yml") || name.endsWith(".ini") || name.endsWith(".properties") || - name.endsWith(".xml") || name.endsWith(".json") || name.endsWith(".conf"); - } - }); - - List problems = new ArrayList<>(); // 存储问题的列表 - - for (File file : files) { - - try { - if (file.isFile()) { - var tester = CxxFileTesterHelper.create("configFile/" + file.getName()); - System.out.println("配置文件名称:" + file.getName()); - var checker = new ConfigurationFileChecker(); - SourceFile sourceFile = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); - - for (CheckMessage message : sourceFile.getCheckMessages()) { - if (message.formatDefaultMessage().equals("避免在容易受攻击的地方存储口令")) { - problems.add("文件:" + file.getName() + " ,问题:" + message.getDefaultMessage()); - } - } - } - } catch (Exception e) { - System.out.println("在处理文件时遇到问题:" + file.getName()); - e.printStackTrace(); - } - } - - for (String problem : problems) { - System.out.println(problem); - } - } - - -} diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java index d271efc..0bdb7b7 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignRulesPlugin.java @@ -29,13 +29,13 @@ public class JavaSecurityDesignRulesPlugin implements Plugin { context.addExtension(JavaFileCheckRegistrar.class); - context.addExtension(ConfigurationFileLanguage.class); - - - context.addExtension(ConfigFileSquidSensor.class); - - - context.addExtensions(ConfigurationFileLanguage.getProperties()); +// context.addExtension(ConfigurationFileLanguage.class); +// +// +// context.addExtension(ConfigFileSquidSensor.class); +// +// +// context.addExtensions(ConfigurationFileLanguage.getProperties()); } } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java index 5acf99d..5c6a0b5 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/JavaSecurityDesignWayProfile.java @@ -31,9 +31,9 @@ public class JavaSecurityDesignWayProfile implements BuiltInQualityProfilesDefin RulesList.getHtmlRules().forEach(check -> webWay.activateRule(JavaSecurityDesignRulesRepository.REPOSITORY_KEY + "-" + HtmlConstants.LANGUAGE_KEY, check.getSimpleName())); webWay.done(); - var cfgWay = context.createBuiltInQualityProfile("配置信息安全性设计规则", ConfigurationFileLanguage.KEY); - cfgWay.activateRule("config", "ConfigurationFileChecker"); - cfgWay.activateRule("config", "SessionDateChecker"); - cfgWay.done(); +// var cfgWay = context.createBuiltInQualityProfile("配置信息安全性设计规则", ConfigurationFileLanguage.KEY); +// cfgWay.activateRule("config", "ConfigurationFileChecker"); +// cfgWay.activateRule("config", "SessionDateChecker"); +// cfgWay.done(); } } diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java index 9577a04..57d8725 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/JavaSecurityDesignRulesRepository.java @@ -6,8 +6,6 @@ */ package com.keyware.sonar.java.rules; -import com.keyware.sonar.java.rules.checkers.ConfigurationFileChecker; -import com.keyware.sonar.java.rules.checkers.SecurityCookieChecker; import com.keyware.sonar.java.rules.checkers.SessionDateChecker; import org.sonar.api.SonarEdition; import org.sonar.api.SonarProduct; @@ -55,10 +53,10 @@ public class JavaSecurityDesignRulesRepository implements RulesDefinition { setTemplates(htmlRepo); htmlRepo.done(); - RulesDefinition.NewRepository configRepo = context.createRepository("config", "cfg").setName("config"); - ruleMetadataLoader.addRulesByAnnotatedClass(configRepo, List.of(ConfigurationFileChecker.class, SessionDateChecker.class)); - setTemplates(configRepo); - configRepo.done(); +// RulesDefinition.NewRepository configRepo = context.createRepository("config", "cfg").setName("config"); +// ruleMetadataLoader.addRulesByAnnotatedClass(configRepo, List.of(ConfigurationFileChecker.class, SessionDateChecker.class)); +// setTemplates(configRepo); +// configRepo.done(); } private static void setTemplates(RulesDefinition.NewRepository repository) { diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java deleted file mode 100644 index ee17ae2..0000000 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/ConfigurationFileChecker.java +++ /dev/null @@ -1,276 +0,0 @@ -/* - * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:信息安全性设计准则检查插件 - * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 - * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 - */ -package com.keyware.sonar.java.rules.checkers; - -import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; -import org.sonar.api.batch.fs.InputFile; -import org.sonar.api.batch.sensor.SensorContext; -import org.sonar.api.batch.sensor.issue.NewIssue; -import org.sonar.api.rule.RuleKey; -import org.sonar.check.Rule; -import org.w3c.dom.Document; -import org.w3c.dom.Element; -import org.w3c.dom.Node; -import org.w3c.dom.NodeList; -import org.yaml.snakeyaml.Yaml; - -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import java.io.*; -import java.util.Iterator; -import java.util.Map; -import java.util.Properties; -import java.util.Scanner; - - -/** - * 通过用户名口令、数据证书等其他手段对用户身份进行验证。 - * - * @author WuHaoYang - * @date 2024/1/22 - */ -@Rule(key = "ConfigurationFileChecker") -public class ConfigurationFileChecker implements ConfigCheck{ - - - public void execute(SensorContext context, InputFile inputFile, RuleKey ruleKey){ - //文件名称 - String filename = inputFile.filename(); - System.out.println("[ConfigurationFileChecker]>>>>>" + filename); - - //校验文件后缀 - if (filename.endsWith(".properties")) { - try { - File file = new File(inputFile.absolutePath()); - System.out.println("---------------properties文件路径----------------"+file); - try (Scanner scanner = new Scanner(file)) { - int lineNum = 1; - while (scanner.hasNextLine()) { - String line = scanner.nextLine(); - if (line.contains("password")) { - System.out.println(line); - NewIssue newIssue = context.newIssue(); - newIssue - .forRule(ruleKey) - .at(newIssue.newLocation() - .on(inputFile) - .at(inputFile.selectLine(lineNum))) - .save(); - break; - } - lineNum ++; - } - } - } catch (FileNotFoundException e) { - System.out.println("文件未找到: " + e.getMessage()); - } - } - - - if (filename.endsWith(".ini")){ - // 获取当前输入文件的绝对路径 - File file1 = inputFile.file(); - - // 构建目录路径 - System.out.println("---------------ini文件路径----------------"+file1); - - int lineNum = 1; - Properties properties = new Properties(); - - try (FileInputStream fileInput = new FileInputStream(file1)) { - properties.load(fileInput); - String password = properties.getProperty("password"); - System.out.println("password=" + password); - NewIssue newIssue = context.newIssue(); - newIssue - .forRule(ruleKey) - .at(newIssue.newLocation() - .on(inputFile) - .at(inputFile.selectLine(lineNum))) - .save(); - } catch (IOException e) { - e.printStackTrace(); - } - lineNum++; - } - - - - if (filename.endsWith(".conf")){ - // 获取当前输入文件的绝对路径 - File file1 = inputFile.file(); - - // 构建目录路径 - System.out.println("---------------conf文件路径----------------"+file1); - - - int lineNum = 1; - Properties prop = new Properties(); - InputStream input = null; - - try { - input = new FileInputStream(file1); - prop.load(input); - - if (prop.containsKey("password")) { - System.out.println("password="+ prop.getProperty("password")); - NewIssue newIssue = context.newIssue(); - newIssue - .forRule(ruleKey) - .at(newIssue.newLocation() - .on(inputFile) - .at(inputFile.selectLine(lineNum))) - .save(); - } - } catch (IOException ex) { - ex.printStackTrace(); - } finally { - if (input != null) { - try { - input.close(); - } catch (IOException e) { - e.printStackTrace(); - } - } - } - lineNum++; - } - - - - if (filename.endsWith(".xml")){ - // 获取当前输入文件的绝对路径 - File file1 = inputFile.file(); - File absoluteFile = file1.getAbsoluteFile(); - - // 构建目录路径 - File dir = new File(String.valueOf(absoluteFile)).getParentFile(); - System.out.println("---------------xml文件路径----------------"+file1); - File xmlFile = new File(dir, filename); - processXML(xmlFile); - int lineNum = 1; - NewIssue newIssue = context.newIssue(); - newIssue - .forRule(ruleKey) - .at(newIssue.newLocation() - .on(inputFile) - .at(inputFile.selectLine(lineNum))) - .save(); - } - - - if (filename.endsWith(".json")){ - try { - // 获取当前输入文件的绝对路径 - File file1 = inputFile.file(); - File absoluteFile = file1.getAbsoluteFile(); - - // 构建目录路径 - File folder = new File(String.valueOf(absoluteFile)).getParentFile(); - - System.out.println("---------------json文件路径----------------"+file1); - ObjectMapper mapper = new ObjectMapper(); - JsonNode rootNode = mapper.readTree(file1); - extractPassword(rootNode); - int lineNum = 1; - NewIssue newIssue = context.newIssue(); - newIssue - .forRule(ruleKey) - .at(newIssue.newLocation() - .on(inputFile) - .at(inputFile.selectLine(lineNum))) - .save(); - - } catch (IOException e) { - e.printStackTrace(); - } - } - - - if (filename.endsWith(".yml")){ - // 获取当前输入文件的绝对路径 - File file1 = inputFile.file(); - File absoluteFile = file1.getAbsoluteFile(); - - // 构建目录路径 - File dir = new File(String.valueOf(absoluteFile)).getParentFile(); - System.out.println("---------------yml文件路径----------------"+file1); - Yaml yaml = new Yaml(); - try (FileInputStream fis = new FileInputStream(file1)) { - Map obj = yaml.load(fis); - if (obj != null){ - String password = searchPassword(obj); - if (password != null) { - System.out.println("password="+password); - int lineNum = 1; - NewIssue newIssue = context.newIssue(); - newIssue - .forRule(ruleKey) - .at(newIssue.newLocation() - .on(inputFile) - .at(inputFile.selectLine(lineNum))) - .save(); - } - } - } catch (IOException e) { - e.printStackTrace(); - } - } - - } - public static void processXML(File xmlFile) { - try { - DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(); - DocumentBuilder dBuilder = dbFactory.newDocumentBuilder(); - Document doc = dBuilder.parse(xmlFile); - doc.getDocumentElement().normalize(); - - NodeList nList = doc.getElementsByTagName("password"); - - for (int i = 0; i < nList.getLength(); i++) { - Node nNode = nList.item(i); - if (nNode.getNodeType() == Node.ELEMENT_NODE) { - Element eElement = (Element) nNode; - System.out.println("Password="+ eElement.getTextContent()); - } - } - } catch (Exception e) { - e.printStackTrace(); - } - } - - - public static void extractPassword(JsonNode node) { - Iterator fieldNames = node.fieldNames(); - while (fieldNames.hasNext()) { - String fieldName = fieldNames.next(); - if (fieldName.equals("password")) { - System.out.println("Password= " + node.get(fieldName).asText()); - } - if (node.get(fieldName).isContainerNode()) { - extractPassword(node.get(fieldName)); - } - } - } - - - - private static String searchPassword(Map map) { - for (String key : map.keySet()) { - if ("password".equals(key) && map.get(key) instanceof String) { - return (String) map.get(key); - } else if (map.get(key) instanceof Map) { - String password = searchPassword((Map) map.get(key)); - if (password != null) { - return password; - } - } - } - return null; - } -} diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java index 3410494..451e313 100644 --- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java +++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/JavaSecurityDesignRulesPluginTest.java @@ -39,10 +39,11 @@ public class JavaSecurityDesignRulesPluginTest { .containsExactlyInAnyOrder( "JavaSecurityDesignRulesRepository", "JavaSecurityDesignWayProfile", - "JavaFileCheckRegistrar", - "ConfigurationFileLanguage", - "ConfigFileSquidSensor", - "File Suffixes"); + "JavaFileCheckRegistrar" +// "ConfigurationFileLanguage", +// "ConfigFileSquidSensor", +// "File Suffixes" + ); } public static class MockedSonarRuntime implements SonarRuntime {