diff --git a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java
index fdcbdb8..a3eb1d8 100644
--- a/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java
+++ b/sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java
@@ -92,7 +92,7 @@ public class ReallocMainChecker extends SquidCheck {
 String name = as.getToken().getValue();
 //判断参数是否存在在集合中
 if(!lists.contains(name)){
- reportIssue(as, "使用realloc函数前应先清楚敏感信息");
+ reportIssue(as, "使用realloc函数前应先清空敏感信息");
 }
 }
 }
diff --git a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java
index 5c434f8..84e02c1 100644
--- a/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java
+++ b/sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java
@@ -27,7 +27,7 @@ public class ReallocMainCheckerTest {
 var tester = CxxFileTesterHelper.create("ReallocMainChecker.cc");
 SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
 CheckMessagesVerifier.verify(file.getCheckMessages())
- .next().atLine(27).withMessage("使用realloc函数前应先清楚敏感信息")
+ .next().atLine(27).withMessage("使用realloc函数前应先清空敏感信息")
 .noMore();
 }
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
index e4351ab..e3b508b 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
@@ -8,7 +8,6 @@ package com.keyware.sonar.java.rules.checkers;
 import org.sonar.check.Rule;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
-import org.sonar.plugins.java.api.semantic.Symbol;
 import org.sonar.plugins.java.api.semantic.Type;
 import org.sonar.plugins.java.api.tree.*;
@@ -32,7 +31,7 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
 "url", "userpassword" );
- private static final String requestType = "javax.servlet.http.HttpServletRequest";
+ private static final String requestType = "HttpServletRequest";
 @Override
 public List nodesToVisit() {
@@ -42,19 +41,19 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
 @Override
 public void visitNode(@Nonnull Tree tree) {
 MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
- Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.methodSymbol();
 //获取参数
 ExpressionTree expressionTree = methodInvocationTree.methodSelect();
 if(expressionTree.is(Tree.Kind.MEMBER_SELECT)){
 MemberSelectExpressionTree selectExpressionTree = (MemberSelectExpressionTree) expressionTree;
 //获取参数类型
 Type type = selectExpressionTree.expression().symbolType();
+ String fierName = selectExpressionTree.identifier().name();
 if(type != null){
 //判断参数类型和调用方法符不符合要求
- if(requestType.equals(type.fullyQualifiedName())
- && ("getParameter".equals(methodSymbol.name()) || "getCookies".equals(methodSymbol.name()))) {
+ if(type.fullyQualifiedName().contains(requestType)
+ && ("getParameter".equals(fierName) || "getCookies".equals(fierName))) {
 //如果是getCookies方法直接抛错
- if("getCookies".equals(methodSymbol.name())){
+ if("getCookies".equals(fierName)){
 reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取");
 }else {
 //获取参数
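Review bot: In the `@@ -42` hunk the new condition `type.fullyQualifiedName().contains(requestType)`, with `requestType` reduced to `"HttpServletRequest"` in the `@@ -32` hunk, is a substring match, so any type whose fully qualified name merely contains that word (an `HttpServletRequestWrapper`, or a project class such as `FooHttpServletRequestHolder`) now satisfies the type check by accident. If the aim is to accept both the `javax.servlet.http` and `jakarta.servlet.http` variants of the interface (presumably why the package prefix was dropped), say so with an explicit list and a subtype test, e.g. `private static final Set<String> REQUEST_TYPES = Set.of("javax.servlet.http.HttpServletRequest", "jakarta.servlet.http.HttpServletRequest");` and `if (REQUEST_TYPES.stream().anyMatch(type::isSubtypeOf) && (...))`, which also covers wrappers deliberately rather than by string coincidence. `fierName` reads as a typo; it holds `selectExpressionTree.identifier().name()`, the simple name of the invoked method, so `methodName` would say what it is. The body of `visitNode` continues past the end of the hunk.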
@@ -65,7 +64,6 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
 .replace("\"", "").toLowerCase();
 //判断是否是违规项
 if(HIDED_PARAMS.contains(name)){
- System.out.println(methodInvocationTree);
 reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取");
 break;
 }
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.html
index e8a20d8..e940b1e 100644
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.html
@@ -1,5 +1,5 @@
-

通过用户名口令、数据证书等其他手段对用户身份进行验证

-

通过用户名口令、数据证书等其他手段对用户身份进行验证

+

应通过用户名口令、数据证书等其他手段对用户身份进行验证

+

应通过用户名口令、数据证书等其他手段对用户身份进行验证

 
 
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.json
index 93ee759..b15a7c8 100644
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.json
@@ -1,5 +1,5 @@
 {
- "title": "通过用户名口令、数据证书等其他手段对用户身份进行验证",
+ "title": "应通过用户名口令、数据证书等其他手段对用户身份进行验证",
 "type": "CODE_SMELL",
 "status": "ready",
 "remediation": {
diff --git a/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java b/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java
index 3708167..1de99bf 100644
--- a/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java
@@ -12,7 +12,7 @@ public class OptionsVerifyTwoRule implements Filter {
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 HttpServletResponse res = (HttpServletResponse) response;
-// res.addHeader("X-Frame-Options", "DENY");
+ res.addHeader("X-Frame-Options", "iframe");
 chain.doFilter(request, response);
 }
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsCheckerTest.java
index 6a17a9a..3558fa3 100644
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsCheckerTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsCheckerTest.java
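Review bot: `res.addHeader("X-Frame-Options", "iframe")` in `OptionsVerifyTwoRule.doFilter` writes a value that is not part of the X-Frame-Options syntax (browsers honour only `DENY` and `SAMEORIGIN`; `ALLOW-FROM` is obsolete), and a header carrying an unrecognised value is ignored, so this filter no longer restricts framing at all. If the line is meant as the noncompliant case for the options checker, a comment making that explicit, e.g. `// invalid X-Frame-Options value: ignored by browsers, so the response stays frameable`, keeps the fixture from being copied as a working example (and, if this project's fixtures use CheckVerifier's `// Noncompliant` markers, this is the line that would carry one); if it is meant as the compliant case, `"DENY"` should be restored. The same value is written in the uut-example `OptionsVerifyRule.java` hunk (`@@ -15`). The enclosing class of `doFilter` starts outside the hunk in both files.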
@@ -12,7 +12,7 @@ import org.junit.jupiter.api.Test;
 import org.sonar.java.checks.verifier.CheckVerifier;
 /**
- * TODO SessionCacheParamsCheckerTest
+ * TODO 将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中,程序使用该数据须通过会话获取
 *
 * @author RenFengJiang
 * @date 2024/1/24
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java b/uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java
index 18d6be8..13ddeab 100644
--- a/uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java
+++ b/uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java
@@ -15,7 +15,7 @@ public class OptionsVerifyRule implements Filter {
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 HttpServletResponse res = (HttpServletResponse) response;
- res.addHeader("X-Frame-Options", "DENY");
+ res.addHeader("X-Frame-Options", "iframe");
 chain.doFilter(request, response);
 }