优化:优化误报问题

master
RenFengJiang 9 months ago
parent 867f67b964
commit f1f377f8c1
  1. 2
      sonar-keyware-plugins-cxx/src/main/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainChecker.java
  2. 2
      sonar-keyware-plugins-cxx/src/test/java/com/keyware/sonar/cxx/rules/checkers/ReallocMainCheckerTest.java
  3. 12
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
  4. 4
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.html
  5. 2
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.json
  6. 2
      sonar-keyware-plugins-java/src/test/files/options/OptionsVerifyTwoRule.java
  7. 2
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsCheckerTest.java
  8. 2
      uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java

@ -92,7 +92,7 @@ public class ReallocMainChecker extends SquidCheck<Grammar> {
String name = as.getToken().getValue(); String name = as.getToken().getValue();
//判断参数是否存在在集合中 //判断参数是否存在在集合中
if(!lists.contains(name)){ if(!lists.contains(name)){
reportIssue(as, "使用realloc函数前应先清敏感信息"); reportIssue(as, "使用realloc函数前应先清敏感信息");
} }
} }
} }

@ -27,7 +27,7 @@ public class ReallocMainCheckerTest {
var tester = CxxFileTesterHelper.create("ReallocMainChecker.cc"); var tester = CxxFileTesterHelper.create("ReallocMainChecker.cc");
SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker); SourceFile file = CxxAstScanner.scanSingleInputFile(tester.asInputFile(), checker);
CheckMessagesVerifier.verify(file.getCheckMessages()) CheckMessagesVerifier.verify(file.getCheckMessages())
.next().atLine(27).withMessage("使用realloc函数前应先清敏感信息") .next().atLine(27).withMessage("使用realloc函数前应先清敏感信息")
.noMore(); .noMore();
} }

@ -8,7 +8,6 @@ package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule; import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.semantic.Type; import org.sonar.plugins.java.api.semantic.Type;
import org.sonar.plugins.java.api.tree.*; import org.sonar.plugins.java.api.tree.*;
@ -32,7 +31,7 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
"url", "url",
"userpassword" "userpassword"
); );
private static final String requestType = "javax.servlet.http.HttpServletRequest"; private static final String requestType = "HttpServletRequest";
@Override @Override
public List<Tree.Kind> nodesToVisit() { public List<Tree.Kind> nodesToVisit() {
@ -42,19 +41,19 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
@Override @Override
public void visitNode(@Nonnull Tree tree) { public void visitNode(@Nonnull Tree tree) {
MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree; MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.methodSymbol();
//获取参数 //获取参数
ExpressionTree expressionTree = methodInvocationTree.methodSelect(); ExpressionTree expressionTree = methodInvocationTree.methodSelect();
if(expressionTree.is(Tree.Kind.MEMBER_SELECT)){ if(expressionTree.is(Tree.Kind.MEMBER_SELECT)){
MemberSelectExpressionTree selectExpressionTree = (MemberSelectExpressionTree) expressionTree; MemberSelectExpressionTree selectExpressionTree = (MemberSelectExpressionTree) expressionTree;
//获取参数类型 //获取参数类型
Type type = selectExpressionTree.expression().symbolType(); Type type = selectExpressionTree.expression().symbolType();
String fierName = selectExpressionTree.identifier().name();
if(type != null){ if(type != null){
//判断参数类型和调用方法符不符合要求 //判断参数类型和调用方法符不符合要求
if(requestType.equals(type.fullyQualifiedName()) if(type.fullyQualifiedName().contains(requestType)
&& ("getParameter".equals(methodSymbol.name()) || "getCookies".equals(methodSymbol.name()))) { && ("getParameter".equals(fierName) || "getCookies".equals(fierName))) {
//如果是getCookies方法直接抛错 //如果是getCookies方法直接抛错
if("getCookies".equals(methodSymbol.name())){ if("getCookies".equals(fierName)){
reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取"); reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取");
}else { }else {
//获取参数 //获取参数
@ -65,7 +64,6 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
.replace("\"", "").toLowerCase(); .replace("\"", "").toLowerCase();
//判断是否是违规项 //判断是否是违规项
if(HIDED_PARAMS.contains(name)){ if(HIDED_PARAMS.contains(name)){
System.out.println(methodInvocationTree);
reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取"); reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取");
break; break;
} }

@ -1,5 +1,5 @@
<p>通过用户名口令、数据证书等其他手段对用户身份进行验证</p> <p>通过用户名口令、数据证书等其他手段对用户身份进行验证</p>
<h2>通过用户名口令、数据证书等其他手段对用户身份进行验证</h2> <h2>通过用户名口令、数据证书等其他手段对用户身份进行验证</h2>
<pre> <pre>
</pre> </pre>

@ -1,5 +1,5 @@
{ {
"title": "通过用户名口令、数据证书等其他手段对用户身份进行验证", "title": "通过用户名口令、数据证书等其他手段对用户身份进行验证",
"type": "CODE_SMELL", "type": "CODE_SMELL",
"status": "ready", "status": "ready",
"remediation": { "remediation": {

@ -12,7 +12,7 @@ public class OptionsVerifyTwoRule implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException { throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse) response; HttpServletResponse res = (HttpServletResponse) response;
// res.addHeader("X-Frame-Options", "DENY"); res.addHeader("X-Frame-Options", "iframe");
chain.doFilter(request, response); chain.doFilter(request, response);
} }

@ -12,7 +12,7 @@ import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier; import org.sonar.java.checks.verifier.CheckVerifier;
/** /**
* TODO SessionCacheParamsCheckerTest * TODO 将页面隐藏域字段CookieURL等关键参数缓存到服务器端的会话中程序使用该数据须通过会话获取
* *
* @author RenFengJiang * @author RenFengJiang
* @date 2024/1/24 * @date 2024/1/24

@ -15,7 +15,7 @@ public class OptionsVerifyRule implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException { throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse) response; HttpServletResponse res = (HttpServletResponse) response;
res.addHeader("X-Frame-Options", "DENY"); res.addHeader("X-Frame-Options", "iframe");
chain.doFilter(request, response); chain.doFilter(request, response);
} }

Loading…
Cancel
Save