新增准则:应使用单向不可逆的加密算法

wuhaoyang
RenFengJiang 11 months ago
parent 918bd7a7a1
commit f650fbb209
  1. 93
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/Md5PassWordVerifyChecker.java
  2. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/Md5PassWordVerifyChecker.htm
  3. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/Md5PassWordVerifyChecker.json
  4. 10
      sonar-keyware-plugins-java/src/test/files/Md5PassWordVerifyRule.java
  5. 31
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/Md5PassWordVerifyCheckerTest.java

@ -0,0 +1,93 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.ast.parser.ArgumentListTreeImpl;
import org.sonar.java.model.declaration.VariableTreeImpl;
import org.sonar.java.model.expression.IdentifierTreeImpl;
import org.sonar.java.model.expression.MemberSelectExpressionTreeImpl;
import org.sonar.java.model.expression.MethodInvocationTreeImpl;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.*;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
/**
* TODO Md5PassWordVerifyChecker
*
* @author RenFengJiang
* @date 2024/1/13
*/
@Rule(key = "Md5PassWordVerifyChecker")
public class Md5PassWordVerifyChecker extends IssuableSubscriptionVisitor {
@Override
public List<Tree.Kind> nodesToVisit() {
/**
* Tree.Kind.METHOD方法节点
* Tree.Kind.BLOCK方法的代码块节点
* Tree.Kind.METHOD_INVOCATION 方法的调用节点
*/
return Collections.singletonList(Tree.Kind.METHOD);
}
@Override
public void visitNode(Tree tree) {
MethodTree node = (MethodTree) tree;
var bodyVisitor = new MethodeBodyVisitor(this);
node.block().accept(bodyVisitor);
}
static class MethodeBodyVisitor extends BaseTreeVisitor {
//存放盐值后的密码
public String strPassWord = "";
private final Md5PassWordVerifyChecker checker;
MethodeBodyVisitor(Md5PassWordVerifyChecker checker) {
this.checker = checker;
}
@Override
public void visitMethodInvocation(MethodInvocationTree tree) {
//获取到方法调用
ExpressionTree expressionTree = tree.methodSelect();
if (expressionTree instanceof MemberSelectExpressionTreeImpl) {
//获取到调用的方法
MemberSelectExpressionTreeImpl memberSelectExpressionTree = (MemberSelectExpressionTreeImpl) expressionTree;
if ("setPassWord".equals(memberSelectExpressionTree.identifier().name())) {
Tree parent = tree.arguments();
if (parent instanceof ArgumentListTreeImpl) {
for (ExpressionTree expressionTree1 : (ArgumentListTreeImpl) parent) {
if (expressionTree1 instanceof IdentifierTreeImpl) {
IdentifierTreeImpl identifierTree = (IdentifierTreeImpl) expressionTree1;
//判断set中使用的参数
if(!identifierTree.name().equals(strPassWord)){
checker.context.reportIssue(checker, identifierTree, "应使用单向不可逆的加密算法");
}
}
}
}
//判断是否使用单向不可逆加密方式
}else if(memberSelectExpressionTree.identifier().name().toLowerCase(Locale.ROOT).contains("md5hex") || memberSelectExpressionTree.identifier().name().toLowerCase(Locale.ROOT).contains("encrypt")){
Tree parent = memberSelectExpressionTree.parent();
if(parent instanceof MethodInvocationTreeImpl){
MethodInvocationTreeImpl methodInvocationTree = (MethodInvocationTreeImpl) parent;
Tree parent1 = methodInvocationTree.parent();
if(parent1 instanceof VariableTreeImpl){
VariableTreeImpl variableTree = (VariableTreeImpl) parent1;
//获取加密后的名称
strPassWord = variableTree.simpleName().name();
}
}
}
}
}
}
}

@ -0,0 +1,9 @@
<p>应使用单向不可逆的加密算法</p>
<h2>使用单向不可逆的加密算法对口令进行加密并存储在外部文件或数据库中</h2>
<pre>
</pre>
<h2>合规解决方案</h2>
<pre>
</pre>

@ -0,0 +1,13 @@
{
"title": "应使用单向不可逆的加密算法",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"28suo"
],
"defaultSeverity": "Minor"
}

@ -0,0 +1,10 @@
class Md5PassWordVerifyRule{
public static void cs(Student studnet){
// 结合盐值和口令进行散列计算
// String password = DigestUtils.md5Hex(str);
studnet.setPassWord(password);// Noncompliant {{应使用单向不可逆的加密算法}}
}
}

@ -0,0 +1,31 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import com.keyware.sonar.java.utils.FilesUtils;
import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier;
/**
* TODO Md5PassWordVerifyCheckerTest
*
* @author RenFengJiang
* @date 2024/1/13
*/
public class Md5PassWordVerifyCheckerTest {
@Test
void detected() {
Md5PassWordVerifyChecker rule = new Md5PassWordVerifyChecker();
CheckVerifier.newVerifier()
.onFile("src/test/files/Md5PassWordVerifyRule.java")
.withCheck(rule)
.withClassPath(FilesUtils.getClassPath("target/test-jars"))
.verifyIssues();
}
}
Loading…
Cancel
Save