From 14e2b4e68b1a81c5e347500fd5a78d73eba7ba45 Mon Sep 17 00:00:00 2001 From: wuhaoyang <2507865306@qq.com> Date: Fri, 12 Jan 2024 14:17:36 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99=EF=BC=9A?= =?UTF-8?q?=E6=85=8E=E9=87=8D=E8=80=83=E8=99=91=E5=86=99=E5=85=A5=E6=97=A5?= =?UTF-8?q?=E5=BF=97=E6=96=87=E4=BB=B6=E4=BF=A1=E6=81=AF=E7=9A=84=E9=9A=90?= =?UTF-8?q?=E7=A7=81=E6=80=A7=EF=BC=8C=E9=81=BF=E5=85=8D=E6=8A=8A=E6=95=8F?= =?UTF-8?q?=E6=84=9F=E4=BF=A1=E6=81=AF=E5=86=99=E5=85=A5=E6=97=A5=E5=BF=97?= =?UTF-8?q?=E6=96=87=E4=BB=B6=EF=BC=8C=E5=A6=82=E6=96=87=E7=94=B5=E6=AD=A3?= =?UTF-8?q?=E6=96=87=E5=90=8D=E7=A7=B0=E3=80=81=E9=83=A8=E9=98=9F=E7=BC=96?= =?UTF-8?q?=E6=88=90=E4=BF=A1=E6=81=AF=E3=80=81=E6=AD=A6=E5=99=A8=E6=80=A7?= =?UTF-8?q?=E8=83=BD=E5=8F=82=E6=95=B0=E7=AD=89=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../AvoidSensitiveInfoInLogsCheck.java | 58 +++++++++++++++++++ .../java/AvoidSensitiveInfoInLogsCheck.html | 9 +++ .../java/AvoidSensitiveInfoInLogsCheck.json | 13 +++++ .../files/AvoidSensitiveInfoInLogsCheck.java | 20 +++++++ .../AvoidSensitiveInfoInLogsCheckTest.java | 30 ++++++++++ 5 files changed, 130 insertions(+) create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json create mode 100644 sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java create mode 100644 sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java new file mode 100644 index 0000000..e94e613 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:Java 信息安全性设计准则 + * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules.checkers; + +import org.sonar.check.Rule; +import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; +import org.sonar.plugins.java.api.semantic.Symbol; +import org.sonar.plugins.java.api.tree.*; + +import java.util.*; + +@Rule(key = "AvoidSensitiveInfoInLogsCheck") +public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor { + + + private static final List SENSITIVE_KEYWORDS = Arrays.asList("password", "token", "secret"); + + @Override + public List nodesToVisit() { + return Arrays.asList(Tree.Kind.METHOD_INVOCATION); + } + + @Override + public void visitNode(Tree tree) { + MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree; + Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.symbol(); + if (isLoggerErrorMethod(methodSymbol)) { + checkLogArguments(methodInvocationTree.arguments()); + } + } + + private boolean isLoggerErrorMethod(Symbol.MethodSymbol methodSymbol) { + Symbol.TypeSymbol enclosingClass = methodSymbol.owner().enclosingClass(); + return enclosingClass != null + && "org.slf4j.Logger".equals(enclosingClass.type().fullyQualifiedName()) + && "error".equals(methodSymbol.name()) + || "info".equals(methodSymbol.name()) + || "debug".equals(methodSymbol.name()) + || "warn".equals(methodSymbol.name()) + || "trace".equals(methodSymbol.name()); + } + + private void checkLogArguments(List arguments) { + for (ExpressionTree argument : arguments) { + if (argument.is(Tree.Kind.IDENTIFIER)) { + String identifierName = ((IdentifierTree) argument).name(); + if (SENSITIVE_KEYWORDS.contains(identifierName)) { + System.out.println("日志中包含敏感信息: " + identifierName); + reportIssue(argument, "日志中包含敏感信息"); + } + } + } + } +} diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html new file mode 100644 index 0000000..1e3015d --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html @@ -0,0 +1,9 @@ +

日志中包含敏感信息

+

日志中包含敏感信息

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json new file mode 100644 index 0000000..28ce595 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json @@ -0,0 +1,13 @@ +{ + "title": "日志中包含敏感信息", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "28suo" + ], + "defaultSeverity": "Minor" +} \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java b/sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java new file mode 100644 index 0000000..af7a874 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java @@ -0,0 +1,20 @@ +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class ExampleClass { + private static final Logger logger = LoggerFactory.getLogger(ExampleClass.class); + + public void sensitiveOperation() { + String password = "password"; + String token = "password"; + String secret = "password"; + + + logger.error(password); // Noncompliant {{日志中包含敏感信息}} + logger.info(token); // Noncompliant {{日志中包含敏感信息}} + logger.debug(secret); // Noncompliant {{日志中包含敏感信息}} + logger.warn(password); // Noncompliant {{日志中包含敏感信息}} + logger.trace(password); // Noncompliant {{日志中包含敏感信息}} + + } +} diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java new file mode 100644 index 0000000..e16fb2a --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java @@ -0,0 +1,30 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:Java 信息安全性设计准则 + * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules.checkers; + +import com.keyware.sonar.java.utils.FilesUtils; +import org.junit.jupiter.api.Test; +import org.sonar.java.checks.verifier.CheckVerifier; + +/** + * + * @author WuHaoYang + * @date 2024/1/12 + */ + +public class AvoidSensitiveInfoInLogsCheckTest { + + @Test + void detected() { + + CheckVerifier.newVerifier() + .onFile("src/test/files/AvoidSensitiveInfoInLogsCheck.java") + .withCheck(new AvoidSensitiveInfoInLogsCheck()) + .withClassPath(FilesUtils.getClassPath("target/test-jars")) + .verifyIssues(); + } +}