commit
fb0b5d6e39
@ -0,0 +1,58 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:Java 信息安全性设计准则 |
||||
* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.java.rules.checkers; |
||||
|
||||
import org.sonar.check.Rule; |
||||
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; |
||||
import org.sonar.plugins.java.api.semantic.Symbol; |
||||
import org.sonar.plugins.java.api.tree.*; |
||||
|
||||
import java.util.*; |
||||
|
||||
@Rule(key = "AvoidSensitiveInfoInLogsCheck") |
||||
public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor { |
||||
|
||||
|
||||
private static final List<String> SENSITIVE_KEYWORDS = Arrays.asList("password", "token", "secret"); |
||||
|
||||
@Override |
||||
public List<Tree.Kind> nodesToVisit() { |
||||
return Arrays.asList(Tree.Kind.METHOD_INVOCATION); |
||||
} |
||||
|
||||
@Override |
||||
public void visitNode(Tree tree) { |
||||
MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree; |
||||
Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.symbol(); |
||||
if (isLoggerErrorMethod(methodSymbol)) { |
||||
checkLogArguments(methodInvocationTree.arguments()); |
||||
} |
||||
} |
||||
|
||||
private boolean isLoggerErrorMethod(Symbol.MethodSymbol methodSymbol) { |
||||
Symbol.TypeSymbol enclosingClass = methodSymbol.owner().enclosingClass(); |
||||
return enclosingClass != null |
||||
&& "org.slf4j.Logger".equals(enclosingClass.type().fullyQualifiedName()) |
||||
&& "error".equals(methodSymbol.name()) |
||||
|| "info".equals(methodSymbol.name()) |
||||
|| "debug".equals(methodSymbol.name()) |
||||
|| "warn".equals(methodSymbol.name()) |
||||
|| "trace".equals(methodSymbol.name()); |
||||
} |
||||
|
||||
private void checkLogArguments(List<? extends ExpressionTree> arguments) { |
||||
for (ExpressionTree argument : arguments) { |
||||
if (argument.is(Tree.Kind.IDENTIFIER)) { |
||||
String identifierName = ((IdentifierTree) argument).name(); |
||||
if (SENSITIVE_KEYWORDS.contains(identifierName)) { |
||||
System.out.println("日志中包含敏感信息: " + identifierName); |
||||
reportIssue(argument, "日志中包含敏感信息"); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} |
@ -0,0 +1,9 @@ |
||||
<p>日志中包含敏感信息</p> |
||||
<h2>日志中包含敏感信息</h2> |
||||
<pre> |
||||
|
||||
</pre> |
||||
<h2>合规解决方案</h2> |
||||
<pre> |
||||
|
||||
</pre> |
@ -0,0 +1,13 @@ |
||||
{ |
||||
"title": "日志中包含敏感信息", |
||||
"type": "CODE_SMELL", |
||||
"status": "ready", |
||||
"remediation": { |
||||
"func": "Constant\/Issue", |
||||
"constantCost": "5min" |
||||
}, |
||||
"tags": [ |
||||
"28suo" |
||||
], |
||||
"defaultSeverity": "Minor" |
||||
} |
@ -0,0 +1,20 @@ |
||||
import org.slf4j.Logger; |
||||
import org.slf4j.LoggerFactory; |
||||
|
||||
public class ExampleClass { |
||||
private static final Logger logger = LoggerFactory.getLogger(ExampleClass.class); |
||||
|
||||
public void sensitiveOperation() { |
||||
String password = "password"; |
||||
String token = "password"; |
||||
String secret = "password"; |
||||
|
||||
|
||||
logger.error(password); // Noncompliant {{日志中包含敏感信息}}
|
||||
logger.info(token); // Noncompliant {{日志中包含敏感信息}}
|
||||
logger.debug(secret); // Noncompliant {{日志中包含敏感信息}}
|
||||
logger.warn(password); // Noncompliant {{日志中包含敏感信息}}
|
||||
logger.trace(password); // Noncompliant {{日志中包含敏感信息}}
|
||||
|
||||
} |
||||
} |
@ -0,0 +1,30 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:Java 信息安全性设计准则 |
||||
* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.java.rules.checkers; |
||||
|
||||
import com.keyware.sonar.java.utils.FilesUtils; |
||||
import org.junit.jupiter.api.Test; |
||||
import org.sonar.java.checks.verifier.CheckVerifier; |
||||
|
||||
/** |
||||
* |
||||
* @author WuHaoYang |
||||
* @date 2024/1/12 |
||||
*/ |
||||
|
||||
public class AvoidSensitiveInfoInLogsCheckTest { |
||||
|
||||
@Test |
||||
void detected() { |
||||
|
||||
CheckVerifier.newVerifier() |
||||
.onFile("src/test/files/AvoidSensitiveInfoInLogsCheck.java") |
||||
.withCheck(new AvoidSensitiveInfoInLogsCheck()) |
||||
.withClassPath(FilesUtils.getClassPath("target/test-jars")) |
||||
.verifyIssues(); |
||||
} |
||||
} |
Loading…
Reference in new issue