Merge remote-tracking branch 'origin/master'

wuhaoyang
RenFengJiang 11 months ago
commit fb0b5d6e39
  1. 58
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
  2. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html
  3. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json
  4. 20
      sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java
  5. 30
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java

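--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheck.java
@@ -0,0 +1,58 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称Java 信息安全性设计准则
+* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
+*/
+package com.keyware.sonar.java.rules.checkers;
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.tree.*;
+import java.util.*;
+@Rule(key = "AvoidSensitiveInfoInLogsCheck")
+public class AvoidSensitiveInfoInLogsCheck extends IssuableSubscriptionVisitor {
+private static final List<String> SENSITIVE_KEYWORDS = Arrays.asList("password", "token", "secret");
+@Override
+public List<Tree.Kind> nodesToVisit() {
+return Arrays.asList(Tree.Kind.METHOD_INVOCATION);
+}
+@Override
+public void visitNode(Tree tree) {
+MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
+Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.symbol();
+if (isLoggerErrorMethod(methodSymbol)) {
+checkLogArguments(methodInvocationTree.arguments());
+}
+}
+private boolean isLoggerErrorMethod(Symbol.MethodSymbol methodSymbol) {
+Symbol.TypeSymbol enclosingClass = methodSymbol.owner().enclosingClass();
+return enclosingClass != null
+&& "org.slf4j.Logger".equals(enclosingClass.type().fullyQualifiedName())
+&& "error".equals(methodSymbol.name())
+|| "info".equals(methodSymbol.name())
+|| "debug".equals(methodSymbol.name())
+|| "warn".equals(methodSymbol.name())
+|| "trace".equals(methodSymbol.name());
+}
+private void checkLogArguments(List<? extends ExpressionTree> arguments) {
+for (ExpressionTree argument : arguments) {
+if (argument.is(Tree.Kind.IDENTIFIER)) {
+String identifierName = ((IdentifierTree) argument).name();
+if (SENSITIVE_KEYWORDS.contains(identifierName)) {
+System.out.println("日志中包含敏感信息: " + identifierName);
+reportIssue(argument, "日志中包含敏感信息");
+}
+}
+}
+}
+}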
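Review bot: The `||` chain in `isLoggerErrorMethod` binds looser than the `&&` terms before it, so the `enclosingClass != null` and `org.slf4j.Logger` conditions only guard the `error` name; any method called `info`, `debug`, `warn` or `trace` on any type is treated as a logger call and its identifier arguments are reported, while a non-SLF4J logger is still missed. Group the names so the owner check covers all of them: `return enclosingClass != null` / `&& "org.slf4j.Logger".equals(enclosingClass.type().fullyQualifiedName())` / `&& Arrays.asList("error", "info", "debug", "warn", "trace").contains(methodSymbol.name());` (a `static final Set<String>` next to `SENSITIVE_KEYWORDS` reads better than an inline list). The `System.out.println` in `checkLogArguments` writes to the analyzer's stdout on every finding and should be removed; `reportIssue` is the only output a check needs. Matching is an exact, case-sensitive comparison of a bare identifier against three words, so `userPassword`, `pwd`, `user.getToken()` or a concatenated message are not detected — either state that limitation in the rule description or widen the match deliberately (e.g. case-insensitive substring on identifiers and member selects).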

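--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.html
@@ -0,0 +1,9 @@
+<p>日志中包含敏感信息</p>
+<h2>日志中包含敏感信息</h2>
+<pre>
+</pre>
+<h2>合规解决方案</h2>
+<pre>
+</pre>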

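--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AvoidSensitiveInfoInLogsCheck.json
@@ -0,0 +1,13 @@
+{
+"title": "日志中包含敏感信息",
+"type": "CODE_SMELL",
+"status": "ready",
+"remediation": {
+"func": "Constant\/Issue",
+"constantCost": "5min"
+},
+"tags": [
+"28suo"
+],
+"defaultSeverity": "Minor"
+}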
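Review bot: `"type": "CODE_SMELL"` with `"defaultSeverity": "Minor"` files a rule about credentials reaching log files under maintainability, so its findings do not appear in SonarQube's Security views or security reports. The rule metadata also accepts `"VULNERABILITY"` (or `"SECURITY_HOTSPOT"` when the finding needs human review); consider `"type": "VULNERABILITY"` with a higher default severity, and a `"cwe"` tag next to `"28suo"` — the weakness class is CWE-532, insertion of sensitive information into a log file — so the rule is picked up by the security quality profile.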

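--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/AvoidSensitiveInfoInLogsCheck.java
@@ -0,0 +1,20 @@
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+public class ExampleClass {
+private static final Logger logger = LoggerFactory.getLogger(ExampleClass.class);
+public void sensitiveOperation() {
+String password = "password";
+String token = "password";
+String secret = "password";
+logger.error(password); // Noncompliant {{日志中包含敏感信息}}
+logger.info(token); // Noncompliant {{日志中包含敏感信息}}
+logger.debug(secret); // Noncompliant {{日志中包含敏感信息}}
+logger.warn(password); // Noncompliant {{日志中包含敏感信息}}
+logger.trace(password); // Noncompliant {{日志中包含敏感信息}}
+}
+}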
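Review bot: The fixture has only noncompliant lines on an `org.slf4j.Logger`, so nothing exercises the rule's negative path and the operator-precedence defect in the check's method matching (any `info`/`debug`/`warn`/`trace` method on any type is treated as a logger call) passes `verifyIssues()` unnoticed. Add compliant cases that the verifier must see no issue on: a non-sensitive argument such as `logger.error(user); // Compliant`, and a same-named method on a non-logger type, e.g. `private void info(String s) {}` called as `info(password); // Compliant`, which the current check would wrongly report. A case with a non-identifier argument (`logger.info("pw=" + password)`) also documents the limitation that only bare identifiers are inspected.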

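--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AvoidSensitiveInfoInLogsCheckTest.java
@@ -0,0 +1,30 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称Java 信息安全性设计准则
+* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
+*/
+package com.keyware.sonar.java.rules.checkers;
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+/**
+*
+* @author WuHaoYang
+* @date 2024/1/12
+*/
+public class AvoidSensitiveInfoInLogsCheckTest {
+@Test
+void detected() {
+CheckVerifier.newVerifier()
+.onFile("src/test/files/AvoidSensitiveInfoInLogsCheck.java")
+.withCheck(new AvoidSensitiveInfoInLogsCheck())
+.withClassPath(FilesUtils.getClassPath("target/test-jars"))
+.verifyIssues();
+}
+}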