特别指出:
所以,sonarqube默认过滤掉了resources下的文件;
以下代码可以扫出yml / xml /properties 等文件中的敏感字符,当然是放在src/main下的,不是resources;
下载源码与使用详情参考:
假设你已经有了sonarqube-java源码,并且已经把sonarqube部署到电脑上;因为我的代码是基于SonarSource / sonar-java源码中示例项目docs/java-custom-rules-example
就进行如下步骤:
1、创建CustomNameCheck
package org.sonar.samples.java.custom;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.fs.TextRange;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.batch.sensor.issue.NewIssue;
import org.sonar.api.batch.sensor.issue.NewIssueLocation;
import org.sonar.api.rule.RuleKey;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.JavaCheck;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.regex.Pattern;
@Rule(key = "CustomName")
//@Rule(key = "CustomName",name = "Custom Sensitive Information Rule txt txt",description = "ddddddddddddddddddddddddddd",tags = { "bugs", "gandalf", "magic"},priority = Priority.CRITICAL)
public class CustomNameCheck implements Sensor ,JavaCheck{
private static final Pattern SENSITIVE_PATTERN = Pattern.compile(".*(username|password).*", Pattern.CASE_INSENSITIVE);
// private final FileSystem fs;
@Override
public void describe(SensorDescriptor descriptor) {
// System.out.println("------------------------------describe--");
descriptor.name("Hardcoding is not allowed, username or password")
.onlyOnLanguage("java");
}
@Override
public void execute(SensorContext context) {
// System.out.println("------------------------------execute--");
FileSystem fileSystem = context.fileSystem();
Iterable<InputFile> inputFiles = fileSystem.inputFiles(fileSystem.predicates().all());
String absolutePath;
for(InputFile input:inputFiles ){
absolutePath = input.absolutePath();
try {
scanFile(input,context,absolutePath);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}
private void scanFile(InputFile inputFile, SensorContext context,String absolutePath) throws IOException {
// System.out.println("---------------------scanFile----" + absolutePath);
try(BufferedReader reader = new BufferedReader(new FileReader(absolutePath))) {
String line;
int lineNumber = 0;
while ((line = reader.readLine()) != null) {
lineNumber++;
if (SENSITIVE_PATTERN.matcher(line.toLowerCase()).matches()) {
NewIssue newIssue = context.newIssue().forRule(RuleKey.of("mycompany-java", "CustomName"));
TextRange range = inputFile.newRange(lineNumber, 0, lineNumber, line.length());
NewIssueLocation newIssueLocation = newIssue.newLocation()
.on(inputFile)
.message("Hardcoding is not allowed, username or password").at(range);
newIssue.at(newIssueLocation).save();
}
}
}
}
}
2、将CustomNameCheck 加入到RulesList
3、编写.html .json文件
CustomName.html如下
<!DOCTYPE html>
<html>
<head>
<title>Custom Sensitive Information Rule - implements Sensor</title>
</head>
<body>
<h1>Sensitive Information Rule TXT TXT</h1>
<p>This rule detects hardcoded sensitive information such as 'username' or 'password' in the code.</p>
<h2>Rule Description</h2>
<p>Hardcoding sensitive information can lead to security vulnerabilities and is considered a bad practice. This rule helps identify such cases in your codebase.</p>
<h2>Examples</h2>
<h3>Non-compliant Code</h3>
<pre>
private static final String username = "myUsername";
private static final String password = "myPassword";
</pre>
<h3>Compliant Code</h3>
<pre>
private static final String someValue = "value"; // Use configuration files or environment variables
</pre>
<h2>Best Practices</h2>
<ul>
<li>Do not hardcode sensitive information in your codebase.</li>
<li>Use configuration files or environment variables to manage sensitive data securely.</li>
</ul>
</body>
</html>
CustomName.json如下
{
"title": "Custom Sensitive Information Rule - implements Sensor",
"type": "Bug",
"status": "ready",
"tags": [
"bugs",
"gandalf",
"magic"
],
"defaultSeverity": "Critical"
}
4、将CustomNameCheck 加入到MyJavaRulesPlugin
(为什么要把CustomNameCheck 加入到MyJavaRulesPlugin? 我也不知道,只是如果不加入,扫描时无法使用这条规则)
5、测试代码也要加入,不然打包会报错;
5、打包
mvn clean install -f .\pom_SQ_9_9_LTS.xml
6、将新生成的jar放到sonarqube\安装目录\extensions\plugins,然后重启项目
接下来如何在sonarqube使用这些规则?请参考:
SonarQube使用新增的自定义规则,进行maven项目扫描 - yxchun - 博客园 (cnblogs.com)
标签:username,java,自定义,sonarqube,Rule,api,org,sonar,import From: https://www.cnblogs.com/ychun/p/18367259