SonarQube:识别代码中的 username/password 关键字,分别使用 Tree.Kind.STRING_LITERAL、Tree.Kind.IDENTIFIER、Tree.Kind.TEXT_BLOCK 三种节点类型
关于 Tree.Kind.STRING_LITERAL、Tree.Kind.IDENTIFIER、Tree.Kind.TEXT_BLOCK 之间的区别,请参考:
Tree.Kind.STRING_LITERAL 、Tree.Kind.IDENTIFIER、Tree.Kind.TEXT_BLOCK 区别 - yxchun - 博客园 (cnblogs.com)
1、使用 Tree.Kind.STRING_LITERAL
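package org.sonar.samples.java.checks;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.JavaFileScanner;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.Tree;

/**
 * Reports ordinary string literals whose text contains a sensitive keyword ("username", "password").
 *
 * <p>This is a keyword heuristic, not a secret detector: it flags the presence of the word itself
 * (for example {@code "password"} used as a form-field or map key) and says nothing about a literal
 * that holds a real credential without containing the word. Treat a hit as a prompt for manual
 * review rather than as proof that a credential is hardcoded. Text blocks are a separate
 * {@code Tree.Kind} ({@code TEXT_BLOCK}) and are not visited by this rule.
 */
@Rule(key = "HardcodedSensitiveInfo2Rule")
public class HardcodedSensitiveInfo2Rule extends IssuableSubscriptionVisitor implements JavaFileScanner {

  /** Keywords matched case-insensitively as substrings of the literal's text. */
  private static final List<String> SENSITIVE_KEYWORDS = Arrays.asList("username", "password");

  @Override
  public List<Tree.Kind> nodesToVisit() {
    // Subscribe to STRING_LITERAL only; visitNode therefore never sees another kind.
    return Collections.singletonList(Tree.Kind.STRING_LITERAL);
  }

  /**
   * Raises one issue per matching keyword on the visited literal.
   *
   * @param tree the visited node; always a STRING_LITERAL because that is the only subscribed kind
   */
  @Override
  public void visitNode(Tree tree) {
    // nodesToVisit() already restricts the callback to STRING_LITERAL, so no tree.is(...) re-check.
    LiteralTree stringLiteral = (LiteralTree) tree;
    // Locale.ROOT keeps the match independent of the JVM default locale.
    // value() is the literal's source text (presumably quotes included), which a substring match tolerates.
    String value = stringLiteral.value().toLowerCase(Locale.ROOT);
    for (String keyword : SENSITIVE_KEYWORDS) {
      if (value.contains(keyword)) {
        reportIssue(tree, "Avoid hardcoding sensitive information such as " + keyword);
      }
    }
  }
}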
2、使用Tree.Kind.IDENTIFIER
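package org.sonar.samples.java.checks;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.JavaFileScanner;
import org.sonar.plugins.java.api.JavaFileScannerContext;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.Tree;

/**
 * Reports identifiers (variable, field, method or parameter names) whose name contains
 * "username" or "password".
 *
 * <p>The rule inspects the name only; it does not check whether a literal value is assigned to it,
 * so it is a naming heuristic rather than a hardcoded-credential detector. Because every
 * {@code IDENTIFIER} node is visited, a single variable is presumably reported at each occurrence,
 * not just at its declaration.
 */
@Rule(key = "HardcodedSensitiveInfoRule")
public class HardcodedSensitiveInfoRule extends IssuableSubscriptionVisitor implements JavaFileScanner {

  /** Keywords matched case-insensitively as substrings of the identifier name. */
  private static final List<String> SENSITIVE_KEYWORDS = Arrays.asList("username", "password");

  @Override
  public List<Tree.Kind> nodesToVisit() {
    return Collections.singletonList(Tree.Kind.IDENTIFIER);
  }

  /**
   * Raises a single issue on the identifier when its name contains any sensitive keyword.
   *
   * @param tree the visited node; always an IDENTIFIER because that is the only subscribed kind
   */
  @Override
  public void visitNode(Tree tree) {
    IdentifierTree identifier = (IdentifierTree) tree;
    // Locale.ROOT keeps the match independent of the JVM default locale.
    String name = identifier.name().toLowerCase(Locale.ROOT);
    if (containsSensitiveKeyword(name)) {
      reportIssue(identifier, "Hardcoding sensitive : Method or parameter, Identifier name should not contain 'username' or 'password'.");
    }
  }

  /** True when the already-lowercased name contains any entry of SENSITIVE_KEYWORDS. */
  private static boolean containsSensitiveKeyword(String lowerCaseName) {
    for (String keyword : SENSITIVE_KEYWORDS) {
      if (lowerCaseName.contains(keyword)) {
        return true;
      }
    }
    return false;
  }
}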
3、使用Tree.Kind.TEXT_BLOCK
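package org.sonar.samples.java.checks;

import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.Tree.Kind;

/**
 * Reports text blocks ({@code """..."""}) whose content contains "username" or "password".
 *
 * <p>Text blocks are commonly used to embed multi-line configuration, queries or templates, which
 * is where credential-like content tends to appear. The match is a case-insensitive substring test
 * on the whole block, so it also fires on the keyword used as a plain field name; it is a review
 * prompt, not proof of a hardcoded secret. Ordinary string literals are a different
 * {@code Kind} ({@code STRING_LITERAL}) and are not covered here.
 */
@Rule(key = "MyTxtBlockCheck")
public class MyTxtBlockCheck extends IssuableSubscriptionVisitor {

  @Override
  public List<Kind> nodesToVisit() {
    // Subscribe to TEXT_BLOCK only; visitNode therefore never sees another kind.
    return Collections.singletonList(Kind.TEXT_BLOCK);
  }

  /**
   * Raises a single issue on the text block when its content contains either keyword.
   *
   * @param tree the visited node; always a TEXT_BLOCK because that is the only subscribed kind
   */
  @Override
  public void visitNode(Tree tree) {
    // nodesToVisit() already restricts the callback to TEXT_BLOCK, so no tree.is(...) re-check.
    LiteralTree textBlock = (LiteralTree) tree;
    // Locale.ROOT keeps the match independent of the JVM default locale.
    String value = textBlock.value().toLowerCase(Locale.ROOT);
    if (value.contains("username") || value.contains("password")) {
      reportIssue(tree, "Sensitive information detected: 'username' or 'password'.");
    }
  }
}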