Code audit [findbugs plugin introduction]
阿新 • Published: 2019-02-10
Plugin file: sonar-findbugs-plugin-3.7.0.jar
findbugs.xml, main configuration file: code rule analysis (which detector classes run and which rule keys they report)
<Detector class="com.h3xstream.findsecbugs.crypto.DesUsageDetector" reports="DES_USAGE"/>
# class="com.h3xstream.findsecbugs.crypto.DesUsageDetector" is the referenced detector class (the package that implements the check)
# reports="DES_USAGE" is the key of the matching rule definition
org.sonar.plugins.findbugs.rules.FindSecurityBugsRulesDefinition, the class that loads the rule description configuration file
package org.sonar.plugins.findbugs.rules;

import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.api.server.rule.RulesDefinition.Context;
import org.sonar.api.server.rule.RulesDefinition.NewRepository;
import org.sonar.api.server.rule.RulesDefinitionXmlLoader;

public final class FindSecurityBugsRulesDefinition implements RulesDefinition {

    public static final String REPOSITORY_KEY = "findsecbugs";          // repository key
    public static final String REPOSITORY_NAME = "Find Security Bugs";  // repository name
    public static final int RULE_COUNT = 104;                           // number of rules in rules-findsecbugs.xml

    public void define(RulesDefinition.Context context) {
        // Create the "findsecbugs" repository for the Java language
        RulesDefinition.NewRepository repository =
            context.createRepository("findsecbugs", "java").setName("Find Security Bugs");
        // Load every <rule> from the XML resource on the classpath into the repository
        RulesDefinitionXmlLoader ruleLoader = new RulesDefinitionXmlLoader();
        ruleLoader.load(repository,
            FindSecurityBugsRulesDefinition.class.getResourceAsStream("/org/sonar/plugins/findbugs/rules-findsecbugs.xml"),
            "UTF-8");
        repository.done();
    }
}
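The two files have to agree: every `reports` key a `Detector` in findbugs.xml emits must have a `<rule key>` in rules-findsecbugs.xml, or SonarQube silently drops those findings. The following is an added example, not code from the post or from the sonar-findbugs project, that parses constructed fragments of both files and lists the unmapped keys; the second detector (`com.example.HypotheticalDetector`, key `HYPOTHETICAL_KEY`) is invented so that the check has something to report.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class RuleMappingCheck {

    // Constructed sample of findbugs.xml: the DES detector from the post plus a
    // hypothetical detector whose reports key has no matching <rule>.
    static final String FINDBUGS_XML =
        "<FindbugsPlugin>"
      + "  <Detector class=\"com.h3xstream.findsecbugs.crypto.DesUsageDetector\" reports=\"DES_USAGE\"/>"
      + "  <Detector class=\"com.example.HypotheticalDetector\" reports=\"HYPOTHETICAL_KEY\"/>"
      + "</FindbugsPlugin>";

    // Constructed sample of rules-findsecbugs.xml, reduced to the fields the check needs.
    static final String RULES_XML =
        "<rules>"
      + "  <rule key='DES_USAGE' priority='MAJOR'><name>Security - DES/DESede is insecure</name></rule>"
      + "</rules>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The files are trusted plugin resources, but the parser should still refuse DTDs and external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Collect one attribute over all elements with the given tag; comma-separated values are split. */
    static Set<String> attributeValues(Document doc, String tag, String attr) {
        Set<String> out = new TreeSet<>();
        NodeList nodes = doc.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            // A Detector may list several keys as reports="A,B,C"; check each on its own.
            for (String v : e.getAttribute(attr).split(",")) {
                if (!v.trim().isEmpty()) out.add(v.trim());
            }
        }
        return out;
    }

    /** reports keys for which no <rule key=...> exists: findings with these keys would be lost. */
    static Set<String> unmappedReports(String findbugsXml, String rulesXml) throws Exception {
        Set<String> reported = attributeValues(parse(findbugsXml), "Detector", "reports");
        Set<String> defined = attributeValues(parse(rulesXml), "rule", "key");
        Set<String> missing = new TreeSet<>(reported);
        missing.removeAll(defined);
        return missing;
    }

    public static void main(String[] args) throws Exception {
        Set<String> defined = attributeValues(parse(RULES_XML), "rule", "key");
        System.out.println("rules defined: " + defined.size() + " (RULE_COUNT in the plugin class is 104)");
        for (String key : unmappedReports(FINDBUGS_XML, RULES_XML)) {
            System.out.println("no rule definition for reports key: " + key);
        }
    }
}
```

Run against the real files extracted from the plugin jar, the same check also lets you compare the number of `<rule>` elements with `RULE_COUNT` after editing either file.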
org.sonar.plugins.findbugs.rules-findsecbugs.xml # rule description configuration file
<rule key='DES_USAGE' priority='MAJOR'>
  <name>Security - DES/DESede is insecure</name>
  <configKey>DES_USAGE</configKey>
  <description>
    <p>
      DES and DESede (3DES) are not considered strong ciphers for modern applications.
      Currently, NIST recommends the usage of AES block ciphers instead of DES/3DES.
    </p>
    <p>
      <b>Example weak code:</b>
      <pre>Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);</pre>
    </p>
    <p>
      <b>Example solution:</b>
      <pre>Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);</pre>
    </p>
    <br/>
    <p>
      <b>References</b><br/>
      <a href="http://www.nist.gov/itl/fips/060205_des.cfm">NIST Withdraws Outdated Data Encryption Standard</a><br/>
      <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a>
    </p>
  </description>
  <tag>owasp-a6</tag>
  <tag>cryptography</tag>
  <tag>cwe</tag>
  <tag>security</tag>
</rule>