插件文件:sonar-findbugs-plugin-3.7.0.jar
findbugs.xml 主配置文件:代码规则分析
<Detector class="com.h3xstream.findsecbugs.crypto.DesUsageDetector" reports="DES_USAGE"/>
# class="com.h3xstream.findsecbugs.crypto.DesUsageDetector" 引用的数据包
# reports="DES_USAGE" 对应规则定义的key
org.sonar.plugins.findbugs.rules.FindSecurityBugsRulesDefinition 规则对应说明配置文件
package org.sonar.plugins.findbugs.rules;
import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.api.server.rule.RulesDefinition.Context;
import org.sonar.api.server.rule.RulesDefinition.NewRepository;
import org.sonar.api.server.rule.RulesDefinitionXmlLoader;
public final class FindSecurityBugsRulesDefinition
implements RulesDefinition
{
public static final String REPOSITORY_KEY = "findsecbugs"; #资源库key
public static final String REPOSITORY_NAME = "Find Security Bugs"; #资源库名称
public static final int RULE_COUNT = 104;
public void define(RulesDefinition.Context context)
{
RulesDefinition.NewRepository repository = context.createRepository("findsecbugs", "java").setName("Find Security Bugs");
RulesDefinitionXmlLoader ruleLoader = new RulesDefinitionXmlLoader();
ruleLoader.load(repository, FindSecurityBugsRulesDefinition.class.getResourceAsStream("/org/sonar/plugins/findbugs/rules-findsecbugs.xml"), "UTF-8");
repository.done();
}
}
org.sonar.plugins.findbugs.rules-findsebus.xml # 规则对应说明配置文件
<rule key='DES_USAGE' priority='MAJOR'>
<name>Security - DES/DESede is insecure</name>
<configKey>DES_USAGE</configKey>
<description><p>
DES and DESede (3DES) are not considered strong ciphers for modern applications. Currently, NIST recommends the
usage of AES block ciphers instead of DES/3DES.
</p>
<p>
<b>Example weak code:</b>
<pre>Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);</pre>
</p>
<p>
<b>Example solution:</b>
<pre>Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://www.nist.gov/itl/fips/060205_des.cfm">NIST Withdraws Outdated Data Encryption Standard</a><br/>
<a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a>
</p></description>
<tag>owasp-a6</tag>
<tag>cryptography</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>