diff --git a/its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json b/its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json index 613874e73b5..3e21d84caf8 100644 --- a/its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json +++ b/its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json @@ -1931,12 +1931,6 @@ "falseNegatives": 37, "falsePositives": 0 }, - { - "ruleKey": "S4792", - "hasTruePositives": true, - "falseNegatives": 19, - "falsePositives": 0 - }, { "ruleKey": "S4830", "hasTruePositives": true, diff --git a/java-checks-test-sources/default/src/main/java/checks/security/AndroidUnencryptedDatabaseCheckSample.java b/java-checks-test-sources/default/src/main/java/checks/security/AndroidUnencryptedDatabaseCheckSample.java deleted file mode 100644 index 61c49d7df54..00000000000 --- a/java-checks-test-sources/default/src/main/java/checks/security/AndroidUnencryptedDatabaseCheckSample.java +++ /dev/null @@ -1,108 +0,0 @@ -package checks.security; - -import android.app.Activity; -import android.content.Context; -import android.database.DatabaseErrorHandler; -import android.database.sqlite.SQLiteDatabase; -import android.preference.PreferenceManager; -import io.realm.RealmConfiguration; -import java.io.File; - -public class AndroidUnencryptedDatabaseCheckSample { - - RealmConfiguration.Builder builderAsField; - - void testSharedPreferences(Activity activity, Context context, PreferenceManager preferenceManager) { - activity.getPreferences(1); // Noncompliant {{Make sure using an unencrypted database is safe here.}} -// ^^^^^^^^^^^^^^ - activity().getPreferences(2); // Noncompliant - myActivity().getPreferences(3); // Noncompliant - myActivity().getPreferences(3, 4); // Compliant, unrelated method - - context.getSharedPreferences(new File(""), 1); // Noncompliant {{Make sure using an unencrypted database is safe here.}} -// ^^^^^^^^^^^^^^^^^^^^ - context.getSharedPreferences("file", 1); // Noncompliant - - PreferenceManager.getDefaultSharedPreferences(context); // Noncompliant - } - - void testSQLiteDatabase(Context context, SQLiteDatabase.CursorFactory cursorFactory, DatabaseErrorHandler databaseErrorHandler) { - context.openOrCreateDatabase("name", 1, cursorFactory); // Noncompliant {{Make sure using an unencrypted database is safe here.}} -// ^^^^^^^^^^^^^^^^^^^^ - context.openOrCreateDatabase("name", 1, cursorFactory, databaseErrorHandler); // Noncompliant - } - - void testRealm() { - new RealmConfiguration.Builder() - .build(); // Noncompliant -// ^^^^^ - - new RealmConfiguration.Builder() - .name("") - .build(); // Noncompliant - - new RealmConfiguration.Builder() - .name("") - .encryptionKey(new byte[1]) - .build(); // Compliant - - RealmConfiguration.Builder builder = new RealmConfiguration.Builder(); - builder.name(""); - builder.build(); // Noncompliant - - RealmConfiguration.Builder builder2 = new RealmConfiguration.Builder(); - builder2.encryptionKey(new byte[1]); - builder2.build(); // Compliant - - RealmConfiguration.Builder builder3 = new RealmConfiguration.Builder(); - builder3.name("").encryptionKey(new byte[1]); - builder3.build(); // Compliant - - RealmConfiguration.Builder builder3_2 = new RealmConfiguration.Builder(); - builder3_2.encryptionKey(new byte[1]).name(""); - builder3_2.build(); // Compliant - - RealmConfiguration.Builder builder4 = new RealmConfiguration.Builder().encryptionKey(new byte[1]); - builder4.build(); // Compliant - - RealmConfiguration.Builder builder5 = new RealmConfiguration.Builder().name(""); - builder5.name(""); - builder5.build(); // Noncompliant - - RealmConfiguration.Builder builder6 = new RealmConfiguration.Builder().name(""); - addProperty(builder6); - builder6.build(); // Compliant - - new BuilderProvider() - .getBuilder() - .name("") - .build(); // Compliant - - builderAsField.build(); // Compliant, field can be modified somewhere else - } - - void addProperty(RealmConfiguration.Builder builder) { - builder.encryptionKey(new byte[0]); - } - - Activity activity() { - return new Activity(); - } - - MyActivity myActivity() { - return new MyActivity(); - } - - class MyActivity extends Activity { - void getPreferences(int i, int j) { - - } - } - - class BuilderProvider { - RealmConfiguration.Builder getBuilder() { - return new RealmConfiguration.Builder(); - } - } - -} diff --git a/java-checks-test-sources/default/src/main/java/checks/security/AndroidUnencryptedFilesCheckSample.java b/java-checks-test-sources/default/src/main/java/checks/security/AndroidUnencryptedFilesCheckSample.java deleted file mode 100644 index d06dcbc0011..00000000000 --- a/java-checks-test-sources/default/src/main/java/checks/security/AndroidUnencryptedFilesCheckSample.java +++ /dev/null @@ -1,31 +0,0 @@ -package checks.security; - -import java.io.BufferedWriter; -import java.io.File; -import java.io.FileOutputStream; -import java.io.FileWriter; -import java.io.IOException; -import java.io.Writer; -import java.nio.file.Files; -import java.nio.file.Path; - -public class AndroidUnencryptedFilesCheckSample { - void fileWrite(Path path) throws IOException { - Files.write(path, "content".getBytes()); // Noncompliant {{Make sure using unencrypted files is safe here.}} -// ^^^^^ - } - - void fileOutputStreamWrite(File file) throws IOException { - FileOutputStream out = new FileOutputStream(file); // Noncompliant {{Make sure using unencrypted files is safe here.}} -// ^^^^^^^^^^^^^^^^ - out.write("content".getBytes()); - } - - void fileOutputStreamWrite(Writer writer) throws IOException { - FileWriter fw = new FileWriter("outfilename", true); // Noncompliant {{Make sure using unencrypted files is safe here.}} -// ^^^^^^^^^^ - BufferedWriter output = new BufferedWriter(fw); // Compliant, reported on - output.write("some test content..."); - } - -} diff --git a/java-checks-test-sources/default/src/main/java/checks/security/LogConfigurationCheckSample.java b/java-checks-test-sources/default/src/main/java/checks/security/LogConfigurationCheckSample.java deleted file mode 100644 index eff591d0895..00000000000 --- a/java-checks-test-sources/default/src/main/java/checks/security/LogConfigurationCheckSample.java +++ /dev/null @@ -1,94 +0,0 @@ -package checks.security; - -import java.io.File; -import java.io.InputStream; -import java.net.URI; -import java.net.URL; -import java.util.Map; -import org.apache.logging.log4j.Level; -import org.apache.logging.log4j.core.Appender; -import org.apache.logging.log4j.core.Filter; -import org.apache.logging.log4j.core.LoggerContext; -import org.apache.logging.log4j.core.config.Configuration; -import org.apache.logging.log4j.core.config.ConfigurationFactory; -import org.apache.logging.log4j.core.config.ConfigurationSource; -import org.apache.logging.log4j.core.config.Configurator; -import org.apache.logging.log4j.core.config.LoggerConfig; -import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory; - -class Log4J2 { - - InputStream stream; - File file; - URL url; - ClassLoader loader; - Map levelMap; - Configuration config; - Appender appender; - URI uri; - LoggerContext context; - Level level; - Filter filter; - - // Questionable: creating a new custom configuration - abstract class CustomConfigFactory extends ConfigurationFactory { } // Noncompliant {{Make sure that this logger's configuration is safe.}} -// ^^^^^^^^^^^^^^^^^^^^ - - void fun() throws Exception { - // Questionable: creating a new custom configuration - ConfigurationBuilderFactory.newConfigurationBuilder(); // Noncompliant {{Make sure that this logger's configuration is safe.}} -// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - // Questionable: setting loggers level can result in writing sensitive information in production - Configurator.setAllLevels("com.example", Level.DEBUG); // Noncompliant - Configurator.setLevel("com.example", Level.DEBUG); // Noncompliant - Configurator.setLevel(levelMap); // Noncompliant - Configurator.setRootLevel(Level.DEBUG); // Noncompliant - - // Questionable: this modifies the configuration - config.addAppender(appender); // Noncompliant - - context.setConfigLocation(uri); // Noncompliant - - // Questionable: Load the configuration from a stream or file - new ConfigurationSource(stream); // Noncompliant - new ConfigurationSource(stream, file); // Noncompliant - new ConfigurationSource(stream, url); // Noncompliant - ConfigurationSource.fromResource("source", loader); // Noncompliant - ConfigurationSource.fromUri(uri); // Noncompliant - - LoggerConfig loggerConfig = config.getRootLogger(); - loggerConfig.addAppender(appender, level, filter); // Noncompliant - loggerConfig.setLevel(level); // Noncompliant - - } -} - -class JavaLogging { - java.util.logging.LogManager logManager; - java.util.logging.Logger logger; - java.util.logging.Handler handler; - - // === java.util.logging === - void fun(java.io.InputStream is) throws Exception { - - logManager.readConfiguration(is); // Noncompliant - logger.setLevel(java.util.logging.Level.FINEST); // Noncompliant - logger.addHandler(handler); // Noncompliant - } -} - -class LogBack { - ch.qos.logback.classic.Logger logger; - ch.qos.logback.core.FileAppender fileAppender; - - void fun() { - // === Logback === - System.setProperty(ch.qos.logback.classic.util.ContextInitializer.CONFIG_FILE_PROPERTY, "config.xml"); // Noncompliant - System.setProperty("someotherproperty", "config.xml"); - ch.qos.logback.classic.joran.JoranConfigurator configurator = new ch.qos.logback.classic.joran.JoranConfigurator(); // Noncompliant - - logger.addAppender(fileAppender); // Noncompliant - logger.setLevel(ch.qos.logback.classic.Level.DEBUG); // Noncompliant - } -} diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/AndroidUnencryptedDatabaseCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/AndroidUnencryptedDatabaseCheck.java deleted file mode 100644 index 6e24fc42734..00000000000 --- a/java-checks/src/main/java/org/sonar/java/checks/security/AndroidUnencryptedDatabaseCheck.java +++ /dev/null @@ -1,141 +0,0 @@ -/* - * SonarQube Java - * Copyright (C) SonarSource Sàrl - * mailto:info AT sonarsource DOT com - * - * You can redistribute and/or modify this program under the terms of - * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - * See the Sonar Source-Available License for more details. - * - * You should have received a copy of the Sonar Source-Available License - * along with this program; if not, see https://sonarsource.com/license/ssal/ - */ -package org.sonar.java.checks.security; - -import java.util.Collections; -import java.util.List; -import org.sonar.check.Rule; -import org.sonar.java.checks.helpers.MethodTreeUtils; -import org.sonar.java.model.ExpressionUtils; -import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; -import org.sonar.plugins.java.api.semantic.MethodMatchers; -import org.sonar.plugins.java.api.semantic.Symbol; -import org.sonar.plugins.java.api.tree.ExpressionTree; -import org.sonar.plugins.java.api.tree.IdentifierTree; -import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree; -import org.sonar.plugins.java.api.tree.MethodInvocationTree; -import org.sonar.plugins.java.api.tree.NewClassTree; -import org.sonar.plugins.java.api.tree.Tree; -import org.sonar.plugins.java.api.tree.VariableTree; - -@Rule(key = "S6291") -public class AndroidUnencryptedDatabaseCheck extends IssuableSubscriptionVisitor { - - private static final String JAVA_LANG_STRING = "java.lang.String"; - private static final String ANDROID_CONTENT_CONTEXT = "android.content.Context"; - private static final String REALM_CONFIGURATION_BUILDER_TYPE = "io.realm.RealmConfiguration$Builder"; - - private static final MethodMatchers UNSAFE_DATABASE_CALL = MethodMatchers.or( - MethodMatchers.create() - .ofSubTypes("android.app.Activity") - .names("getPreferences") - .addParametersMatcher("int") - .build(), - MethodMatchers.create() - .ofSubTypes("android.preference.PreferenceManager") - .names("getDefaultSharedPreferences") - .addParametersMatcher(ANDROID_CONTENT_CONTEXT) - .build(), - MethodMatchers.create() - .ofSubTypes(ANDROID_CONTENT_CONTEXT) - .names("getSharedPreferences") - .addParametersMatcher(JAVA_LANG_STRING, "int") - .addParametersMatcher("java.io.File", "int") - .build(), - MethodMatchers.create() - .ofSubTypes(ANDROID_CONTENT_CONTEXT) - .names("openOrCreateDatabase") - .addParametersMatcher(JAVA_LANG_STRING, "int", "android.database.sqlite.SQLiteDatabase$CursorFactory") - .addParametersMatcher(JAVA_LANG_STRING, "int", "android.database.sqlite.SQLiteDatabase$CursorFactory", "android.database.DatabaseErrorHandler") - .build() - ); - - private static final MethodMatchers REALM_CONFIGURATION_BUILDER_BUILD = MethodMatchers.create() - .ofSubTypes(REALM_CONFIGURATION_BUILDER_TYPE) - .names("build") - .addWithoutParametersMatcher() - .build(); - - private static final MethodMatchers REALM_CONFIGURATION_BUILDER_ENCRYPTION_KEY = MethodMatchers.create() - .ofSubTypes(REALM_CONFIGURATION_BUILDER_TYPE) - .names("encryptionKey") - .withAnyParameters() - .build(); - - private static final MethodMatchers REALM_CONFIGURATION_BUILDER_BUILDER = MethodMatchers.create() - .ofSubTypes(REALM_CONFIGURATION_BUILDER_TYPE) - .constructor() - .withAnyParameters() - .build(); - - @Override - public List nodesToVisit() { - return Collections.singletonList(Tree.Kind.METHOD_INVOCATION); - } - - @Override - public void visitNode(Tree tree) { - MethodInvocationTree mit = (MethodInvocationTree) tree; - if (UNSAFE_DATABASE_CALL.matches(mit) || (REALM_CONFIGURATION_BUILDER_BUILD.matches(mit) && !isEncrypted(mit.methodSelect()))) { - reportIssue(ExpressionUtils.methodName(mit), "Make sure using an unencrypted database is safe here."); - } - } - - private static boolean isEncrypted(ExpressionTree expression) { - if (expression.is(Tree.Kind.MEMBER_SELECT)) { - expression = ((MemberSelectExpressionTree) expression).expression(); - } - - if (expression.is(Tree.Kind.METHOD_INVOCATION)) { - MethodInvocationTree mit = (MethodInvocationTree) expression; - if (!REALM_CONFIGURATION_BUILDER_ENCRYPTION_KEY.matches(mit)) { - return isEncrypted(mit.methodSelect()); - } - } else if (expression.is(Tree.Kind.IDENTIFIER)) { - Symbol symbol = ((IdentifierTree) expression).symbol(); - if (symbol.usages().stream().anyMatch(AndroidUnencryptedDatabaseCheck::canEncryptToken)) { - return true; - } - return declarationIsEncrypted(symbol); - } else if (expression.is(Tree.Kind.NEW_CLASS)) { - NewClassTree newClassTree = (NewClassTree) expression; - if (REALM_CONFIGURATION_BUILDER_BUILDER.matches(newClassTree)) { - return false; - } - } - return true; - } - - private static boolean canEncryptToken(IdentifierTree tokenIdentifier) { - Tree parent = tokenIdentifier.parent(); - // When given as argument, we consider it as encrypted to avoid FP. - return (parent != null && parent.is(Tree.Kind.ARGUMENTS)) || - MethodTreeUtils.subsequentMethodInvocation(tokenIdentifier, REALM_CONFIGURATION_BUILDER_ENCRYPTION_KEY).isPresent(); - } - - private static boolean declarationIsEncrypted(Symbol symbol) { - if (symbol.isLocalVariable()) { - Tree declaration = symbol.declaration(); - if (declaration instanceof VariableTree variableTree) { - ExpressionTree initializer = variableTree.initializer(); - return initializer instanceof MethodInvocationTree && isEncrypted(initializer); - } - } - // Can be encrypted anywhere (field, other file), we consider it as encrypted - return true; - } -} diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/AndroidUnencryptedFilesCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/AndroidUnencryptedFilesCheck.java deleted file mode 100644 index 259ae8a1f8f..00000000000 --- a/java-checks/src/main/java/org/sonar/java/checks/security/AndroidUnencryptedFilesCheck.java +++ /dev/null @@ -1,70 +0,0 @@ -/* - * SonarQube Java - * Copyright (C) SonarSource Sàrl - * mailto:info AT sonarsource DOT com - * - * You can redistribute and/or modify this program under the terms of - * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - * See the Sonar Source-Available License for more details. - * - * You should have received a copy of the Sonar Source-Available License - * along with this program; if not, see https://sonarsource.com/license/ssal/ - */ -package org.sonar.java.checks.security; - -import java.util.Arrays; -import java.util.List; -import org.sonar.check.Rule; -import org.sonar.java.checks.methods.AbstractMethodDetection; -import org.sonar.java.model.ExpressionUtils; -import org.sonar.plugins.java.api.semantic.MethodMatchers; -import org.sonar.plugins.java.api.tree.MethodInvocationTree; -import org.sonar.plugins.java.api.tree.NewClassTree; -import org.sonar.plugins.java.api.tree.Tree; - -@Rule(key = "S6300") -public class AndroidUnencryptedFilesCheck extends AbstractMethodDetection { - - @Override - public List nodesToVisit() { - return Arrays.asList(Tree.Kind.METHOD_INVOCATION, Tree.Kind.NEW_CLASS); - } - - @Override - protected MethodMatchers getMethodInvocationMatchers() { - return MethodMatchers.or( - MethodMatchers.create() - .ofSubTypes("java.nio.file.Files") - .names("write") - .withAnyParameters() - .build(), - MethodMatchers.create() - .ofSubTypes("java.io.FileWriter", - "java.io.FileOutputStream") - .constructor() - .withAnyParameters() - .build() - ); - } - - @Override - protected void onMethodInvocationFound(MethodInvocationTree mit) { - reportIfInAndroidContext(ExpressionUtils.methodName(mit)); - } - - @Override - protected void onConstructorFound(NewClassTree newClassTree) { - reportIfInAndroidContext(newClassTree.identifier()); - } - - private void reportIfInAndroidContext(Tree tree) { - if (context.inAndroidContext()) { - reportIssue(tree, "Make sure using unencrypted files is safe here."); - } - } - -} diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/LogConfigurationCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/LogConfigurationCheck.java deleted file mode 100644 index 50e3dacd9cd..00000000000 --- a/java-checks/src/main/java/org/sonar/java/checks/security/LogConfigurationCheck.java +++ /dev/null @@ -1,113 +0,0 @@ -/* - * SonarQube Java - * Copyright (C) SonarSource Sàrl - * mailto:info AT sonarsource DOT com - * - * You can redistribute and/or modify this program under the terms of - * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - * See the Sonar Source-Available License for more details. - * - * You should have received a copy of the Sonar Source-Available License - * along with this program; if not, see https://sonarsource.com/license/ssal/ - */ -package org.sonar.java.checks.security; - -import java.util.Arrays; -import java.util.List; -import org.sonar.check.Rule; -import org.sonar.java.checks.helpers.ExpressionsHelper; -import org.sonar.java.checks.methods.AbstractMethodDetection; -import org.sonar.plugins.java.api.semantic.MethodMatchers; -import org.sonar.plugins.java.api.tree.ClassTree; -import org.sonar.plugins.java.api.tree.MethodInvocationTree; -import org.sonar.plugins.java.api.tree.NewClassTree; -import org.sonar.plugins.java.api.tree.Tree; -import org.sonar.plugins.java.api.tree.TypeTree; - -@Rule(key = "S4792") -public class LogConfigurationCheck extends AbstractMethodDetection { - - private static final String LOG4J_CONFIGURATOR = "org.apache.logging.log4j.core.config.Configurator"; - private static final String LOG4J_CONFIGURATION_SOURCE = "org.apache.logging.log4j.core.config.ConfigurationSource"; - private static final String MESSAGE = "Make sure that this logger's configuration is safe."; - private static final String SET_LEVEL = "setLevel"; - private static final String ADD_APPENDER = "addAppender"; - - @Override - public List nodesToVisit() { - return Arrays.asList(Tree.Kind.METHOD_INVOCATION, Tree.Kind.NEW_CLASS, Tree.Kind.METHOD_REFERENCE, Tree.Kind.CLASS); - } - - @Override - protected MethodMatchers getMethodInvocationMatchers() { - return MethodMatchers.or( - MethodMatchers.create() - .ofTypes("org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory") - .names("newConfigurationBuilder") - .addWithoutParametersMatcher() - .build(), - MethodMatchers.create() - .ofTypes(LOG4J_CONFIGURATOR) - .names("setAllLevels", SET_LEVEL, "setRootLevel") - .withAnyParameters() - .build(), - MethodMatchers.create() - .ofTypes("org.apache.logging.log4j.core.config.Configuration") - .names(ADD_APPENDER) - .withAnyParameters() - .build(), - MethodMatchers.create() - .ofTypes("org.apache.logging.log4j.core.config.LoggerConfig") - .names(ADD_APPENDER, SET_LEVEL) - .withAnyParameters() - .build(), - MethodMatchers.create() - .ofTypes("org.apache.logging.log4j.core.LoggerContext") - .names("setConfigLocation") - .withAnyParameters() - .build(), - MethodMatchers.create().ofTypes(LOG4J_CONFIGURATION_SOURCE).names("", "fromResource", "fromUri").withAnyParameters().build(), - MethodMatchers.create().ofTypes("java.util.logging.LogManager").names("readConfiguration").withAnyParameters().build(), - MethodMatchers.create().ofTypes("java.util.logging.Logger").names(SET_LEVEL, "addHandler").withAnyParameters().build(), - MethodMatchers.create().ofTypes("ch.qos.logback.classic.Logger").names(ADD_APPENDER, SET_LEVEL).withAnyParameters().build(), - MethodMatchers.create().ofTypes("ch.qos.logback.classic.joran.JoranConfigurator").constructor().withAnyParameters().build(), - MethodMatchers.create().ofTypes("java.lang.System").names("setProperty").addParametersMatcher("java.lang.String", "java.lang.String").build()); - } - - @Override - public void visitNode(Tree tree) { - if (tree.is(Tree.Kind.CLASS)) { - checkConfigurationFactoryExtension(((ClassTree) tree)); - } else { - super.visitNode(tree); - } - } - - private void checkConfigurationFactoryExtension(ClassTree tree) { - TypeTree superClass = tree.superClass(); - if (superClass != null && superClass.symbolType().is("org.apache.logging.log4j.core.config.ConfigurationFactory")) { - reportIssue(superClass, MESSAGE); - } - } - - @Override - protected void onMethodInvocationFound(MethodInvocationTree mit) { - if ("setProperty".equals(mit.methodSymbol().name())) { - String stringConstant = ExpressionsHelper.getConstantValueAsString(mit.arguments().get(0)).value(); - if ("logback.configurationFile".equals(stringConstant)) { - reportIssue(mit, MESSAGE); - } - } else { - reportIssue(mit, MESSAGE); - } - } - - @Override - protected void onConstructorFound(NewClassTree newClassTree) { - reportIssue(newClassTree, MESSAGE); - } -} diff --git a/java-checks/src/test/java/org/sonar/java/checks/security/AndroidUnencryptedDatabaseCheckTest.java b/java-checks/src/test/java/org/sonar/java/checks/security/AndroidUnencryptedDatabaseCheckTest.java deleted file mode 100644 index 76093bb48af..00000000000 --- a/java-checks/src/test/java/org/sonar/java/checks/security/AndroidUnencryptedDatabaseCheckTest.java +++ /dev/null @@ -1,34 +0,0 @@ -/* - * SonarQube Java - * Copyright (C) SonarSource Sàrl - * mailto:info AT sonarsource DOT com - * - * You can redistribute and/or modify this program under the terms of - * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - * See the Sonar Source-Available License for more details. - * - * You should have received a copy of the Sonar Source-Available License - * along with this program; if not, see https://sonarsource.com/license/ssal/ - */ -package org.sonar.java.checks.security; - -import org.junit.jupiter.api.Test; -import org.sonar.java.checks.verifier.CheckVerifier; - -import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPath; - -class AndroidUnencryptedDatabaseCheckTest { - - @Test - void test() { - CheckVerifier.newVerifier() - .onFile(mainCodeSourcesPath("checks/security/AndroidUnencryptedDatabaseCheckSample.java")) - .withCheck(new AndroidUnencryptedDatabaseCheck()) - .verifyIssues(); - } - -} diff --git a/java-checks/src/test/java/org/sonar/java/checks/security/AndroidUnencryptedFilesCheckTest.java b/java-checks/src/test/java/org/sonar/java/checks/security/AndroidUnencryptedFilesCheckTest.java deleted file mode 100644 index 09c4407fff4..00000000000 --- a/java-checks/src/test/java/org/sonar/java/checks/security/AndroidUnencryptedFilesCheckTest.java +++ /dev/null @@ -1,44 +0,0 @@ -/* - * SonarQube Java - * Copyright (C) SonarSource Sàrl - * mailto:info AT sonarsource DOT com - * - * You can redistribute and/or modify this program under the terms of - * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - * See the Sonar Source-Available License for more details. - * - * You should have received a copy of the Sonar Source-Available License - * along with this program; if not, see https://sonarsource.com/license/ssal/ - */ -package org.sonar.java.checks.security; - -import org.junit.jupiter.api.Test; -import org.sonar.java.checks.verifier.CheckVerifier; - -import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPath; - -class AndroidUnencryptedFilesCheckTest { - - @Test - void test() { - CheckVerifier.newVerifier() - .onFile(mainCodeSourcesPath("checks/security/AndroidUnencryptedFilesCheckSample.java")) - .withCheck(new AndroidUnencryptedFilesCheck()) - .withinAndroidContext(true) - .verifyIssues(); - } - - @Test - void test_not_android_context() { - CheckVerifier.newVerifier() - .onFile(mainCodeSourcesPath("checks/security/AndroidUnencryptedFilesCheckSample.java")) - .withCheck(new AndroidUnencryptedFilesCheck()) - .withinAndroidContext(false) - .verifyNoIssues(); - } - -} diff --git a/java-checks/src/test/java/org/sonar/java/checks/security/LogConfigurationCheckTest.java b/java-checks/src/test/java/org/sonar/java/checks/security/LogConfigurationCheckTest.java deleted file mode 100644 index a3634509a72..00000000000 --- a/java-checks/src/test/java/org/sonar/java/checks/security/LogConfigurationCheckTest.java +++ /dev/null @@ -1,33 +0,0 @@ -/* - * SonarQube Java - * Copyright (C) SonarSource Sàrl - * mailto:info AT sonarsource DOT com - * - * You can redistribute and/or modify this program under the terms of - * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - * See the Sonar Source-Available License for more details. - * - * You should have received a copy of the Sonar Source-Available License - * along with this program; if not, see https://sonarsource.com/license/ssal/ - */ -package org.sonar.java.checks.security; - -import org.junit.jupiter.api.Test; -import org.sonar.java.checks.verifier.CheckVerifier; - -import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPath; - -class LogConfigurationCheckTest { - - @Test - void test() { - CheckVerifier.newVerifier() - .onFile(mainCodeSourcesPath("checks/security/LogConfigurationCheckSample.java")) - .withCheck(new LogConfigurationCheck()) - .verifyIssues(); - } -} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4792.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4792.json deleted file mode 100644 index 5c45ca6b47b..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4792.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "title": "Configuring loggers is security-sensitive", - "type": "SECURITY_HOTSPOT", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "CONVENTIONAL" - }, - "status": "deprecated", - "tags": [], - "defaultSeverity": "Critical", - "ruleSpecification": "RSPEC-4792", - "sqKey": "S4792", - "scope": "Main", - "securityStandards": { - "CWE": [ - 117, - 532 - ], - "OWASP": [ - "A3", - "A10" - ], - "OWASP Top 10 2021": [ - "A9" - ], - "PCI DSS 3.2": [ - "10.1", - "10.2", - "10.3" - ], - "PCI DSS 4.0": [ - "10.2" - ], - "ASVS 4.0": [ - "7.1.1", - "7.1.2" - ] - }, - "quickfix": "unknown" -} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6291.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6291.json deleted file mode 100644 index 0953d7d9de1..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6291.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "title": "Using unencrypted databases in mobile applications is security-sensitive", - "type": "SECURITY_HOTSPOT", - "code": { - "impacts": { - "SECURITY": "MEDIUM" - }, - "attribute": "TRUSTWORTHY" - }, - "status": "deprecated", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "10min" - }, - "tags": [], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-6291", - "sqKey": "S6291", - "scope": "Main", - "securityStandards": { - "CWE": [ - 311 - ], - "OWASP": [ - "A3", - "A6" - ], - "OWASP Mobile": [ - "M2" - ], - "OWASP Mobile Top 10 2024": [ - "M9" - ], - "MASVS": [ - "MSTG-STORAGE-14" - ], - "OWASP Top 10 2021": [ - "A2", - "A4", - "A5" - ], - "PCI DSS 3.2": [ - "2.2", - "6.5.3" - ], - "PCI DSS 4.0": [ - "2.2", - "6.2.4" - ], - "ASVS 4.0": [ - "6.1.1", - "6.1.2", - "6.1.3" - ] - }, - "quickfix": "unknown" -} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6300.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6300.json deleted file mode 100644 index 42668961920..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6300.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "title": "Using unencrypted files in mobile applications is security-sensitive", - "type": "SECURITY_HOTSPOT", - "code": { - "impacts": { - "SECURITY": "MEDIUM" - }, - "attribute": "TRUSTWORTHY" - }, - "status": "deprecated", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "10min" - }, - "tags": [], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-6300", - "sqKey": "S6300", - "scope": "Main", - "securityStandards": { - "CWE": [ - 311 - ], - "OWASP": [ - "A3", - "A6" - ], - "OWASP Mobile": [ - "M2" - ], - "OWASP Mobile Top 10 2024": [ - "M9" - ], - "MASVS": [ - "MSTG-STORAGE-14" - ], - "OWASP Top 10 2021": [ - "A4" - ], - "PCI DSS 3.2": [ - "6.5.3" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "6.1.1", - "6.1.2", - "6.1.3" - ] - }, - "quickfix": "unknown" -}