Merge branch 'main' into dependabot/maven/main/sonar.python.version-4…

….23.0.17664
IBM · Nov 20, 2024 · 123c892 · 123c892
2 parents 8492dd1 + 7139475
commit 123c892
Show file tree

Hide file tree

Showing 220 changed files with 1,346 additions and 424 deletions.
diff --git a/engine/src/main/java/com/ibm/engine/detection/Finding.java b/engine/src/main/java/com/ibm/engine/detection/Finding.java
@@ -19,6 +19,7 @@
  */
 package com.ibm.engine.detection;
 
+import com.ibm.engine.model.IValue;
 import com.ibm.engine.rule.IBundle;
 import java.util.List;
 import javax.annotation.Nonnull;
@@ -35,6 +36,14 @@ public IBundle bundle() {
         return detectionStore.getDetectionRule().bundle();
     }
 
+    @Nonnull
+    public T getMarkerTree() {
+        return detectionStore.getDetectionValues().stream()
+                .map(IValue::getLocation)
+                .findFirst()
+                .orElseThrow();
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

diff --git a/enricher/src/main/java/com/ibm/enricher/algorithm/KEMEnricher.java b/enricher/src/main/java/com/ibm/enricher/algorithm/KEMEnricher.java
@@ -51,10 +51,8 @@ private MLKEM enrichMLKEM(@Nonnull MLKEM mlkem) {
                 case "512" -> mlkem.put(new Oid("2.16.840.1.101.3.4.4.1", detectionLocation));
                 case "768" -> mlkem.put(new Oid("2.16.840.1.101.3.4.4.2", detectionLocation));
                 case "1024" -> mlkem.put(new Oid("2.16.840.1.101.3.4.4.3", detectionLocation));
-                default -> {
-                    // the base OID for NIST KEM
-                    mlkem.put(new Oid("2.16.840.1.101.3.4.4", detectionLocation));
-                }
+                default -> // the base OID for NIST KEM
+                        mlkem.put(new Oid("2.16.840.1.101.3.4.4", detectionLocation));
             }
         }
         return mlkem;

diff --git a/java/pom.xml b/java/pom.xml
@@ -44,13 +44,19 @@
             <!-- This dependency is not explicitely needed, but having it enables IDE linting in BouncyCastle test files -->
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk18on</artifactId>
-            <version>1.78.1</version>
+            <version>1.79</version>
         </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
             <version>33.3.1-jre</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.ibm</groupId>
+            <artifactId>rules</artifactId>
+            <version>2.0.0-SNAPSHOT</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 </project>
diff --git a/java/src/main/java/com/ibm/plugin/JavaCheckRegistrar.java b/java/src/main/java/com/ibm/plugin/JavaCheckRegistrar.java
@@ -20,6 +20,8 @@
 package com.ibm.plugin;
 
 import java.util.List;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Unmodifiable;
 import org.sonar.plugins.java.api.CheckRegistrar;
 import org.sonar.plugins.java.api.JavaCheck;
 import org.sonarsource.api.sonarlint.SonarLintSide;
@@ -35,12 +37,12 @@ public void register(RegistrarContext registrarContext) {
     }
 
     /** Lists all the main checks provided by the java-translation */
-    public static List<Class<? extends JavaCheck>> checkClasses() {
+    public static @NotNull @Unmodifiable List<Class<? extends JavaCheck>> checkClasses() {
         return JavaRuleList.getJavaChecks();
     }
 
     /** Lists all the test checks provided by the java-translation */
-    public static List<Class<? extends JavaCheck>> testCheckClasses() {
+    public static @NotNull @Unmodifiable List<Class<? extends JavaCheck>> testCheckClasses() {
         return JavaRuleList.getJavaTestChecks();
     }
 }
diff --git a/java/src/main/java/com/ibm/plugin/JavaRuleList.java b/java/src/main/java/com/ibm/plugin/JavaRuleList.java
@@ -20,29 +20,33 @@
 package com.ibm.plugin;
 
 import com.ibm.plugin.rules.JavaInventoryRule;
+import com.ibm.plugin.rules.JavaNoMD5UseRule;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Unmodifiable;
+import org.jetbrains.annotations.UnmodifiableView;
 import org.sonar.plugins.java.api.JavaCheck;
 
 public final class JavaRuleList {
 
     private JavaRuleList() {}
 
-    public static List<Class<?>> getChecks() {
+    public static @NotNull @UnmodifiableView List<Class<?>> getChecks() {
         List<Class<? extends JavaCheck>> checks = new ArrayList<>();
         checks.addAll(getJavaChecks());
         checks.addAll(getJavaTestChecks());
         return Collections.unmodifiableList(checks);
     }
 
     /** These rules are going to target MAIN code only */
-    public static List<Class<? extends JavaCheck>> getJavaChecks() {
-        return List.of(JavaInventoryRule.class);
+    public static @NotNull @Unmodifiable List<Class<? extends JavaCheck>> getJavaChecks() {
+        return List.of(JavaInventoryRule.class, JavaNoMD5UseRule.class);
     }
 
     /** These rules are going to target TEST code only */
-    public static List<Class<? extends JavaCheck>> getJavaTestChecks() {
+    public static @NotNull @Unmodifiable List<Class<? extends JavaCheck>> getJavaTestChecks() {
         return List.of();
     }
 }
diff --git a/java/src/main/java/com/ibm/plugin/rules/JavaInventoryRule.java b/java/src/main/java/com/ibm/plugin/rules/JavaInventoryRule.java
@@ -19,45 +19,37 @@
  */
 package com.ibm.plugin.rules;
 
-import com.ibm.engine.detection.DetectionStore;
 import com.ibm.engine.rule.IDetectionRule;
+import com.ibm.mapper.model.INode;
 import com.ibm.plugin.rules.detection.JavaBaseDetectionRule;
 import com.ibm.plugin.rules.detection.JavaDetectionRules;
 import com.ibm.plugin.translation.reorganizer.JavaReorganizerRules;
+import com.ibm.rules.InventoryRule;
+import com.ibm.rules.issue.Issue;
 import java.util.List;
 import javax.annotation.Nonnull;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Unmodifiable;
 import org.jetbrains.annotations.VisibleForTesting;
 import org.sonar.check.Rule;
-import org.sonar.plugins.java.api.JavaCheck;
-import org.sonar.plugins.java.api.JavaFileScannerContext;
-import org.sonar.plugins.java.api.semantic.Symbol;
 import org.sonar.plugins.java.api.tree.Tree;
 
 @Rule(key = "Inventory")
 public class JavaInventoryRule extends JavaBaseDetectionRule {
+
     public JavaInventoryRule() {
-        super(JavaDetectionRules.rules(), JavaReorganizerRules.rules());
+        super(true, JavaDetectionRules.rules(), JavaReorganizerRules.rules());
     }
 
     @VisibleForTesting
     protected JavaInventoryRule(@Nonnull List<IDetectionRule<Tree>> detectionRules) {
-        super(detectionRules, JavaReorganizerRules.rules());
+        super(true, detectionRules, JavaReorganizerRules.rules());
     }
 
     @Override
-    public void report(
-            @NotNull @Unmodifiable
-                    DetectionStore<JavaCheck, Tree, Symbol, JavaFileScannerContext> detectionStore,
-            @NotNull JavaCheck rule) {
-        detectionStore
-                .getDetectionValues()
-                .forEach(
-                        iValue ->
-                                detectionStore
-                                        .getScanContext()
-                                        .reportIssue(
-                                                rule, iValue.getLocation(), iValue.asString()));
+    @Nonnull
+    public List<Issue<Tree>> report(
+            @Nonnull Tree markerTree, @NotNull @Unmodifiable List<INode> translatedNodes) {
+        return new InventoryRule<Tree>().report(markerTree, translatedNodes);
     }
 }
diff --git a/java/src/main/java/com/ibm/plugin/rules/JavaNoMD5UseRule.java b/java/src/main/java/com/ibm/plugin/rules/JavaNoMD5UseRule.java
@@ -0,0 +1,42 @@
+/*
+ * SonarQube Cryptography Plugin
+ * Copyright (C) 2024 IBM
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.plugin.rules;
+
+import com.ibm.mapper.model.INode;
+import com.ibm.plugin.rules.detection.JavaBaseDetectionRule;
+import com.ibm.rules.NoMD5UseForMessageDigestRule;
+import com.ibm.rules.issue.Issue;
+import java.util.List;
+import javax.annotation.Nonnull;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Unmodifiable;
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.tree.Tree;
+
+@Rule(key = "JavaNoMD5use")
+public class JavaNoMD5UseRule extends JavaBaseDetectionRule {
+
+    @Override
+    @Nonnull
+    public List<Issue<Tree>> report(
+            @Nonnull Tree markerTree, @NotNull @Unmodifiable List<INode> translatedNodes) {
+        return new NoMD5UseForMessageDigestRule<Tree>().report(markerTree, translatedNodes);
+    }
+}
diff --git a/java/src/main/java/com/ibm/plugin/rules/detection/JavaBaseDetectionRule.java b/java/src/main/java/com/ibm/plugin/rules/detection/JavaBaseDetectionRule.java
@@ -19,16 +19,19 @@
  */
 package com.ibm.plugin.rules.detection;
 
-import com.ibm.engine.detection.DetectionStore;
+import com.ibm.common.IObserver;
 import com.ibm.engine.detection.Finding;
 import com.ibm.engine.executive.DetectionExecutive;
 import com.ibm.engine.language.java.JavaScanContext;
-import com.ibm.engine.rule.IBaseDetectionRule;
 import com.ibm.engine.rule.IDetectionRule;
 import com.ibm.mapper.model.INode;
 import com.ibm.mapper.reorganizer.IReorganizerRule;
 import com.ibm.plugin.JavaAggregator;
 import com.ibm.plugin.translation.JavaTranslationProcess;
+import com.ibm.plugin.translation.reorganizer.JavaReorganizerRules;
+import com.ibm.rules.IReportableDetectionRule;
+import com.ibm.rules.issue.Issue;
+import java.util.Collections;
 import java.util.List;
 import javax.annotation.Nonnull;
 import org.jetbrains.annotations.NotNull;
@@ -40,14 +43,24 @@
 import org.sonar.plugins.java.api.tree.Tree;
 
 public abstract class JavaBaseDetectionRule extends IssuableSubscriptionVisitor
-        implements IBaseDetectionRule<JavaCheck, Tree, Symbol, JavaFileScannerContext> {
+        implements IObserver<Finding<JavaCheck, Tree, Symbol, JavaFileScannerContext>>,
+                IReportableDetectionRule<Tree> {
 
+    private final boolean isInventory;
     @Nonnull protected final JavaTranslationProcess javaTranslationProcess;
     @Nonnull protected final List<IDetectionRule<Tree>> detectionRules;
 
+    protected JavaBaseDetectionRule() {
+        this.isInventory = false;
+        this.detectionRules = JavaDetectionRules.rules();
+        this.javaTranslationProcess = new JavaTranslationProcess(JavaReorganizerRules.rules());
+    }
+
     protected JavaBaseDetectionRule(
+            final boolean isInventory,
             @Nonnull List<IDetectionRule<Tree>> detectionRules,
             @Nonnull List<IReorganizerRule> reorganizerRules) {
+        this.isInventory = isInventory;
         this.detectionRules = detectionRules;
         this.javaTranslationProcess = new JavaTranslationProcess(reorganizerRules);
     }
@@ -88,16 +101,24 @@ public void visitNode(@Nonnull Tree tree) {
      */
     @Override
     public void update(@Nonnull Finding<JavaCheck, Tree, Symbol, JavaFileScannerContext> finding) {
-        List<INode> nodes = javaTranslationProcess.initiate(finding.detectionStore());
-        JavaAggregator.addNodes(nodes);
-        this.report(finding.detectionStore(), this);
+        final List<INode> nodes = javaTranslationProcess.initiate(finding.detectionStore());
+        if (isInventory) {
+            JavaAggregator.addNodes(nodes);
+        }
+        // report
+        this.report(finding.getMarkerTree(), nodes)
+                .forEach(
+                        issue ->
+                                finding.detectionStore()
+                                        .getScanContext()
+                                        .reportIssue(this, issue.tree(), issue.message()));
     }
 
     @Override
-    public void report(
-            @NotNull @Unmodifiable
-                    DetectionStore<JavaCheck, Tree, Symbol, JavaFileScannerContext> detectionStore,
-            @NotNull JavaCheck rule) {
+    @Nonnull
+    public @NotNull List<Issue<Tree>> report(
+            @Nonnull Tree markerTree, @NotNull @Unmodifiable List<INode> translatedNodes) {
         // override by higher level rule, to report an issue
+        return Collections.emptyList();
     }
 }
diff --git a/java/src/main/java/com/ibm/plugin/translation/reorganizer/JavaReorganizerRules.java b/java/src/main/java/com/ibm/plugin/translation/reorganizer/JavaReorganizerRules.java
@@ -24,6 +24,7 @@
 import com.ibm.mapper.reorganizer.rules.AsymmetricBlockCipherReorganizer;
 import com.ibm.mapper.reorganizer.rules.BlockCipherReorganizer;
 import com.ibm.mapper.reorganizer.rules.CipherParameterReorganizer;
+import com.ibm.mapper.reorganizer.rules.CipherSuiteReorganizer;
 import com.ibm.mapper.reorganizer.rules.MacReorganizer;
 import com.ibm.mapper.reorganizer.rules.SignatureReorganizer;
 import java.util.List;
@@ -45,6 +46,7 @@ public static List<IReorganizerRule> rules() {
                 CipherParameterReorganizer.MOVE_KEY_LENGTH_UNDER_TAG_LENGTH_UP,
                 CipherParameterReorganizer.MOVE_NODES_UNDER_DECRYPT_UP,
                 CipherParameterReorganizer.MOVE_NODES_UNDER_ENCRYPT_UP,
+                CipherSuiteReorganizer.ADD_TLS_PROTOCOL_AS_PARENT_NODE,
                 MacReorganizer.MERGE_UNKNOWN_MAC_PARENT_AND_CIPHER_CHILD,
                 MacReorganizer.MOVE_SOME_MAC_CHILDREN_UNDER_BLOCKCIPHER,
                 MacReorganizer.MOVE_TAG_LENGTH_UNDER_MAC,

diff --git a/java/src/main/resources/org/sonar/l10n/java/rules/java/JavaNoMD5use.html b/java/src/main/resources/org/sonar/l10n/java/rules/java/JavaNoMD5use.html
@@ -0,0 +1,3 @@
+<h2>Cryptography Usage: Be careful</h2>
+
+<p>While MD5 is still used in some applications, it is no longer considered secure for cryptographic purposes like password hashing.</p>
diff --git a/java/src/main/resources/org/sonar/l10n/java/rules/java/JavaNoMD5use.json b/java/src/main/resources/org/sonar/l10n/java/rules/java/JavaNoMD5use.json
@@ -0,0 +1,12 @@
+{
+  "title": "Do not use MD5 for cryptographic purposes like hashing",
+  "type": "Bug",
+  "status": "ready",
+  "tags": [
+    "cryptography",
+    "cbom",
+    "cwe"
+  ],
+  "defaultSeverity": "Critical",
+  "scope": "Main"
+}
diff --git a/java/src/test/files/rules/detection/bc/aeadcipher/BcAEADCipherEngineTestFile.java b/java/src/test/files/rules/detection/bc/aeadcipher/BcAEADCipherEngineTestFile.java
@@ -17,7 +17,7 @@ public static void test1() {
 
         // Initialize the AsconEngine
         AsconEngine asconEngine =
-                new AsconEngine(AsconEngine.AsconParameters.ascon128); // Noncompliant {{AsconEngine}}
+                new AsconEngine(AsconEngine.AsconParameters.ascon128); // Noncompliant {{(AuthenticatedEncryption) Ascon-128}}
 
         // Initialize the key parameter with the provided key
         CipherParameters keyParam = new KeyParameter(key);
@@ -39,7 +39,7 @@ public static void test2() {
 
         // Initialize the Grain128AEADEngine
         Grain128AEADEngine engine =
-                new Grain128AEADEngine(); // Noncompliant {{Grain128AEADEngine}}
+                new Grain128AEADEngine(); // Noncompliant {{(AuthenticatedEncryption) Grain-128AEAD}}
 
         // Initialize the key parameter with the provided key
         CipherParameters keyParam = new KeyParameter(key);

diff --git a/java/src/test/files/rules/detection/bc/aeadcipher/BcCCMBlockCipherTestFile.java b/java/src/test/files/rules/detection/bc/aeadcipher/BcCCMBlockCipherTestFile.java
@@ -14,11 +14,11 @@ public static void test1() {
         secureRandom.nextBytes(keyBytes);
 
         // Create a block cipher engine
-        BlockCipher aesEngine = new AESEngine(); // Noncompliant {{AESEngine}}
+        BlockCipher aesEngine = new AESEngine(); // Noncompliant {{(BlockCipher) AES}}
 
         // Instantiate CCMBlockCipher with constructor
         CCMBlockCipher constructor =
-                new CCMBlockCipher(aesEngine); // Noncompliant {{CCMBlockCipher}}
+                new CCMBlockCipher(aesEngine); // Noncompliant {{(AuthenticatedEncryption) AES-CCM}}
 
         // Initialize cipher with key and parameters
         KeyParameter keyParameter = new KeyParameter(keyBytes);
@@ -33,12 +33,12 @@ public static void test2() {
         secureRandom.nextBytes(keyBytes);
 
         // Create a block cipher engine
-        BlockCipher aesEngine = AESEngine.newInstance(); // Noncompliant {{AESEngine}}
+        BlockCipher aesEngine = AESEngine.newInstance(); // Noncompliant {{(BlockCipher) AES}}
 
         // Instantiate CCMBlockCipher with newInstance() method
         CCMBlockCipher newInstance =
                 (CCMBlockCipher)
-                        CCMBlockCipher.newInstance(aesEngine); // Noncompliant {{CCMBlockCipher}}
+                        CCMBlockCipher.newInstance(aesEngine); // Noncompliant {{(AuthenticatedEncryption) AES-CCM}}
 
         // Initialize cipher with key and parameters
         KeyParameter keyParameter = new KeyParameter(keyBytes);
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		<h2>Cryptography Usage: Be careful</h2>

		<p>While MD5 is still used in some applications, it is no longer considered secure for cryptographic purposes like password hashing.</p>