SDL--代码审计[findbugs插件介绍]

插件文件:sonar-findbugs-plugin-3.7.0.jar

findbugs.xml  主配置文件:代码规则分析

<Detector class="com.h3xstream.findsecbugs.crypto.DesUsageDetector" reports="DES_USAGE"/>
# class="com.h3xstream.findsecbugs.crypto.DesUsageDetector"  检测器实现类的全限定类名
# reports="DES_USAGE"  该检测器上报的缺陷类型,与规则定义文件中的 key / configKey 对应

org.sonar.plugins.findbugs.rules.FindSecurityBugsRulesDefinition 规则定义类:注册 findsecbugs 规则库,并加载规则说明配置文件 rules-findsecbugs.xml

package org.sonar.plugins.findbugs.rules;

import java.util.Objects;

import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.api.server.rule.RulesDefinition.Context;
import org.sonar.api.server.rule.RulesDefinition.NewRepository;
import org.sonar.api.server.rule.RulesDefinitionXmlLoader;

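/**
 * Registers the "Find Security Bugs" rule repository with the SonarQube rules API.
 *
 * <p>The rule metadata itself is not declared in this class; it is read from the XML resource
 * {@code /org/sonar/plugins/findbugs/rules-findsecbugs.xml} bundled with the plugin.
 */
public final class FindSecurityBugsRulesDefinition
  implements RulesDefinition
{
  /** Key of the rule repository created by {@link #define}. */
  public static final String REPOSITORY_KEY = "findsecbugs";
  /** Display name of the rule repository. */
  public static final String REPOSITORY_NAME = "Find Security Bugs";
  // Not read anywhere in this class; presumably the number of rules expected in the XML file
  // (TODO confirm against rules-findsecbugs.xml).
  public static final int RULE_COUNT = 104;

  /** Language key the repository is registered for. */
  private static final String LANGUAGE_KEY = "java";
  /** Classpath location of the rule metadata loaded into the repository. */
  private static final String RULES_XML = "/org/sonar/plugins/findbugs/rules-findsecbugs.xml";

  /**
   * Creates the repository, loads every rule from {@code RULES_XML} into it and publishes it.
   *
   * @param context rules-definition context supplied by the caller
   * @throws NullPointerException if the rule XML resource is not on the classpath
   */
  @Override
  public void define(RulesDefinition.Context context)
  {
    // Use the declared constants rather than repeating the literals, so the key and name
    // registered here cannot drift from what other code reads via REPOSITORY_KEY/NAME.
    RulesDefinition.NewRepository repository =
      context.createRepository(REPOSITORY_KEY, LANGUAGE_KEY).setName(REPOSITORY_NAME);

    RulesDefinitionXmlLoader ruleLoader = new RulesDefinitionXmlLoader();
    // getResourceAsStream returns null when the resource is absent. Fail here with a message
    // naming the file, so a packaging error that drops the security rules is obvious.
    ruleLoader.load(
      repository,
      Objects.requireNonNull(
        FindSecurityBugsRulesDefinition.class.getResourceAsStream(RULES_XML),
        "rule definitions not found on classpath: " + RULES_XML),
      "UTF-8");
    repository.done();
  }
}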


org/sonar/plugins/findbugs/rules-findsecbugs.xml  # 规则对应说明配置文件

<!--
  Rule metadata for the DES_USAGE finding: display name, priority, HTML description and tags.
  The key and configKey values are the same string as the reports="DES_USAGE" attribute on the
  DesUsageDetector entry in findbugs.xml.
  NOTE(review): presumably that shared string is what ties a detector finding to this rule;
  confirm against the plugin.
  NOTE(review) on the "Example solution" below: changing the transformation string to AES/GCM
  is not enough by itself. The type of `iv` is not shown; for GCM the JCA expects a
  GCMParameterSpec, and the nonce must never repeat under the same key. The "weak" example also
  uses ECB mode, which is a separate weakness from the DES/3DES cipher choice this rule reports.
-->
<rule key='DES_USAGE' priority='MAJOR'>      
    <name>Security - DES/DESede is insecure</name>
    <configKey>DES_USAGE</configKey>
    <description><p>
DES and DESede (3DES) are not considered strong ciphers for modern applications. Currently, NIST recommends the 
usage of AES block ciphers instead of DES/3DES.
</p>
<p>
    <b>Example weak code:</b>
<pre>Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);</pre>
</p>
<p>
    <b>Example solution:</b>
    <pre>Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://www.nist.gov/itl/fips/060205_des.cfm">NIST Withdraws Outdated Data Encryption Standard</a><br/>
<a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a>
</p></description>
    <tag>owasp-a6</tag>
    <tag>cryptography</tag>
    <tag>cwe</tag>
    <tag>security</tag>
 </rule>


 


转载自blog.csdn.net/qq_39325340/article/details/80775705