From dafa3fa22dc51bd9d07af693d1015de49ccf3680 Mon Sep 17 00:00:00 2001 From: Matteo Mara Date: Mon, 9 May 2022 11:28:06 +0200 Subject: [PATCH] SONAR-16370 identify taint issues by repository --- .../org/sonar/server/issue/TaintChecker.java | 68 ++++++++++++ .../sonar/server/issue/TaintCheckerTest.java | 105 ++++++++++++++++++ 2 files changed, 173 insertions(+) create mode 100644 server/sonar-server-common/src/main/java/org/sonar/server/issue/TaintChecker.java create mode 100644 server/sonar-server-common/src/test/java/org/sonar/server/issue/TaintCheckerTest.java diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/issue/TaintChecker.java b/server/sonar-server-common/src/main/java/org/sonar/server/issue/TaintChecker.java new file mode 100644 index 00000000000..0abd66b3756 --- /dev/null +++ b/server/sonar-server-common/src/main/java/org/sonar/server/issue/TaintChecker.java @@ -0,0 +1,68 @@ +/* + * SonarQube + * Copyright (C) 2009-2022 SonarSource SA + * mailto:info AT sonarsource DOT com + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ +package org.sonar.server.issue; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.function.Predicate; +import java.util.stream.Collectors; +import org.jetbrains.annotations.NotNull; +import org.sonar.db.issue.IssueDto; + +public class TaintChecker { + + private static final Set TAINT_REPOSITORIES = Set.of("roslyn.sonaranalyzer.security.cs", "javasecurity", "jssecurity", "tssecurity", "phpsecurity", "pythonsecurity"); + + private TaintChecker() { + throw new IllegalStateException("Utility class, cannot be instantiated."); + } + + public static List getTaintIssuesOnly(List issues) { + return filterTaintIssues(issues, true); + } + + public static List getStandardIssuesOnly(List issues) { + return filterTaintIssues(issues, false); + } + + public static Map> mapIssuesByTaintStatus(List issues) { + Map> issuesMap = new HashMap<>(); + issuesMap.put(true, getTaintIssuesOnly(issues)); + issuesMap.put(false, getStandardIssuesOnly(issues)); + return issuesMap; + } + + private static List filterTaintIssues(List issues, boolean returnTaint) { + return issues.stream() + .filter(getTaintIssueFilter(returnTaint)) + .collect(Collectors.toList()); + } + + @NotNull + private static Predicate getTaintIssueFilter(boolean returnTaint) { + if (returnTaint) { + return issueDto -> TAINT_REPOSITORIES.contains(issueDto.getRuleRepo()); + } + return issueDto -> !TAINT_REPOSITORIES.contains(issueDto.getRuleRepo()); + } + +} diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/issue/TaintCheckerTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/issue/TaintCheckerTest.java new file mode 100644 index 00000000000..e98b2ba45ba --- /dev/null +++ b/server/sonar-server-common/src/test/java/org/sonar/server/issue/TaintCheckerTest.java @@ -0,0 +1,105 @@ +/* + * SonarQube + * Copyright (C) 2009-2022 SonarSource SA + * mailto:info AT sonarsource DOT com + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ +package org.sonar.server.issue; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import org.junit.Test; +import org.sonar.db.issue.IssueDto; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.sonar.server.issue.TaintChecker.getStandardIssuesOnly; +import static org.sonar.server.issue.TaintChecker.getTaintIssuesOnly; +import static org.sonar.server.issue.TaintChecker.mapIssuesByTaintStatus; + +public class TaintCheckerTest { + + @Test + public void test_getTaintIssuesOnly() { + + List taintIssues = getTaintIssuesOnly(getIssues()); + + assertThat(taintIssues).hasSize(6); + assertThat(taintIssues.get(0).getKey()).isEqualTo("taintIssue1"); + assertThat(taintIssues.get(1).getKey()).isEqualTo("taintIssue2"); + assertThat(taintIssues.get(2).getKey()).isEqualTo("taintIssue3"); + assertThat(taintIssues.get(3).getKey()).isEqualTo("taintIssue4"); + assertThat(taintIssues.get(4).getKey()).isEqualTo("taintIssue5"); + assertThat(taintIssues.get(5).getKey()).isEqualTo("taintIssue6"); + + } + + @Test + public void test_getStandardIssuesOnly() { + + List standardIssues = getStandardIssuesOnly(getIssues()); + + assertThat(standardIssues).hasSize(3); + assertThat(standardIssues.get(0).getKey()).isEqualTo("standardIssue1"); + assertThat(standardIssues.get(1).getKey()).isEqualTo("standardIssue2"); + assertThat(standardIssues.get(2).getKey()).isEqualTo("standardIssue3"); + } + + @Test + public void test_mapIssuesByTaintStatus() { + Map> issuesByTaintStatus = mapIssuesByTaintStatus(getIssues()); + + assertThat(issuesByTaintStatus.keySet()).hasSize(2); + assertThat(issuesByTaintStatus.get(true)).hasSize(6); + assertThat(issuesByTaintStatus.get(false)).hasSize(3); + + assertThat(issuesByTaintStatus.get(true).get(0).getKey()).isEqualTo("taintIssue1"); + assertThat(issuesByTaintStatus.get(true).get(1).getKey()).isEqualTo("taintIssue2"); + assertThat(issuesByTaintStatus.get(true).get(2).getKey()).isEqualTo("taintIssue3"); + assertThat(issuesByTaintStatus.get(true).get(3).getKey()).isEqualTo("taintIssue4"); + assertThat(issuesByTaintStatus.get(true).get(4).getKey()).isEqualTo("taintIssue5"); + assertThat(issuesByTaintStatus.get(true).get(5).getKey()).isEqualTo("taintIssue6"); + + assertThat(issuesByTaintStatus.get(false).get(0).getKey()).isEqualTo("standardIssue1"); + assertThat(issuesByTaintStatus.get(false).get(1).getKey()).isEqualTo("standardIssue2"); + assertThat(issuesByTaintStatus.get(false).get(2).getKey()).isEqualTo("standardIssue3"); + } + + private List getIssues() { + List issues = new ArrayList<>(); + + issues.add(createIssueWithRepository("taintIssue1", "roslyn.sonaranalyzer.security.cs")); + issues.add(createIssueWithRepository("taintIssue2", "javasecurity")); + issues.add(createIssueWithRepository("taintIssue3", "jssecurity")); + issues.add(createIssueWithRepository("taintIssue4", "tssecurity")); + issues.add(createIssueWithRepository("taintIssue5", "phpsecurity")); + issues.add(createIssueWithRepository("taintIssue6", "pythonsecurity")); + + issues.add(createIssueWithRepository("standardIssue1", "java")); + issues.add(createIssueWithRepository("standardIssue2", "python")); + issues.add(createIssueWithRepository("standardIssue3", "js")); + + return issues; + } + + private IssueDto createIssueWithRepository(String issueKey, String repository) { + IssueDto issueDto = new IssueDto(); + issueDto.setKee(issueKey); + issueDto.setRuleKey(repository, "S1"); + return issueDto; + } + +} -- 2.39.5