From 528022bc8aa28d2fcef2e1e54370d874ff9965ab Mon Sep 17 00:00:00 2001 From: Antoine Vigneau Date: Wed, 7 Jun 2023 15:44:35 +0200 Subject: [PATCH] SQSCANNER-115 Fix SSF-392 --- it/pom.xml | 2 +- pom.xml | 6 ++--- .../sonarsource/scanner/cli/SystemInfo.java | 25 ++++++++++++++++++- .../scanner/cli/SystemInfoTest.java | 12 +++++++++ 4 files changed, 40 insertions(+), 5 deletions(-) diff --git a/it/pom.xml b/it/pom.xml index 85323f8..6719a2c 100644 --- a/it/pom.xml +++ b/it/pom.xml @@ -25,7 +25,7 @@ 7.9.1 - 8 + 11 diff --git a/pom.xml b/pom.xml index 9fad6ad..83a11bd 100644 --- a/pom.xml +++ b/pom.xml @@ -59,7 +59,7 @@ ${project.groupId}:${project.artifactId}:zip,${project.groupId}:${project.artifactId}:zip:linux,${project.groupId}:${project.artifactId}:zip:windows,${project.groupId}:${project.artifactId}:zip:macosx,${project.groupId}:${project.artifactId}:json:cyclonedx - 8 + 11 @@ -179,7 +179,7 @@ 560000 - 590000 + 600000 ${project.build.directory}/sonar-scanner-${project.version}.zip @@ -193,7 +193,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 8 + 11 diff --git a/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java b/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java index 5dfd6bd..84696fb 100644 --- a/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java +++ b/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java @@ -19,7 +19,16 @@ */ package org.sonarsource.scanner.cli; +import java.util.Set; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + class SystemInfo { + private static final Set SENSITIVE_JVM_ARGUMENTS = Set.of( + "-Dsonar.login", + "-Dsonar.password", + "-Dsonar.token"); + private static final Pattern PATTERN_ARGUMENT_SEPARATOR = Pattern.compile("\\s+"); private static System2 system = new System2(); private SystemInfo() { @@ -35,8 +44,22 @@ class SystemInfo { logger.info(os()); String scannerOpts = system.getenv("SONAR_SCANNER_OPTS"); if (scannerOpts != null) { - logger.info("SONAR_SCANNER_OPTS=" + scannerOpts); + logger.info("SONAR_SCANNER_OPTS=" + redactSensitiveArguments(scannerOpts)); + } + } + + private static String redactSensitiveArguments(String scannerOpts) { + return PATTERN_ARGUMENT_SEPARATOR.splitAsStream(scannerOpts) + .map(SystemInfo::redactArgumentIfSensistive) + .collect(Collectors.joining(" ")); + } + + private static String redactArgumentIfSensistive(String argument) { + String[] elems = argument.split("="); + if (elems.length > 0 && SENSITIVE_JVM_ARGUMENTS.contains(elems[0])) { + return elems[0] + "=*"; } + return argument; } static String java() { diff --git a/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java b/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java index c6c0585..3e11c44 100644 --- a/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java +++ b/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java @@ -89,4 +89,16 @@ public class SystemInfoTest { verify(logs).info("SONAR_SCANNER_OPTS=arg"); verifyNoMoreInteractions(logs); } + + @Test + public void should_not_print_sensitive_data() { + mockOs(); + mockJava(); + when(mockSystem.getenv("SONAR_SCANNER_OPTS")) + .thenReturn("-Dsonar.login=login -Dsonar.whatever=whatever -Dsonar.password=password -Dsonar.whatever2=whatever2 -Dsonar.token=token"); + + SystemInfo.print(logs); + + verify(logs).info("SONAR_SCANNER_OPTS=-Dsonar.login=* -Dsonar.whatever=whatever -Dsonar.password=* -Dsonar.whatever2=whatever2 -Dsonar.token=*"); + } } -- 2.39.5