aboutsummaryrefslogtreecommitdiffstats
path: root/server
diff options
context:
space:
mode:
authorAlain Kermis <alain.kermis@sonarsource.com>2024-06-06 09:55:04 +0200
committersonartech <sonartech@sonarsource.com>2024-06-18 20:02:41 +0000
commit33e576b4c7727b9665f42f267d09f129ddfdca6b (patch)
tree5dc94efd9869d8bb46d393042363920029a65026 /server
parent1c1a7deb19d018893bb7c228f4fe4e3755b4e2a2 (diff)
downloadsonarqube-33e576b4c7727b9665f42f267d09f129ddfdca6b.tar.gz
sonarqube-33e576b4c7727b9665f42f267d09f129ddfdca6b.zip
SONAR-22359 Make hashing of user UUID in telemetry FIPS-compliant
Diffstat (limited to 'server')
-rw-r--r--server/sonar-alm-client/build.gradle2
-rw-r--r--server/sonar-server-common/build.gradle10
-rw-r--r--server/sonar-server-common/src/main/java/org/sonar/server/telemetry/TelemetryDataJsonWriter.java4
-rw-r--r--server/sonar-server-common/src/main/java/org/sonar/server/util/DigestUtil.java38
-rw-r--r--server/sonar-server-common/src/test/java/org/sonar/server/telemetry/TelemetryDataJsonWriterTest.java4
-rw-r--r--server/sonar-server-common/src/test/java/org/sonar/server/util/DigestUtilTest.java38
6 files changed, 86 insertions, 10 deletions
diff --git a/server/sonar-alm-client/build.gradle b/server/sonar-alm-client/build.gradle
index f2a636125b8..fedca969e02 100644
--- a/server/sonar-alm-client/build.gradle
+++ b/server/sonar-alm-client/build.gradle
@@ -10,7 +10,7 @@ dependencies {
api 'commons-codec:commons-codec'
api 'org.kohsuke:github-api'
api 'com.auth0:java-jwt'
- api 'org.bouncycastle:bcpkix-jdk18on:1.78.1'
+ api 'org.bouncycastle:bcpkix-jdk18on'
api 'org.sonarsource.api.plugin:sonar-plugin-api'
api project(':server:sonar-auth-github')
api project(':server:sonar-auth-gitlab')
diff --git a/server/sonar-server-common/build.gradle b/server/sonar-server-common/build.gradle
index f3abdbeecc0..d019caad292 100644
--- a/server/sonar-server-common/build.gradle
+++ b/server/sonar-server-common/build.gradle
@@ -9,13 +9,14 @@ sonar {
dependencies {
// please keep the list grouped by configuration and ordered by name
- api 'org.apache.commons:commons-email'
api 'commons-io:commons-io'
- api 'org.apache.commons:commons-lang3'
api 'com.google.guava:guava'
- api 'org.slf4j:slf4j-api'
api 'com.squareup.okhttp3:okhttp'
+ api 'org.apache.commons:commons-email'
+ api 'org.apache.commons:commons-lang3'
+ api 'org.bouncycastle:bcprov-jdk18on'
api 'org.elasticsearch.client:elasticsearch-rest-high-level-client'
+ api 'org.slf4j:slf4j-api'
api 'org.sonarsource.api.plugin:sonar-plugin-api'
api project(':server:sonar-db-dao')
api project(':server:sonar-db-migration')
@@ -25,7 +26,6 @@ dependencies {
api project(':sonar-ws')
compileOnlyApi 'com.google.code.findbugs:jsr305'
-
testImplementation 'org.elasticsearch.plugin:transport-netty4-client'
testImplementation 'ch.qos.logback:logback-core'
testImplementation 'com.google.code.findbugs:jsr305'
@@ -47,7 +47,7 @@ dependencies {
testImplementation testFixtures(project(':server:sonar-webserver-es'))
testImplementation project(':sonar-plugin-api-impl')
testImplementation project(':sonar-testing-harness')
-
+
testFixturesApi 'junit:junit'
testFixturesApi testFixtures(project(':server:sonar-db-dao'))
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/telemetry/TelemetryDataJsonWriter.java b/server/sonar-server-common/src/main/java/org/sonar/server/telemetry/TelemetryDataJsonWriter.java
index 005c200b76f..393d0e87857 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/telemetry/TelemetryDataJsonWriter.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/telemetry/TelemetryDataJsonWriter.java
@@ -25,11 +25,11 @@ import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.List;
import java.util.Locale;
-import org.apache.commons.codec.digest.DigestUtils;
import org.jetbrains.annotations.NotNull;
import org.sonar.api.utils.System2;
import org.sonar.api.utils.text.JsonWriter;
import org.sonar.core.telemetry.TelemetryExtension;
+import org.sonar.server.util.DigestUtil;
import static org.sonar.api.utils.DateUtils.DATETIME_FORMAT;
@@ -117,7 +117,7 @@ public class TelemetryDataJsonWriter {
json.beginArray();
telemetryData.getUserTelemetries().forEach(user -> {
json.beginObject();
- json.prop("userUuid", DigestUtils.sha3_224Hex(user.getUuid()));
+ json.prop("userUuid", DigestUtil.sha3_224Hex(user.getUuid()));
json.prop("status", user.isActive() ? "active" : "inactive");
json.prop("identityProvider", user.getExternalIdentityProvider());
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/util/DigestUtil.java b/server/sonar-server-common/src/main/java/org/sonar/server/util/DigestUtil.java
new file mode 100644
index 00000000000..f97bffae24b
--- /dev/null
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/util/DigestUtil.java
@@ -0,0 +1,38 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.util;
+
+import java.nio.charset.StandardCharsets;
+import org.bouncycastle.jcajce.provider.digest.SHA3;
+import org.bouncycastle.util.encoders.Hex;
+
+public class DigestUtil {
+
+ private DigestUtil() {
+ // utility class
+ }
+
+ public static String sha3_224Hex(String input) {
+ SHA3.DigestSHA3 sha3Digest = new SHA3.Digest224();
+ byte[] hashBytes = sha3Digest.digest(input.getBytes(StandardCharsets.UTF_8));
+ return Hex.toHexString(hashBytes);
+ }
+
+}
diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/telemetry/TelemetryDataJsonWriterTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/telemetry/TelemetryDataJsonWriterTest.java
index f6582601ef0..72987c21c93 100644
--- a/server/sonar-server-common/src/test/java/org/sonar/server/telemetry/TelemetryDataJsonWriterTest.java
+++ b/server/sonar-server-common/src/test/java/org/sonar/server/telemetry/TelemetryDataJsonWriterTest.java
@@ -32,7 +32,6 @@ import java.util.Random;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
-import org.apache.commons.codec.digest.DigestUtils;
import org.jetbrains.annotations.NotNull;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -43,6 +42,7 @@ import org.sonar.core.telemetry.TelemetryExtension;
import org.sonar.db.project.CreationMethod;
import org.sonar.db.user.UserTelemetryDto;
import org.sonar.server.qualitygate.Condition;
+import org.sonar.server.util.DigestUtil;
import static java.util.stream.Collectors.joining;
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
@@ -397,7 +397,7 @@ public class TelemetryDataJsonWriterTest {
]
}
"""
- .formatted(DigestUtils.sha3_224Hex("uuid-0"), DigestUtils.sha3_224Hex("uuid-1"), DigestUtils.sha3_224Hex("uuid-2")));
+ .formatted(DigestUtil.sha3_224Hex("uuid-0"), DigestUtil.sha3_224Hex("uuid-1"), DigestUtil.sha3_224Hex("uuid-2")));
}
@Test
diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/util/DigestUtilTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/util/DigestUtilTest.java
new file mode 100644
index 00000000000..e7f4b99252a
--- /dev/null
+++ b/server/sonar-server-common/src/test/java/org/sonar/server/util/DigestUtilTest.java
@@ -0,0 +1,38 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.util;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class DigestUtilTest {
+
+ @Test
+ void whenCalledOnTheSameInput_sha3_224Hex_returnsTheSameValueAsDigestUtils() {
+ String input = "String to be hashed";
+
+ //Apache Commons DigestUtils digest for the string "String to be hashed"
+ String apacheCommonsDigest = "57ead8c5fc5c15ed7bde0550648d06a6aed3cba443ed100a6f5e64f3";
+
+ assertEquals(apacheCommonsDigest, DigestUtil.sha3_224Hex(input));
+ }
+
+} \ No newline at end of file