From 034e0cee04a7b081cc156ce79778969e96193984 Mon Sep 17 00:00:00 2001
From: Dorian Burihabwa
Date: Tue, 17 Sep 2024 12:09:00 +0200
Subject: [PATCH] [DONOTMERGE] SONARAJAVA-5010
---
 .../checks/helpers/HardcodedStringExpressionChecker.java | 7 +++++++
 .../HardCodedCredentialsShouldNotBeUsedCheckSample.java | 9 +++++++++
 2 files changed, 16 insertions(+)
diff --git a/java-checks-common/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java b/java-checks-common/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java
index 2a70326d290..d62f68d72e9 100644
--- a/java-checks-common/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java
+++ b/java-checks-common/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java
@@ -27,6 +27,7 @@
 import org.sonar.plugins.java.api.JavaFileScannerContext;
 import org.sonar.plugins.java.api.semantic.MethodMatchers;
 import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.tree.ArrayAccessExpressionTree;
 import org.sonar.plugins.java.api.tree.BinaryExpressionTree;
 import org.sonar.plugins.java.api.tree.ConditionalExpressionTree;
 import org.sonar.plugins.java.api.tree.ExpressionTree;
@@ -108,6 +109,12 @@ public static boolean isExpressionDerivedFromPlainText(ExpressionTree expression
 Set visited) {
 ExpressionTree arg = ExpressionUtils.skipParentheses(expression);
 switch (arg.kind()) {
+ case ARRAY_ACCESS_EXPRESSION:
+ var access = (ArrayAccessExpressionTree) arg;
+ IdentifierTree arrayIdentifier = (IdentifierTree) access.expression();
+ VariableTree variable = (VariableTree) arrayIdentifier.symbol().declaration();
+ NewArrayTree initializer = (NewArrayTree) variable.initializer();
+ return isDerivedFromPlainText(initializer, secondaryLocations, visited);
 case IDENTIFIER:
 IdentifierTree identifier = (IdentifierTree) arg;
 return isDerivedFromPlainText(identifier, secondaryLocations, visited);
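Review bot: The three unchecked casts in the new `ARRAY_ACCESS_EXPRESSION` branch of the second hunk will throw inside the analyzer on ordinary inputs: `access.expression()` is an `IdentifierTree` only for a bare `SECRETS[0]`, not for `this.SECRETS[0]`, `Config.SECRETS[0]` or `getSecrets()[0]`; `symbol().declaration()` is null when the array is declared in another compilation unit or the symbol is unresolved; and `initializer()` is null when the array is assigned later, or not a `NewArrayTree` when it is another identifier or a call. Since the helper returns a boolean, each of those shapes should make the branch answer false (or fall through to the switch's default, which is outside the hunk) rather than surface as a ClassCastException or NullPointerException during analysis. The index expression is also never looked at, so the whole initializer is passed on; a one-line comment stating that any plain-text element of the array is treated as sufficient would make that intent explicit. The enclosing method starts before the hunk, so the type of `secondaryLocations` is not visible here.
```java
case ARRAY_ACCESS_EXPRESSION:
  ExpressionTree arrayExpression = ExpressionUtils.skipParentheses(((ArrayAccessExpressionTree) arg).expression());
  if (!(arrayExpression instanceof IdentifierTree)) {
    return false;
  }
  // declaration() is null for unresolved symbols and for arrays declared outside this compilation unit
  var declaration = ((IdentifierTree) arrayExpression).symbol().declaration();
  if (!(declaration instanceof VariableTree)) {
    return false;
  }
  // initializer() is null when the array is assigned later; only an inline array literal is followed
  ExpressionTree arrayInitializer = ((VariableTree) declaration).initializer();
  if (!(arrayInitializer instanceof NewArrayTree)) {
    return false;
  }
  return isDerivedFromPlainText((NewArrayTree) arrayInitializer, secondaryLocations, visited);
// … unchanged: case IDENTIFIER and the remaining cases …
```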
diff --git a/java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java b/java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java
index 193ab48cbfb..8d4e2e96dae 100644
--- a/java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java
+++ b/java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java
@@ -40,6 +40,15 @@ public class HardCodedCredentialsShouldNotBeUsedCheckSample {
 private static char[] secretCharArrayField = new char[]{0xC, 0xA, 0xF, 0xE};
 private static CharSequence secretCharSequenceField = "Hello, World!".subSequence(0, 12);
 
+ public static final String[] SECRETS = {"secret_key"};
+ public static final String JWT_SECRET = SECRETS[0];
+
+ public String getSecretToken() {
+ return Jwts.builder()
+ .signWith(SignatureAlgorithm.HS256, JWT_SECRET)
+ .compact();
+ }
+
 public static void nonCompliant(byte[] message, boolean condition, Charset encoding, SignatureAlgorithm paremSignatureAlgorithm) throws ServletException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, UnsupportedEncodingException, jakarta.servlet.ServletException {
 // byte array based
 SHA256.getHMAC(FINAL_SECRET_BYTE_ARRAY, message); // Noncompliant {{Revoke and change this password, as it is compromised.}}
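Review bot: The added `getSecretToken()` carries no `// Noncompliant` marker, whereas the existing sample line visible in the same hunk, `SHA256.getHMAC(FINAL_SECRET_BYTE_ARRAY, message); // Noncompliant {{...}}`, is annotated. Without the marker the sample does not assert that the new `ARRAY_ACCESS_EXPRESSION` handling reports `JWT_SECRET` (resolved through `SECRETS[0]`) reaching `signWith`; if that is the scenario this sample is meant to cover, the call line should read `.signWith(SignatureAlgorithm.HS256, JWT_SECRET) // Noncompliant`, placed on whichever line the check actually reports. A short comment above `SECRETS` saying that the secret is reached through an array element rather than a string field would also make clear what distinguishes this case from the field-based samples above it.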