From 2758feed5fe238ac232803b72f7045fb43f6275f Mon Sep 17 00:00:00 2001
From: Dorian Burihabwa
<75226315+dorian-burihabwa-sonarsource@users.noreply.github.com>
Date: Tue, 10 Dec 2024 14:58:41 +0100
Subject: [PATCH] SONARJAVA-5134 S2245 considers
RandomStringUtils.secure|secureStrong as safe (#4952)
---
.../java/org/sonar/java/it/AutoScanTest.java | 2 +-
.../resources/autoscan/diffs/diff_S1874.json | 4 ++--
.../resources/autoscan/diffs/diff_S2245.json | 4 ++--
.../resources/autoscan/diffs/diff_S2440.json | 4 ++--
java-checks-test-sources/default/pom.xml | 2 +-
.../java/checks/PseudoRandomCheckSample.java | 9 +++++++++
.../org/sonar/java/checks/PseudoRandomCheck.java | 16 ++++++++++++----
7 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/its/autoscan/src/test/java/org/sonar/java/it/AutoScanTest.java b/its/autoscan/src/test/java/org/sonar/java/it/AutoScanTest.java
index 3e5bbacc95b..b9c115888cd 100644
--- a/its/autoscan/src/test/java/org/sonar/java/it/AutoScanTest.java
+++ b/its/autoscan/src/test/java/org/sonar/java/it/AutoScanTest.java
@@ -195,7 +195,7 @@ public void javaCheckTestSources() throws Exception {
SoftAssertions softly = new SoftAssertions();
softly.assertThat(newDiffs).containsExactlyInAnyOrderElementsOf(knownDiffs.values());
softly.assertThat(newTotal).isEqualTo(knownTotal);
- softly.assertThat(rulesCausingFPs).hasSize(11);
+ softly.assertThat(rulesCausingFPs).hasSize(10);
softly.assertThat(rulesNotReporting).hasSize(10);
/**
diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1874.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1874.json
index 3f8c8ab4714..e59c21a4602 100644
--- a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1874.json
+++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1874.json
@@ -1,6 +1,6 @@
{
"ruleKey": "S1874",
"hasTruePositives": true,
- "falseNegatives": 246,
- "falsePositives": 1
+ "falseNegatives": 257,
+ "falsePositives": 0
}
diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S2245.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S2245.json
index 0cd9168e877..a79ef8558b1 100644
--- a/its/autoscan/src/test/resources/autoscan/diffs/diff_S2245.json
+++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S2245.json
@@ -1,6 +1,6 @@
{
"ruleKey": "S2245",
"hasTruePositives": true,
- "falseNegatives": 24,
+ "falseNegatives": 25,
"falsePositives": 0
-}
\ No newline at end of file
+}
diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S2440.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S2440.json
index d43a7de0aec..0d60d9f0390 100644
--- a/its/autoscan/src/test/resources/autoscan/diffs/diff_S2440.json
+++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S2440.json
@@ -1,6 +1,6 @@
{
"ruleKey": "S2440",
"hasTruePositives": true,
- "falseNegatives": 4,
+ "falseNegatives": 2,
"falsePositives": 0
-}
\ No newline at end of file
+}
diff --git a/java-checks-test-sources/default/pom.xml b/java-checks-test-sources/default/pom.xml
index 0b48cbb6ea7..04ee2ae32e5 100644
--- a/java-checks-test-sources/default/pom.xml
+++ b/java-checks-test-sources/default/pom.xml
@@ -502,7 +502,7 @@
org.apache.commons
commons-lang3
- 3.12.0
+ 3.17.0
jar
provided
diff --git a/java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckSample.java b/java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckSample.java
index 86a8946395b..5068a480955 100644
--- a/java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckSample.java
+++ b/java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckSample.java
@@ -74,6 +74,15 @@ void fun() {
// ^^^^^^
}
+ static String randomStringUtilsInstances(int value) {
+ return switch (value) {
+ case 0 -> org.apache.commons.lang3.RandomStringUtils.secureStrong().next(42); // Compliant
+ case 42 -> org.apache.commons.lang3.RandomStringUtils.secure().next(42); // Compliant
+ default -> org.apache.commons.lang3.RandomStringUtils.insecure().next(42); // Noncompliant
+ // ^^^^^^^^
+ };
+ }
+
int nextInt() {
return 42;
}
diff --git a/java-checks/src/main/java/org/sonar/java/checks/PseudoRandomCheck.java b/java-checks/src/main/java/org/sonar/java/checks/PseudoRandomCheck.java
index e877edebb5a..a9387501b7d 100644
--- a/java-checks/src/main/java/org/sonar/java/checks/PseudoRandomCheck.java
+++ b/java-checks/src/main/java/org/sonar/java/checks/PseudoRandomCheck.java
@@ -34,6 +34,8 @@ public class PseudoRandomCheck extends IssuableSubscriptionVisitor {
private static final String MESSAGE = "Make sure that using this pseudorandom number generator is safe here.";
+ private static final String LANG3_RANDOM_STRING_UTILS = "org.apache.commons.lang3.RandomStringUtils";
+
private static final MethodMatchers STATIC_RANDOM_METHODS = MethodMatchers.or(
MethodMatchers.create().ofTypes("java.lang.Math").names("random").addWithoutParametersMatcher().build(),
MethodMatchers.create()
@@ -41,14 +43,20 @@ public class PseudoRandomCheck extends IssuableSubscriptionVisitor {
"org.apache.commons.lang.math.RandomUtils",
"org.apache.commons.lang3.RandomUtils",
"org.apache.commons.lang.RandomStringUtils",
- "org.apache.commons.lang3.RandomStringUtils")
+ LANG3_RANDOM_STRING_UTILS)
.anyName()
.withAnyParameters()
.build()
);
+ private static final MethodMatchers RANDOM_STRING_UTILS_SECURE_INSTANCES = MethodMatchers.create()
+ .ofSubTypes(LANG3_RANDOM_STRING_UTILS)
+ .names("secure", "secureStrong")
+ .withAnyParameters()
+ .build();
+
private static final MethodMatchers RANDOM_STRING_UTILS_RANDOM_WITH_RANDOM_SOURCE = MethodMatchers.create()
- .ofSubTypes("org.apache.commons.lang.RandomStringUtils", "org.apache.commons.lang3.RandomStringUtils")
+ .ofSubTypes("org.apache.commons.lang.RandomStringUtils", LANG3_RANDOM_STRING_UTILS)
.names("random")
.addParametersMatcher("int", "int", "int", "boolean", "boolean", "char[]", "java.util.Random")
.build();
@@ -65,8 +73,7 @@ public List nodesToVisit() {
@Override
public void visitNode(Tree tree) {
- if (tree.is(Tree.Kind.METHOD_INVOCATION)) {
- MethodInvocationTree mit = (MethodInvocationTree) tree;
+ if (tree instanceof MethodInvocationTree mit) {
IdentifierTree reportLocation = ExpressionUtils.methodName(mit);
if (isStaticCallToInsecureRandomMethod(mit)) {
@@ -83,6 +90,7 @@ public void visitNode(Tree tree) {
private static boolean isStaticCallToInsecureRandomMethod(MethodInvocationTree mit) {
return STATIC_RANDOM_METHODS.matches(mit)
&& !RANDOM_STRING_UTILS_RANDOM_WITH_RANDOM_SOURCE.matches(mit)
+ && !RANDOM_STRING_UTILS_SECURE_INSTANCES.matches(mit)
&& mit.methodSymbol().isStatic();
}