SONARJAVA-4882 S5876: Support detection of Session Fixation for Spring (

#4748)

its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json

@@ -590,7 +590,7 @@
   {
     "ruleKey": "S1612",
     "hasTruePositives": true,
-    "falseNegatives": 0,
+    "falseNegatives": 1,
     "falsePositives": 0
   },
   {
@@ -2474,7 +2474,7 @@
   {
     "ruleKey": "S5876",
     "hasTruePositives": false,
-    "falseNegatives": 1,
+    "falseNegatives": 3,
     "falsePositives": 0
   },
   {

its/autoscan/src/test/resources/autoscan/diffs/diff_S1612.json

@@ -1,6 +1,6 @@
 {
   "ruleKey": "S1612",
   "hasTruePositives": true,
-  "falseNegatives": 0,
+  "falseNegatives": 1,
   "falsePositives": 0
-}
+}

its/autoscan/src/test/resources/autoscan/diffs/diff_S5876.json

@@ -1,6 +1,6 @@
 {
   "ruleKey": "S5876",
   "hasTruePositives": false,
-  "falseNegatives": 1,
+  "falseNegatives": 3,
   "falsePositives": 0
-}
+}

java-checks-test-sources/default/src/main/java/checks/spring/SpringSessionFixationCheck.java

@@ -4,6 +4,8 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
+import org.springframework.security.web.SecurityFilterChain;
 
 public class SpringSessionFixationCheck {
   @Configuration
@@ -21,5 +23,14 @@ protected void configure(HttpSecurity http) throws Exception {
           .newSession(); // Compliant
 
     }
+
+    public SecurityFilterChain filterChainSessionFixation(HttpSecurity http) throws Exception {
+      // Noncompliant@+1 [[sc=126;ec=130]] {{Create a new session during user authentication to prevent session fixation attacks.}}
+      http.sessionManagement(sessionConfigurer -> sessionConfigurer.sessionFixation(fixationConfigurer -> fixationConfigurer.none()));
+      // Noncompliant@+1 [[sc=140;ec=144]] {{Create a new session during user authentication to prevent session fixation attacks.}}
+      http.sessionManagement(sessionConfigurer -> sessionConfigurer.sessionFixation(SessionManagementConfigurer.SessionFixationConfigurer::none));
+      return http.build();
+    }
+
   }
 }

java-checks/src/main/java/org/sonar/java/checks/spring/SpringSessionFixationCheck.java

@@ -20,22 +20,17 @@
 package org.sonar.java.checks.spring;
 
 
-import java.util.Collections;
-import java.util.List;
 import org.sonar.check.Rule;
 import org.sonar.java.checks.methods.AbstractMethodDetection;
 import org.sonar.java.model.ExpressionUtils;
 import org.sonar.plugins.java.api.semantic.MethodMatchers;
 import org.sonar.plugins.java.api.tree.MethodInvocationTree;
-import org.sonar.plugins.java.api.tree.Tree;
+import org.sonar.plugins.java.api.tree.MethodReferenceTree;
 
 @Rule(key = "S5876")
 public class SpringSessionFixationCheck extends AbstractMethodDetection {
 
-  @Override
-  public List<Tree.Kind> nodesToVisit() {
-    return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
-  }
+  private static final String ISSUE_MSG = "Create a new session during user authentication to prevent session fixation attacks.";
 
   @Override
   protected MethodMatchers getMethodInvocationMatchers() {
@@ -48,7 +43,12 @@ protected MethodMatchers getMethodInvocationMatchers() {
 
   @Override
   protected void onMethodInvocationFound(MethodInvocationTree methodInvocation) {
-    reportIssue(ExpressionUtils.methodName(methodInvocation), "Create a new session during user authentication to prevent session fixation attacks.");
+    reportIssue(ExpressionUtils.methodName(methodInvocation), ISSUE_MSG);
+  }
+
+  @Override
+  protected void onMethodReferenceFound(MethodReferenceTree methodReferenceTree) {
+    reportIssue(methodReferenceTree.method(), ISSUE_MSG);
   }
 
 }