MMF-3162-org2/sonar-text

SonarText: detect BIDI Characters Vulnerabilities and Leaking Secrets


This SonarSource project is a static code analyzer made to detect:

  • BIDI Characters Vulnerabilities
  • Leaking Secrets/Tokens

It is a component of the Sonar Solution and is embedded in SonarLint, SonarQube, and SonarCloud. Because SonarLint runs inside the IDE, it can flag a leaked secret before the file is committed or pushed to your repository.

Features

  • 110+ secret patterns supported and detected by 60+ rules
  • detection of BIDI characters that could lead to attacks
  • detection of secrets in all files indexed by Sonar products
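As an added illustration of what the BIDI-character check looks for (example code written for this page, not sonar-text's implementation or its rule logic), the script below scans source text for the Unicode explicit bidirectional formatting characters (U+202A..U+202E and U+2066..U+2069), reports each one with its line and column, and separately lists lines on which an embedding, override or isolate is still open at the end of the line. The sample source snippet is constructed for the example.

```python
"""Added example, not the sonar-text implementation: locate Unicode bidirectional
control characters in source text and report the ones left open at end of line.
A control hidden in a comment or string literal makes the editor render the line
in a different order from the one the compiler reads ("Trojan Source" style).
"""

# Explicit bidirectional formatting characters (the Bidi_Control set minus the
# LRM/RLM/ALM marks, which do not reorder surrounding text on their own).
EMBEDDINGS = {"\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO"}
ISOLATES = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
PDF, PDI = "\u202C", "\u2069"   # pop directional formatting / pop directional isolate
BIDI_CONTROLS = {**EMBEDDINGS, **ISOLATES, PDF: "PDF", PDI: "PDI"}

# Constructed sample: line 2 carries a balanced isolate, line 3 an RLO that is
# never closed, so everything after it on that line renders right-to-left.
SAMPLE = (
    "def check():\n"
    "    # note: \u2067 harmless \u2069 balanced isolate\n"
    "    return access_level != \"user\u202E \"  # RLO left open\n"
)


def find_bidi_controls(text):
    """Return (line, column, code point, name), 1-based, for every BIDI control."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "U+%04X" % ord(ch), BIDI_CONTROLS[ch]))
    return findings


def unterminated_lines(text):
    """Lines that end with an embedding/override or an isolate still open.

    The bidi algorithm closes these at the end of the paragraph, so an
    unterminated control silently reorders the rest of the line. Balanced
    sequences are still worth reporting (find_bidi_controls does that); this
    function only singles out the unbalanced ones."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        embed_depth = isolate_depth = 0
        for ch in line:
            if ch in EMBEDDINGS:
                embed_depth += 1
            elif ch == PDF:
                embed_depth = max(0, embed_depth - 1)   # stray PDF is ignored
            elif ch in ISOLATES:
                isolate_depth += 1
            elif ch == PDI:
                isolate_depth = max(0, isolate_depth - 1)
        if embed_depth or isolate_depth:
            bad.append(lineno)
    return bad


if __name__ == "__main__":
    for lineno, col, cp, name in find_bidi_controls(SAMPLE):
        print("line %d col %d: %s (%s)" % (lineno, col, cp, name))
    print("lines with an unterminated BIDI control:", unterminated_lines(SAMPLE))
```

The scan is deliberately applied to every file, not only to code: a control character in a README, a YAML file or a Dockerfile is just as capable of hiding what a reviewer sees.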

Build

Prerequisite

  • Java 11

Simple build skipping integration tests.

./gradlew build

Apply code formatting.

./gradlew spotlessApply

Update rule description

Update all rule descriptions.

./gradlew ruleApiUpdate

There are also the tasks ruleApiUpdateSecrets and ruleApiUpdateText, which update only the Secrets or only the Text rule descriptions.

Generate new rule description

To fetch the static files for a rule SXXXX from RSPEC, execute one of the following commands:

./gradlew ruleApiUpdateRuleSecrets -Prule=SXXXX
./gradlew ruleApiUpdateRuleText -Prule=SXXXX

Generate files to include new secrets

After changing, adding or removing secret specifications, run this script to generate the Java classes needed to include or drop those secrets and to update the static RSPEC files.

The build uses an enforcer plugin that bounds the size of the plugin jar, so adding secret specifications can push the jar past the configured limit and fail the build's tests. The <minsize> and <maxsize> bounds can be changed in sonar-text-plugin/build.gradle.kts (search for enforceJarSize).

./secretSpecificationInclusionGenerator.sh

Verify Regexes

The regular expressions in the secret specifications should be verified to avoid catastrophic backtracking (a regular-expression denial of service: a crafted, or merely unlucky, input makes matching take exponential time and stalls the analysis) and other issues. Currently, the Sonar products do not scan YAML files for regex problems, so SecretsRegexTest was prepared to validate the regexes; it can check either all specification files or a single one. The tests are currently disabled, as the reported issues need to be reviewed first.

There is also a way of running this check from command line.

./gradlew --rerun-tasks :sonar-text-plugin:test --console plain --tests SecretsRegexTest.shouldValidateSingleFile -Dfilename=google-oauth2.yaml
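To show what such a regex check actually looks for, here is an added example (not sonar-text's SecretsRegexTest and not code from the project) in Python, chosen because its regex parser exposes the parse tree directly. It flags an unbounded quantifier nested inside another unbounded quantifier, the structure behind catastrophic backtracking in patterns such as (a+)+ or (\w+\.)*, and includes a timing probe to confirm a finding empirically. All sample patterns are constructed for the example and are not taken from any sonar-text specification file.

```python
"""Structural ReDoS lint for secret-detection regexes (added example, not the
sonar-text SecretsRegexTest). It parses a pattern with Python's own regex parser
and flags an unbounded quantifier nested inside another unbounded quantifier,
the shape behind catastrophic backtracking such as (a+)+ or (\\w+\\.)*.
All sample patterns are constructed for this example.
"""
import re
import time

try:  # Python 3.11+ keeps the parser under re._parser / re._constants
    from re import _parser as sre_parse
    from re import _constants as sre_constants
except ImportError:  # older interpreters export them as top-level modules
    import sre_parse
    import sre_constants

MAXREPEAT = sre_constants.MAXREPEAT
# Only backtracking repeats matter; possessive repeats (3.11+) never give input back.
BACKTRACKING_REPEATS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)
ATOMIC_GROUP = getattr(sre_constants, "ATOMIC_GROUP", None)


def _walk(subpattern, depth, offenders):
    """Visit the parse tree; depth = number of enclosing unbounded repeats."""
    for op, av in subpattern:
        if op in BACKTRACKING_REPEATS:
            lo, hi, body = av
            unbounded = hi == MAXREPEAT
            if unbounded and depth > 0:
                offenders.append(
                    "unbounded repeat {%d,} nested inside %d enclosing unbounded repeat(s)"
                    % (lo, depth))
            _walk(body, depth + (1 if unbounded else 0), offenders)
        elif op == sre_constants.SUBPATTERN:       # (...) and (?:...)
            _walk(av[3], depth, offenders)
        elif op == sre_constants.BRANCH:           # a|b|c
            for alternative in av[1]:
                _walk(alternative, depth, offenders)
        elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):  # lookaround
            _walk(av[1], depth, offenders)
        elif ATOMIC_GROUP is not None and op == ATOMIC_GROUP:
            _walk(av, depth, offenders)
        # LITERAL, IN, ANY, AT, ... are leaves with nothing to descend into.


def nested_unbounded_repeats(pattern):
    """One message per nested unbounded repeat in `pattern`; empty list means clean."""
    offenders = []
    _walk(sre_parse.parse(pattern), 0, offenders)
    return offenders


def has_catastrophic_backtracking_risk(pattern):
    return bool(nested_unbounded_repeats(pattern))


def probe_match_times(pattern, filler="a", tail="!", sizes=(10, 14, 18)):
    """Empirical cross-check: time a non-matching input of growing length.
    Roughly doubling per extra character confirms the structural finding."""
    rx = re.compile(pattern)
    timings = []
    for n in sizes:
        text = filler * n + tail   # constructed adversarial input: almost matches, then fails
        start = time.perf_counter()
        rx.search(text)
        timings.append(time.perf_counter() - start)
    return timings


if __name__ == "__main__":
    # Constructed patterns: two safe secret shapes, two with nested unbounded repeats.
    SAMPLES = {
        r"AKIA[0-9A-Z]{16}": False,                            # bounded, no nesting
        r"secret\s*[:=]\s*[\"']?[A-Za-z0-9]{20,}": False,      # unbounded but not nested
        r"(?:[A-Za-z0-9+/]+=*\s*)+": True,                     # base64-ish chunks: (x+)+
        r"^(\w+\.)*\w+@": True,                                # (\w+\.)*: classic e-mail ReDoS
    }
    for pattern, expected in SAMPLES.items():
        risky = has_catastrophic_backtracking_risk(pattern)
        print("%-42s risky=%s (expected %s)" % (pattern, risky, expected))
        for msg in nested_unbounded_repeats(pattern):
            print("    " + msg)
    print("timings for (a+)+$:", ["%.4fs" % t for t in probe_match_times(r"(a+)+$")])
```

The structural rule is a heuristic: it also flags nests that are unambiguous in practice, such as (a+b)+, and it misses non-nested overlap such as \s*\s*$ or (a|a)*, which is why the timing probe is kept as a second opinion. A specification whose pattern trips the check is usually fixed by anchoring the repeated group on a delimiter that the inner class cannot consume, or by giving the inner repeat an upper bound.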

License

Copyright 2012-2023 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0
