
(-)a/cnd.highlight/src/org/netbeans/modules/cnd/highlight/error/CodeAssistanceHintProvider.java (-1 / +1 lines)
Lines 184-190 Link Here
184
    public synchronized Collection<CodeAudit> getAudits() {
184
    public synchronized Collection<CodeAudit> getAudits() {
185
        if (audits == null) {
185
        if (audits == null) {
186
            List<CodeAudit> res = new ArrayList<>();
186
            List<CodeAudit> res = new ArrayList<>();
187
            for(CodeAuditFactory factory : Lookups.forPath(CodeAuditFactory.REGISTRATION_PATH+NAME).lookupAll(CodeAuditFactory.class)) {
187
            for(CodeAuditFactory factory : Lookups.forPath(CodeAuditFactory.REGISTRATION_PATH+CodeAssistanceHintProvider.NAME).lookupAll(CodeAuditFactory.class)) {
188
                res.add(factory.create(myPreferences));
188
                res.add(factory.create(myPreferences));
189
            }
189
            }
190
            Collections.sort(res, new Comparator<CodeAudit>(){
190
            Collections.sort(res, new Comparator<CodeAudit>(){
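--- a/cnd.highlight/src/org/netbeans/modules/cnd/highlight/hints/CsmHintProvider.java
+++ b/cnd.highlight/src/org/netbeans/modules/cnd/highlight/hints/CsmHintProvider.java
@@ -57,6 +57,7 @@
 import org.netbeans.modules.cnd.api.model.syntaxerr.CodeAuditFactory;
 import org.netbeans.modules.cnd.api.model.syntaxerr.CodeAuditProvider;
 import org.netbeans.modules.cnd.api.model.syntaxerr.CsmErrorProvider;
+import org.netbeans.modules.cnd.highlight.security.SecurityCheckProvider;
 import org.netbeans.modules.cnd.utils.CndUtils;
 import org.netbeans.modules.cnd.utils.MIMENames;
 import org.openide.util.Lookup;
@@ -185,7 +186,7 @@
     public synchronized Collection<CodeAudit> getAudits() {
         if (audits == null) {
             List<CodeAudit> res = new ArrayList<>();
-            for(CodeAuditFactory factory : Lookups.forPath(CodeAuditFactory.REGISTRATION_PATH+NAME).lookupAll(CodeAuditFactory.class)) {
+            for(CodeAuditFactory factory : Lookups.forPath(CodeAuditFactory.REGISTRATION_PATH+CsmHintProvider.NAME).lookupAll(CodeAuditFactory.class)) {
                 res.add(factory.create(myPreferences));
             }
             Collections.sort(res, new Comparator<CodeAudit>(){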
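Review bot: The `import org.netbeans.modules.cnd.highlight.security.SecurityCheckProvider;` added at line 60 is not referenced by either hunk of this file, and the same import is added to hints/HintAnalyzerImpl.java in its own +1 section, again without a visible use. If neither class uses it elsewhere (the rest of both files is outside this page) both lines should be dropped; a hints-package class importing the new security package would also, as far as the visible code suggests, introduce a dependency from the existing provider towards its new sibling that nothing here needs. The `CsmHintProvider.NAME` qualification in the second hunk is fine; getAudits continues past the hunk with the Comparator body.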
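--- a/cnd.highlight/src/org/netbeans/modules/cnd/highlight/hints/HintAnalyzerImpl.java
+++ b/cnd.highlight/src/org/netbeans/modules/cnd/highlight/hints/HintAnalyzerImpl.java
@@ -56,6 +56,7 @@
 import org.netbeans.modules.cnd.api.model.CsmFile;
 import org.netbeans.modules.cnd.api.model.syntaxerr.CsmErrorInfo;
 import org.netbeans.modules.cnd.api.model.syntaxerr.CsmErrorProvider;
+import org.netbeans.modules.cnd.highlight.security.SecurityCheckProvider;
 import org.netbeans.modules.cnd.modelutil.CsmUtilities;
 import org.netbeans.spi.editor.hints.ErrorDescription;
 import org.netbeans.spi.editor.hints.ErrorDescriptionFactory;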
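--- /dev/null
+++ b/cnd.highlight/src/org/netbeans/modules/cnd/highlight/security/Bundle.properties
@@ -0,0 +1,49 @@
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+# Copyright 2015 Oracle and/or its affiliates. All rights reserved.
+#
+# Oracle and Java are registered trademarks of Oracle and/or its affiliates.
+# Other names may be trademarks of their respective owners.
+#
+# The contents of this file are subject to the terms of either the GNU
+# General Public License Version 2 only ("GPL") or the Common
+# Development and Distribution License("CDDL") (collectively, the
+# "License"). You may not use this file except in compliance with the
+# License. You can obtain a copy of the License at
+# http://www.netbeans.org/cddl-gplv2.html
+# or nbbuild/licenses/CDDL-GPL-2-CP. See the License for the
+# specific language governing permissions and limitations under the
+# License.  When distributing the software, include this License Header
+# Notice in each file and include the License file at
+# nbbuild/licenses/CDDL-GPL-2-CP.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the GPL Version 2 section of the License file that
+# accompanied this code. If applicable, add the following below the
+# License Header, with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# If you wish your version of this file to be governed by only the CDDL
+# or only the GPL Version 2, indicate your decision by adding
+# "[Contributor] elects to include this software in this distribution
+# under the [CDDL or GPL Version 2] license." If you do not indicate a
+# single choice of license, a recipient has the option to distribute
+# your version of this file under either the CDDL, the GPL Version 2 or
+# to extend the choice of license to its licensees as provided above.
+# However, if you add GPL Version 2 code and therefore, elected the GPL
+# Version 2 license, then the option applies only if the new code is
+# made subject to such option by the copyright holder.
+#
+# Contributor(s):
+#
+# Portions Copyrighted 2015 Sun Microsystems, Inc.
+
+SecurityCheck_NAME=Security issues
+SecurityCheck_DESCRIPTION=Possible security flaws
+DisableHint=Configure Hints
+
+#AvoidFunctionUsage
+UsingUnsafeFunctions.Unsafe.name=C library functions: highly unsafe
+UsingUnsafeFunctions.Unsafe.description=These function cannot be used securely so it should not to be used under any circumstances
+UsingUnsafeFunctions.Avoid.name=C library functions: difficult to use securely
+UsingUnsafeFunctions.Avoid.description=Use should be avoided as this function is difficult to use securely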
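Review bot: The user-visible text of `UsingUnsafeFunctions.Unsafe.description` at line 47 is ungrammatical and is shown verbatim as the hint message; suggest `UsingUnsafeFunctions.Unsafe.description=These functions cannot be used securely and must not be used under any circumstances`, and for line 49 `UsingUnsafeFunctions.Avoid.description=Use of this function should be avoided because it is difficult to use securely`. Note also that the visible part of UsingUnsafeFunctions.doGetErrors (line 93 of that file, whose section is cut off on this page) selects `avoidName` rather than `unsafeDescription` for the UNSAFE level, so the Unsafe.description key defined here appears never to be displayed; the selection in that class is the likely place to fix, since constants for all four keys are declared there. The `#AvoidFunctionUsage` comment at line 45 does not match the audit class it labels, UsingUnsafeFunctions.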
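--- /dev/null
+++ b/cnd.highlight/src/org/netbeans/modules/cnd/highlight/security/Checks.java
@@ -0,0 +1,138 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright 2015 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Oracle and Java are registered trademarks of Oracle and/or its affiliates.
+ * Other names may be trademarks of their respective owners.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common
+ * Development and Distribution License("CDDL") (collectively, the
+ * "License"). You may not use this file except in compliance with the
+ * License. You can obtain a copy of the License at
+ * http://www.netbeans.org/cddl-gplv2.html
+ * or nbbuild/licenses/CDDL-GPL-2-CP. See the License for the
+ * specific language governing permissions and limitations under the
+ * License.  When distributing the software, include this License Header
+ * Notice in each file and include the License file at
+ * nbbuild/licenses/CDDL-GPL-2-CP.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the GPL Version 2 section of the License file that
+ * accompanied this code. If applicable, add the following below the
+ * License Header, with the fields enclosed by brackets [] replaced by
+ * your own identifying information:
+ * "Portions Copyrighted [year] [name of copyright owner]"
+ *
+ * If you wish your version of this file to be governed by only the CDDL
+ * or only the GPL Version 2, indicate your decision by adding
+ * "[Contributor] elects to include this software in this distribution
+ * under the [CDDL or GPL Version 2] license." If you do not indicate a
+ * single choice of license, a recipient has the option to distribute
+ * your version of this file under either the CDDL, the GPL Version 2 or
+ * to extend the choice of license to its licensees as provided above.
+ * However, if you add GPL Version 2 code and therefore, elected the GPL
+ * Version 2 license, then the option applies only if the new code is
+ * made subject to such option by the copyright holder.
+ *
+ * Contributor(s):
+ *
+ * Portions Copyrighted 2015 Sun Microsystems, Inc.
+ */
+package org.netbeans.modules.cnd.highlight.security;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import org.netbeans.modules.cnd.api.model.CsmFile;
+import org.netbeans.modules.cnd.api.model.CsmFunction;
+import org.netbeans.modules.cnd.api.model.CsmInclude;
+import org.netbeans.modules.cnd.api.model.services.CsmFileInfoQuery;
+import org.openide.util.Exceptions;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+/**
+ *
+ * @author Danila Sergeyev
+ */
+public class Checks {
+    private static final String levelTagName = "level"; // NOI18N
+    private static final String[] levelTagAttributes = {"value"}; // NOI18N
+    private static final String functionTagName = "function"; // NOI18N
+    private static final String[] functionTagAttributes = {"name", "header"}; // NOI18N
+    
+    public enum Level {
+        AVOID,
+        UNSAFE
+    }
+    
+    private final Map<String, String> unsecureFunctions;
+    private final String level;
+    
+    private Checks(Level level) {
+        if (level == Level.AVOID) {
+            this.level = "avoid"; // NOI18N
+        } else {
+            this.level = "unsafe"; // NOI18N
+        }
+        unsecureFunctions = new HashMap<>();
+        processXml();
+    }
+    
+    private void processXml() {
+        try {
+            Document doc = DocumentBuilderFactory.newInstance()
+                          .newDocumentBuilder()
+                          .parse(Checks.class.getResourceAsStream("Checks.xml")); // NOI18N
+            
+            NodeList levelNodes = doc.getElementsByTagName(levelTagName);
+            for (int i = 0, ilimit = levelNodes.getLength(); i < ilimit; i++) {
+                Node levelNode = levelNodes.item(i);
+                if (levelNode.getNodeType() == Node.ELEMENT_NODE) {
+                    Element levelElement = (Element) levelNode;
+                    String value = levelElement.getAttribute(levelTagAttributes[0]);
+                    if (value != null && value.equals(level)) {
+                        NodeList nodes = levelNode.getChildNodes();
+                        for (int j = 0, jlimit = nodes.getLength(); j < jlimit; j++) {
+                            Node node = nodes.item(j);
+                            if (node.getNodeName().equals(functionTagName) && node.getNodeType() == Node.ELEMENT_NODE) {
+                                Element element = (Element) node;
+                                String name = element.getAttribute(functionTagAttributes[0]);
+                                String header = element.getAttribute(functionTagAttributes[1]);
+                                unsecureFunctions.put(name, header);
+                            }
+                        }
+                    }
+                }
+            }
+            
+        } catch (ParserConfigurationException | SAXException | IOException ex) {
+            Exceptions.printStackTrace(ex);
+        }
+    }
+    
+    public static Checks getInstance(Level level) {
+        return new Checks(level);
+    }
+    
+    public boolean isUnsecuredFunction(CsmFunction function) {
+        String fname = function.getName().toString();
+        String header = unsecureFunctions.get(fname);
+        if (header != null) {
+            CsmFile file = function.getContainingFile();
+            for (CsmInclude include : CsmFileInfoQuery.getDefault().getIncludeStack(file)) {
+                if (include.getIncludeName().toString().equals(header)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    
+}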
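Review bot: getInstance (lines 120-122) builds a new Checks on every call and the constructor parses Checks.xml each time, while its only visible caller, UsingUnsafeFunctions.doGetErrors, calls `Checks.getInstance(level)` once per reference in the file being analysed, so the whole table is re-parsed for every function call site; cache one instance per Level instead, which is safe because unsecureFunctions is never modified after construction. processXml (lines 88-118) also never closes the stream returned by getResourceAsStream and, when the resource is missing, hands a null stream to parse, which fails with an IllegalArgumentException the multi-catch does not cover; a try-with-resources with an explicit null check fixes both. While the parser is being set up, disallowing DOCTYPE declarations and enabling secure processing costs nothing and keeps a resource that ships in the jar, but could be edited in a patched build, from ever expanding entities. The rewrite below needs `java.io.InputStream`, `java.util.EnumMap` and `javax.xml.XMLConstants` imported; the element walk between the parse and the catch is unchanged. Separately, the `value != null` test at line 100 is dead, since Element.getAttribute returns an empty string for a missing attribute.
```java
    // One immutable instance per level: Checks.xml is parsed at most once per level
    // instead of on every getInstance() call.
    private static final Map<Level, Checks> INSTANCES = new EnumMap<>(Level.class);

    public static synchronized Checks getInstance(Level level) {
        Checks checks = INSTANCES.get(level);
        if (checks == null) {
            checks = new Checks(level);
            INSTANCES.put(level, checks);
        }
        return checks;
    }

    private void processXml() {
        try (InputStream in = Checks.class.getResourceAsStream("Checks.xml")) { // NOI18N
            if (in == null) {
                throw new IOException("Checks.xml resource not found"); // NOI18N
            }
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // The table is a bundled resource, but keep the parser closed to DTDs and
            // external entities anyway; there is nothing in Checks.xml that needs them.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // NOI18N
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            Document doc = factory.newDocumentBuilder().parse(in);
            // … unchanged: walk <level value=...> / <function name=... header=...> into unsecureFunctions …
        } catch (ParserConfigurationException | SAXException | IOException ex) {
            Exceptions.printStackTrace(ex);
        }
    }
```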
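--- /dev/null
+++ b/cnd.highlight/src/org/netbeans/modules/cnd/highlight/security/Checks.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+
+Copyright 2015 Oracle and/or its affiliates. All rights reserved.
+
+Oracle and Java are registered trademarks of Oracle and/or its affiliates.
+Other names may be trademarks of their respective owners.
+
+The contents of this file are subject to the terms of either the GNU
+General Public License Version 2 only ("GPL") or the Common
+Development and Distribution License("CDDL") (collectively, the
+"License"). You may not use this file except in compliance with the
+License. You can obtain a copy of the License at
+http://www.netbeans.org/cddl-gplv2.html
+or nbbuild/licenses/CDDL-GPL-2-CP. See the License for the
+specific language governing permissions and limitations under the
+License.  When distributing the software, include this License Header
+Notice in each file and include the License file at
+nbbuild/licenses/CDDL-GPL-2-CP.  Oracle designates this
+particular file as subject to the "Classpath" exception as provided
+by Oracle in the GPL Version 2 section of the License file that
+accompanied this code. If applicable, add the following below the
+License Header, with the fields enclosed by brackets [] replaced by
+your own identifying information:
+"Portions Copyrighted [year] [name of copyright owner]"
+
+If you wish your version of this file to be governed by only the CDDL
+or only the GPL Version 2, indicate your decision by adding
+"[Contributor] elects to include this software in this distribution
+under the [CDDL or GPL Version 2] license." If you do not indicate a
+single choice of license, a recipient has the option to distribute
+your version of this file under either the CDDL, the GPL Version 2 or
+to extend the choice of license to its licensees as provided above.
+However, if you add GPL Version 2 code and therefore, elected the GPL
+Version 2 license, then the option applies only if the new code is
+made subject to such option by the copyright holder.
+
+Contributor(s):
+
+Portions Copyrighted 2015 Sun Microsystems, Inc.
+-->
+
+<checks>
+    <level value="unsafe">
+        <function name="gets" header="stdio.h" />
+        <function name="cftime" header="time.h" />
+        <function name="ascftime" header="time.h" />
+    </level>
+    <level value="avoid">
+        <function name="strcat" header="string.h" />
+        <function name="strcpy" header="string.h" />
+        <function name="chown" header="unistd.h" />
+        <function name="lchown" header="unistd.h" />
+    </level>    
+</checks>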
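Review bot: Each `header` value here is compared verbatim with the include names collected from the file's include stack in Checks.isUnsecuredFunction, so a C++ translation unit that reaches strcpy through `<cstring>` or gets through `<cstdio>` will presumably not be flagged, and because Checks keys its table by function name a second `<function name="strcpy" header="cstring" />` entry would replace the string.h entry instead of adding to it. Supporting both spellings therefore needs Checks to keep a set of headers per function name before more entries are added to this table. The `</level>` at line 55 carries trailing whitespace.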
(-)a/cnd.highlight/src/org/netbeans/modules/cnd/highlight/hints/HintAnalyzerImpl.java (-12 / +12 lines)
Lines 40-46 Link Here
40
 * Portions Copyrighted 2014 Sun Microsystems, Inc.
40
 * Portions Copyrighted 2014 Sun Microsystems, Inc.
41
 */
41
 */
42
42
43
package org.netbeans.modules.cnd.highlight.hints;
43
package org.netbeans.modules.cnd.highlight.security;
44
44
45
import java.util.ArrayList;
45
import java.util.ArrayList;
46
import java.util.Collection;
46
import java.util.Collection;
Lines 70-88 Link Here
70
 *
70
 *
71
 * @author Alexander Simon
71
 * @author Alexander Simon
72
 */
72
 */
73
public class HintAnalyzerImpl extends AbstractAnalyzer {
73
public class SecurityAnalyzerImpl extends AbstractAnalyzer {
74
    private static final String PREFIX = "cnd-"; //NOI18N
74
    private static final String PREFIX = "cnd-"; //NOI18N
75
75
76
    private HintAnalyzerImpl(Context ctx) {
76
    private SecurityAnalyzerImpl(Context ctx) {
77
        super(ctx);
77
        super(ctx);
78
    }
78
    }
79
79
80
    @Override
80
    @Override
81
    protected CsmErrorProvider getErrorProvider(Preferences preferences) {
81
    protected CsmErrorProvider getErrorProvider(Preferences preferences) {
82
        if (preferences != null) {
82
        if (preferences != null) {
83
            return new CsmHintProvider(preferences);
83
            return new SecurityCheckProvider(preferences);
84
        } else {
84
        } else {
85
            return CsmHintProvider.getInstance();
85
            return (CsmErrorProvider) SecurityCheckProvider.getInstance();
86
        }
86
        }
87
    }
87
    }
88
88
Lines 139-155 Link Here
139
    public static final class AnalyzerFactoryImpl extends AnalyzerFactory {
139
    public static final class AnalyzerFactoryImpl extends AnalyzerFactory {
140
        
140
        
141
        public AnalyzerFactoryImpl() {
141
        public AnalyzerFactoryImpl() {
142
            super(CsmHintProvider.NAME,
142
            super(SecurityCheckProvider.NAME,
143
                   NbBundle.getMessage(CsmHintProvider.class, "General_DESCRIPTION"), //NOI18N
143
                   NbBundle.getMessage(SecurityCheckProvider.class, "SecurityCheck_DESCRIPTION"), //NOI18N
144
                   ImageUtilities.loadImage("org/netbeans/modules/cnd/highlight/resources/bugs.png")); //NOI18N
144
                   ImageUtilities.loadImage("org/netbeans/modules/cnd/highlight/resources/bugs.png")); //NOI18N
145
        }
145
        }
146
146
147
        @Override
147
        @Override
148
        public Iterable<? extends WarningDescription> getWarnings() {
148
        public Iterable<? extends WarningDescription> getWarnings() {
149
            List<WarningDescription> result = new ArrayList<>();
149
            List<WarningDescription> result = new ArrayList<>();
150
            final CsmHintProvider provider = (CsmHintProvider)CsmHintProvider.getInstance();
150
            final SecurityCheckProvider provider = (SecurityCheckProvider)SecurityCheckProvider.getInstance();
151
            for(CodeAudit audit : provider.getAudits()) {
151
            for(CodeAudit audit : provider.getAudits()) {
152
                result.add(WarningDescription.create(PREFIX+audit.getID(), audit.getName(), CsmHintProvider.NAME, provider.getDisplayName()));
152
                result.add(WarningDescription.create(PREFIX+audit.getID(), audit.getName(), SecurityCheckProvider.NAME, provider.getDisplayName()));
153
            }
153
            }
154
            return result;
154
            return result;
155
        }
155
        }
Lines 185-199 Link Here
185
185
186
        private CodeAuditProvider getErrorProvider(Preferences preferences) {
186
        private CodeAuditProvider getErrorProvider(Preferences preferences) {
187
            if (preferences != null) {
187
            if (preferences != null) {
188
                return new CsmHintProvider(preferences);
188
                return new SecurityCheckProvider(preferences);
189
            } else {
189
            } else {
190
                return (CodeAuditProvider)CsmHintProvider.getInstance();
190
                return (CodeAuditProvider)SecurityCheckProvider.getInstance();
191
            }
191
            }
192
        }
192
        }
193
        
193
        
194
        @Override
194
        @Override
195
        public Analyzer createAnalyzer(Context context) {
195
        public Analyzer createAnalyzer(Context context) {
196
            return new HintAnalyzerImpl(context);
196
            return new SecurityAnalyzerImpl(context);
197
        }
197
        }
198
    }
198
    }
199
}
199
}
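Review bot: `SecurityCheckProvider.getInstance()` returns null when no provider named SecurityCheck is registered (line 85 of SecurityCheckProvider.java), and the new code at lines 150-151 casts that result and calls `provider.getAudits()` without a check, so a missing registration surfaces as a NullPointerException inside getWarnings rather than as an empty result; the same unchecked cast appears at lines 85 and 190 of this section. Suggest `if (provider == null) { return result; }` directly after the lookup at line 150. The replaced CsmHintProvider-based code had the same shape, so this may be a pre-existing pattern, but the new class is the natural place to tighten it. This section is labelled HintAnalyzerImpl.java while its package and class are `security`/`SecurityAnalyzerImpl`, presumably a copy detected by the diff tool; the `@author` Javadoc at line 71 was carried over unchanged.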
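--- /dev/null
+++ b/cnd.highlight/src/org/netbeans/modules/cnd/highlight/security/SecurityCheckProvider.java
@@ -0,0 +1,185 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright 2015 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Oracle and Java are registered trademarks of Oracle and/or its affiliates.
+ * Other names may be trademarks of their respective owners.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common
+ * Development and Distribution License("CDDL") (collectively, the
+ * "License"). You may not use this file except in compliance with the
+ * License. You can obtain a copy of the License at
+ * http://www.netbeans.org/cddl-gplv2.html
+ * or nbbuild/licenses/CDDL-GPL-2-CP. See the License for the
+ * specific language governing permissions and limitations under the
+ * License.  When distributing the software, include this License Header
+ * Notice in each file and include the License file at
+ * nbbuild/licenses/CDDL-GPL-2-CP.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the GPL Version 2 section of the License file that
+ * accompanied this code. If applicable, add the following below the
+ * License Header, with the fields enclosed by brackets [] replaced by
+ * your own identifying information:
+ * "Portions Copyrighted [year] [name of copyright owner]"
+ *
+ * If you wish your version of this file to be governed by only the CDDL
+ * or only the GPL Version 2, indicate your decision by adding
+ * "[Contributor] elects to include this software in this distribution
+ * under the [CDDL or GPL Version 2] license." If you do not indicate a
+ * single choice of license, a recipient has the option to distribute
+ * your version of this file under either the CDDL, the GPL Version 2 or
+ * to extend the choice of license to its licensees as provided above.
+ * However, if you add GPL Version 2 code and therefore, elected the GPL
+ * Version 2 license, then the option applies only if the new code is
+ * made subject to such option by the copyright holder.
+ *
+ * Contributor(s):
+ *
+ * Portions Copyrighted 2015 Sun Microsystems, Inc.
+ */
+package org.netbeans.modules.cnd.highlight.security;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+import java.util.prefs.BackingStoreException;
+import java.util.prefs.Preferences;
+import org.netbeans.modules.cnd.api.model.CsmFile;
+import org.netbeans.modules.cnd.api.model.services.CsmCacheManager;
+import org.netbeans.modules.cnd.api.model.syntaxerr.AbstractCodeAudit;
+import org.netbeans.modules.cnd.api.model.syntaxerr.AuditPreferences;
+import org.netbeans.modules.cnd.api.model.syntaxerr.CodeAudit;
+import org.netbeans.modules.cnd.api.model.syntaxerr.CodeAuditFactory;
+import org.netbeans.modules.cnd.api.model.syntaxerr.CodeAuditProvider;
+import org.netbeans.modules.cnd.api.model.syntaxerr.CsmErrorProvider;
+import org.netbeans.modules.cnd.utils.MIMENames;
+import org.openide.util.Lookup;
+import org.openide.util.NbBundle;
+import org.openide.util.lookup.Lookups;
+import org.openide.util.lookup.ServiceProvider;
+import org.openide.util.lookup.ServiceProviders;
+
+/**
+ *
+ * @author Danila Sergeyev
+ */
+@ServiceProviders({
+    @ServiceProvider(service = CsmErrorProvider.class, position = 1200),
+    @ServiceProvider(service = CodeAuditProvider.class, position = 1300)
+})
+public class SecurityCheckProvider extends CsmErrorProvider implements CodeAuditProvider {
+    public static final String NAME = "SecurityCheck"; //NOI18N
+    private Collection<CodeAudit> audits;
+    private final AuditPreferences myPreferences;
+    
+    public static CodeAuditProvider getInstance() {
+        for(CodeAuditProvider provider : Lookup.getDefault().lookupAll(CodeAuditProvider.class)) {
+            if (NAME.equals(provider.getName())) {
+                return provider;
+            }
+        }
+        return null;
+    }
+    
+    public SecurityCheckProvider() {
+         myPreferences = new AuditPreferences(AuditPreferences.AUDIT_PREFERENCES_ROOT.node(NAME));
+    }
+    
+    SecurityCheckProvider(Preferences preferences) {        
+        try {
+            if (preferences.nodeExists(NAME)) {
+                preferences = preferences.node(NAME);
+            }
+        } catch (BackingStoreException ex) {
+        }   
+        if (preferences.absolutePath().endsWith("/"+NAME)) { //NOI18N
+            myPreferences = new AuditPreferences(preferences);
+        } else {
+            myPreferences = new AuditPreferences(preferences.node(NAME));
+        }
+    }
+    
+    @Override
+    public String getName() {
+        return NAME;
+    }
+    
+    @Override
+    public String getDisplayName() {
+        return NbBundle.getMessage(SecurityCheckProvider.class, "SecurityCheck_NAME"); //NOI18N
+    }
+    
+    @Override
+    public String getDescription() {
+        return NbBundle.getMessage(SecurityCheckProvider.class, "SecurityCheck_DESCRIPTION"); //NOI18N
+    }
+    
+    @Override
+    protected void doGetErrors(CsmErrorProvider.Request request, CsmErrorProvider.Response response) {
+        CsmFile file = request.getFile();
+        if (file != null) {
+            if (request.isCancelled()) {
+                return;
+            }
+            CsmCacheManager.enter();
+            try {
+                for(CodeAudit audit : getAudits()) {
+                    if (request.isCancelled()) {
+                        return;
+                    }
+                    AbstractCodeAudit engine = (AbstractCodeAudit)audit;
+                    if (engine.isEnabled() && engine.isSupportedEvent(request.getEvent())) {
+                        engine.doGetErrors(request, response);
+                    }
+                }
+            } finally {
+                CsmCacheManager.leave();
+            }
+        }
+    }
+    
+    @Override
+    public synchronized Collection<CodeAudit> getAudits() {
+        if (audits == null) {
+            List<CodeAudit> res = new ArrayList<>();
+            for(CodeAuditFactory factory : Lookups.forPath(CodeAuditFactory.REGISTRATION_PATH+SecurityCheckProvider.NAME).lookupAll(CodeAuditFactory.class)) {
+                res.add(factory.create(myPreferences));
+            }
+            Collections.sort(res, new Comparator<CodeAudit>(){
+
+                @Override
+                public int compare(CodeAudit o1, CodeAudit o2) {
+                    return o1.getName().compareTo(o2.getName());
+                }
+            });
+            audits = res;
+        }
+        return audits;
+    }
+    
+    @Override
+    public AuditPreferences getPreferences() {
+        return myPreferences;
+    }
+
+    @Override
+    public String getMimeType() {
+        return MIMENames.SOURCES_MIME_TYPE;
+    }
+    
+    @Override
+    public boolean isSupportedEvent(CsmErrorProvider.EditorEvent kind) {
+        for(CodeAudit audit : getAudits()) {
+            AbstractCodeAudit engine = (AbstractCodeAudit)audit;
+            if (engine.isSupportedEvent(kind)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+}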
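Review bot: The `catch (BackingStoreException ex)` at lines 97-98 is empty, which hides a preferences-store failure with no trace; the fall-through to `preferences.node(NAME)` at line 102 is a reasonable recovery, so make it explicit: `} catch (BackingStoreException ignored) { // nodeExists failed; node(NAME) below creates or reopens the node }`. `getInstance()` (lines 79-86) returns null when nothing is registered under NAME, has no Javadoc saying so, and its callers in the new SecurityAnalyzerImpl cast the result without a check; add `/** @return the registered SecurityCheck audit provider, or {@code null} when none is registered. */` or fail fast with an IllegalStateException. doGetErrors (line 134) and isSupportedEvent (line 177) downcast every audit to AbstractCodeAudit; nothing on this page constrains the factories found under the lookup path to produce that type, so an `instanceof` guard, or a comment stating that contract, would avoid an unexplained ClassCastException.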
(-)a/cnd.highlight/src/org/netbeans/modules/cnd/highlight/security/UsingUnsafeFunctions.java (+127 lines)
Line 0 Link Here
1
/*
2
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3
 *
4
 * Copyright 2015 Oracle and/or its affiliates. All rights reserved.
5
 *
6
 * Oracle and Java are registered trademarks of Oracle and/or its affiliates.
7
 * Other names may be trademarks of their respective owners.
8
 *
9
 * The contents of this file are subject to the terms of either the GNU
10
 * General Public License Version 2 only ("GPL") or the Common
11
 * Development and Distribution License("CDDL") (collectively, the
12
 * "License"). You may not use this file except in compliance with the
13
 * License. You can obtain a copy of the License at
14
 * http://www.netbeans.org/cddl-gplv2.html
15
 * or nbbuild/licenses/CDDL-GPL-2-CP. See the License for the
16
 * specific language governing permissions and limitations under the
17
 * License.  When distributing the software, include this License Header
18
 * Notice in each file and include the License file at
19
 * nbbuild/licenses/CDDL-GPL-2-CP.  Oracle designates this
20
 * particular file as subject to the "Classpath" exception as provided
21
 * by Oracle in the GPL Version 2 section of the License file that
22
 * accompanied this code. If applicable, add the following below the
23
 * License Header, with the fields enclosed by brackets [] replaced by
24
 * your own identifying information:
25
 * "Portions Copyrighted [year] [name of copyright owner]"
26
 *
27
 * If you wish your version of this file to be governed by only the CDDL
28
 * or only the GPL Version 2, indicate your decision by adding
29
 * "[Contributor] elects to include this software in this distribution
30
 * under the [CDDL or GPL Version 2] license." If you do not indicate a
31
 * single choice of license, a recipient has the option to distribute
32
 * your version of this file under either the CDDL, the GPL Version 2 or
33
 * to extend the choice of license to its licensees as provided above.
34
 * However, if you add GPL Version 2 code and therefore, elected the GPL
35
 * Version 2 license, then the option applies only if the new code is
36
 * made subject to such option by the copyright holder.
37
 *
38
 * Contributor(s):
39
 *
40
 * Portions Copyrighted 2015 Sun Microsystems, Inc.
41
 */
42
package org.netbeans.modules.cnd.highlight.security;
43
44
import org.netbeans.modules.cnd.analysis.api.AnalyzerResponse;
45
import org.netbeans.modules.cnd.api.model.CsmFile;
46
import org.netbeans.modules.cnd.api.model.CsmFunction;
47
import org.netbeans.modules.cnd.api.model.syntaxerr.AbstractCodeAudit;
48
import org.netbeans.modules.cnd.api.model.syntaxerr.AuditPreferences;
49
import org.netbeans.modules.cnd.api.model.syntaxerr.CodeAuditFactory;
50
import org.netbeans.modules.cnd.api.model.syntaxerr.CsmErrorInfo;
51
import org.netbeans.modules.cnd.api.model.syntaxerr.CsmErrorProvider;
52
import org.netbeans.modules.cnd.api.model.util.CsmKindUtilities;
53
import org.netbeans.modules.cnd.api.model.xref.CsmReference;
54
import org.netbeans.modules.cnd.api.model.xref.CsmReferenceResolver;
55
import org.netbeans.modules.cnd.highlight.hints.ErrorInfoImpl;
56
import org.openide.util.NbBundle;
57
import org.openide.util.lookup.ServiceProvider;
58
59
/**
60
 *
61
 * @author Danila Sergeyev
62
 */
63
public class UsingUnsafeFunctions extends AbstractCodeAudit {
64
    private final Checks.Level level;
65
    private static final String avoidName = "UsingUnsafeFunctions.Avoid.name"; // NOI18N
66
    private static final String avoidDescription = "UsingUnsafeFunctions.Avoid.description"; // NOI18N
67
    private static final String unsafeName = "UsingUnsafeFunctions.Unsafe.name"; // NOI18N
68
    private static final String unsafeDescription = "UsingUnsafeFunctions.Unsafe.description"; // NOI18N
69
    
70
    private UsingUnsafeFunctions(Checks.Level level, String id, String name, String description, String defaultSeverity, boolean defaultEnabled, AuditPreferences myPreferences) {
71
        super(id, name, description, defaultSeverity, defaultEnabled, myPreferences);
72
        this.level = level;
73
    }
74
    
75
    @Override
76
    public boolean isSupportedEvent(CsmErrorProvider.EditorEvent kind) {
77
        return kind == CsmErrorProvider.EditorEvent.FileBased;
78
    }
79
    
80
    @Override
81
    public void doGetErrors(CsmErrorProvider.Request request, CsmErrorProvider.Response response) {
82
        CsmFile file = request.getFile();
83
        if (file != null) {
84
            if (request.isCancelled()) {
85
                return;
86
            }
87
            
88
            for (CsmReference ref : CsmReferenceResolver.getDefault().getReferences(file)) {
89
                if (CsmKindUtilities.isFunction(ref.getReferencedObject())) {
90
                    CsmFunction function = (CsmFunction) ref.getReferencedObject();
91
                    if (Checks.getInstance(level).isUnsecuredFunction(function)) {
92
                        String message = NbBundle.getMessage(UsingUnsafeFunctions.class
93
                                                            ,(level == Checks.Level.AVOID)?avoidDescription:avoidName);
94
                        CsmErrorInfo.Severity severity = toSeverity(minimalSeverity());
95
                        if (response instanceof AnalyzerResponse) {
96
                            ((AnalyzerResponse) response).addError(AnalyzerResponse.AnalyzerSeverity.DetectedError, null, file.getFileObject(),
97
                                new ErrorInfoImpl(SecurityCheckProvider.NAME, getID(), getName()+"\n"+message, severity, ref.getStartOffset(), ref.getEndOffset()));  // NOI18N
98
                        } else {
99
                            response.addError(new ErrorInfoImpl(SecurityCheckProvider.NAME, getID(), message, severity, ref.getStartOffset(), ref.getEndOffset()));
100
                        }
101
                    }
102
                }
103
            }
104
        }
105
    }
106
       
107
    @ServiceProvider(path = CodeAuditFactory.REGISTRATION_PATH+SecurityCheckProvider.NAME, service = CodeAuditFactory.class, position = 1300)
108
    public static final class UnsafeFunctionsAuditFactory implements CodeAuditFactory {
109
        @Override
110
        public AbstractCodeAudit create(AuditPreferences preferences) {
111
            String id = NbBundle.getMessage(UsingUnsafeFunctions.class, unsafeName);
112
            String description = NbBundle.getMessage(UsingUnsafeFunctions.class, unsafeDescription);
113
            return new UsingUnsafeFunctions(Checks.Level.UNSAFE, id, id, description, "error", true, preferences);  // NOI18N
114
        }
115
    }
116
    
117
    @ServiceProvider(path = CodeAuditFactory.REGISTRATION_PATH+SecurityCheckProvider.NAME, service = CodeAuditFactory.class, position = 1300)
118
    public static final class AvoidFunctionsAuditFactory implements CodeAuditFactory {
119
        @Override
120
        public AbstractCodeAudit create(AuditPreferences preferences) {
121
            String id = NbBundle.getMessage(UsingUnsafeFunctions.class, avoidName);
122
            String description = NbBundle.getMessage(UsingUnsafeFunctions.class, avoidDescription);
123
            return new UsingUnsafeFunctions(Checks.Level.AVOID, id, id, description, "error", true, preferences);  // NOI18N
124
        }
125
    }
126
    
127
}
(-)a/cnd.refactoring/src/org/netbeans/modules/cnd/refactoring/hints/SuggestionProvider.java (-1 / +1 lines)
Lines 119-125 Link Here
119
    public synchronized Collection<CodeAudit> getAudits() {
119
    public synchronized Collection<CodeAudit> getAudits() {
120
        if (audits == null) {
120
        if (audits == null) {
121
            List<CodeAudit> res = new ArrayList<>();
121
            List<CodeAudit> res = new ArrayList<>();
122
            for(CodeAuditFactory factory : Lookups.forPath(CodeAuditFactory.REGISTRATION_PATH+NAME).lookupAll(CodeAuditFactory.class)) {
122
            for(CodeAuditFactory factory : Lookups.forPath(CodeAuditFactory.REGISTRATION_PATH+SuggestionProvider.NAME).lookupAll(CodeAuditFactory.class)) {
123
                res.add(factory.create(myPreferences));
123
                res.add(factory.create(myPreferences));
124
            }
124
            }
125
            Collections.sort(res, new Comparator<CodeAudit>(){
125
            Collections.sort(res, new Comparator<CodeAudit>(){
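Review bot: The qualification `SuggestionProvider.NAME` in the `Lookups.forPath(...)` argument is redundant if `NAME` is declared on this class, and if it was added to avoid picking up a differently valued `NAME` from a supertype or an import, that reason is not visible in the hunk and deserves a one-line comment above the loop such as `// qualify explicitly so the registration path cannot bind to another NAME in scope`, adjusted to the actual reason. Since the path is built by plain string concatenation, a short comment stating which constant supplies the separator would also help a reader confirm the resulting folder path. getAudits() begins and ends outside the hunk.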