Writing custom rules for the Kiuwan code analyzer
We continue our series of notes on the Kiuwan static code analyzer.
This class of tools examines the text of programs in order to identify any known patterns of vulnerabilities, errors, inaccuracies, ineffective actions and much more. Where did these templates come from, we wrote last time . For each programming language, these templates will be their own due to clear differences in syntax, but there will be general rules for quality code, such as avoiding the use of duplicate blocks of code.
However, these patterns and rules are not always enough to assess certain qualities of a written program. In each case, you may need your own defining parameter. For example, it is important for us to make sure that the written banking program does not contain hidden transactions for any of its money. Or check that no invalid external libraries are used. In this case, we just need to be able to force the analyzer to check not only the regular templates, but also our additional rules.
')
In this article I would like to tell you how to create your own "custom" rules for analyzing the source code for Kiuwan.
Step 1. Kiuwan Rule Developer
Kiuwan proposes a tool for writing custom rules, called Kiuwan Rule Developer. Let's skip the installation process, as it does not represent anything interesting. And the appearance of the utility looks like this:
Consider the interface in more detail. It consists of 3 main areas:
1. A window containing the source code on which the rule will be tested.
2. AST (abstract syntax tree) - a tree describing parsed source code
3. Execution panel - a panel in which we can create, open and edit rules, write XPath expressions and Groovy scripts, as well as watch the results of the rule execution
All rules are described using the Java programming language. Therefore, we need to befriend our development environment (in our case it will be Eclipse) with the utility. This process is simple - you just need to register the directories of the newly created rule project in Eclipse in the utility.
Step 2. Create a new rule
And now we will get down to the most interesting - the creation of the rule itself. To do this, click the “New” button on the “Rule” tab. A new window will open in which we need to register all the details of the rule being created. An asterisk indicates a required field.
In our simplest example, the rule will look for using the System.out.print and System.out.println methods in the code. Why?! Because it is more correct to use a standardized library for logging, for example, log4j.
Having filled in all the fields on the “Definition” tab, we will go to the “Code examples” tab. Here we show examples of the "wrong" code and the code of the corrected one. Actually, in the future, the “wrong” code may be useful to us for testing our rule.
After saving, 2 files will be created:
• Rule Source Code Template
• XML rule description file
Step 3. Compile Java code rules in Eclipse
Let's go to Eclipse. Update the project files and see the added files CheckSystemOut.java and COM.MYCOMPANY.JAVA.CHECKSYSTEMOUT.rule.xml
Having opened the first file, we will see the basic code template created by the utility.
For our simple example, add some simple code. For more information on writing rules, see the articles on the Kiuwan website.
We compile the rule (I have selected automatic compilation while saving in Eclipse), and everything is almost ready.
Step 4. We are testing the rule.
We return to the utility Kiuwan Rule Developer. In it we can test what we have written. To do this, we need to take a few simple steps:
1. Insert the source code on which our rule will be tested (I will take it from the rule description)
2. Click on the “Generate AST” button. In this case, the source code will be parsed, and the structure of the AST (Abstract Syntax Tree) code will be created.
3. Click the “Execute” button and see the results of the rule execution.
Everything, the rule is ready! It remains to perform the installation and configuration of the rule on the system’s web portal and upload the exported jar file to the local analyzer folder. I will not dwell on these details, since it is no longer so interesting.
Step 5. We look at the results of the analysis
Well, now it's worth seeing how it all works. Launch Kiuwan Local Analyzer, set it on the code of the project we want to analyze, click on the “Analyze” button, wait a while and see the results :)
Going to the defects tab, we can see the result of our rule.
It is worth noting that this method of expanding your quality model is universal for any programming language supported by Kiuwan (currently more than 20).
This class of tools examines the text of programs in order to identify any known patterns of vulnerabilities, errors, inaccuracies, ineffective actions and much more. Where did these templates come from, we wrote last time . For each programming language, these templates will be their own due to clear differences in syntax, but there will be general rules for quality code, such as avoiding the use of duplicate blocks of code.
However, these patterns and rules are not always enough to assess certain qualities of a written program. In each case, you may need your own defining parameter. For example, it is important for us to make sure that the written banking program does not contain hidden transactions for any of its money. Or check that no invalid external libraries are used. In this case, we just need to be able to force the analyzer to check not only the regular templates, but also our additional rules.
')
In this article I would like to tell you how to create your own "custom" rules for analyzing the source code for Kiuwan.
Step 1. Kiuwan Rule Developer
Kiuwan proposes a tool for writing custom rules, called Kiuwan Rule Developer. Let's skip the installation process, as it does not represent anything interesting. And the appearance of the utility looks like this:
Consider the interface in more detail. It consists of 3 main areas:
1. A window containing the source code on which the rule will be tested.
2. AST (abstract syntax tree) - a tree describing parsed source code
3. Execution panel - a panel in which we can create, open and edit rules, write XPath expressions and Groovy scripts, as well as watch the results of the rule execution
All rules are described using the Java programming language. Therefore, we need to befriend our development environment (in our case it will be Eclipse) with the utility. This process is simple - you just need to register the directories of the newly created rule project in Eclipse in the utility.
Step 2. Create a new rule
And now we will get down to the most interesting - the creation of the rule itself. To do this, click the “New” button on the “Rule” tab. A new window will open in which we need to register all the details of the rule being created. An asterisk indicates a required field.
In our simplest example, the rule will look for using the System.out.print and System.out.println methods in the code. Why?! Because it is more correct to use a standardized library for logging, for example, log4j.
Having filled in all the fields on the “Definition” tab, we will go to the “Code examples” tab. Here we show examples of the "wrong" code and the code of the corrected one. Actually, in the future, the “wrong” code may be useful to us for testing our rule.
After saving, 2 files will be created:
• Rule Source Code Template
• XML rule description file
Step 3. Compile Java code rules in Eclipse
Let's go to Eclipse. Update the project files and see the added files CheckSystemOut.java and COM.MYCOMPANY.JAVA.CHECKSYSTEMOUT.rule.xml
Having opened the first file, we will see the basic code template created by the utility.
For our simple example, add some simple code. For more information on writing rules, see the articles on the Kiuwan website.
We compile the rule (I have selected automatic compilation while saving in Eclipse), and everything is almost ready.
Step 4. We are testing the rule.
We return to the utility Kiuwan Rule Developer. In it we can test what we have written. To do this, we need to take a few simple steps:
1. Insert the source code on which our rule will be tested (I will take it from the rule description)
2. Click on the “Generate AST” button. In this case, the source code will be parsed, and the structure of the AST (Abstract Syntax Tree) code will be created.
3. Click the “Execute” button and see the results of the rule execution.
Everything, the rule is ready! It remains to perform the installation and configuration of the rule on the system’s web portal and upload the exported jar file to the local analyzer folder. I will not dwell on these details, since it is no longer so interesting.
Step 5. We look at the results of the analysis
Well, now it's worth seeing how it all works. Launch Kiuwan Local Analyzer, set it on the code of the project we want to analyze, click on the “Analyze” button, wait a while and see the results :)
Going to the defects tab, we can see the result of our rule.
It is worth noting that this method of expanding your quality model is universal for any programming language supported by Kiuwan (currently more than 20).
Source: https://habr.com/ru/post/277291/
All Articles