Custom Fortify rules and Android

Time: 2012-10-16 07:38:29

Tags: android rules fortify

I want to write a Fortify rule that finds instances of "addJavascriptInterface" in an Android code base.

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
    <RulePackID>80B927D2-5408-41B4-B47C-B4958DAAECBD</RulePackID>
    <SKU>SKU-80B927D2-5408-41B4-B47C-B4958DAAECBD</SKU>
    <Name><![CDATA[android.xml]]></Name>
    <Version>1.0</Version>
    <Description><![CDATA[Description for android.xml]]></Description>
    <Rules version="3.13">
        <RuleDefinitions>
            <SemanticRule formatVersion="3.13" language="java">
                <MetaInfo>
                    <Group name="Accuracy">5.0</Group>
                    <Group name="Impact">5.0</Group>
                    <Group name="RemediationEffort">15.0</Group>
                    <Group name="Probability">5.0</Group>
                </MetaInfo>
                <RuleID>CC4B8F82-0824-4DF1-8A5F-513DC6820B99</RuleID>
                <VulnCategory>Testjsinterface</VulnCategory>
                <DefaultSeverity>5.0</DefaultSeverity>
                <Description/>
                <Type>default</Type>
                <FunctionIdentifier>
                    <NamespaceName>
                        <Pattern>\w*</Pattern>
                    </NamespaceName>
                    <ClassName>
                        <Pattern>WebView</Pattern>
                    </ClassName>
                    <FunctionName>
                        <Pattern>addJavascriptInterface</Pattern>
                    </FunctionName>
                    <ApplyTo implements="true" overrides="true" extends="true"/>
                </FunctionIdentifier>
            </SemanticRule>
        </RuleDefinitions>
    </Rules>
</RulePack>

When I try to run Fortify against the code base, I get the following:

[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.
    Override
    android.app.Activity
    android.content.res.AssetManager
    android.os.Bundle
    android.util.Log
    android.view.KeyEvent
    android.webkit.WebSettings
    android.webkit.WebView
    android.webkit.WebViewClient

So I tried running Fortify as follows:

bin/sourceanalyzer ~/repos/android-rule-tests/WebViewTest -cp ~/android-sdks/platforms/android-16/android.jar

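The warnings went away, but the rule still doesn't seem to resolve - what could be going wrong?

EDIT For clarity, WebViewTest is a sample project that uses addJavascriptInterface.

EDIT2 Added some code for clarity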

package org.infil00p.phoneTest;

import java.io.IOException;

import com.infil00p.phoneTest.R;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.KeyEvent;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.content.res.AssetManager;

public class TestActivity extends Activity {

    WebView appView;
    TestWebViewClient testClient;
    String TAG="FAILTAG";
    Bolt data = new Bolt();
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        testClient = new TestWebViewClient();

        appView = (WebView) findViewById(R.id.appView);
        appView.getSettings().setDatabaseEnabled(true);
        appView.getSettings().setJavaScriptEnabled(true);
        appView.addJavascriptInterface(data, "test");

        appView.setWebViewClient(testClient);

        appView.loadUrl("file:///android_asset/index.html");

    }
    ....

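EDIT3 I played with this a bit and eventually came to the conclusion that, in my particular case, the semantic rule does not fire until it sees the function defined in a class in the same file. Grabbing the Android source and copying in the WebView.java source causes the rule to fire (this is a horrible thing to do, but I was just playing around).

2 answers:

Answer 0: (score: 0)

First, I would suggest that the pattern for the namespace be .*. Second, where did you save your custom rules file? If it is not in <SCA install>/Core/config/customrules, you need to specify it with the -rules option. Also, you are missing a build ID; your commands should be: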

sourceanalyzer -b test -clean
sourceanalyzer -b test -source 1.6 ~/repos/android-rule-tests/WebViewTest -cp ~/android-sdks/platforms/android-16/android.jar -rules /path/to/rules/file.xml
sourceanalyzer -b test -scan -f myResults.fpr

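I think on Android there is also an R class file that is created at runtime. Since SCA does not do this, the project should be built first so that it can be specified in the classpath.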
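
An added example, not part of either answer and not Fortify's own code: a pre-scan check of the namespace advice in answer 0, run over a constructed, reduced copy of the question's rule. It assumes each <Pattern> is a regular expression that must match the whole name (Python's re stands in for Java's regex engine) and takes the target package android.webkit from the unresolved-class warning in the question; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"f": "xmlns://www.fortifysoftware.com/schema/rules"}
PARTS = ("NamespaceName", "ClassName", "FunctionName")

# Constructed sample: the question's rule, reduced to the parts used for matching.
RULEPACK = r"""<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <Rules version="3.13"><RuleDefinitions>
    <SemanticRule formatVersion="3.13" language="java">
      <RuleID>CC4B8F82-0824-4DF1-8A5F-513DC6820B99</RuleID>
      <FunctionIdentifier>
        <NamespaceName><Pattern>\w*</Pattern></NamespaceName>
        <ClassName><Pattern>WebView</Pattern></ClassName>
        <FunctionName><Pattern>addJavascriptInterface</Pattern></FunctionName>
      </FunctionIdentifier>
    </SemanticRule>
  </RuleDefinitions></Rules>
</RulePack>"""

# The API the rule is meant to flag, split the way FunctionIdentifier splits it.
TARGET = {"NamespaceName": "android.webkit", "ClassName": "WebView",
          "FunctionName": "addJavascriptInterface"}

def identifiers(rulepack_xml):
    """Yield (rule_id, {part: regex or None}) for each FunctionIdentifier."""
    root = ET.fromstring(rulepack_xml.encode("utf-8"))
    for parent in root.iter():
        fid = parent.find("f:FunctionIdentifier", NS)
        if fid is None:
            continue
        rule_id = parent.findtext("f:RuleID", default="?", namespaces=NS)
        yield rule_id, {p: fid.findtext(f"f:{p}/f:Pattern", namespaces=NS)
                        for p in PARTS}

def mismatches(rulepack_xml, target):
    """Return (rule_id, part, regex) for each pattern that fails to cover target."""
    failed = []
    for rule_id, parts in identifiers(rulepack_xml):
        for part, regex in parts.items():
            # Assumption: whole-name matching, so fullmatch rather than search.
            if regex is not None and re.fullmatch(regex, target[part]) is None:
                failed.append((rule_id, part, regex))
    return failed

if __name__ == "__main__":
    for rule_id, part, regex in mismatches(RULEPACK, TARGET):
        print(f"{rule_id}: {part} pattern {regex!r} misses {TARGET[part]!r}")
```

Under that assumption, \w* cannot cover a dotted package name because "." is not a word character, while .* or android\.webkit can.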

Answer 1: (score: 0)

  1. CLEAN CACHE: ~/sourceanalyzer -b test -clean

  2. TRANSLATE (no need to mention -filter, -rules, -project-template during code translation): ~/sourceanalyzer -b test -source 1.6 ~/repos/android-rule-tests/WebViewTest -cp ~/android-sdks/platforms/android-16/android.jar

  3. SCAN (specify rules/filter/template): ~/sourceanalyzer -b test -filter 'nolute_path_file.txt' -rules 'nolute_path_rulename.xml' -scan -f myResults.fpr

    If you put custom_rule.xml into the FORTIFY_HOME/Core/config/rules/ directory (alongside the HP rulepacks), you can omit the -rules argument during the scan.