Support for C/C++ Language and OpenSSL library #377

Open
chmodshubham wants to merge 3 commits into cbomkit:main from chmodshubham:cpp-support
Conversation

@chmodshubham

For detailed reference, follow Issue: #374.

Signed-off-by: Shubham Kumar chmodshubham@gmail.com

chmodshubham and others added 2 commits February 18, 2026 12:51
Adds a new `cpp` Maven module enabling SonarQube analysis of C/C++ source
code via the sonar-cxx community plugin (v2.2.2).

- engine: add CxxDetectionEngine, CxxLanguageSupport, CxxSemantic,
  CxxLanguageTranslation, and CxxScanContext for AST-based detection
- cpp module: add CxxCheckRegistrar, CxxScannerRuleDefinition,
  CxxAggregator, CxxRuleList, and CxxInventoryRule for SonarQube
  integration
- translation: add context translators for cipher, digest, key, MAC,
  KDF, signature, key agreement, PRNG, and protocol
- detection base: add CxxBaseDetectionRule and CxxDetectionRules
  aggregator
- test infra: add CxxVerifier and TestBase
- build: register cpp module in root pom.xml, add sonar-cxx dependency,
  extend plugin with C/C++ file extensions (cxx, cpp, c, h, hpp)
- ci: update workflow action versions and add C/C++ to README

Signed-off-by: Shubham Kumar <chmodshubham@gmail.com>
Adds full OpenSSL detection rules for the C/C++ module and new mapper
models for post-quantum and hybrid key exchange algorithms introduced
in OpenSSL 3.x.

OpenSSL detection rules (cpp module):
- EVP API: ciphers (EvpCipher, EvpCipherFetch), message digests, MACs,
  KDFs, key agreement, key generation, and signatures
- Legacy API: RSA, DSA, EC, DH, cipher, digest, and MAC functions
- SSL/TLS: version detection via OpenSSLLibssl and OpenSSLVersionValue
- PRNG: RAND_bytes and related functions

New mapper algorithm models:
- SLH-DSA (FIPS 205): stateless hash-based digital signature algorithm
- X25519MLKEM768, X448MLKEM1024: X25519/X448 + ML-KEM hybrid key exchange
- SecP256r1MLKEM768, SecP384r1MLKEM1024: ECDH + ML-KEM hybrid key exchange

Mapper fixes:
- SSLVersionMapper: anchor TLS version regex with ^ to prevent DTLS
  strings from matching as TLS versions
- BcMessageSignerMapper: replace legacy Dilithium/SPHINCSPlus references
  with standardized MLDSA/SLHDSA names

Signed-off-by: Shubham Kumar <chmodshubham@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Shubham Kumar <chmodshubham@gmail.com>
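The SSLVersionMapper fix in the commit message above (anchoring the TLS version regex with `^` so DTLS strings stop matching as TLS versions) is easy to reproduce. The snippet below is an added illustration, not code from cbomkit; the two patterns are hypothetical stand-ins for the mapper's real regex, which this page does not show, and the version strings are constructed sample input.

```python
import re
from typing import Dict, List, Optional

# Hypothetical patterns standing in for the mapper's TLS regex (the real pattern in
# SSLVersionMapper is not shown on this page). The unanchored form, used with
# re.search (the equivalent of Java's Matcher.find), accepts "TLSv1.2" anywhere in
# the string, so "DTLSv1.2" is reported as a TLS version. The anchored form pins
# the match to the start of the string, which is what the fix does.
TLS_UNANCHORED = re.compile(r"TLSv(\d)(?:\.(\d))?")
TLS_ANCHORED = re.compile(r"^TLSv(\d)(?:\.(\d))?")

# Constructed sample inputs: version strings a scanner might lift from OpenSSL-using C code.
SAMPLES = ["TLSv1.2", "TLSv1.3", "DTLSv1.2", "DTLSv1", "SSLv3"]


def classify(value: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Return a normalised 'TLSv<major>.<minor>' label if `pattern` accepts `value`, else None."""
    m = pattern.search(value)
    if m is None:
        return None
    major, minor = m.group(1), m.group(2) or "0"
    return f"TLSv{major}.{minor}"


def classify_all(pattern: "re.Pattern[str]") -> Dict[str, Optional[str]]:
    """Classify every sample string with the given pattern."""
    return {s: classify(s, pattern) for s in SAMPLES}


def misclassified_dtls(pattern: "re.Pattern[str]") -> List[str]:
    """DTLS strings that the pattern wrongly reports as TLS versions."""
    return [s for s in SAMPLES if s.startswith("DTLS") and classify(s, pattern) is not None]


if __name__ == "__main__":
    print("before fix:", misclassified_dtls(TLS_UNANCHORED))  # ['DTLSv1.2', 'DTLSv1']
    print("after fix: ", misclassified_dtls(TLS_ANCHORED))    # []
```

The same false positive would surface in an inventory as a spurious TLS 1.2 entry for code that only configures DTLS, which is why the anchor matters for CBOM accuracy.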
@chmodshubham chmodshubham requested a review from a team as a code owner March 16, 2026 12:42
@chmodshubham
Author

Hi @n1ckl0sk0rtge, I have a question regarding adding the sonar-cxx plugin in the parent pom.xml file. Unlike other sonar language plugins, sonar-cxx is not hosted on the central Maven repository, and currently I am referencing the plugin from my local Maven cache. So, can you suggest what the right way to reference it here should be? Should I/cbomkit host the artifacts on GitHub Packages and then reference them in pom.xml, or add instructions in the README to download the sonar-cxx plugin locally?

@chmodshubham chmodshubham marked this pull request as draft March 16, 2026 12:56
@n1ckl0sk0rtge
Contributor

Hi @chmodshubham, thanks for the question! I looked a bit around and think JitPack could be a good solution. JitPack builds and serves Maven artifacts directly from GitHub repositories on demand.

Something like that should work:

Add the JitPack repository to the parent pom.xml:

  <repository>
      <id>jitpack.io</id>
      <url>https://jitpack.io</url>
  </repository>

Reference the sonar-cxx dependency using the GitHub coordinates:

  <dependency>
      <groupId>com.github.SonarOpenCommunity</groupId>
      <artifactId>sonar-cxx</artifactId>
      <version>{commit-hash-or-tag}</version>
  </dependency>

The first time someone builds, JitPack fetches the source from GitHub, builds it, and caches the artifact. After that it's served like any normal Maven dependency.

This avoids both the manual local install step for every contributor and the maintenance burden of hosting/re-publishing artifacts ourselves. What do you think?

@chmodshubham
Author

Hi @n1ckl0sk0rtge,

Ohh, nice, this tool is good. It will definitely solve this hosting problem.

Btw, I have also raised the same issue in sonar-cxx, SonarOpenCommunity/sonar-cxx#3037, in the hope that they may host it like other sonar language plugins. Will see how it resolves; if it goes well, I will not have to put effort into this, otherwise I will do it.

Though this doesn't look like much work. Good finding. Thanks.

Signed-off-by: Shubham Kumar <chmodshubham@gmail.com>
@chmodshubham
Author

Hi @n1ckl0sk0rtge, I have added the JitPack-based artifact build support, and it's working too. I guess it will take a while for sonar-cxx to come to a resolution on whether to have gh-pkg hosting or not, so it's better to keep it this way. We can modify it once it is hosted; until then, we can use this approach.

@chmodshubham chmodshubham marked this pull request as ready for review April 2, 2026 06:04