{"id":13841679,"url":"https://github.com/momosecurity/momo-code-sec-inspector-java","last_synced_at":"2025-04-13T00:47:44.816Z","repository":{"id":53699871,"uuid":"302571472","full_name":"momosecurity/momo-code-sec-inspector-java","owner":"momosecurity","description":"IDEA静态代码安全审计及漏洞一键修复插件","archived":false,"fork":false,"pushed_at":"2022-03-10T09:01:03.000Z","size":12211,"stargazers_count":1022,"open_issues_count":1,"forks_count":150,"subscribers_count":24,"default_branch":"2018.3","last_synced_at":"2025-04-13T00:47:31.933Z","etag":null,"topics":["idea","java","sast"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/momosecurity.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-09T07:51:38.000Z","updated_at":"2025-04-02T03:32:17.000Z","dependencies_parsed_at":"2022-08-13T02:50:22.314Z","dependency_job_id":null,"html_url":"https://github.com/momosecurity/momo-code-sec-inspector-java","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momosecurity%2Fmomo-code-sec-inspector-java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momosecurity%2Fmomo-code-sec-inspector-java/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momosecurity%2Fmomo-code-sec-inspector-java/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momosecurity%2Fmomo-code-sec-inspector-java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/momosecurity","download_url":"https://codeload.github.com/momosecurity/momo-code-sec-inspector-java/tar.gz/refs/heads/2018.3","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248650435,"owners_count":21139672,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["idea","java","sast"],"created_at":"2024-08-04T17:01:18.208Z","updated_at":"2025-04-13T00:47:44.797Z","avatar_url":"https://github.com/momosecurity.png","language":"Java","readme":"## MOMO CODE SEC INSPECTOR\n\n![Downloads](https://img.shields.io/jetbrains/plugin/d/15120-momo-code-sec-inspector-java-)\n![Rating](https://img.shields.io/jetbrains/plugin/r/stars/15120-momo-code-sec-inspector-java-)\n[![JetBrains IntelliJ Platform SDK Docs](https://jb.gg/badges/docs.svg)](http://www.jetbrains.org/intellij/sdk/docs)\n\n本插件作为Java项目静态代码安全审计工具,侧重于在编码过程中发现项目潜在的安全风险,并提供一键修复能力。\n\n本插件利用IDEA原生Inspection机制检查项目,自动检查当前活跃窗口的活跃文件,检查速度快,占用资源少。\n\n插件提供的规则名称均以\"\u003cb\u003eMomo\u003c/b\u003e\"开头。\n\n### 目录\n\n1. [版本支持](#版本支持)\n2. [安装使用](#安装使用)\n3. [效果展示](#效果展示)\n4. [插件规则](#插件规则)\n5. [贡献代码](#贡献代码)\n6. [注意事项](#注意事项)\n7. [关于我们](#关于我们)\n\n\n\n### 版本支持\n\nIntellij IDEA ( Community / Ultimate ) \\\u003e= 2018.3\n\n**已停止对2017.\\*的支持**\n\n\n### 安装使用\n\n#### IDEA插件市场安装\n\nIDEA插件市场搜索\"**immomo**\"安装。\n\n\u003cimg src=\"static/install.jpg\" height=\"400\"\u003e\n\n#### 使用:方法一\n\n该插件会在您编码过程中自动扫描当前编辑的代码,并实时提醒安全风险。\n\n#### 使用:方法二\n\nIDEA 提供`Inspect Code`功能支持对整个项目/指定范围文件进行自定义规则的扫描。\n\n\u003cimg src=\"static/inspect-code.jpg\" height=\"400\"\u003e\n\n### 效果展示\n\n**演示一: XXE漏洞发现与一键修复**\n\n\u003cimg src=\"static/show1.gif\" height=\"400\"\u003e\n\n**演示二: Mybatis XML Mapper SQL注入漏洞发现与一键修复**\n\n\u003cimg src=\"static/show2.gif\" height=\"400\"\u003e\n\n\n\n### 插件规则\n\n|编号|规则名称|修复建议|一键修复|\n|-|-|-|-|\n|1001|多项式拼接型SQL注入漏洞|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n|1002|占位符拼接型SQL注入漏洞|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n|1003|Mybatis注解SQL注入漏洞|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1004|Mybatis XML SQL注入漏洞|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1005|RegexDos风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1006|Jackson反序列化风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1007|Fastjson反序列化风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1008|Netty响应拆分攻击|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1009|固定的随机数种子风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1010|XXE漏洞|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1011|XStream反序列化风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1014|脆弱的消息摘要算法|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n|1015|过时的加密标准|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n|1016|XMLDecoder反序列化风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n|1017|LDAP反序列化风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1018|宽泛的CORS Allowed Origin设置|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n|1019|SpringSecurity关闭Debug模式|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1020|硬编码凭证风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n|1021|\"@RequestMapping\" 方法应当为 \"public\"|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1022|Spring 会话固定攻击风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1023|不安全的伪随机数生成器|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1024|OpenSAML2 认证绕过风险|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e|\n|1025|IP地址硬编码|\u003cfont color=\"#6abe83\"\u003eT\u003c/font\u003e||\n\n\n### 贡献代码\n\n#### 项目结构\n\n```\nsrc\n├── main\n│ ├── java\n│ │ └── com\n│ │ └── immomo\n│ │ └── momosec\n│ │ ├── aspect\n│ │ ├── entity\n│ │ ├── fix\n│ │ ├── lang\n│ │ │ ├── java\n│ │ │ │ ├── rule\n│ │ │ │ │ └── momosecurity\n│ │ │ │ │ └── {InspectionName}.java\n│ │ │ │ └── utils\n│ │ │ └── xml\n│ │ │ └── rule\n│ │ │ └── momosecurity\n│ │ │ └── {InspectionName}.java\n│ │ └── utils\n│ └── resources\n│ ├── META-INF\n│ │ ├── description.html\n│ │ ├── pluginIcon.svg\n│ │ └── plugin.xml\n│ └── inspectionDescriptions\n│ └── {InspectionName}.html\n└── test\n ├── java\n │ └── com\n │ └── immomo\n │ └── momosec\n │ └── lang\n │ ├── java\n │ │ ├── fix\n │ │ └── rule\n │ │ └── momosecurity\n │ │ └── {InspectionName}Test.java\n │ └── xml\n │ └── rule\n │ └── momosecurity\n │ └── {InspectionName}Test.java\n ├── resources\n └── testData\n └── lang\n ├── java\n │ └── rule\n │ └── momosecurity\n │ └── {InspectionName}\n │ └──...\n └── xml\n └── rule\n └── momosecurity\n └── {InspectionName}\n └──...\n```\n\n#### 脚手架\n\n```shell script\n# 新增检查规则\n\u003e python script/addInspection.py\n\n# 删除检查规则\n\u003e python script/deleteInspection.py\n```\n\n#### 单元测试\n\n```shell script\n\u003e ./gradlew :test\n```\n\n#### 预发布打包\n\n1. ./gradlew --no-daemon clean build -PMOMO_CODE_SEC_INSPECTOR_ENV=pre\n2. build/distributions/*.zip 为待发布插件\n\n#### 发布打包\n\n1. ./gradlew --no-daemon clean build -PMOMO_CODE_SEC_INSPECTOR_ENV=prod\n2. build/distributions/*.zip 为待发布插件\n\n\n\n### 注意事项\n\n- 分支命名规则:\n\n以版本号命名的分支,原则上代表支持的idea版本下限。\n\n如branch为2018.3代表当前分支支持版本范围是\u003e=2018.3 (或说from 183.* to *)。\n\n插件具体支持idea版本范围见`gradle.properties`中`idea_since_build`与`idea_until_build`部分。\n\n- 插件版本号命名规则:\n\n原则上,插件版本号以支持的idea版本下限为大版本编号。\n\n如插件当前版本为`x.1`,`x`为开发时所用IDEA版本编号,`.1`为插件发布版本。\n\n需要注意的是,因IDEA更新机制问题,插件新版本号只能**向上增长**。\n\n具体见`gradle.properties`的`plugin_version`字段。\n\n- 版本号对应关系\n\n|分支名|插件版本|IDEA版本|\n|---|---|---|\n|2018.3|193|2018.3.* \u003c= x|\n|2017.3|173|2017.3.* \u003c= x \u003c= 2018.2.*|\n\n\n\n### 关于我们\n\n\n\u003e 陌陌安全致力于以务实的工作保障陌陌旗下所有产品及亿万用户的信息安全,以开放的心态拥抱信息安全机构、团队与个人之间的共赢协作,以自由的氛围和丰富的资源支撑优秀同学的个人发展与职业成长。\n\n\nWebsite:https://security.immomo.com\n\nWeChat:\n\n\u003cimg src=\"https://momo-mmsrc.oss-cn-hangzhou.aliyuncs.com/img-1c96a083-7392-3b72-8aec-bad201a6abab.jpeg\" width=\"200\" hegiht=\"200\" align=\"center\" /\u003e\u003cbr\u003e\n","funding_links":[],"categories":["MoMoSec-CodeInspector","Java (504)","Java"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmomosecurity%2Fmomo-code-sec-inspector-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmomosecurity%2Fmomo-code-sec-inspector-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmomosecurity%2Fmomo-code-sec-inspector-java/lists"}