SONARKT-600 Rule S6474: Using remote artifacts without authenticity and integrity checks is security-sensitive

antonioaversa · web-flow · commit 8446cff5ce1f · 2025-03-18T15:53:37.000+01:00
diff --git a/its/ruling/src/test/resources/expected/kotlin/kotlin-language-server/kotlin-S6474.json b/its/ruling/src/test/resources/expected/kotlin/kotlin-language-server/kotlin-S6474.json
@@ -0,0 +1,6 @@
+{
+"kotlin-kotlin-language-server-project": [
+0,
+0
+]
+}
diff --git a/sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/KotlinGradleCheckList.kt b/sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/KotlinGradleCheckList.kt
@@ -22,6 +22,7 @@ import org.sonarsource.kotlin.gradle.checks.RootProjectNamePresentCheck
 import org.sonarsource.kotlin.gradle.checks.DependencyGroupedCheck
 import org.sonarsource.kotlin.gradle.checks.DependencyVersionHardcodedCheck
 import org.sonarsource.kotlin.gradle.checks.MissingSettingsCheck
+import org.sonarsource.kotlin.gradle.checks.MissingVerificationMetadataCheck
 import org.sonarsource.kotlin.gradle.checks.TaskDefinitionsCheck
 import org.sonarsource.kotlin.gradle.checks.TaskRegisterVsCreateCheck
 
@@ -32,6 +33,7 @@ val KOTLIN_GRADLE_CHECKS: List<Class<out KotlinCheck>> = listOf(
     DependencyGroupedCheck::class.java,
     DependencyVersionHardcodedCheck::class.java,
     MissingSettingsCheck::class.java,
+    MissingVerificationMetadataCheck::class.java,
     TaskDefinitionsCheck::class.java,
     TaskRegisterVsCreateCheck::class.java,
 )
diff --git a/sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/KotlinGradleSensor.kt b/sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/KotlinGradleSensor.kt
@@ -33,6 +33,7 @@ import java.io.File
 
 const val GRADLE_PROJECT_ROOT_PROPERTY = "sonar.kotlin.gradleProjectRoot"
 const val MISSING_SETTINGS_RULE_KEY = "S6631"
+const val MISSING_VERIFICATION_METADATA_RULE_KEY = "S6474"
 
 private val LOG = LoggerFactory.getLogger(KotlinGradleSensor::class.java)
 
@@ -72,6 +73,7 @@ class KotlinGradleSensor(
 
         sensorContext.config()[GRADLE_PROJECT_ROOT_PROPERTY].ifPresent {
             checkForMissingGradleSettings(File(it), sensorContext)
+            checkForMissingVerificationMetadata(File(it), sensorContext)
         }
 
         return fileSystem.inputFiles(mainFilePredicate)
@@ -82,19 +84,37 @@ class KotlinGradleSensor(
         if (sensorContext.activeRules().find(missingSettingsRuleKey) == null) return
 
         if (!rootDirFile.resolve("settings.gradle").exists() && !rootDirFile.resolve("settings.gradle.kts").exists()) {
-            val project = sensorContext.project()
+            raiseProjectLevelIssue(
+                sensorContext,
+                missingSettingsRuleKey,
+                """Add a missing "settings.gradle" or "settings.gradle.kts" file.""",
+            )
+        }
+    }
+
+    private fun checkForMissingVerificationMetadata(rootDirFile: File, sensorContext: SensorContext) {
+        val missingVerificationMetadataRuleKey = RuleKey.of(KOTLIN_REPOSITORY_KEY, MISSING_VERIFICATION_METADATA_RULE_KEY)
+        if (sensorContext.activeRules().find(missingVerificationMetadataRuleKey) == null) return
 
-            with(sensorContext) {
-                newIssue()
-                    .forRule(missingSettingsRuleKey)
-                    .at(
-                        newIssue()
-                            .newLocation()
-                            .on(project)
-                            .message("""Add a missing "settings.gradle" or "settings.gradle.kts" file.""")
-                    )
-                    .save()
-            }
+        if (!rootDirFile.resolve("gradle/verification-metadata.xml").exists()) {
+            raiseProjectLevelIssue(
+                sensorContext,
+                missingVerificationMetadataRuleKey,
+                """Dependencies are not verified because the "verification-metadata.xml" file is missing. Make sure it is safe here.""",
+            )
         }
     }
+
+    private fun raiseProjectLevelIssue(sensorContext: SensorContext, ruleKey: RuleKey, message: String) =
+        with(sensorContext) {
+            newIssue()
+                .forRule(ruleKey)
+                .at(
+                    newIssue()
+                        .newLocation()
+                        .on(project())
+                        .message(message)
+                )
+                .save()
+        }
 }
diff --git a/sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/checks/MissingVerificationMetadataCheck.kt b/sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/checks/MissingVerificationMetadataCheck.kt
@@ -0,0 +1,36 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.gradle.checks
+
+import org.jetbrains.kotlin.psi.KtCallExpression
+import org.sonar.check.Rule
+import org.sonarsource.kotlin.api.checks.AbstractCheck
+import org.sonarsource.kotlin.api.frontend.KotlinFileContext
+
+private const val disableVerificationMetadata = "disableDependencyVerification"
+private const val message = """This call disables dependencies verification. Make sure it is safe here."""
+
+// The part of the rule looking for missing verification-metadata.xml is implemented in the KotlinGradleSensor
+@Rule(key = "S6474")
+class MissingVerificationMetadataCheck : AbstractCheck() {
+    override fun visitCallExpression(expression: KtCallExpression, kotlinFileContext: KotlinFileContext) {
+        if (getFunctionName(expression) == disableVerificationMetadata) {
+            kotlinFileContext.reportIssue(expression, message)
+        }
+    }
+}
+
diff --git a/sonar-kotlin-gradle/src/test/java/org/sonarsource/kotlin/gradle/KotlinGradleSensorTest.kt b/sonar-kotlin-gradle/src/test/java/org/sonarsource/kotlin/gradle/KotlinGradleSensorTest.kt
@@ -30,6 +30,7 @@ import org.sonar.check.Rule
 import org.sonarsource.kotlin.api.checks.AbstractCheck
 import org.sonarsource.kotlin.api.frontend.KotlinFileContext
 import org.sonarsource.kotlin.gradle.checks.MissingSettingsCheck
+import org.sonarsource.kotlin.gradle.checks.MissingVerificationMetadataCheck
 import org.sonarsource.kotlin.testapi.AbstractSensorTest
 import kotlin.io.path.createFile
 
@@ -80,7 +81,7 @@ internal class KotlinGraldeSensorTest : AbstractSensorTest() {
 
         addBuildFile()
 
-        val checkFactory = checkFactory("S6631")
+        val checkFactory = checkFactory(MISSING_SETTINGS_RULE_KEY)
         sensor(checkFactory).execute(context)
         val issues = context.allIssues()
 
@@ -103,7 +104,7 @@ internal class KotlinGraldeSensorTest : AbstractSensorTest() {
         addSettingsFile()
         addBuildFile()
 
-        val checkFactory = checkFactory("S6631")
+        val checkFactory = checkFactory(MISSING_SETTINGS_RULE_KEY)
         sensor(checkFactory).execute(context)
         val issues = context.allIssues()
 
@@ -122,7 +123,7 @@ internal class KotlinGraldeSensorTest : AbstractSensorTest() {
         addSettingsKtsFile()
         addBuildFile()
 
-        val checkFactory = checkFactory("S6631")
+        val checkFactory = checkFactory(MISSING_SETTINGS_RULE_KEY)
         sensor(checkFactory).execute(context)
         val issues = context.allIssues()
 
@@ -147,6 +148,75 @@ internal class KotlinGraldeSensorTest : AbstractSensorTest() {
         assertThat(issues).isEmpty()
     }
 
+    @Test
+    fun test_missing_verification_metadata_rule_is_triggered_when_verification_metadata_is_not_present() {
+        mockkStatic("org.sonarsource.kotlin.gradle.KotlinGradleCheckListKt")
+        every { KOTLIN_GRADLE_CHECKS } returns listOf(MissingVerificationMetadataCheck::class.java)
+
+        val settings = MapSettings()
+        settings.setProperty(GRADLE_PROJECT_ROOT_PROPERTY, baseDir.toRealPath().toString())
+        context.setSettings(settings)
+
+        val checkFactory = checkFactory(MISSING_VERIFICATION_METADATA_RULE_KEY)
+        sensor(checkFactory).execute(context)
+        val issues = context.allIssues()
+
+        assertThat(issues).hasSize(1)
+        val issue = issues.iterator().next()
+        assertThat(issue.primaryLocation().inputComponent().key()).isEqualTo("projectKey")
+        val expectedMessage = """Dependencies are not verified because the "verification-metadata.xml" file is missing. Make sure it is safe here."""
+        assertThat(issue.primaryLocation().message()).isEqualTo(expectedMessage)
+    }
+
+    @Test
+    fun test_missing_verification_metadata_rule_is_not_triggered_when_verification_metadata_is_present() {
+        mockkStatic("org.sonarsource.kotlin.gradle.KotlinGradleCheckListKt")
+        every { KOTLIN_GRADLE_CHECKS } returns listOf(MissingVerificationMetadataCheck::class.java)
+
+        val settings = MapSettings()
+        settings.setProperty(GRADLE_PROJECT_ROOT_PROPERTY, baseDir.toRealPath().toString())
+        context.setSettings(settings)
+
+        addVerificationMetadataFile()
+
+        val checkFactory = checkFactory(MISSING_VERIFICATION_METADATA_RULE_KEY)
+        sensor(checkFactory).execute(context)
+
+        assertThat(context.allIssues()).isEmpty()
+    }
+
+    @Test
+    fun test_missing_verification_metadata_rule_is_not_triggered_when_rule_is_not_active() {
+        mockkStatic("org.sonarsource.kotlin.gradle.KotlinGradleCheckListKt")
+        every { KOTLIN_GRADLE_CHECKS } returns listOf(MissingVerificationMetadataCheck::class.java)
+
+        val settings = MapSettings()
+        settings.setProperty(GRADLE_PROJECT_ROOT_PROPERTY, baseDir.toRealPath().toString())
+        context.setSettings(settings)
+
+        addSettingsKtsFile()
+        addBuildFile()
+
+        val checkFactory = checkFactory() // No rule key
+        sensor(checkFactory).execute(context)
+
+        assertThat(context.allIssues()).isEmpty()
+    }
+
+    @Test
+    fun test_missing_verification_metadata_rule_is_not_triggereD_when_gradle_project_root_property_is_not_set() {
+        mockkStatic("org.sonarsource.kotlin.gradle.KotlinGradleCheckListKt")
+        every { KOTLIN_GRADLE_CHECKS } returns listOf(MissingVerificationMetadataCheck::class.java)
+
+        val settings = MapSettings()
+        context.setSettings(settings)
+
+        val checkFactory = checkFactory(MISSING_VERIFICATION_METADATA_RULE_KEY)
+        sensor(checkFactory).execute(context)
+
+        assertThat(context.allIssues()).isEmpty()
+    }
+
     private fun addBuildFile() {
         val buildFile = createInputFile(
             "build.gradle.kts", """
@@ -195,6 +265,29 @@ internal class KotlinGraldeSensorTest : AbstractSensorTest() {
         context.fileSystem().add(settingsFile)
     }
 
+    private fun addVerificationMetadataFile() {
+        val verificationMetadataFile = createInputFile(
+            "verification-metadata.xml", """
+                <?xml version="1.0" encoding="UTF-8"?>
+                <verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
+                   <configuration>
+                      <verify-metadata>false</verify-metadata>
+                      <verify-signatures>false</verify-signatures>
+                   </configuration>
+                   <components>
+                      <component group="ch.qos.logback" name="logback-classic" version="1.2.9">
+                         <artifact name="logback-classic-1.2.9.jar">
+                            <sha256 value="ad745cc243805800d1ebbf5b7deba03b37c95885e6bce71335a73f7d6d0f14ee" origin="Verified"/>
+                         </artifact>
+                      </component>
+                   </components>
+                </verification-metadata>
+                """.trimIndent())
+        baseDir.resolve("gradle").toFile().mkdir()
+        baseDir.resolve("gradle/verification-metadata.xml").createFile()
+        context.fileSystem().add(verificationMetadataFile)
+    }
+
     private fun sensor(checkFactory: CheckFactory): KotlinGradleSensor {
         return KotlinGradleSensor(checkFactory, language())
     }
diff --git a/sonar-kotlin-gradle/src/test/java/org/sonarsource/kotlin/gradle/checks/MissingVerificationMetadataCheckTest.kt b/sonar-kotlin-gradle/src/test/java/org/sonarsource/kotlin/gradle/checks/MissingVerificationMetadataCheckTest.kt
@@ -0,0 +1,19 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.gradle.checks
+
+internal class MissingVerificationMetadataCheckTest : CheckTest(MissingVerificationMetadataCheck())
diff --git a/sonar-kotlin-gradle/src/test/samples/non-compiling/MissingVerificationMetadataCheckSample.kts b/sonar-kotlin-gradle/src/test/samples/non-compiling/MissingVerificationMetadataCheckSample.kts
@@ -0,0 +1,41 @@
+plugins {
+    id("com.android.application")
+}
+
+configurations {
+    named("jetbrainsRuntimeLocalInstance") {
+        resolutionStrategy.disableDependencyVerification() // Noncompliant {{This call disables dependencies verification. Make sure it is safe here.}}
+        //                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    }
+    named("jetbrainsRuntimeDependency") {
+        resolutionStrategy {
+            disableDependencyVerification() // Noncompliant
+        //  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        }
+    }
+    named("jetbrainsRuntime") {
+        resolutionStrategy {
+            this.disableDependencyVerification() // Noncompliant
+        }
+    }
+}
+
+detachedConfig.resolutionStrategy.disableDependencyVerification() // Noncompliant
+
+if (name.contains("detached")) {
+    disableDependencyVerification() // Noncompliant
+}
+
+someGroup {
+    tasks.register("checkDetachedDependencies") {
+        val detachedConf: FileCollection = configurations.detachedConfiguration(dependencies.create("org.apache.commons:commons-lang3:3.3.1")).apply {
+            resolutionStrategy.disableDependencyVerification() // Noncompliant
+        }
+        doLast {
+            println(detachedConf.files)
+        }
+    }
+
+    disableDependencyVerification { // Noncompliant
+    }
+}
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6474.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6474.html
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6474.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6474.json
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/Sonar_way_profile.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/Sonar_way_profile.json

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +{
 +"kotlin-kotlin-language-server-project": [
 +0,
 +0
 +]
 +}