Merge pull request #17 from hangga/custom-scanner

Custom scanner

Author: hangga

README.md

@@ -25,6 +25,7 @@ alt="Delvelin Scan Demo" width="260">
         + [Usage on Android](#usage-on-android)
         + [Alternative Examples](#alternative-examples)
         + [Configuration Options](#configuration-options)
+        + [Usage with Custom Detector](#usage-with-custom-detector)
 - 4.[License](#4-license)
 - 5.[Contributing](#5-contributing)
 ---
@@ -80,14 +81,14 @@ Add the plugin to your Gradle project.
 ### KTS
 ```kotlin
 plugins {
-    id("io.github.hangga.delvelin") version "0.1.2-beta"
+    id("io.github.hangga.delvelin") version "0.2.0-beta"
 }
 ```
 
 ### Groovy
 ```groovy
 plugins {
-    id 'io.github.hangga.delvelin' version '0.1.2-beta'
+    id 'io.github.hangga.delvelin' version '0.2.0-beta'
 }
 ```
 
@@ -153,7 +154,7 @@ repositories {
 }
 
 dependencies {
-    testImplementation('io.github.hangga:delvelin-plugin:0.1.2-beta')
+    testImplementation('io.github.hangga:delvelin-plugin:0.2.0-beta')
 }
 ```
 
@@ -169,7 +170,7 @@ dependencies {
 <dependency>
     <groupId>io.github.hangga</groupId>
     <artifactId>delvelin-plugin</artifactId>
-    <version>0.1.2-beta</version>
+    <version>0.2.0-beta</version>
     <scope>test</scope>
 </dependency>
 ```
@@ -236,21 +237,83 @@ fun `vulnerability test with save dialog`() {
 
 ### Configuration Options
 
-| Configuration Option                     | Description                                                                                  | Default Value |
-|------------------------------------------|----------------------------------------------------------------------------------------------|---------------|
-| `setOutputFormat(OutputFileFormat format)` | Set the output format of the analysis (e.g., `HTML`, `JSON`, or `LOG`).                  | `LOG`     |
-| `setAllowedExtensions(String... values)` | Specify file extensions to include in the analysis. By default, allows `.java`, `.kt`, `.gradle`, `.kts`, and `.xml`. | `[".java", ".kt", ".gradle", ".kts", ".xml"]` |
-| `setAutoLaunchBrowser(boolean value)`    | Automatically open the generated HTML report in the browser. Set to `false` to disable.      | `false`       |
-| `setShowSaveDialog(boolean value)`       | Display a save dialog for HTML and JSON reports. Set to `false` to disable.                  | `false`       |
-| `setLogListener(LogListener listener)`   | Set a custom listener for capturing logs during analysis (useful for Android integration).   | `null`        |
-
+| Configuration Option                         | Description                                                                                  | Default Value |
+|----------------------------------------------|----------------------------------------------------------------------------------------------|---------------|
+| `setOutputFormat(OutputFileFormat format)`   | Set the output format of the analysis (e.g., `HTML`, `JSON`, or `LOG`).                      | `LOG`         |
+| `setAllowedExtensions(String... values)`     | Specify file extensions to include in the analysis. By default, allows `.java`, `.kt`, `.gradle`, `.kts`, and `.xml`. | `[".java", ".kt", ".gradle", ".kts", ".xml"]` |
+| `setAutoLaunchBrowser(boolean value)`        | Automatically open the generated HTML report in the browser. Set to `false` to disable.      | `false`       |
+| `setShowSaveDialog(boolean value)`           | Display a save dialog for HTML and JSON reports. Set to `false` to disable.                  | `false`       |
+| `setLogListener(LogListener listener)`       | Set a custom listener for capturing logs during analysis (useful for Android integration).   | `null`        |
+| `addCustomDetector(BaseDetector detector)`   | Add your own custom detector to identify specific patterns or vulnerabilities in the code.   | `null`        |
 
 > **Important Notes**
 > If you choose the JSON or HTML output format, you **must** use either `setAutoLaunchBrowser` or
 > `setShowSaveDialog`. These methods ensure that the output is handled properly.
 
 ### <a href="https://github.com/delvelin/example-kotlin">See Example Project >></a>
 
+Sure! Here is the additional README documentation for using `Delvelin` with a custom detector `ExampleCustomDetector`:
+
+### Usage with Custom Detector
+
+Below is an example of how to use Delvelin with a custom detector `ExampleCustomDetector`.
+
+#### Step-by-step
+
+1. Create a custom detector class like `ExampleCustomDetector`.
+2. Add detection implementation in the `detect(line: String, lineNumber: Int)` and `detect(content: String)` methods.
+3. Create a test function that sets the output format, adds the custom detector, and runs the scan.
+
+#### Example Custom Detector
+
+The following custom detector detects a specific pattern in the code. It checks each line of code and the entire content to find the pattern called `examplePattern`.
+
+```kotlin
+class ExampleCustomDetector : BaseDetector() {
+
+    init {
+        this.vulnerabilities = Vulnerabilities.UNSAFE_REFLECTION
+    }
+
+    override fun detect(line: String, lineNumber: Int) {
+        // Implementation of line-based detection
+        if (line.contains("examplePattern")) {
+            val specificLocation = specificLocation(lineNumber)
+            setValidVulnerability(
+                specificLocation,
+                "Example finding",
+                "Detected example pattern in the code"
+            )
+        }
+    }
+
+    override fun detect(content: String) {
+        // Implementation of full content-based detection
+        if (content.contains("examplePattern")) {
+            val specificLocation = specificLocation(-1) // -1 to denote whole content
+            setValidVulnerability(
+                specificLocation,
+                "Example finding",
+                "Detected example pattern in the full content"
+            )
+        }
+    }
+}
+```
+
+#### Using Custom Detector in Tests
+
+Here is an example test that uses `ExampleCustomDetector` with Delvelin. This test sets the output format to HTML and adds the custom detector before running the scan.
+
+```kotlin
+@Test
+fun `test using your own custom detector`() {
+    Delvelin().setOutputFormat(OutputFileFormat.HTML)
+        .addCustomDetector(ExampleCustomDetector())
+        .scan()
+}
+```
+
 # 4. License
 This project is licensed under [MIT License](LICENSE).
 

src/main/java/io/github/hangga/delvelin/Delvelin.java

@@ -8,6 +8,7 @@
 import java.util.Objects;
 import java.util.stream.Stream;
 
+import io.github.hangga.delvelin.cwedetectors.BaseDetector;
 import io.github.hangga.delvelin.cwedetectors.GeneralScanner;
 import io.github.hangga.delvelin.properties.Config;
 import io.github.hangga.delvelin.properties.OutputFileFormat;
@@ -32,6 +33,11 @@ public Delvelin setOutputFormat(OutputFileFormat format) {
         return this;
     }
 
+    public Delvelin addCustomDetector(BaseDetector detector){
+        generalScanner.addDetector(detector);
+        return this;
+    }
+
     public Delvelin() {
     }
 

src/main/java/io/github/hangga/delvelin/cwedetectors/BaseDetector.java

@@ -49,5 +49,4 @@ public void setValidVulnerability(String specificLocation, String finding, Strin
         Reports.addToReport(vulnerabilities.getCweCode(), finding, vulnerabilities.getDescription(), specificLocation,
             message, vulnerabilities.getPriority(), className, extName);
     }
-
 }

src/main/java/io/github/hangga/delvelin/cwedetectors/GeneralScanner.java

@@ -62,6 +62,10 @@ public void scan(Path path) {
         }
     }
 
+    public void addDetector(BaseDetector detector) {
+        detectors.add(detector);
+    }
+
     private void detectByLine(String line, int lineNumber) {
         detectors.forEach(detector -> detector.detect(line, lineNumber));
     }

src/main/java/io/github/hangga/delvelin/properties/Config.java

@@ -9,5 +9,5 @@ public class Config {
 
     public static OutputFileFormat outputFileFormat = OutputFileFormat.LOG;
 
-    public static String VERSION = "0.1.2-beta";
+    public static String VERSION = "0.2.0-beta";
 }

src/main/java/io/github/hangga/delvelin/properties/Vulnerabilities.java

@@ -1,13 +1,13 @@
 package io.github.hangga.delvelin.properties;
 
 public enum Vulnerabilities {
-    SQL_INJECTION("SQL Injection", "CWE-89", "Critical".toUpperCase().toUpperCase()),
+    SQL_INJECTION("SQL Injection", "CWE-89", "Critical".toUpperCase()),
     COMMAND_INJECTION("Command Injection", "CWE-77", "Critical".toUpperCase()),
     XSS("Cross-Site Scripting (XSS)", "CWE-79", "MODERATE"),
     INSECURE_DESERIALIZATION("Insecure Deserialization", "CWE-502", "High".toUpperCase()),
     UNSAFE_STRINGBUILDER("Unsafe StringBuilder Usage in Multithread", "CWE-362", "MODERATE"),
     HARDCODED_SECRETS("Hardcoded Secrets and Credentials", "CWE-798", "High".toUpperCase()),
-    HTTP_NO_SSL("HTTP Connection without SSL/TLS", "CWE-319", "High".toUpperCase()),
+    HTTP_NO_SSL("HTTP Connection without SSL/TTLS", "CWE-319", "High".toUpperCase()),
     WEAK_CRYPTO("Weak Cryptographic Algorithms", "CWE-327", "MODERATE"),
     UNSAFE_OBJECT_CLONE("Unsafe Object.clone() Usage", "CWE-374", "MODERATE"),
     WEAK_SESSION_MANAGEMENT("Weak Session Management", "CWE-384", "MODERATE"),
@@ -18,7 +18,18 @@ public enum Vulnerabilities {
     UNSAFE_REFLECTION("Unsafe Use of Reflection", "CWE-470", "MODERATE"),
     NON_ATOMIC("Assignment to Variable without Proper Synchronization", "CWE-563", "MODERATE"),
     CONSIDER_COROUTINES("Non-Adherence to Coding Standards (Consider using coroutines instead of threads in Kotlin)", "CWE-710", "Low".toUpperCase()),
-    NON_THREAD_SAFE_DATA_STRUCTURE("Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)", "CWE-362", "MODERATE");
+    NON_THREAD_SAFE_DATA_STRUCTURE("Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)", "CWE-362", "MODERATE"),
+    BUFFER_OVERFLOW("Buffer Overflow", "CWE-120", "Critical".toUpperCase()),
+    INTEGER_OVERFLOW("Integer Overflow", "CWE-190", "High".toUpperCase()),
+    UNRESTRICTED_UPLOAD("Unrestricted File Upload", "CWE-434", "High".toUpperCase()),
+    UNVALIDATED_REDIRECT("Unvalidated Redirects and Forwards", "CWE-601", "Moderate".toUpperCase()),
+    INSUFFICIENT_LOGGING("Insufficient Logging and Monitoring", "CWE-778", "Low".toUpperCase()),
+    OPEN_REDIRECT("Open Redirect", "CWE-601", "High".toUpperCase()),
+    INSECURE_COOKIE("Insecure Cookie Storage", "CWE-614", "High".toUpperCase()),
+    MISSING_FUNCTION_LEVEL_ACCESS_CONTROL("Missing Function Level Access Control", "CWE-862", "Moderate".toUpperCase()),
+    INSUFFICIENT_TRANSPORT_LAYER_PROTECTION("Insufficient Transport Layer Protection", "CWE-311", "High".toUpperCase()),
+    SECURE_RANDOM("Use of a Broken or Risky Cryptographic Algorithm", "CWE-327", "High".toUpperCase()),
+    UNSAFE_API_USAGE("Unsafe API Usage", "CWE-1234", "High".toUpperCase()); // Custom CWE example
 
     private final String description;
     private final String cweCode;

src/test/kotlin/DelvelinUnitTest.kt

@@ -1,5 +1,7 @@
 import io.github.hangga.delvelin.Delvelin
+import io.github.hangga.delvelin.cwedetectors.BaseDetector
 import io.github.hangga.delvelin.properties.OutputFileFormat
+import io.github.hangga.delvelin.properties.Vulnerabilities
 import org.junit.jupiter.api.Test
 import java.io.BufferedReader
 import java.io.InputStreamReader
@@ -12,6 +14,44 @@ import javax.net.ssl.TrustManagerFactory
 
 class DelvelinUnitTest {
 
+    class ExampleCustomDetector : BaseDetector() {
+
+        init {
+            this.vulnerabilities = Vulnerabilities.UNSAFE_REFLECTION
+        }
+
+        override fun detect(line: String, lineNumber: Int) {
+            // Implementation of line based detection
+            if (line.contains("examplePattern")) {
+                val specificLocation = specificLocation(lineNumber)
+                setValidVulnerability(
+                    specificLocation,
+                    "Example finding",
+                    "Detected example pattern in the code"
+                )
+            }
+        }
+
+        override fun detect(content: String) {
+            // Implementation of full content based detection
+            if (content.contains("examplePattern")) {
+                val specificLocation = specificLocation(-1) // -1 to denote whole content
+                setValidVulnerability(
+                    specificLocation,
+                    "Example finding",
+                    "Detected example pattern in the full content"
+                )
+            }
+        }
+    }
+
+    @Test
+    fun `test using your own custom detector`() {
+        Delvelin().setOutputFormat(OutputFileFormat.HTML)
+            .addCustomDetector(ExampleCustomDetector())
+            .scan()
+    }
+
     @Test
     fun `vulnerability test`() {
         Delvelin().setOutputFormat(OutputFileFormat.HTML)