Merge pull request #15 from hangga/devel-deeper-scanning

Devel deeper scanning

Author: hangga

README.md

@@ -80,14 +80,14 @@ Add the plugin to your Gradle project.
 ### KTS
 ```kotlin
 plugins {
-    id("io.github.hangga.delvelin") version "0.1.1-beta"
+    id("io.github.hangga.delvelin") version "0.1.2-beta"
 }
 ```
 
 ### Groovy
 ```groovy
 plugins {
-    id 'io.github.hangga.delvelin' version '0.1.1-beta'
+    id 'io.github.hangga.delvelin' version '0.1.2-beta'
 }
 ```
 
@@ -153,7 +153,7 @@ repositories {
 }
 
 dependencies {
-    testImplementation('io.github.hangga:delvelin-plugin:0.1.1-beta')
+    testImplementation('io.github.hangga:delvelin-plugin:0.1.2-beta')
 }
 ```
 
@@ -169,7 +169,7 @@ dependencies {
 <dependency>
     <groupId>io.github.hangga</groupId>
     <artifactId>delvelin-plugin</artifactId>
-    <version>0.1.1-beta</version>
+    <version>0.1.2-beta</version>
     <scope>test</scope>
 </dependency>
 ```

src/main/java/io/github/hangga/delvelin/cwedetectors/GeneralScanner.java

@@ -20,6 +20,7 @@ public class GeneralScanner {
         new SQLInjectionDetector(),
         new CmdInjectionDetector(),
         new WeakCryptographicDetector(),
+        new InsecureHttpDetector(),
         new OsvDetector()
         // add new detector here
     );

src/main/java/io/github/hangga/delvelin/cwedetectors/HardCodedSecretDetector.java

@@ -9,7 +9,7 @@
 
 public class HardCodedSecretDetector extends BaseDetector {
 
-    String msg = "Warning: Potential hardcoded secrets or credentials found in the source code. Hardcoding sensitive information such as passwords, tokens, " +
+    String msg = "Warning: Hardcoded secrets or credentials found in the source code. Hardcoding sensitive information such as passwords, tokens, " +
         "and API keys can expose secrets and increase the risk of data leaks.";
 
     private static final Pattern KEYWORD_PATTERN = Pattern.compile(

src/main/java/io/github/hangga/delvelin/cwedetectors/InsecureHttpDetector.java

@@ -19,11 +19,11 @@ public void detect(String line, int lineNumber) {
         if (!this.extName.equals(".kt") && !this.extName.equals(".java")) {
             return;
         }
-        if (line.contains("HttpURLConnection")) {
-            if (line.contains("http://") || containsHttpUrl(line) || HTTP_URL_PATTERN.matcher(line)
-                .find()) {
-                setValidVulnerability(specificLocation(lineNumber), line, "Insecure HTTP detected");
-            }
+
+        if (line.contains("HttpURLConnection") ||
+            HTTP_URL_PATTERN.matcher(line).find() ||
+            containsHttpUrl(line)) {
+            setValidVulnerability(specificLocation(lineNumber), line, "Weak SSL Context configuration. Ensure SSLContext is configured securely.");
         }
     }
 

src/main/java/io/github/hangga/delvelin/properties/Config.java

@@ -9,5 +9,5 @@ public class Config {
 
     public static OutputFileFormat outputFileFormat = OutputFileFormat.LOG;
 
-    public static String VERSION = "0.1.1-beta";
+    public static String VERSION = "0.1.2-beta";
 }

src/main/java/io/github/hangga/delvelin/properties/Vulnerabilities.java

@@ -37,7 +37,7 @@ public String getCweCode() {
     }
 
     Vulnerabilities(String description, String cweCode, String priority) {
-        this.description = "Potential " + description;
+        this.description = description;
         this.cweCode = cweCode;
         this.priority = priority;
     }

src/test/kotlin/DelvelinUnitTest.kt

@@ -1,14 +1,108 @@
 import io.github.hangga.delvelin.Delvelin
 import io.github.hangga.delvelin.properties.OutputFileFormat
 import org.junit.jupiter.api.Test
+import java.io.BufferedReader
+import java.io.InputStreamReader
+import java.net.HttpURLConnection
+import java.net.URL
+import java.security.KeyStore
+import javax.net.ssl.HttpsURLConnection
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManagerFactory
 
 class DelvelinUnitTest {
+
     @Test
     fun `vulnerability test`() {
-        Delvelin()
-            .setOutputFormat(OutputFileFormat.HTML)
-            .setAllowedExtensions(".gradle",".kts",".java",".kt")
-            .setAutoLaunchBrowser(true)
+        Delvelin().setOutputFormat(OutputFileFormat.HTML)
+            .setAllowedExtensions(".gradle", ".kts", ".java", ".kt").setAutoLaunchBrowser(true)
             .scan()
     }
+
+    @Test
+    fun `example of insecure Http connection`() {
+        val urlString = "http://example.com" // Menggunakan HTTP tanpa enkripsi
+        val url = URL(urlString)
+        val connection = url.openConnection() as HttpURLConnection
+
+        try {
+            connection.requestMethod = "GET"
+            connection.connectTimeout = 5000
+            connection.readTimeout = 5000
+            connection.doInput = true
+
+            val responseCode = connection.responseCode
+            println("Response Code: $responseCode")
+
+            if (responseCode == HttpURLConnection.HTTP_OK) {
+                val reader = BufferedReader(InputStreamReader(connection.inputStream))
+                val response = StringBuilder()
+                var line: String?
+
+                while (reader.readLine().also { line = it } != null) {
+                    response.append(line)
+                }
+
+                reader.close()
+                println("Response: $response")
+            } else {
+                println("Failed to connect: $responseCode")
+            }
+        } catch (e: Exception) {
+            e.printStackTrace()
+        } finally {
+            connection.disconnect()
+        }
+    }
+
+    @Test
+    fun `example of secure Https connection`() {
+        val urlString = "https://example.com" // URL menggunakan HTTPS
+        val url = URL(urlString)
+
+        // Membuka koneksi HTTPS
+        val connection = url.openConnection() as HttpsURLConnection
+
+        try {
+            // Menentukan properti koneksi
+            connection.requestMethod = "GET"
+            connection.connectTimeout = 5000
+            connection.readTimeout = 5000
+            connection.doInput = true
+
+            // Validasi sertifikat (gunakan TrustManager untuk pengaturan lebih lanjut jika perlu)
+            val trustManagerFactory =
+                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+            val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
+            keyStore.load(null, null)
+            trustManagerFactory.init(keyStore)
+
+            val sslContext = SSLContext.getInstance("TLS")
+            sslContext.init(null, trustManagerFactory.trustManagers, null)
+            connection.sslSocketFactory = sslContext.socketFactory
+
+            // Mendapatkan response code dan membaca data
+            val responseCode = connection.responseCode
+            println("Response Code: $responseCode")
+
+            if (responseCode == HttpsURLConnection.HTTP_OK) {
+                val reader = BufferedReader(InputStreamReader(connection.inputStream))
+                val response = StringBuilder()
+                var line: String?
+
+                while (reader.readLine().also { line = it } != null) {
+                    response.append(line)
+                }
+
+                reader.close()
+                println("Response: $response")
+            } else {
+                println("Failed to connect: $responseCode")
+            }
+        } catch (e: Exception) {
+            e.printStackTrace()
+        } finally {
+            connection.disconnect()
+        }
+    }
 }