Support for C/C++ Language and OpenSSL library

.github/workflows/maven-publish.yml

@@ -20,7 +20,7 @@ jobs:
     - name: Set up JDK
       uses: actions/setup-java@v5
       with:
-        java-version: '17'
+        java-version: '21'
         distribution: 'temurin'
     - name: Deploy to GitHub Packages
       run: mvn --batch-mode deploy

.github/workflows/maven.yml

@@ -10,39 +10,43 @@ name: Java CI with Maven
 
 permissions:
   contents: write
-  packages: write
 
 on:
   push:
-    branches: [ "main", "dev/*" ]
+    branches: ["main", "dev/*"]
   pull_request:
-    branches: [ "main", "dev/*" ]
+    branches: ["main", "dev/*"]
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - name: Set up JDK 17
-      uses: actions/setup-java@v5
-      with:
-        java-version: '17'
-        distribution: 'temurin'
-        cache: maven
-    - name: Build with Maven
-      run: mvn -B clean package
-    - name: Create CBOM
-      uses: cbomkit/cbomkit-action@v2.2.0
-      id: cbom
-      # Persist CBOM after a job has completed and share
-      # that CBOM with another job in the same workflow.
-    - name: Commit changes to new branch
-      uses: actions/upload-artifact@v7
-      with:
-        name: "CBOM"
-        path: ${{ steps.cbom.outputs.pattern }}
-        if-no-files-found: warn
-    # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
-    #- name: Update dependency graph
-    #  uses: advanced-security/maven-dependency-submission-action@v5
-    #  if: github.event_name != 'pull_request'
+      - uses: actions/checkout@v6
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v5
+        with:
+          java-version: "21"
+          distribution: "temurin"
+          cache: maven
+
+      - name: Build with Maven
+        run: mvn -B clean package
+
+      - name: Create CBOM
+        uses: cbomkit/cbomkit-action@v2.2.0
+        id: cbom
+        # Persist CBOM after a job has completed and share
+        # that CBOM with another job in the same workflow.
+
+      - name: Upload CBOM artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: "CBOM"
+          path: ${{ steps.cbom.outputs.pattern }}
+          if-no-files-found: warn
+
+      # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
+      #- name: Update dependency graph
+      #  uses: advanced-security/maven-dependency-submission-action@v5
+      #  if: github.event_name != 'pull_request'

README.md

@@ -3,7 +3,6 @@
 [![License](https://img.shields.io/github/license/cbomkit/sonar-cryptography.svg?)](https://opensource.org/licenses/Apache-2.0) <!--- long-description-skip-begin -->
 [![Current Release](https://img.shields.io/github/release/cbomkit/sonar-cryptography.svg?logo=IBM)](https://github.com/cbomkit/sonar-cryptography/releases)
 
-
 This repository contains a SonarQube Plugin that detects cryptographic assets
 in source code and generates [CBOM](https://cyclonedx.org/capabilities/cbom/).
 It is part of **the [CBOMKit](https://github.com/cbomkit) toolset**.
@@ -23,11 +22,10 @@ It is part of **the [CBOMKit](https://github.com/cbomkit) toolset**.
 ## Version compatibility
 
 | Plugin Version  | SonarQube Version              |
-|-----------------|--------------------------------|
+| --------------- | ------------------------------ |
 | 1.3.7 and up    | SonarQube 9.9 (LTS) and up     |
-| 1.3.2 and 1.3.6 | SonarQube 9.8 (LTS) up to 10.8 | 
-| 1.2.0 to 1.3.1  | SonarQube 9.8 (LTS) up to 10.4 |      
-
+| 1.3.2 and 1.3.6 | SonarQube 9.8 (LTS) up to 10.8 |
+| 1.2.0 to 1.3.1  | SonarQube 9.8 (LTS) up to 10.4 |
 
 ## Supported languages and libraries
 
@@ -39,53 +37,58 @@ It is part of **the [CBOMKit](https://github.com/cbomkit) toolset**.
 | Go       | [crypto](https://pkg.go.dev/crypto) (*standard library*)                                      | 100%[^2]         |
 |          | [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto)                                 | Partial[^3]      |
 | C#       | [System.Security.Cryptography](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography) | In development[^4] |
-
+| C/C++    | [OpenSSL](https://www.openssl.org/)                                                           | Partial[^5]      |
 
 [^1]: We only cover the BouncyCastle *light-weight API* according to [this specification](https://javadoc.io/static/org.bouncycastle/bctls-jdk14/1.80/specifications.html)
+
 [^2]: All packages under [`crypto`](https://pkg.go.dev/crypto@go1.25.6#section-directories) are covered except `crypto/x509`
+
 [^3]: Covers `golang.org/x/crypto/hkdf`, `golang.org/x/crypto/pbkdf2`, and `golang.org/x/crypto/sha3`
 [^4]: C# support uses an [ANTLR v7 grammar](https://github.com/antlr/grammars-v4/tree/master/csharp) to parse source files directly. The current csharp support only covers the language support and does not contain detection rules other than the rules used for verifying the detection engine. **This is not yet meant for active usage!** **Known limitations of the detection engine:** no cross-method variable tracking (only single-method scope), only works for c# v7, string-based matching (no type resolution)
 
+[^5]: Covers OpenSSL EVP API (ciphers, digests, MACs, KDFs, key agreement, key generation, signatures), legacy API, SSL/TLS functions, and PRNG. Requires the [sonar-cxx](https://github.com/SonarOpenCommunity/sonar-cxx) plugin.
+
 > [!NOTE]
 > The plugin is designed in a modular way so that it can be extended to support additional languages and recognition rules to support more libraries.
-> - To add support for another language or cryptography library, see [*Extending the Sonar Cryptography Plugin to add support for another language or cryptography library*](./docs/LANGUAGE_SUPPORT.md)
-> - If you just want to know more about the syntax for writing new detection rules, see [*Writing new detection rules for the Sonar Cryptography Plugin*](./docs/DETECTION_RULE_STRUCTURE.md)
+>
+> - To add support for another language or cryptography library, see [_Extending the Sonar Cryptography Plugin to add support for another language or cryptography library_](./docs/LANGUAGE_SUPPORT.md)
+> - If you just want to know more about the syntax for writing new detection rules, see [_Writing new detection rules for the Sonar Cryptography Plugin_](./docs/DETECTION_RULE_STRUCTURE.md)
 
 ## Installation
 
-> [!NOTE] 
-> To run the plugin, you need a running SonarQube instance with one of the supported 
+> [!NOTE]
+> To run the plugin, you need a running SonarQube instance with one of the supported
 > versions. If you don't have one but want to try the plugin, you can use the
-> included Docker Compose to set up a development environment. See 
+> included Docker Compose to set up a development environment. See
 > [here](CONTRIBUTING.md#build) for instructions.
 
 Copy the plugin (the JAR file from the [latest releases](https://github.com/cbomkit/sonar-cryptography/releases))
-to `$SONARQUBE_HOME/extensions/plugins` and restart 
+to `$SONARQUBE_HOME/extensions/plugins` and restart
 SonarQube ([more](https://docs.sonarqube.org/latest/setup-and-upgrade/install-a-plugin/)).
 
 ## Using
 
-The plugin provides new inventory rules (Cbomkit Cryptography Repository) regarding the use of cryptography for 
+The plugin provides new inventory rules (Cbomkit Cryptography Repository) regarding the use of cryptography for
 the supported languages.
-If you enable these rules, a source code scan creates a cryptographic inventory by creating a 
-[CBOM](https://cyclonedx.org/capabilities/cbom/) with all cryptographic assets and writing 
+If you enable these rules, a source code scan creates a cryptographic inventory by creating a
+[CBOM](https://cyclonedx.org/capabilities/cbom/) with all cryptographic assets and writing
 a `cbom.json` to the scan directory.
 
 ### Add Cryptography Rules to your Quality Profile
 
 This plugin incorporates rules specifically focused on cryptography.
 
-> To generate a Cryptography Bill of Materials (CBOM), it is mandatory to activate at 
+> To generate a Cryptography Bill of Materials (CBOM), it is mandatory to activate at
 > least one of these cryptography-related rules.
 
 ![Activate Rules Crypto Rules](docs/images/rules.png)
 
-As of the current version, the plugin contains one single rule for creating a cryptographic inventory. 
+As of the current version, the plugin contains one single rule for creating a cryptographic inventory.
 Future updates may introduce additional rules to expand functionality.
 
 ### Scan Source Code
 
-Now you can follow the [SonarQube documentation](https://docs.sonarqube.org/latest/analyzing-source-code/overview/) 
+Now you can follow the [SonarQube documentation](https://docs.sonarqube.org/latest/analyzing-source-code/overview/)
 to start your first scan.
 
 ### Visualizing your CBOM
@@ -188,6 +191,7 @@ The plugin generates a `cbom.json` file in [CycloneDX CBOM format](https://cyclo
 ```
 
 The CBOM includes:
+
 - **Algorithms**: Hash functions, ciphers, key exchange mechanisms with their parameters
 - **Keys and secrets**: Private keys, secret keys, and other cryptographic materials
 - **Evidence**: Source file locations where each asset was detected
@@ -267,10 +271,10 @@ Run with `go run gen_package.go`, then delete the script.
 
 2. **Check for dependencies**: Some packages depend on types from other packages. Common dependencies:
 
-| Package | May require |
-|---------|-------------|
-| `crypto/hmac` | `hash` |
-| `crypto/cipher` | `io` |
+| Package           | May require  |
+| ----------------- | ------------ |
+| `crypto/hmac`     | `hash`       |
+| `crypto/cipher`   | `io`         |
 | `crypto/*` (most) | `io`, `hash` |
 
 3. **Add mapping entry** to `mapping_generated.go` in alphabetical order:
@@ -283,17 +287,17 @@ Run with `go run gen_package.go`, then delete the script.
 
 ### File naming convention
 
-| Package Path | Export Data File |
-|--------------|------------------|
-| `crypto/hmac` | `crypto_hmac.o` |
-| `crypto/elliptic` | `crypto_elliptic.o` |
+| Package Path                 | Export Data File    |
+| ---------------------------- | ------------------- |
+| `crypto/hmac`                | `crypto_hmac.o`     |
+| `crypto/elliptic`            | `crypto_elliptic.o` |
 | `golang.org/x/crypto/bcrypt` | `x_crypto_bcrypt.o` |
 
 </details>
 
 ## Help and troubleshooting
 
-If you encounter difficulties or unexpected results while installing the plugin with SonarQube, or when trying to scan a repository, please check out our guide [*Testing your configuration and troubleshooting*](docs/TROUBLESHOOTING.md) to run our plugin with step-by-step instructions.
+If you encounter difficulties or unexpected results while installing the plugin with SonarQube, or when trying to scan a repository, please check out our guide [_Testing your configuration and troubleshooting_](docs/TROUBLESHOOTING.md) to run our plugin with step-by-step instructions.
 
 ## Contribution Guidelines
 
@@ -305,4 +309,4 @@ start a discussion using [GitHub Discussions](https://github.com/cbomkit/sonar-c
 
 ## License
 
-[Apache License 2.0](LICENSE.txt)
+[Apache License 2.0](LICENSE.txt)

cpp/pom.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.ibm</groupId>
+        <artifactId>sonar-cryptography</artifactId>
+        <version>2.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>cpp</artifactId>
+
+    <properties>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.ibm</groupId>
+            <artifactId>engine</artifactId>
+            <version>2.0.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>com.ibm</groupId>
+            <artifactId>output</artifactId>
+            <version>2.0.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>com.ibm</groupId>
+            <artifactId>enricher</artifactId>
+            <version>2.0.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>com.ibm</groupId>
+            <artifactId>rules</artifactId>
+            <version>2.0.0-SNAPSHOT</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.sonarsource.analyzer-commons</groupId>
+            <artifactId>sonar-analyzer-test-commons</artifactId>
+            <version>2.18.0.3393</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

cpp/src/main/java/com/ibm/plugin/CxxAggregator.java

@@ -0,0 +1,68 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.plugin;
+
+import com.ibm.engine.language.ILanguageSupport;
+import com.ibm.engine.language.LanguageSupporter;
+import com.ibm.mapper.model.INode;
+import com.ibm.output.IAggregator;
+import com.sonar.cxx.sslr.api.AstNode;
+import com.sonar.cxx.sslr.api.Grammar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import javax.annotation.Nonnull;
+import org.sonar.cxx.squidbridge.SquidAstVisitorContext;
+import org.sonar.cxx.squidbridge.api.Symbol;
+import org.sonar.cxx.squidbridge.checks.SquidCheck;
+
+public final class CxxAggregator implements IAggregator {
+
+    private static ILanguageSupport<
+                    SquidCheck<?>, AstNode, Symbol, SquidAstVisitorContext<? extends Grammar>>
+            cxxLanguageSupport = LanguageSupporter.cxxLanguageSupporter();
+    private static List<INode> detectedNodes = new ArrayList<>();
+
+    private CxxAggregator() {
+        // nothing
+    }
+
+    public static void addNodes(@Nonnull List<INode> newNodes) {
+        detectedNodes.addAll(newNodes);
+        IAggregator.log(newNodes);
+    }
+
+    @Nonnull
+    public static List<INode> getDetectedNodes() {
+        return Collections.unmodifiableList(detectedNodes);
+    }
+
+    @Nonnull
+    public static ILanguageSupport<
+                    SquidCheck<?>, AstNode, Symbol, SquidAstVisitorContext<? extends Grammar>>
+            getLanguageSupport() {
+        return cxxLanguageSupport;
+    }
+
+    public static void reset() {
+        cxxLanguageSupport = LanguageSupporter.cxxLanguageSupporter();
+        detectedNodes = new ArrayList<>();
+    }
+}

cpp/src/main/java/com/ibm/plugin/CxxCheckRegistrar.java

@@ -0,0 +1,48 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.plugin;
+
+import java.util.List;
+import org.sonar.cxx.squidbridge.api.CxxCustomRuleRepository;
+import org.sonarsource.api.sonarlint.SonarLintSide;
+
+/**
+ * Registers C++ cryptography detection rules with the sonar-cxx analysis framework.
+ *
+ * <p>This class implements the {@link CxxCustomRuleRepository} interface provided by sonar-cxx,
+ * which allows external plugins to register custom checks that will be executed during C++ code
+ * analysis.
+ *
+ * <p>The sonar-cxx plugin will discover this class via service loading and invoke the {@link
+ * #checkClasses()} method to obtain the list of check classes to instantiate and run.
+ */
+@SonarLintSide
+public class CxxCheckRegistrar implements CxxCustomRuleRepository {
+
+    @Override
+    public String repositoryKey() {
+        return CxxScannerRuleDefinition.REPOSITORY_KEY;
+    }
+
+    @Override
+    public List<Class<?>> checkClasses() {
+        return CxxRuleList.getChecks();
+    }
+}