sonar pmd\p3c插件源码初步解析

本篇文章主要围绕对sonar-pmd-p3c插件的解析

版本说明

组件	版本
sonarqube	8.4
sonar-pmd-p3c.jar	3.2.1
pmd-java	6.15.0
p3c-pmd	2.1.0

参考文献

1.ali-p3c-pmd仓库
2.pmd仓库
3.sonar-pmd仓库
4.sonar-pmd-p3c仓库

关系图

基于以上开源插件讲解

增加规则

我是以sonar-pmd-p3c插件3.2.1版本为基础进行修改

1. 规则列表显示

sonar-pmd-p3c\sonar-pmd-plugin\src\main\resources\org\sonar\l10n\pmd.properties
增加：
rule.pmd.AvoidMessageDigestField.name=Avoid Message Digest Field

用于此处：

2. 规则代码添加

sonar-pmd-p3c\sonar-pmd-plugin\src\main\resources\org\sonar\plugins\pmd\rules.xml
增加：
  <rule key="AvoidMessageDigestField">
    <priority>MAJOR</priority>
    <configKey>category/java/bestpractices.xml/AvoidMessageDigestField</configKey>
<!--    <status>DEPRECATED</status>如果此条规则弃用，则添加此属性-->
  </rule>

3.规则类型配置

sonar-pmd-p3c\sonar-pmd-plugin\src\main\resources\com\sonar\sqale\pmd-model.xml
增加：
<chc>
    <rule-repo>pmd</rule-repo>
    <rule-key>AvoidMessageDigestField</rule-key>
    <prop>
      <key>remediationFunction</key>
      <txt>CONSTANT_ISSUE</txt>
    </prop>
    <prop>
      <key>offset</key>
      <val>10</val>
      <txt>min</txt>
    </prop>
  </chc>

4.为何是问题页面

在sonar-pmd-p3c\sonar-pmd-plugin\src\main\resources\org\sonar\l10n\pmd\rules\pmd</kbd>

目录下新建AvoidMessageDigestField.html,添加内容。

Declaring a MessageDigest instance as a field make this instance directly available to multiple threads.
Such sharing of MessageDigest instances should be avoided if possible since it leads to wrong results
if the access is not synchronized correctly.
Just create a new instance and use it locally, where you need it.
Creating a new instance is easier than synchronizing access to a shared instance.
<pre>
import java.security.MessageDigest;
	public class AvoidMessageDigestFieldExample {
		private final MessageDigest sharedMd;
		public AvoidMessageDigestFieldExample() throws Exception {
			sharedMd = MessageDigest.getInstance("SHA-256");
		}
		public byte[] calculateHashShared(byte[] data) {
			// sharing a MessageDigest like this without synchronizing access
			// might lead to wrong results
			sharedMd.reset();
			sharedMd.update(data);
			return sharedMd.digest();
		}

		// better
		public byte[] calculateHash(byte[] data) throws Exception {
			MessageDigest md = MessageDigest.getInstance("SHA-256");
			md.update(data);
			return md.digest();
		}
	}
</pre>

html文件内容来源？
确认我们增加的是pmd规则，找到本地仓库下载的pmd-java依赖包
打开sonar-pmd-p3c\sonar-pmd-plugin\pom.xml文件，查找pmd-java包

   <dependency>
      <groupId>net.sourceforge.pmd</groupId>
      <artifactId>pmd-java</artifactId>
    </dependency>

我的本地仓库在C:\Users\Administrator.m2\repository\net\sourceforge\pmd\pmd-java
查看pmd-java版本号：D:\IdeaProjects\sonar-pmd-p3c\pom.xml

    <pmd.version>6.15.0</pmd.version>

进入本地仓库，只有jar包

解压pmd-java-6.15.0.jar,查看规则所在的bestpractices.xml文件，这里的路径与上文2.规则代码添加路径一致。
bestpractices.xml文件关于此条规则的代码，挑出rule name、message、description<kbd>example代码放入AvoidMessageDigestField.html文件即可：

		<rule name="AvoidMessageDigestField"
			  language="java"
			  since="6.18.0"
			  message="You shouldn't declare field of MessageDigest type, because unsynchronized access could cause problems"
			  typeResolution="true"
			  class="net.sourceforge.pmd.lang.rule.XPathRule"
			  externalInfoUrl="${pmd.website.baseurl}/pmd_rules_java_bestpractices.html#avoidmessagedigestfield">
			<description>
				Declaring a MessageDigest instance as a field make this instance directly available to multiple threads.
				Such sharing of MessageDigest instances should be avoided if possible since it leads to wrong results
				if the access is not synchronized correctly.
				Just create a new instance and use it locally, where you need it.
				Creating a new instance is easier than synchronizing access to a shared instance.
			</description>
			<priority>3</priority>
			<properties>
				<property name="version" value="2.0"/>
				<property name="xpath">
					<value>
						<![CDATA[
	//FieldDeclaration[pmd-java:typeIs('java.security.MessageDigest')]
	]]>
					</value>
				</property>
			</properties>
			<example>
				<![CDATA[
	import java.security.MessageDigest;
	public class AvoidMessageDigestFieldExample {
		private final MessageDigest sharedMd;
		public AvoidMessageDigestFieldExample() throws Exception {
			sharedMd = MessageDigest.getInstance("SHA-256");
		}
		public byte[] calculateHashShared(byte[] data) {
			// sharing a MessageDigest like this without synchronizing access
			// might lead to wrong results
			sharedMd.reset();
			sharedMd.update(data);
			return sharedMd.digest();
		}

		// better
		public byte[] calculateHash(byte[] data) throws Exception {
			MessageDigest md = MessageDigest.getInstance("SHA-256");
			md.update(data);
			return md.digest();
		}
	}
	]]>
			</example>
		</rule>

5. 控制台mvn clean package -DskipTests打包
6. jar包放入sonarqube-8.4.1.35646/extensions/plugins/,切换sonarqube重启应用
7. 此插件html显示，如：
   
8. 其它小优化
   更改jar包名称，与sonar-pmd-plugin区分
   github上有N多插件，有些只是有pmd-java,它也叫这个名字，而我用的插件是整合是pmd-java和com.alibaba.p3c-pmd的。
   \sonar-pmd-p3c\sonar-pmd-plugin\pom.xml更改项目标识符

<artifactId>sonar-pmd-p3c-plugin</artifactId>

更改规则名称，与sonar-pmd-plugin区分
\sonar-pmd-p3c\sonar-pmd-plugin\src\main\java\org\sonar\plugins\pmd\PmdConstants.java更改

    public static final String REPOSITORY_NAME = "PMD-p3c";

整改后的源码和jar下载

https://download.csdn.net/download/sincool1003/74101211