Plist files not detect and scanned in Sonar

Rules and Languages New rules / language support
, ,
1
  • description of the Rule.
    I want to detect specific configuration in a plist file (that follows xml), which is basically specific for iOS applications.
    However, sonar does not take the plist file and onboard it in the project for scanning, even if I explicitly include it: sonar.inclussions=**/*.plist

I am also creating a rule from the xPath xml template to do that specific detection and it does not work either since the plist file is not being onboarded.

Moreover, if I change the extension to .xml, the file is recognised but there is no detection whatsoever, only an error on the file.

  • Original file not being detected by Sonar:
    info.plist
    (this is only part of the file, with the config I want to detect)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>AppIdentifierPrefix</key>
...
...
     <dict>
		<key>NSExceptionDomains</key>
		<dict>
			<key>service.domain.com</key>
			<dict>
				<key>NSIncludesSubdomains</key>
				<true/>
				<key>NSExceptionAllowsInsecureHTTPLoads</key>
				<true/>
				<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
				<true/>
				<key>NSRequiresCertificateTransparency</key>
				<false/>
			</dict>
                </dict>
...
...
</dict>
</plist>
  • The file has been renamed and crafted a rule using XPath xml templates.
    The file is renamed to info.xml and now detected. Created a rule using the XPath template for xml with this very simple pattern.
**expression**	
//key[text()='NSExceptionAllowsInsecureHTTPLoads']
**filePattern**	
**/*.plist, **/*.xml
message	
**The issue message**
Avoid setting 'NSExceptionAllowsInsecureHTTPLoads' or 'NSThirdPartyExceptionAllowsInsecureHTTPLoads' to true in 'info.plist' files as it weakens transport security. Consider using HTTPS or removing this exception.

With that, I do not get any alerts but the following warning in the logs:

WARN  Missing blame information for the following files:
WARN    * path/info.xml

The warning disappears by setting Disable the SCM Sensor to True, but the rule still does not trigger

  • End goal
    Get Sonar to detect and scan .plist files and apply a xPath rule to detect the HTTP insecure configuration.
2

Hi,

As you’ve discovered, .plist isn’t a default XML file extension. You need to edit the language’s list of recognized extensions to add it. You’ll find that at both the global and project administration levels.

What is the error?

As the docs make clear, only XPath 1.0 is supported.

 
HTH,
Ann

3

That is the error. I will go ahead and try adding the new extension and making sure XPath 1.0 is used!

4

Hi,

That warning is totally unrelated.

 
Ann

5

The rule works now. The thing failing really was the FilePattern what was not matching correctly.

It does now works perfectly, thanks!

1 Like
6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.