All posts by dotte

Checkstyle custom rule

1. Locate the local Eclipse workspace directory {WorkSpace}.

2. The checkstyle rule directory is {WorkSpace}\.metadata\.plugins\net.sf.eclipsecs.core

3. Replace the contents of internal_config_xxxxx.xml with the configuration below (preferably create a new custom rule first and replace that one, rather than overwriting the default rules).

Sample:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE module PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.3//EN" "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">

<!--
This configuration file was written by the eclipse-cs plugin configuration editor
-->
<!--
Checkstyle-Configuration: Cpus
Description: none
-->
<module name="Checker">
  <property name="severity" value="warning"/>
  <module name="TreeWalker">
    <module name="CyclomaticComplexity">
      <property name="max" value="20"/>
    </module>
    <module name="MethodLength">
      <property name="max" value="100"/>
    </module>
    <module name="TypeName">
      <message key="name.invalidPattern" value="Type name ''{0}'' must match pattern ''{1}''."/>
    </module>
    <module name="ClassTypeParameterName">
      <property name="format" value="(^[A-Z][0-9]?)$|([A-Z][a-zA-Z0-9]*[T]$)"/>
      <message key="name.invalidPattern" value="Class type name ''{0}'' must match pattern ''{1}''."/>
    </module>
    <module name="MethodTypeParameterName">
      <property name="format" value="(^[A-Z][0-9]?)$|([A-Z][a-zA-Z0-9]*[T]$)"/>
      <message key="name.invalidPattern" value="Method type name ''{0}'' must match pattern ''{1}''."/>
    </module>
    <module name="AnnotationLocation">
      <property name="tokens" value="VARIABLE_DEF"/>
      <property name="allowSamelineMultipleAnnotations" value="true"/>
    </module>
    <module name="JavadocMethod">
      <property name="allowMissingParamTags" value="true"/>
      <property name="allowMissingThrowsTags" value="true"/>
      <property name="allowMissingReturnTag" value="true"/>
      <property name="suppressLoadErrors" value="true"/>
    </module>
    <module name="BooleanExpressionComplexity">
      <property name="max" value="4"/>
    </module>
    <module name="JavaNCSS"/>
    <module name="LineLength">
      <property name="max" value="100"/>
      <property name="tabWidth" value="4"/>
    </module>
    <module name="Indentation">
      <property name="severity" value="ignore"/>
      <metadata name="net.sf.eclipsecs.core.lastEnabledSeverity" value="inherit"/>
    </module>
    <module name="LeftCurly"/>
    <module name="NoWhitespaceBefore"/>
    <module name="PackageName">
      <property name="format" value="^[a-z]+(\.[a-z_][a-z0-9_]*)*$"/>
    </module>
    <module name="ConstantName"/>
    <module name="LocalVariableName"/>
    <module name="MemberName"/>
    <module name="MethodName"/>
    <module name="PackageDeclaration"/>
    <module name="OneStatementPerLine"/>
    <module name="AvoidStarImport"/>
    <module name="ArrayTypeStyle"/>
    <module name="FallThrough"/>
    <module name="JavadocType"/>
    <module name="WhitespaceAround">
      <property name="tokens" value="ASSIGN,BAND,BAND_ASSIGN,BOR,BOR_ASSIGN,BSR,BSR_ASSIGN,BXOR,BXOR_ASSIGN,COLON,DIV,DIV_ASSIGN,DO_WHILE,EQUAL,GE,GT,LAND,LCURLY,LE,LITERAL_ASSERT,LITERAL_CATCH,LITERAL_DO,LITERAL_ELSE,LITERAL_FINALLY,LITERAL_FOR,LITERAL_IF,LITERAL_RETURN,LITERAL_SYNCHRONIZED,LITERAL_TRY,LITERAL_WHILE,LOR,LT,MINUS,MINUS_ASSIGN,MOD,MOD_ASSIGN,NOT_EQUAL,PLUS,PLUS_ASSIGN,RCURLY,SL,SLIST,SL_ASSIGN,SR,SR_ASSIGN,STAR,STAR_ASSIGN,TYPE_EXTENSION_AND,WILDCARD_TYPE"/>
      <property name="allowEmptyConstructors" value="true"/>
      <property name="allowEmptyMethods" value="true"/>
      <property name="allowEmptyTypes" value="true"/>
      <property name="allowEmptyLoops" value="true"/>
    </module>
  </module>
  <module name="FileLength">
    <property name="max" value="1000"/>
  </module>
</module>

Java code static check tools

checkstyle:
http://checkstyle.sourceforge.net/

Google Java Style
http://checkstyle.sourceforge.net/reports/google-java-style.html

Findbugs
PMD
Checkstyle
Lint4J
Classycle
JDepend
SISSy
Google Codepro

Open Source or Free Tools Of This Type
Google CodeSearchDiggity – Utilizes Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.
FindBugs – Find Bugs (including some security flaws) in Java Programs
FxCop (Microsoft) – FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
PMD – PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
PreFast (Microsoft) – PREfast is a static analysis tool that identifies defects in C/C++ programs
RATS (Fortify) – Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
OWASP SWAAT Project – Simplistic Beta Tool – Languages: Java, JSP, ASP .Net, and PHP
Flawfinder – Scans C and C++
RIPS – RIPS is a static source code analyzer for vulnerabilities in PHP web applications
Brakeman – Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
Codesake Dawn – Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works for non-web applications written in the Ruby programming language.
VCG – Scans C/C++, Java, C# and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
Commercial Tools Of This Type
BugScout (Buguroo Offensive Security)

bugScout is a latest-generation source code analysis tool that detects source code vulnerabilities and, thanks to its ease of use, makes accurate management of the application life cycle possible.

Contrast from Contrast Security

Contrast is not a static analysis tool like these others. It instruments the running application and provides code level results, but doesn’t actually perform static analysis. It monitors the code that is actually running.

IBM Security AppScan Source Edition (formerly Ounce)
Insight (KlocWork)
Parasoft Test (Parasoft)
Pitbull Source Code Control (Pitbull SCC)

A software application designed to efficiently control application source code together with the corresponding compiled files, ensuring their integrity before they are placed into production. As added value, it allows analysis of the source code to identify whether it contains malware that affects the normal functioning of the application.

Seeker (Quotium)

Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.

Source Patrol (Pentest)
Static Source Code Analysis with CodeSecure™ (Armorize Technologies)
Kiuwan – SaaS Software Quality & Security Analysis (Optimyth)
Static Code Analysis (Checkmarx)
Security Advisor (Coverity)
PVS-Studio (PVS-Studio)
Source Code Analysis (HP/Fortify)
Veracode (Veracode)
Sentinel Source solution (Whitehat)

from:https://www.owasp.org/index.php/Source_Code_Analysis_Tools

Setting Tomcat to start automatically on Linux

/usr/lib/systemd/system (this is where package-provided units live; units you write yourself belong in /etc/systemd/system, which takes precedence over the /usr/lib copy of the same name)

Create a worker.service file in that directory with the following contents:

[Unit]
Description=CPUS Transfer Worker
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/root/bin/Transwork/startAll.sh

[Install]
WantedBy=multi-user.target
tomcat.service

[Unit]
Description=Tomcat
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/share/apache-tomcat-8.0.9/bin/startup.sh
ExecStop=/usr/share/apache-tomcat-8.0.9/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
Refer:
CentOS 7: adding Tomcat start/stop and configuring it with systemctl: http://www.itnose.net/detail/6163208.html

Other:
List all services:
systemctl list-unit-files --type service
Show a service's status:
systemctl status name.service
Start a service:
systemctl start name.service
Stop a service:
systemctl stop name.service
Restart a service:
systemctl restart name.service
Enable a service at boot:
systemctl enable name.service
Disable a service at boot:
systemctl disable name.service
The .service suffix can be omitted.
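As an added example (not from the original post), a small shell check for the weak points in the two units above: neither sets User=, so Tomcat and the worker start as root; the worker script lives under /root; and Type=forking without PIDFile= leaves systemd guessing which process is the main one. The hardened tomcat.service that the check accepts assumes a dedicated tomcat system user that owns Tomcat's logs/, temp/ and work/ directories; CATALINA_PID is the variable Tomcat's catalina.sh reads to decide where to write its pid file. The unit texts are embedded inline so the script runs offline.

```shell
#!/bin/bash
# Added example, not the post's own code. Lints a unit file for three
# weaknesses and shows a hardened Tomcat unit that passes.
# Assumes a "tomcat" system user exists and owns Tomcat's writable dirs.

# lint_unit FILE -> 0 if clean, 1 if any problem was reported on stderr
lint_unit() {
    local file="$1" problems=0
    local user exec_start type pidfile
    user=$(sed -n 's/^User=//p' "$file" | tail -n 1)
    exec_start=$(sed -n 's/^ExecStart=//p' "$file" | tail -n 1)
    type=$(sed -n 's/^Type=//p' "$file" | tail -n 1)
    pidfile=$(sed -n 's/^PIDFile=//p' "$file" | tail -n 1)

    # Without User= systemd starts the daemon as root.
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "$file: no User= line, service runs as root" >&2
        problems=1
    fi
    # A start script under /root is only readable by root and ties the
    # service to that account's home directory.
    case "$exec_start" in
        /root/*) echo "$file: ExecStart points under /root" >&2; problems=1 ;;
    esac
    # Type=forking without PIDFile= makes systemd guess the main process.
    if [ "$type" = "forking" ] && [ -z "$pidfile" ]; then
        echo "$file: Type=forking without PIDFile=" >&2
        problems=1
    fi
    return "$problems"
}

workdir=$(mktemp -d)

# The two units from the post, reproduced here as test input.
cat > "$workdir/worker-as-posted.service" <<'EOF'
[Unit]
Description=CPUS Transfer Worker
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/root/bin/Transwork/startAll.sh

[Install]
WantedBy=multi-user.target
EOF

cat > "$workdir/tomcat-as-posted.service" <<'EOF'
[Unit]
Description=Tomcat
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/share/apache-tomcat-8.0.9/bin/startup.sh
ExecStop=/usr/share/apache-tomcat-8.0.9/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
EOF

# Hardened variant: dedicated user, pid file so systemd tracks the java
# process, private /tmp, and no privilege gain through setuid binaries.
cat > "$workdir/tomcat-hardened.service" <<'EOF'
[Unit]
Description=Tomcat
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
RuntimeDirectory=tomcat
Environment=CATALINA_PID=/run/tomcat/tomcat.pid
PIDFile=/run/tomcat/tomcat.pid
ExecStart=/usr/share/apache-tomcat-8.0.9/bin/startup.sh
ExecStop=/usr/share/apache-tomcat-8.0.9/bin/shutdown.sh
PrivateTmp=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF

for unit in "$workdir"/*.service; do
    if lint_unit "$unit"; then
        echo "$(basename "$unit"): ok"
    else
        echo "$(basename "$unit"): needs fixing"
    fi
done
```

After writing or editing a unit under /etc/systemd/system, run systemctl daemon-reload before systemctl enable/start, then check systemctl status: with PIDFile= set, the main PID shown should be the java process rather than the startup shell, which is what lets systemctl stop and restart act on the right process.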

Common Linux commands

su

cd /usr/share/apache-tomcat-8.0.9/webapps/

ls

mkdir src

rm -rf  file1

cp -rp folder1 folder2

Recursively copy the files under folder1 into folder2:
cp -R folder1/* ./folder2

mv  folder1 folder2

clear

exit

history

history > /var/history    (the history can contain passwords typed on command lines, so don't leave this copy world-readable)

tail -f  access_log

pwd

diff sshd_config sshd_config.orig


ps  -ef|grep java

netstat -an | grep 80    (matches any line containing "80", including 8080 and addresses like 180.x.x.x; anchor the pattern on the port column, e.g. ":80 ")

kill -9 14665    (SIGKILL cannot be caught, so the process gets no chance to shut down cleanly; send a plain kill, i.e. SIGTERM, first and only escalate if it does not exit)

pkill java

telnet 127.0.0.1 80

ifconfig


vi server.xml

whereis ntpd

whereis systemd

which mysql

mysql -u u -p    (prompts for the password; "-p p" would pass p as the database name, and "-pPASSWORD" with no space puts the password into the process list and shell history, so use the prompt or a mode-600 ~/.my.cnf)

find | grep trans

find ./ -name mysql

grep httpd.conf

grep -ri dbdriver *

cat catalina.out

ps auxww|grep aegis

cat log.20151216.log | grep "2015/12/16 23" | less

grep -r proxy *

less mod_auth_mysql_3.0.0_patch_apache2.4.diff

cat BUILD

tar xvzf mod_auth_mysql-3.0.0.tar.gz

screen

java -jar w.jar &


patch < mod_auth_mysql_3.0.0_patch_apache2.4.diff

patch -p1 < mod_auth_mysql_3.0.0_patch_apache2.4.diff

rpm search apxs    (rpm has no search subcommand; the yum search below is the working form)

yum search apxs

yum install httpd-devel

apxs -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c

yum search mysql | grep devel

yum install apr-util-mysql

locate apr_dbd_mysql

rpm -qf /usr/lib64/apr-util-1/apr_dbd_mysql.so


man tcpdump

sudo  tcpdump -ni eth1 -w dump.dat port 80

sudo tcpdump -ni eth0 -w dump.pcap port 80 or port 443

sudo tcpdump -ni eth0 -w dump.pcap port 80 and host {host}


md5sum COMODORSADomainValidationSecureServerCA.crt

sha1sum COMODORSADomainValidationSecureServerCA.crt

(MD5 and SHA-1 are no longer collision-resistant, so for checking a certificate against a published fingerprint compare a SHA-256 digest instead, e.g. sha256sum on the file or the -sha256 fingerprint printed by openssl x509.)