From 4fb8da1588ea9f009dd316807cb0ea54a070864b Mon Sep 17 00:00:00 2001
From: elsapet
Date: Wed, 14 Feb 2024 17:01:29 +0200
Subject: [PATCH] feat(java): third parties rollbar
---
 rules/java/third_parties/rollbar.yml | 51 +++++++++++++++++++
 tests/java/third_parties/rollbar/test.js | 18 +++++++
 .../third_parties/rollbar/testdata/main.java | 35 +++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 rules/java/third_parties/rollbar.yml
 create mode 100644 tests/java/third_parties/rollbar/test.js
 create mode 100644 tests/java/third_parties/rollbar/testdata/main.java
diff --git a/rules/java/third_parties/rollbar.yml b/rules/java/third_parties/rollbar.yml
new file mode 100644
index 000000000..cc3b93869
--- /dev/null
+++ b/rules/java/third_parties/rollbar.yml
@@ -0,0 +1,51 @@
+imports:
+ - java_shared_lang_datatype
+ - java_shared_lang_instance
+patterns:
+ - pattern: |
+ $.$($<...>$$<...>);
+ filters:
+ - variable: ROLLBAR
+ detection: java_third_parties_rollbar_instance
+ - variable: METHOD
+ values:
+ - debug
+ - error
+ - info
+ - setPersonData
+ - variable: DATA_TYPE
+ detection: java_shared_lang_datatype
+auxiliary:
+ - id: java_third_parties_rollbar_instance
+ patterns:
+ - pattern: $;
+ filters:
+ - variable: ROLLBAR
+ detection: java_shared_lang_instance
+ scope: cursor
+ filters:
+ - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+ regex: \A(com\.rollbar\.notifier\.)?Rollbar\z
+languages:
+ - java
+skip_data_types:
+ - "Unique Identifier"
+metadata:
+ description: Leakage of sensitive data to RollBar
+ remediation_message: |
+ ## Description
+ Leaking sensitive data to third-party loggers is a common cause of data
+ leaks and can lead to data breaches. This rule looks for instances of
+ sensitive data sent to Rollbar.
+
+ ## Remediations
+
+ When logging errors or events, ensure all sensitive data is removed.
+
+ ## Resources
+ - [Rollbar docs](https://docs.rollbar.com/docs/java)
+ cwe_id:
+ - 201
+ associated_recipe: Rollbar
+ id: java_third_parties_rollbar
+ documentation_url: https://docs.bearer.com/reference/rules/java_third_parties_rollbar
diff --git a/tests/java/third_parties/rollbar/test.js b/tests/java/third_parties/rollbar/test.js
new file mode 100644
index 000000000..669a740ee
--- /dev/null
+++ b/tests/java/third_parties/rollbar/test.js
@@ -0,0 +1,18 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("rollbar", () => {
+ const testCase = "main.java"
+
+ const results = invoke(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
+})
\ No newline at end of file
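Review bot: The METHOD filter's `values` list (debug, error, info, setPersonData) leaves out the other severity methods that `com.rollbar.notifier.Rollbar` exposes, so a call such as `rollbar.warning("..." + user.email)` or `rollbar.critical(...)` would not be flagged although it sends the same data to the same sink; add `- warning` and `- critical` to the list (and `- log` for the level-parameterised overloads). The fixture in tests/java/third_parties/rollbar/testdata/main.java should gain matching `// bearer:expected java_third_parties_rollbar` cases so the test pins the wider coverage rather than only the four methods listed today. Minor: `description` spells the product `RollBar` while the remediation text and `associated_recipe` use `Rollbar`; make the casing consistent. The pattern lines appear with their `$<…>` variable names stripped in this rendering (`$.$($<...>$$<...>);`), which looks like an extraction artefact rather than the committed text, so I have not reviewed the pattern itself.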
diff --git a/tests/java/third_parties/rollbar/testdata/main.java b/tests/java/third_parties/rollbar/testdata/main.java
new file mode 100644
index 000000000..77477e87f
--- /dev/null
+++ b/tests/java/third_parties/rollbar/testdata/main.java
@@ -0,0 +1,35 @@
+// Use bearer:expected java_third_parties_rollbar to flag expected findings
+
+import com.rollbar.notifier.Rollbar;
+import com.rollbar.notifier.config.Config;
+import com.rollbar.notifier.config.ConfigBuilder;
+
+public class Foo {
+ protected void bad(User user) {
+ Config config = ConfigBuilder.withAccessToken("")
+ .environment("production")
+ .codeVersion("1.0.0")
+ .build();
+ Rollbar rollbar = new Rollbar(config);
+ // bearer:expected java_third_parties_rollbar
+ rollbar.error(user.email);
+ // bearer:expected java_third_parties_rollbar
+ rollbar.info("This is an info message about " + user.name);
+ // bearer:expected java_third_parties_rollbar
+ rollbar.setPersonData(user.uuid,user.name,user.email);
+ // bearer:expected java_third_parties_rollbar
+ rollbar.debug("Here is some debug message for " + user.name);
+ }
+
+ public void good(User user) {
+ Config config = ConfigBuilder.withAccessToken("")
+ .environment("production")
+ .codeVersion("1.0.0")
+ .build();
+ Rollbar rollbar = new Rollbar(config);
+ rollbar.error("Some error message");
+ rollbar.info("This is an info message about " + user.uuid);
+ rollbar.setPersonData(user.uuid);
+ rollbar.debug("Here is some debug message for " + user.uuid);
+ }
+}
\ No newline at end of file