From 528022bc8aa28d2fcef2e1e54370d874ff9965ab Mon Sep 17 00:00:00 2001
From: Antoine Vigneau
Date: Wed, 7 Jun 2023 15:44:35 +0200
Subject: [PATCH] SQSCANNER-115 Fix SSF-392
---
 it/pom.xml | 2 +-
 pom.xml | 6 ++---
 .../sonarsource/scanner/cli/SystemInfo.java | 25 ++++++++++++++++++-
 .../scanner/cli/SystemInfoTest.java | 12 +++++++++
 4 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/it/pom.xml b/it/pom.xml
index 85323f86..6719a2c9 100644
--- a/it/pom.xml
+++ b/it/pom.xml
@@ -25,7 +25,7 @@ 7.9.1 - 8 + 11
diff --git a/pom.xml b/pom.xml
index 9fad6ad3..83a11bd9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -59,7 +59,7 @@ ${project.groupId}:${project.artifactId}:zip,${project.groupId}:${project.artifactId}:zip:linux,${project.groupId}:${project.artifactId}:zip:windows,${project.groupId}:${project.artifactId}:zip:macosx,${project.groupId}:${project.artifactId}:json:cyclonedx - 8 + 11
@@ -179,7 +179,7 @@ 560000 - 590000 + 600000 ${project.build.directory}/sonar-scanner-${project.version}.zip
@@ -193,7 +193,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 8 + 11
diff --git a/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java b/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java
index 5dfd6bd0..84696fbf 100644
--- a/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java
+++ b/src/main/java/org/sonarsource/scanner/cli/SystemInfo.java
@@ -19,7 +19,16 @@
 */
 package org.sonarsource.scanner.cli;
+import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
 class SystemInfo {
+ private static final Set SENSITIVE_JVM_ARGUMENTS = Set.of(
+ "-Dsonar.login",
+ "-Dsonar.password",
+ "-Dsonar.token");
+ private static final Pattern PATTERN_ARGUMENT_SEPARATOR = Pattern.compile("\\s+");
 private static System2 system = new System2();
 private SystemInfo() {
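Review bot: SENSITIVE_JVM_ARGUMENTS is an exact, case-sensitive deny-list of three Sonar keys, so other credentials that are commonly passed through SONAR_SCANNER_OPTS — for instance `-Djavax.net.ssl.keyStorePassword` and `-Djavax.net.ssl.trustStorePassword` — are still written to the log verbatim. Consider redacting by key shape rather than by fixed list, e.g. any `-D` key whose lower-cased name contains `password`, `token` or `secret`, and keeping the explicit set only for the known `sonar.*` keys. Whatever approach is kept, a comment above the set such as `// matched exactly against the text before the first '=' of each whitespace-separated argument; keys not listed here are logged unredacted` would make the limitation visible to the next maintainer.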
@@ -35,8 +44,22 @@ static void print(Logs logger) {
 logger.info(os());
 String scannerOpts = system.getenv("SONAR_SCANNER_OPTS");
 if (scannerOpts != null) {
- logger.info("SONAR_SCANNER_OPTS=" + scannerOpts);
+ logger.info("SONAR_SCANNER_OPTS=" + redactSensitiveArguments(scannerOpts));
+ }
+ }
+
+ private static String redactSensitiveArguments(String scannerOpts) {
+ return PATTERN_ARGUMENT_SEPARATOR.splitAsStream(scannerOpts)
+ .map(SystemInfo::redactArgumentIfSensistive)
+ .collect(Collectors.joining(" "));
+ }
+
+ private static String redactArgumentIfSensistive(String argument) {
+ String[] elems = argument.split("=");
+ if (elems.length > 0 && SENSITIVE_JVM_ARGUMENTS.contains(elems[0])) {
+ return elems[0] + "=*";
 }
+ return argument;
 }
 static String java() {
diff --git a/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java b/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java
index c6c05859..3e11c444 100644
--- a/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java
+++ b/src/test/java/org/sonarsource/scanner/cli/SystemInfoTest.java
@@ -89,4 +89,16 @@ public void should_print() {
 verify(logs).info("SONAR_SCANNER_OPTS=arg");
 verifyNoMoreInteractions(logs);
 }
+
+ @Test
+ public void should_not_print_sensitive_data() {
+ mockOs();
+ mockJava();
+ when(mockSystem.getenv("SONAR_SCANNER_OPTS"))
+ .thenReturn("-Dsonar.login=login -Dsonar.whatever=whatever -Dsonar.password=password -Dsonar.whatever2=whatever2 -Dsonar.token=token");
+
+ SystemInfo.print(logs);
+
+ verify(logs).info("SONAR_SCANNER_OPTS=-Dsonar.login=* -Dsonar.whatever=whatever -Dsonar.password=* -Dsonar.whatever2=whatever2 -Dsonar.token=*");
+ }
 }
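Review bot: redactSensitiveArguments splits the whole string on `\s+` before any key is examined, so a sensitive value that itself contains whitespace is redacted only up to its first space and the remainder is emitted as an ordinary argument; whether the launcher lets such a value through is not visible here, but the redaction should not rely on it. Splitting only at the start of the next option, `Pattern.compile("\\s+(?=-)")`, keeps each `-Dkey=value` together and leaves the existing test expectations unchanged. In redactArgumentIfSensistive the `elems.length > 0` guard is always true (`split` never returns an empty array for this input), so `int eq = argument.indexOf('='); String key = eq < 0 ? argument : argument.substring(0, eq);` states the intent more directly than splitting on every `=`. The method name is misspelled (`Sensistive`) in both its declaration and the method reference in the stream.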
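Review bot: should_not_print_sensitive_data does not finish with `verifyNoMoreInteractions(logs);` as should_print does, so an additional info call that carried the unredacted value would not fail the test. The fixture also only exercises the `key=value` form with single-word values; adding a bare `-Dsonar.token` without `=` and a key whose value contains a space would pin how the redaction behaves at those boundaries rather than leaving it implicit.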