Add several Sonar hotspot mappings (#486)

pixee · Dec 18, 2024 · b841ee3 · b841ee3
1 parent 394739f
commit b841ee3
Show file tree

Hide file tree

Showing 122 changed files with 1,183 additions and 75 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -64,7 +64,7 @@ jobs:
           python-version: '3.11'
 
       - name: Install Semgrep
-        run: python3 -m pip install semgrep
+        run: python3 -m pip install semgrep==1.84.1
 
       - name: Run Check task
         uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs:
           python-version: '3.11'
 
       - name: Install Semgrep
-        run: python3 -m pip install semgrep
+        run: python3 -m pip install semgrep==1.84.1
 
       - uses: actions/setup-java@v3
         with:

diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ Follow these instructions if you intend to modify and build this project from so
    [here](https://semgrep.dev/docs/getting-started/#installing-and-running-semgrep-locally)
    for instructions. It can usually be done via `pip`:
    ```shell
-   pip install semgrep
+   pip install semgrep==1.84.1
    ```
 
 If your python library paths contain your home directory as a root folder (i.e.

diff --git a/core-codemods/src/intTest/java/io/codemodder/integration/GitRepositoryTest.java b/core-codemods/src/intTest/java/io/codemodder/integration/GitRepositoryTest.java
@@ -97,7 +97,12 @@ protected void verifyNoFailedFiles(final CodeTFReport report) {
             .map(CodeTFResult::getFailedFiles)
             .flatMap(Collection::stream)
             .toList();
-    assertThat(failedFiles.size(), is(0));
+    if (!failedFiles.isEmpty()) {
+      System.out.println("Failed files during scan:");
+      failedFiles.forEach(System.err::println);
+    }
+    int size = failedFiles.size();
+    assertThat(size, is(0));
   }
 
   protected void verifyStandardCodemodResults(final List<CodeTFChangesetEntry> fileChanges) {

diff --git a/core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java b/core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java
@@ -12,6 +12,7 @@
 import io.codemodder.codemods.semgrep.SemgrepServletResponseWriterXSSCodemod;
 import io.codemodder.codemods.semgrep.SemgrepWeakRandomCodemod;
 import io.codemodder.codemods.semgrep.SemgrepXXECodemod;
+import io.codemodder.codemods.sonar.*;
 import java.util.List;
 
 /**
@@ -89,12 +90,15 @@ public static List<Class<? extends CodeChanger>> asList() {
         SemgrepOverlyPermissiveFilePermissionsCodemod.class,
         SimplifyRestControllerAnnotationsCodemod.class,
         SubstituteReplaceAllCodemod.class,
+        SonarCookieMissingSecureFlagCodemod.class,
         SonarJNDIInjectionCodemod.class,
         SonarObjectDeserializationCodemod.class,
         SonarRemoveUnthrowableExceptionCodemod.class,
         SonarSQLInjectionCodemod.class,
         SonarSSRFCodemod.class,
         SonarUnsafeReflectionRemediationCodemod.class,
+        SonarWeakHashingAlgorithmCodemod.class,
+        SonarWeakRandomCodemod.class,
         SonarXXECodemod.class,
         SQLParameterizerCodemod.class,
         SSRFCodemod.class,

diff --git a/...r/codemods/AddMissingOverrideCodemod.java → ...mods/sonar/AddMissingOverrideCodemod.java b/...r/codemods/AddMissingOverrideCodemod.java → ...mods/sonar/AddMissingOverrideCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.body.MethodDeclaration;

diff --git a/...voidImplicitPublicConstructorCodemod.java → ...voidImplicitPublicConstructorCodemod.java b/...voidImplicitPublicConstructorCodemod.java → ...voidImplicitPublicConstructorCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Modifier;

diff --git a/...codemods/ConstantNameStringGenerator.java → ...ds/sonar/ConstantNameStringGenerator.java b/...codemods/ConstantNameStringGenerator.java → ...ds/sonar/ConstantNameStringGenerator.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import java.util.Set;
 import java.util.regex.Matcher;

diff --git a/...er/codemods/CreateConstantForLiteral.java → ...emods/sonar/CreateConstantForLiteral.java b/...er/codemods/CreateConstantForLiteral.java → ...emods/sonar/CreateConstantForLiteral.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Modifier;

diff --git a/...demods/DeclareVariableOnSeparateLine.java → .../sonar/DeclareVariableOnSeparateLine.java b/...demods/DeclareVariableOnSeparateLine.java → .../sonar/DeclareVariableOnSeparateLine.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.Node;
 import com.github.javaparser.ast.NodeList;

diff --git a/...DeclareVariableOnSeparateLineCodemod.java → ...DeclareVariableOnSeparateLineCodemod.java b/...DeclareVariableOnSeparateLineCodemod.java → ...DeclareVariableOnSeparateLineCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;

diff --git a/...bleOnSeparateLineForFieldDeclaration.java → ...bleOnSeparateLineForFieldDeclaration.java b/...bleOnSeparateLineForFieldDeclaration.java → ...bleOnSeparateLineForFieldDeclaration.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.Node;
 import com.github.javaparser.ast.NodeList;

diff --git a/...parateLineForVariableDeclarationExpr.java → ...parateLineForVariableDeclarationExpr.java b/...parateLineForVariableDeclarationExpr.java → ...parateLineForVariableDeclarationExpr.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.Node;
 import com.github.javaparser.ast.NodeList;

diff --git a/...er/codemods/DefineConstantForLiteral.java → ...emods/sonar/DefineConstantForLiteral.java b/...er/codemods/DefineConstantForLiteral.java → ...emods/sonar/DefineConstantForLiteral.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.Range;
 import com.github.javaparser.ast.CompilationUnit;

diff --git a/...mods/DefineConstantForLiteralCodemod.java → ...onar/DefineConstantForLiteralCodemod.java b/...mods/DefineConstantForLiteralCodemod.java → ...onar/DefineConstantForLiteralCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.expr.StringLiteralExpr;

diff --git a/...mods/FixRedundantStaticOnEnumCodemod.java → ...onar/FixRedundantStaticOnEnumCodemod.java b/...mods/FixRedundantStaticOnEnumCodemod.java → ...onar/FixRedundantStaticOnEnumCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.body.EnumDeclaration;

diff --git a/...HardenStringParseToPrimitivesCodemod.java → ...HardenStringParseToPrimitivesCodemod.java b/...HardenStringParseToPrimitivesCodemod.java → ...HardenStringParseToPrimitivesCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;

diff --git a/...desMatchParentSynchronizationCodemod.java → ...desMatchParentSynchronizationCodemod.java b/...desMatchParentSynchronizationCodemod.java → ...desMatchParentSynchronizationCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;

diff --git a/.../codemods/RemoveCommentedCodeCodemod.java → ...ods/sonar/RemoveCommentedCodeCodemod.java b/.../codemods/RemoveCommentedCodeCodemod.java → ...ods/sonar/RemoveCommentedCodeCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.comments.Comment;

diff --git a/...moveRedundantVariableCreationCodemod.java → ...moveRedundantVariableCreationCodemod.java b/...moveRedundantVariableCreationCodemod.java → ...moveRedundantVariableCreationCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.expr.*;

diff --git a/...r/codemods/RemoveUnusedImportCodemod.java → ...mods/sonar/RemoveUnusedImportCodemod.java b/...r/codemods/RemoveUnusedImportCodemod.java → ...mods/sonar/RemoveUnusedImportCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.ImportDeclaration;

diff --git a/...ods/RemoveUnusedLocalVariableCodemod.java → ...nar/RemoveUnusedLocalVariableCodemod.java b/...ods/RemoveUnusedLocalVariableCodemod.java → ...nar/RemoveUnusedLocalVariableCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;

diff --git a/...ods/RemoveUnusedPrivateMethodCodemod.java → ...nar/RemoveUnusedPrivateMethodCodemod.java b/...ods/RemoveUnusedPrivateMethodCodemod.java → ...nar/RemoveUnusedPrivateMethodCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;

diff --git a/...mods/RemoveUselessParenthesesCodemod.java → ...onar/RemoveUselessParenthesesCodemod.java b/...mods/RemoveUselessParenthesesCodemod.java → ...onar/RemoveUselessParenthesesCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.expr.EnclosedExpr;

diff --git a/...ReplaceStreamCollectorsToListCodemod.java → ...ReplaceStreamCollectorsToListCodemod.java b/...ReplaceStreamCollectorsToListCodemod.java → ...ReplaceStreamCollectorsToListCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;

diff --git a/...lifyRestControllerAnnotationsCodemod.java → ...lifyRestControllerAnnotationsCodemod.java b/...lifyRestControllerAnnotationsCodemod.java → ...lifyRestControllerAnnotationsCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import static io.codemodder.ast.ASTTransforms.addImportIfMissing;
 import static io.codemodder.ast.ASTTransforms.removeImportIfUnused;

diff --git a/...emods/src/main/java/io/codemodder/codemods/sonar/SonarCookieMissingSecureFlagCodemod.java b/...emods/src/main/java/io/codemodder/codemods/sonar/SonarCookieMissingSecureFlagCodemod.java
@@ -0,0 +1,62 @@
+package io.codemodder.codemods.sonar;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleHotspot;
+import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.missingsecureflag.MissingSecureFlagRemediator;
+import io.codemodder.sonar.model.Hotspot;
+import io.codemodder.sonar.model.SonarFinding;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.inject.Inject;
+
+@Codemod(
+    id = "sonar:java/cookie-missing-secure-flag-2092",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class SonarCookieMissingSecureFlagCodemod extends SonarRemediatingJavaParserChanger {
+
+  private final Remediator<Hotspot> remediationStrategy;
+  private final RuleHotspot issues;
+
+  @Inject
+  public SonarCookieMissingSecureFlagCodemod(
+      @ProvidedSonarScan(ruleId = "java:S2092") final RuleHotspot hotspots) {
+    super(GenericRemediationMetadata.MISSING_SECURE_FLAG.reporter(), hotspots);
+    this.issues = Objects.requireNonNull(hotspots);
+    this.remediationStrategy = new MissingSecureFlagRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "java:S2092",
+        "Make sure creating this cookie without the \"secure\" flag is safe here.",
+        "https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-2092/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    List<Hotspot> issuesForFile = issues.getResultsByPath(context.path());
+    return remediationStrategy.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        issuesForFile,
+        SonarFinding::getKey,
+        i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
+        i ->
+            i.getTextRange() != null
+                ? Optional.of(i.getTextRange().getEndLine())
+                : Optional.empty(),
+        i -> Optional.empty());
+  }
+}
diff --git a/...r/codemods/SonarJNDIInjectionCodemod.java → ...mods/sonar/SonarJNDIInjectionCodemod.java b/...r/codemods/SonarJNDIInjectionCodemod.java → ...mods/sonar/SonarJNDIInjectionCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;

diff --git a/...ds/SonarObjectDeserializationCodemod.java → ...ar/SonarObjectDeserializationCodemod.java b/...ds/SonarObjectDeserializationCodemod.java → ...ar/SonarObjectDeserializationCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;

diff --git a/...narRemoveUnthrowableExceptionCodemod.java → ...narRemoveUnthrowableExceptionCodemod.java b/...narRemoveUnthrowableExceptionCodemod.java → ...narRemoveUnthrowableExceptionCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.type.ClassOrInterfaceType;

diff --git a/...er/codemods/SonarSQLInjectionCodemod.java → ...emods/sonar/SonarSQLInjectionCodemod.java b/...er/codemods/SonarSQLInjectionCodemod.java → ...emods/sonar/SonarSQLInjectionCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.expr.Expression;

diff --git a/...codemodder/codemods/SonarSSRFCodemod.java → ...dder/codemods/sonar/SonarSSRFCodemod.java b/...codemodder/codemods/SonarSSRFCodemod.java → ...dder/codemods/sonar/SonarSSRFCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;

diff --git a/...arUnsafeReflectionRemediationCodemod.java → ...arUnsafeReflectionRemediationCodemod.java b/...arUnsafeReflectionRemediationCodemod.java → ...arUnsafeReflectionRemediationCodemod.java
@@ -1,4 +1,4 @@
-package io.codemodder.codemods;
+package io.codemodder.codemods.sonar;
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;

diff --git a/...codemods/src/main/java/io/codemodder/codemods/sonar/SonarWeakHashingAlgorithmCodemod.java b/...codemods/src/main/java/io/codemodder/codemods/sonar/SonarWeakHashingAlgorithmCodemod.java
@@ -0,0 +1,62 @@
+package io.codemodder.codemods.sonar;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleHotspot;
+import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.weakcrypto.WeakCryptoAlgorithmRemediator;
+import io.codemodder.sonar.model.Hotspot;
+import io.codemodder.sonar.model.SonarFinding;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.inject.Inject;
+
+@Codemod(
+    id = "sonar:java/weak-hash-4790",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class SonarWeakHashingAlgorithmCodemod extends SonarRemediatingJavaParserChanger {
+
+  private final Remediator<Hotspot> remediationStrategy;
+  private final RuleHotspot issues;
+
+  @Inject
+  public SonarWeakHashingAlgorithmCodemod(
+      @ProvidedSonarScan(ruleId = "java:S4790") final RuleHotspot hotspots) {
+    super(GenericRemediationMetadata.WEAK_CRYPTO_ALGORITHM.reporter(), hotspots);
+    this.issues = Objects.requireNonNull(hotspots);
+    this.remediationStrategy = new WeakCryptoAlgorithmRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "java:S4790",
+        "Using weak hashing algorithms is security-sensitive",
+        "https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-4790/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    List<Hotspot> issuesForFile = issues.getResultsByPath(context.path());
+    return remediationStrategy.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        issuesForFile,
+        SonarFinding::getKey,
+        i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
+        i ->
+            i.getTextRange() != null
+                ? Optional.of(i.getTextRange().getEndLine())
+                : Optional.empty(),
+        i -> Optional.empty());
+  }
+}