Add overlapping fix logic (#409)

This adds more the ability to group fixes by location and more tests for
all the fix candidate searcher logic.

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/SQLParameterizerCodemod.java

@@ -6,7 +6,6 @@
 import io.codemodder.javaparser.JavaParserChanger;
 import java.util.List;
 import java.util.Optional;
-import java.util.stream.Collectors;
 
 /** Parameterizes SQL statements in the JDBC API. */
 @Codemod(
@@ -29,7 +28,7 @@ public CodemodFileScanningResult visit(
     List<CodemodChange> changes =
         cu.findAll(MethodCallExpr.class).stream()
             .flatMap(mce -> onNodeFound(mce).stream())
-            .collect(Collectors.toList());
+            .toList();
     return CodemodFileScanningResult.withOnlyChanges(changes);
   }
 }

core-codemods/src/main/java/io/codemodder/codemods/util/DefaultJavaParserSQLInjectionRemediatorStrategy.java

@@ -9,6 +9,9 @@
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.codetf.FixedFinding;
 import io.codemodder.codetf.UnfixedFinding;
+import io.codemodder.remediation.FixCandidate;
+import io.codemodder.remediation.FixCandidateSearchResults;
+import io.codemodder.remediation.FixCandidateSearcher;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -42,7 +45,20 @@ public <T> CodemodFileScanningResult remediateAll(
       final Function<T, String> findingIdExtractor,
       final Function<T, Integer> findingLineExtractor) {
 
-    final List<MethodCallExpr> allMethodCalls = cu.findAll(MethodCallExpr.class);
+    FixCandidateSearcher<T> searcher =
+        new FixCandidateSearcher.Builder<T>()
+            .withMatcher(SQLParameterizer::isSupportedJdbcMethodCall)
+            .build();
+
+    FixCandidateSearchResults<T> results =
+        searcher.search(
+            cu,
+            path,
+            detectorRule,
+            new ArrayList<>(findingsForPath),
+            findingIdExtractor,
+            findingLineExtractor,
+            f -> null);
 
     if (findingsForPath.isEmpty()) {
       return CodemodFileScanningResult.none();
@@ -51,55 +67,41 @@ public <T> CodemodFileScanningResult remediateAll(
     final List<UnfixedFinding> unfixedFindings = new ArrayList<>();
     final List<CodemodChange> changes = new ArrayList<>();
 
-    for (T finding : findingsForPath) {
-      final String id = findingIdExtractor.apply(finding);
-      final Integer line = findingLineExtractor.apply(finding);
+    for (FixCandidate<T> fixCandidate : results.fixCandidates()) {
+      List<T> issues = fixCandidate.issues();
+      Integer line = findingLineExtractor.apply(issues.get(0));
 
       if (line == null) {
-        final UnfixedFinding unfixableFinding =
-            new UnfixedFinding(id, detectorRule, path, null, "No line number provided");
-        unfixedFindings.add(unfixableFinding);
-        continue;
-      }
-
-      final List<MethodCallExpr> supportedSqlMethodCallsOnThatLine =
-          allMethodCalls.stream()
-              .filter(methodCallExpr -> methodCallExpr.getRange().get().begin.line == line)
-              .filter(SQLParameterizer::isSupportedJdbcMethodCall)
-              .toList();
-
-      if (supportedSqlMethodCallsOnThatLine.isEmpty()) {
-        final UnfixedFinding unfixableFinding =
-            new UnfixedFinding(
-                id, detectorRule, path, line, "No supported SQL methods found on the given line");
-        unfixedFindings.add(unfixableFinding);
-        continue;
-      }
-
-      if (supportedSqlMethodCallsOnThatLine.size() > 1) {
-        final UnfixedFinding unfixableFinding =
-            new UnfixedFinding(
-                id,
-                detectorRule,
-                path,
-                line,
-                "Multiple supported SQL methods found on the given line");
-        unfixedFindings.add(unfixableFinding);
+        issues.forEach(
+            issue -> {
+              final String id = findingIdExtractor.apply(issue);
+              final UnfixedFinding unfixableFinding =
+                  new UnfixedFinding(id, detectorRule, path, null, "No line number provided");
+              unfixedFindings.add(unfixableFinding);
+            });
         continue;
       }
 
-      final MethodCallExpr methodCallExpr = supportedSqlMethodCallsOnThatLine.get(0);
+      final MethodCallExpr methodCallExpr = fixCandidate.methodCall();
       if (SQLParameterizerWithCleanup.checkAndFix(methodCallExpr)) {
-        changes.add(CodemodChange.from(line, new FixedFinding(id, detectorRule)));
+        issues.forEach(
+            issue -> {
+              final String id = findingIdExtractor.apply(issue);
+              changes.add(CodemodChange.from(line, new FixedFinding(id, detectorRule)));
+            });
       } else {
-        final UnfixedFinding unfixableFinding =
-            new UnfixedFinding(
-                id,
-                detectorRule,
-                path,
-                line,
-                "State changing effects possible or unrecognized code shape");
-        unfixedFindings.add(unfixableFinding);
+        issues.forEach(
+            issue -> {
+              final String id = findingIdExtractor.apply(issue);
+              final UnfixedFinding unfixableFinding =
+                  new UnfixedFinding(
+                      id,
+                      detectorRule,
+                      path,
+                      line,
+                      "State changing effects possible or unrecognized code shape");
+              unfixedFindings.add(unfixableFinding);
+            });
       }
     }
 

core-codemods/src/test/java/io/codemodder/codemods/SensitiveDataLoggingCodemodTest.java

@@ -3,7 +3,9 @@
 import io.codemodder.plugins.llm.test.LLMVerifyingCodemodTestMixin;
 import io.codemodder.plugins.llm.test.OpenAIIntegrationTest;
 import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Disabled;
 
+@Disabled
 @Metadata(
     codemodType = SensitiveDataLoggingCodemod.class,
     testResourceDir = "sensitive-data-logging",

framework/codemodder-base/src/main/java/io/codemodder/CodemodChange.java

@@ -163,6 +163,11 @@ public static CodemodChange from(
     return new CodemodChange(line, dependencyGAVS, List.of(finding));
   }
 
+  public static CodemodChange from(
+      final int line, final List<DependencyGAV> dependencyGAVS, final List<FixedFinding> finding) {
+    return new CodemodChange(line, dependencyGAVS, finding);
+  }
+
   public static CodemodChange from(
       final int line, final String description, final FixedFinding finding) {
     return new CodemodChange(line, description, List.of(finding));

framework/codemodder-base/src/main/java/io/codemodder/remediation/DefaultFixCandidateSearcher.java

@@ -6,7 +6,9 @@
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.codetf.UnfixedFinding;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.function.Function;
 import java.util.function.Predicate;
 
@@ -32,7 +34,6 @@ public FixCandidateSearchResults<T> search(
       final Function<T, Integer> getColumn) {
 
     List<UnfixedFinding> unfixedFindings = new ArrayList<>();
-    List<FixCandidate<T>> fixCandidates = new ArrayList<>();
     List<MethodCallExpr> calls =
         cu.findAll(MethodCallExpr.class).stream()
             .filter(
@@ -44,6 +45,8 @@ public FixCandidateSearchResults<T> search(
             .filter(mce -> matchers.stream().allMatch(m -> m.test(mce)))
             .toList();
 
+    Map<MethodCallExpr, List<T>> fixCandidateToIssueMapping = new HashMap<>();
+
     for (T issue : issuesForFile) {
       String findingId = getKey.apply(issue);
       int line = getLine.apply(issue);
@@ -71,9 +74,14 @@ public FixCandidateSearchResults<T> search(
         continue;
       }
       MethodCallExpr call = callsForIssue.get(0);
-      fixCandidates.add(new FixCandidate<>(call, issue));
+      fixCandidateToIssueMapping.computeIfAbsent(call, k -> new ArrayList<>()).add(issue);
     }
 
+    List<FixCandidate<T>> fixCandidates =
+        fixCandidateToIssueMapping.entrySet().stream()
+            .map(entry -> new FixCandidate<>(entry.getKey(), entry.getValue()))
+            .toList();
+
     return new FixCandidateSearchResults<T>() {
       @Override
       public List<UnfixedFinding> unfixableFindings() {

framework/codemodder-base/src/main/java/io/codemodder/remediation/FixCandidate.java

@@ -1,13 +1,17 @@
 package io.codemodder.remediation;
 
 import com.github.javaparser.ast.expr.MethodCallExpr;
+import java.util.List;
 import java.util.Objects;
 
 /** The potential fix location. */
-public record FixCandidate<T>(MethodCallExpr methodCall, T issue) {
+public record FixCandidate<T>(MethodCallExpr methodCall, List<T> issues) {
 
   public FixCandidate {
     Objects.requireNonNull(methodCall);
-    Objects.requireNonNull(issue);
+    Objects.requireNonNull(issues);
+    if (issues.isEmpty()) {
+      throw new IllegalArgumentException("issues cannot be empty");
+    }
   }
 }

framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/DefaultHeaderInjectionRemediator.java

@@ -63,9 +63,7 @@ public <T> CodemodFileScanningResult remediateAll(
 
     List<CodemodChange> changes = new ArrayList<>();
     for (FixCandidate<T> fixCandidate : results.fixCandidates()) {
-      T issue = fixCandidate.issue();
-      String findingId = getKey.apply(issue);
-      int line = getLine.apply(issue);
+      List<T> issues = fixCandidate.issues();
 
       MethodCallExpr setHeaderCall = fixCandidate.methodCall();
       Expression headerValueArgument = setHeaderCall.getArgument(1);
@@ -94,7 +92,14 @@ public <T> CodemodFileScanningResult remediateAll(
           parentClass.addMember(fixMethod);
         }
       }
-      changes.add(CodemodChange.from(line, new FixedFinding(findingId, detectorRule)));
+
+      // all the line numbers should be the same, so we just grab the first one
+      int line = getLine.apply(fixCandidate.issues().get(0));
+      List<FixedFinding> fixedFindings =
+          issues.stream()
+              .map(issue -> new FixedFinding(getKey.apply(issue), detectorRule))
+              .toList();
+      changes.add(CodemodChange.from(line, List.of(), fixedFindings));
     }
 
     return CodemodFileScanningResult.from(changes, results.unfixableFindings());

framework/codemodder-base/src/main/java/io/codemodder/remediation/jndiinjection/DefaultJNDIInjectionRemediator.java

@@ -61,38 +61,54 @@ public <T> CodemodFileScanningResult remediateAll(
     List<CodemodChange> changes = new ArrayList<>();
 
     for (FixCandidate<T> fixCandidate : results.fixCandidates()) {
-      T issue = fixCandidate.issue();
-      String findingId = getKey.apply(issue);
-      int line = getLine.apply(issue);
+      List<T> issues = fixCandidate.issues();
+      int line = getLine.apply(issues.get(0));
 
       MethodCallExpr lookupCall = fixCandidate.methodCall();
       // get the parent method of the lookup() call
       Optional<MethodDeclaration> parentMethod = lookupCall.findAncestor(MethodDeclaration.class);
       if (parentMethod.isEmpty()) {
-        UnfixedFinding unfixedFinding =
-            new UnfixedFinding(
-                findingId, detectorRule, path, line, "No method found around lookup call");
-        unfixedFindings.add(unfixedFinding);
+        issues.stream()
+            .map(getKey)
+            .map(
+                findingId ->
+                    new UnfixedFinding(
+                        findingId, detectorRule, path, line, "No method found around lookup call"))
+            .forEach(unfixedFindings::add);
         continue;
       }
 
       // confirm its a concrete type -- can't add validation method to
       ClassOrInterfaceDeclaration parentClass =
           parentMethod.get().findAncestor(ClassOrInterfaceDeclaration.class).get();
       if (parentClass.isInterface()) {
-        UnfixedFinding unfixedFinding =
-            new UnfixedFinding(
-                findingId, detectorRule, path, line, "Cannot add validation method to interface");
-        unfixedFindings.add(unfixedFinding);
+        issues.stream()
+            .map(getKey)
+            .map(
+                findingId ->
+                    new UnfixedFinding(
+                        findingId,
+                        detectorRule,
+                        path,
+                        line,
+                        "Cannot add validation method to interface"))
+            .forEach(unfixedFindings::add);
         continue;
       }
 
       Optional<Statement> lookupStatement = lookupCall.findAncestor(Statement.class);
       if (lookupStatement.isEmpty()) {
-        UnfixedFinding unfixedFinding =
-            new UnfixedFinding(
-                findingId, detectorRule, path, line, "No statement found around lookup call");
-        unfixedFindings.add(unfixedFinding);
+        issues.stream()
+            .map(getKey)
+            .map(
+                findingId ->
+                    new UnfixedFinding(
+                        findingId,
+                        detectorRule,
+                        path,
+                        line,
+                        "No statement found around lookup call"))
+            .forEach(unfixedFindings::add);
         continue;
       }
 
@@ -102,26 +118,47 @@ public <T> CodemodFileScanningResult remediateAll(
 
       Optional<Node> lookupParentNode = lookupStatement.get().getParentNode();
       if (lookupParentNode.isEmpty()) {
-        UnfixedFinding unfixedFinding =
-            new UnfixedFinding(
-                findingId, detectorRule, path, line, "No parent node found around lookup call");
-        unfixedFindings.add(unfixedFinding);
+        issues.stream()
+            .map(getKey)
+            .map(
+                findingId ->
+                    new UnfixedFinding(
+                        findingId,
+                        detectorRule,
+                        path,
+                        line,
+                        "No parent node found around lookup call"))
+            .forEach(unfixedFindings::add);
         continue;
       }
 
       if (!(lookupParentNode.get() instanceof BlockStmt blockStmt)) {
-        UnfixedFinding unfixedFinding =
-            new UnfixedFinding(
-                findingId, detectorRule, path, line, "No block statement found around lookup call");
-        unfixedFindings.add(unfixedFinding);
+        issues.stream()
+            .map(getKey)
+            .map(
+                findingId ->
+                    new UnfixedFinding(
+                        findingId,
+                        detectorRule,
+                        path,
+                        line,
+                        "No block statement found around lookup call"))
+            .forEach(unfixedFindings::add);
         continue;
       }
 
       // add the validation call to the block statement
       int index = blockStmt.getStatements().indexOf(lookupStatement.get());
       List<DependencyGAV> deps =
           fixStrategy.fix(cu, parentClass, lookupCall, contextNameVariable, blockStmt, index);
-      changes.add(CodemodChange.from(line, deps, new FixedFinding(findingId, detectorRule)));
+
+      List<FixedFinding> fixedFindings =
+          issues.stream()
+              .map(getKey)
+              .map(findingId -> new FixedFinding(findingId, detectorRule))
+              .toList();
+
+      changes.add(CodemodChange.from(line, deps, fixedFindings));
     }
 
     List<UnfixedFinding> allUnfixedFindings = new ArrayList<>(results.unfixableFindings());