pixee
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java‎
Lines changed: 3 additions & 3 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/SonarObjectDeserializationCodemod.java‎
Lines changed: 7 additions & 4 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/SonarObjectDeserializationCodemod.java‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/SonarSQLInjectionCodemod.java‎
Lines changed: 25 additions & 2 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/SonarSQLInjectionCodemod.java‎
Lines changed: 25 additions & 2 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/SonarSSRFCodemod.java‎
Lines changed: 7 additions & 4 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/SonarSSRFCodemod.java‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/SonarUnsafeReflectionRemediationCodemod.java‎
Lines changed: 7 additions & 4 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/SonarUnsafeReflectionRemediationCodemod.java‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLDeserializationOfUserControlledDataCodemod.java‎
Lines changed: 9 additions & 4 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLDeserializationOfUserControlledDataCodemod.java‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLHttpResponseSplittingCodemod.java‎
Lines changed: 9 additions & 4 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLHttpResponseSplittingCodemod.java‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLSQLInjectionCodemod.java‎
Lines changed: 25 additions & 2 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLSQLInjectionCodemod.java‎
Lines changed: 25 additions & 2 deletions
diff --git a/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLSSRFCodemod.java‎
Lines changed: 9 additions & 4 deletions b/‎core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLSSRFCodemod.java‎
Lines changed: 9 additions & 4 deletions
@@ -27,15 +27,15 @@ public final class DefectDojoSqlInjectionCodemod extends JavaParserChanger
     implements FixOnlyCodeChanger {
 
   private final RuleFindings findings;
-  private final Remediator<Finding> remediatorStrategy;
+  private final Remediator<Finding> remediationStrategy;
 
   @Inject
   public DefectDojoSqlInjectionCodemod(
       @DefectDojoScan(ruleId = "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli")
           RuleFindings findings) {
     super(CodemodReporterStrategy.fromClasspath(SQLParameterizerCodemod.class));
     this.findings = Objects.requireNonNull(findings);
-    this.remediatorStrategy = new SQLInjectionRemediator<>();
+    this.remediationStrategy = new SQLInjectionRemediator<>();
   }
 
   @Override
@@ -55,7 +55,7 @@ public DetectorRule detectorRule() {
   public CodemodFileScanningResult visit(
       final CodemodInvocationContext context, final CompilationUnit cu) {
     List<Finding> findingsForThisPath = findings.getForPath(context.path());
-    return remediatorStrategy.remediateAll(
+    return remediationStrategy.remediateAll(
         cu,
         context.path().toString(),
         detectorRule(),
 
@@ -7,11 +7,14 @@
 import io.codemodder.providers.sonar.RuleIssue;
 import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.javadeserialization.JavaDeserializationRemediator;
 import io.codemodder.sonar.model.Issue;
 import io.codemodder.sonar.model.SonarFinding;
+import io.codemodder.sonar.model.TextRange;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 import javax.inject.Inject;
 
 /** Fixes Object Deserialization issues found by sonar rule javasecurity:S5135. */
@@ -22,15 +25,15 @@
     importance = Importance.HIGH)
 public final class SonarObjectDeserializationCodemod extends SonarRemediatingJavaParserChanger {
 
-  private final JavaDeserializationRemediator remediator;
+  private final Remediator<Issue> remediator;
   private final RuleIssue issues;
 
   @Inject
   public SonarObjectDeserializationCodemod(
       @ProvidedSonarScan(ruleId = "javasecurity:S5135") final RuleIssue issues) {
     super(GenericRemediationMetadata.DESERIALIZATION.reporter(), issues);
     this.issues = Objects.requireNonNull(issues);
-    this.remediator = JavaDeserializationRemediator.DEFAULT;
+    this.remediator = new JavaDeserializationRemediator<>();
   }
 
   @Override
@@ -52,7 +55,7 @@ public CodemodFileScanningResult visit(
         issuesForFile,
         SonarFinding::getKey,
         i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
-        i -> i.getTextRange() != null ? i.getTextRange().getEndLine() : null,
-        i -> i.getTextRange() != null ? i.getTextRange().getStartOffset() : null);
+        i -> Optional.ofNullable(i.getTextRange()).map(TextRange::getEndLine),
+        i -> Optional.ofNullable(i.getTextRange()).map(tr -> tr.getStartOffset() + 1));
   }
 }
@@ -1,14 +1,18 @@
 package io.codemodder.codemods;
 
 import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.Expression;
 import io.codemodder.*;
+import io.codemodder.ast.ASTs;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sonar.ProvidedSonarScan;
 import io.codemodder.providers.sonar.RuleHotspot;
 import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
+import io.codemodder.remediation.FixCandidateSearcher;
 import io.codemodder.remediation.GenericRemediationMetadata;
 import io.codemodder.remediation.Remediator;
-import io.codemodder.remediation.sqlinjection.SQLInjectionRemediator;
+import io.codemodder.remediation.SearcherStrategyRemediator;
+import io.codemodder.remediation.sqlinjection.SQLInjectionFixComposer;
 import io.codemodder.sonar.model.Hotspot;
 import io.codemodder.sonar.model.SonarFinding;
 import io.codemodder.sonar.model.TextRange;
@@ -32,7 +36,26 @@ public SonarSQLInjectionCodemod(
       @ProvidedSonarScan(ruleId = "java:S2077") final RuleHotspot hotspots) {
     super(GenericRemediationMetadata.SQL_INJECTION.reporter(), hotspots);
     this.hotspots = Objects.requireNonNull(hotspots);
-    this.remediationStrategy = new SQLInjectionRemediator<>();
+    this.remediationStrategy =
+        new SearcherStrategyRemediator.Builder<Hotspot>()
+            .withSearcherStrategyPair(
+                new FixCandidateSearcher.Builder<Hotspot>()
+                    .withMatcher(
+                        n ->
+                            Optional.empty()
+                                // is the argument of the call
+                                .or(
+                                    () ->
+                                        Optional.of(n)
+                                            .map(
+                                                m ->
+                                                    m instanceof Expression ? (Expression) m : null)
+                                            .flatMap(ASTs::isArgumentOfMethodCall)
+                                            .filter(SQLInjectionFixComposer::match))
+                                .isPresent())
+                    .build(),
+                new SQLInjectionFixComposer())
+            .build();
   }
 
   @Override
 
@@ -7,11 +7,14 @@
 import io.codemodder.providers.sonar.RuleIssue;
 import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.ssrf.SSRFRemediator;
 import io.codemodder.sonar.model.Issue;
 import io.codemodder.sonar.model.SonarFinding;
+import io.codemodder.sonar.model.TextRange;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 import javax.inject.Inject;
 
 /** Fixes SSRF issues found by sonar rule javasecurity:S5144. */
@@ -22,15 +25,15 @@
     importance = Importance.HIGH)
 public final class SonarSSRFCodemod extends SonarRemediatingJavaParserChanger {
 
-  private final SSRFRemediator remediator;
+  private final Remediator<Issue> remediator;
   private final RuleIssue issues;
 
   @Inject
   public SonarSSRFCodemod(
       @ProvidedSonarScan(ruleId = "javasecurity:S5144") final RuleIssue issues) {
     super(GenericRemediationMetadata.SSRF.reporter(), issues);
     this.issues = Objects.requireNonNull(issues);
-    this.remediator = SSRFRemediator.DEFAULT;
+    this.remediator = new SSRFRemediator<>();
   }
 
   @Override
@@ -52,7 +55,7 @@ public CodemodFileScanningResult visit(
         issuesForFile,
         SonarFinding::getKey,
         i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
-        i -> i.getTextRange() != null ? i.getTextRange().getEndLine() : null,
-        i -> i.getTextRange() != null ? i.getTextRange().getStartOffset() : null);
+        i -> Optional.ofNullable(i.getTextRange()).map(TextRange::getEndLine),
+        i -> Optional.ofNullable(i.getTextRange()).map(tr -> tr.getStartOffset() + 1));
   }
 }
@@ -7,9 +7,12 @@
 import io.codemodder.providers.sonar.RuleIssue;
 import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.reflectioninjection.ReflectionInjectionRemediator;
 import io.codemodder.sonar.model.Issue;
+import io.codemodder.sonar.model.TextRange;
 import java.util.Objects;
+import java.util.Optional;
 import javax.inject.Inject;
 
 /** Sonar remediation codemod for S2658: Classes should not be loaded dynamically. */
@@ -21,14 +24,14 @@
 public final class SonarUnsafeReflectionRemediationCodemod
     extends SonarRemediatingJavaParserChanger {
 
-  private final ReflectionInjectionRemediator remediator;
+  private final Remediator<Issue> remediator;
   private final RuleIssue issues;
 
   @Inject
   public SonarUnsafeReflectionRemediationCodemod(
       @ProvidedSonarScan(ruleId = "java:S2658") final RuleIssue issues) {
     super(GenericRemediationMetadata.REFLECTION_INJECTION.reporter(), issues);
-    this.remediator = ReflectionInjectionRemediator.DEFAULT;
+    this.remediator = new ReflectionInjectionRemediator<>();
     this.issues = Objects.requireNonNull(issues);
   }
 
@@ -50,7 +53,7 @@ public CodemodFileScanningResult visit(
         issues.getResultsByPath(context.path()),
         Issue::getKey,
         i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
-        i -> i.getTextRange() != null ? i.getTextRange().getEndLine() : null,
-        i -> i.getTextRange().getStartOffset());
+        i -> Optional.ofNullable(i.getTextRange()).map(TextRange::getEndLine),
+        i -> Optional.empty());
   }
 }
@@ -1,11 +1,14 @@
 package io.codemodder.codemods.codeql;
 
+import com.contrastsecurity.sarif.Result;
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.javadeserialization.JavaDeserializationRemediator;
+import java.util.Optional;
 import javax.inject.Inject;
 
 /** A codemod for automatically fixing untrusted deserialization from CodeQL. */
@@ -17,13 +20,13 @@
 public final class CodeQLDeserializationOfUserControlledDataCodemod
     extends CodeQLRemediationCodemod {
 
-  private final JavaDeserializationRemediator remediator;
+  private final Remediator<Result> remediator;
 
   @Inject
   public CodeQLDeserializationOfUserControlledDataCodemod(
       @ProvidedCodeQLScan(ruleId = "java/unsafe-deserialization") final RuleSarif sarif) {
     super(GenericRemediationMetadata.DESERIALIZATION.reporter(), sarif);
-    this.remediator = JavaDeserializationRemediator.DEFAULT;
+    this.remediator = new JavaDeserializationRemediator<>();
   }
 
   @Override
@@ -44,7 +47,9 @@ public CodemodFileScanningResult visit(
         ruleSarif.getResultsByLocationPath(context.path()),
         SarifFindingKeyUtil::buildFindingId,
         r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
-        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine(),
-        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn());
+        r -> Optional.of(r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r ->
+            Optional.of(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
   }
 }
@@ -1,11 +1,14 @@
 package io.codemodder.codemods.codeql;
 
+import com.contrastsecurity.sarif.Result;
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.headerinjection.HeaderInjectionRemediator;
+import java.util.Optional;
 import javax.inject.Inject;
 
 /** A codemod for automatically fixing HTTP response splitting from CodeQL. */
@@ -16,13 +19,13 @@
     executionPriority = CodemodExecutionPriority.HIGH)
 public final class CodeQLHttpResponseSplittingCodemod extends CodeQLRemediationCodemod {
 
-  private final HeaderInjectionRemediator remediator;
+  private final Remediator<Result> remediator;
 
   @Inject
   public CodeQLHttpResponseSplittingCodemod(
       @ProvidedCodeQLScan(ruleId = "java/http-response-splitting") final RuleSarif sarif) {
     super(GenericRemediationMetadata.HEADER_INJECTION.reporter(), sarif);
-    this.remediator = HeaderInjectionRemediator.DEFAULT;
+    this.remediator = new HeaderInjectionRemediator<>();
   }
 
   @Override
@@ -43,7 +46,9 @@ public CodemodFileScanningResult visit(
         ruleSarif.getResultsByLocationPath(context.path()),
         SarifFindingKeyUtil::buildFindingId,
         r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
-        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine(),
-        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn());
+        r -> Optional.of(r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r ->
+            Optional.of(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
   }
 }
@@ -2,12 +2,16 @@
 
 import com.contrastsecurity.sarif.Result;
 import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.Expression;
 import io.codemodder.*;
+import io.codemodder.ast.ASTs;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.FixCandidateSearcher;
 import io.codemodder.remediation.GenericRemediationMetadata;
 import io.codemodder.remediation.Remediator;
-import io.codemodder.remediation.sqlinjection.SQLInjectionRemediator;
+import io.codemodder.remediation.SearcherStrategyRemediator;
+import io.codemodder.remediation.sqlinjection.SQLInjectionFixComposer;
 import java.util.Optional;
 import javax.inject.Inject;
 
@@ -25,7 +29,26 @@ public final class CodeQLSQLInjectionCodemod extends CodeQLRemediationCodemod {
   public CodeQLSQLInjectionCodemod(
       @ProvidedCodeQLScan(ruleId = "java/sql-injection") final RuleSarif sarif) {
     super(GenericRemediationMetadata.SQL_INJECTION.reporter(), sarif);
-    this.remediator = new SQLInjectionRemediator<>();
+    this.remediator =
+        new SearcherStrategyRemediator.Builder<Result>()
+            .withSearcherStrategyPair(
+                new FixCandidateSearcher.Builder<Result>()
+                    .withMatcher(
+                        n ->
+                            Optional.empty()
+                                // is the argument of the call
+                                .or(
+                                    () ->
+                                        Optional.of(n)
+                                            .map(
+                                                m ->
+                                                    m instanceof Expression ? (Expression) m : null)
+                                            .flatMap(ASTs::isArgumentOfMethodCall)
+                                            .filter(SQLInjectionFixComposer::match))
+                                .isPresent())
+                    .build(),
+                new SQLInjectionFixComposer())
+            .build();
   }
 
   @Override
 
@@ -1,11 +1,14 @@
 package io.codemodder.codemods.codeql;
 
+import com.contrastsecurity.sarif.Result;
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.ssrf.SSRFRemediator;
+import java.util.Optional;
 import javax.inject.Inject;
 
 /** A codemod for automatically fixing SQL injection from CodeQL. */
@@ -16,12 +19,12 @@
     executionPriority = CodemodExecutionPriority.HIGH)
 public final class CodeQLSSRFCodemod extends CodeQLRemediationCodemod {
 
-  private final SSRFRemediator remediator;
+  private final Remediator<Result> remediator;
 
   @Inject
   public CodeQLSSRFCodemod(@ProvidedCodeQLScan(ruleId = "java/ssrf") final RuleSarif sarif) {
     super(GenericRemediationMetadata.SSRF.reporter(), sarif);
-    this.remediator = SSRFRemediator.DEFAULT;
+    this.remediator = new SSRFRemediator<>();
   }
 
   @Override
@@ -42,7 +45,9 @@ public CodemodFileScanningResult visit(
         ruleSarif.getResultsByLocationPath(context.path()),
         SarifFindingKeyUtil::buildFindingId,
         r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
-        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine(),
-        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn());
+        r -> Optional.of(r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r ->
+            Optional.of(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
   }
 }