Sonar codemod to Replace the "@controller" annotation by "@RestController" and remove all "@responsebody" annotations. (#255)

carlosu7 · web-flow · commit 25e81b81e112 · 2023-12-08T18:16:41.000-06:00
Given example: https://sonarcloud.io/project/issues?cleanCodeAttributeCategories=CONSISTENT&resolved=false&id=nahsra_WebGoat_10_23&open=AYvtrj4zLCzGLicz7AqC&tab=code Sonar rule Reference: https://rules.sonarsource.com/java/RSPEC-6833/
diff --git a/core-codemods/src/main/java/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemod.java b/core-codemods/src/main/java/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemod.java
@@ -0,0 +1,84 @@
+package io.codemodder.codemods;
+
+import static io.codemodder.ast.ASTTransforms.addImportIfMissing;
+import static io.codemodder.ast.ASTTransforms.removeImportIfUnused;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
+import com.github.javaparser.ast.body.MethodDeclaration;
+import com.github.javaparser.ast.expr.AnnotationExpr;
+import com.github.javaparser.ast.expr.MarkerAnnotationExpr;
+import io.codemodder.*;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleIssues;
+import io.codemodder.providers.sonar.SonarPluginJavaParserChanger;
+import io.codemodder.providers.sonar.api.Issue;
+import java.util.List;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/**
+ * A codemod to replace `@Controller` with `@RestController` and remove `@ResponseBody` annotations
+ */
+@Codemod(
+    id = "sonar:java/simplify-rest-controller-annotations-s6833",
+    reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class SimplifyRestControllerAnnotationsCodemod
+    extends SonarPluginJavaParserChanger<ClassOrInterfaceDeclaration> {
+
+  @Inject
+  public SimplifyRestControllerAnnotationsCodemod(
+      @ProvidedSonarScan(ruleId = "java:S6833") final RuleIssues issues) {
+    super(issues, ClassOrInterfaceDeclaration.class, RegionNodeMatcher.MATCHES_START);
+  }
+
+  @Override
+  public boolean onIssueFound(
+      final CodemodInvocationContext context,
+      final CompilationUnit cu,
+      final ClassOrInterfaceDeclaration classOrInterfaceDeclaration,
+      final Issue issue) {
+
+    final Optional<AnnotationExpr> controllerAnnotationOptional =
+        classOrInterfaceDeclaration.getAnnotationByName("Controller");
+
+    if (controllerAnnotationOptional.isEmpty()) {
+      return false;
+    }
+
+    replaceControllerToRestControllerAnnotation(cu, controllerAnnotationOptional.get());
+
+    final Optional<AnnotationExpr> responseBodyClassAnnotationOptional =
+        classOrInterfaceDeclaration.getAnnotationByName("ResponseBody");
+
+    responseBodyClassAnnotationOptional.ifPresent(AnnotationExpr::remove);
+
+    removeResponseBodyAnnotationFromClassMethods(classOrInterfaceDeclaration);
+
+    removeImportIfUnused(cu, "org.springframework.web.bind.annotation.ResponseBody");
+
+    return true;
+  }
+
+  private void replaceControllerToRestControllerAnnotation(
+      final CompilationUnit cu, final AnnotationExpr controllerAnnotation) {
+    final AnnotationExpr restControllerAnnotation = new MarkerAnnotationExpr("RestController");
+    controllerAnnotation.replace(restControllerAnnotation);
+    removeImportIfUnused(cu, "org.springframework.stereotype.Controller");
+    addImportIfMissing(cu, "org.springframework.web.bind.annotation.RestController");
+  }
+
+  private void removeResponseBodyAnnotationFromClassMethods(
+      final ClassOrInterfaceDeclaration classOrInterfaceDeclaration) {
+    final List<MethodDeclaration> methods = classOrInterfaceDeclaration.getMethods();
+    if (methods != null && !methods.isEmpty()) {
+      methods.forEach(
+          method -> {
+            final Optional<AnnotationExpr> responseBodyMethodAnnotationOptional =
+                method.getAnnotationByName("ResponseBody");
+            responseBodyMethodAnnotationOptional.ifPresent(AnnotationExpr::remove);
+          });
+    }
+  }
+}
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemod/description.md b/core-codemods/src/main/resources/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemod/description.md
@@ -0,0 +1,16 @@
+This change makes it harder for developers to make a mistake when writing REST controllers in Spring. By marking the top level type with `@RestController`, it is now assumed that all the methods within it will return a Java object representing the response body. Thus, there is no need to specify, for each method, the `@ResponseBody` annotation.
+
+Our changes look something like this:
+
+```diff
+-   import org.springframework.stereotype.Controller;
+-   import org.springframework.web.bind.annotation.ResponseBody;
++   import org.springframework.web.bind.annotation.RestController;
+-   @Controller
++   @RestController
+    public class AccountController {
+      ...
+-     @ResponseBody
+      public AccountDetails viewAccount() {
+        ...
+```
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemod/report.json
@@ -0,0 +1,7 @@
+{
+  "summary" : "Replace `@Controller` with `@RestController` and remove `@ResponseBody` annotations (Sonar).",
+  "change" : "Replace `@Controller` with `@RestController` and remove `@ResponseBody` annotations.",
+  "references" : [
+    "https://rules.sonarsource.com/java/RSPEC-6833/"
+  ]
+}
diff --git a/core-codemods/src/test/java/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemodTest.java b/core-codemods/src/test/java/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemodTest.java
@@ -0,0 +1,11 @@
+package io.codemodder.codemods;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = SimplifyRestControllerAnnotationsCodemod.class,
+    testResourceDir = "simplify-rest-controller-annotations-s6833",
+    renameTestFile = "src/main/java/org/owasp/webgoat/container/service/SessionService.java",
+    dependencies = {})
+final class SimplifyRestControllerAnnotationsCodemodTest implements CodemodTestMixin {}
diff --git a/core-codemods/src/test/resources/simplify-rest-controller-annotations-s6833/Test.java.after b/core-codemods/src/test/resources/simplify-rest-controller-annotations-s6833/Test.java.after
@@ -0,0 +1,31 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequiredArgsConstructor
+public class SessionService {
+
+  private final WebSession webSession;
+  private final RestartLessonService restartLessonService;
+  private final Messages messages;
+
+  @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
+  public String applySecurity() {
+    webSession.toggleSecurity();
+    restartLessonService.restartLesson();
+
+    var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
+    return messages.getMessage(msg);
+  }
+}
diff --git a/core-codemods/src/test/resources/simplify-rest-controller-annotations-s6833/Test.java.before b/core-codemods/src/test/resources/simplify-rest-controller-annotations-s6833/Test.java.before
@@ -0,0 +1,33 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+@RequiredArgsConstructor
+public class SessionService {
+
+  private final WebSession webSession;
+  private final RestartLessonService restartLessonService;
+  private final Messages messages;
+
+  @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
+  @ResponseBody
+  public String applySecurity() {
+    webSession.toggleSecurity();
+    restartLessonService.restartLesson();
+
+    var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
+    return messages.getMessage(msg);
+  }
+}
diff --git a/core-codemods/src/test/resources/simplify-rest-controller-annotations-s6833/sonar-issues.json b/core-codemods/src/test/resources/simplify-rest-controller-annotations-s6833/sonar-issues.json
@@ -0,0 +1,92 @@
+{
+  "total": 1,
+  "p": 1,
+  "ps": 500,
+  "paging": {
+    "pageIndex": 1,
+    "pageSize": 500,
+    "total": 1
+  },
+  "effortTotal": 5,
+  "debtTotal": 5,
+  "issues": [
+    {
+      "key": "AYvtrj4zLCzGLicz7AqC",
+      "rule": "java:S6833",
+      "severity": "MAJOR",
+      "component": "nahsra_WebGoat_10_23:src/main/java/org/owasp/webgoat/container/service/SessionService.java",
+      "project": "nahsra_WebGoat_10_23",
+      "line": 16,
+      "hash": "dee1a9dfa91ea501126d7a4ecdad8cd0",
+      "textRange": {
+        "startLine": 16,
+        "endLine": 16,
+        "startOffset": 0,
+        "endOffset": 11
+      },
+      "flows": [
+        {
+          "locations": [
+            {
+              "component": "nahsra_WebGoat_10_23:src/main/java/org/owasp/webgoat/container/service/SessionService.java",
+              "textRange": {
+                "startLine": 25,
+                "endLine": 25,
+                "startOffset": 2,
+                "endOffset": 15
+              },
+              "msg": "Remove this \"@ResponseBody\" annotation."
+            }
+          ]
+        }
+      ],
+      "status": "OPEN",
+      "message": "Replace the \"@Controller\" annotation by \"@RestController\" and remove all \"@ResponseBody\" annotations.",
+      "effort": "5min",
+      "debt": "5min",
+      "tags": [
+        "spring"
+      ],
+      "creationDate": "2022-04-09T14:56:12+0200",
+      "updateDate": "2023-11-20T17:58:54+0100",
+      "type": "CODE_SMELL",
+      "organization": "nahsra",
+      "cleanCodeAttribute": "CONVENTIONAL",
+      "cleanCodeAttributeCategory": "CONSISTENT",
+      "impacts": [
+        {
+          "softwareQuality": "MAINTAINABILITY",
+          "severity": "MEDIUM"
+        }
+      ]
+    }
+  ],
+  "components": [
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoat_10_23",
+      "uuid": "AYvtqxxxzY4Rr5NHn4Om",
+      "enabled": true,
+      "qualifier": "TRK",
+      "name": "WebGoat_10_23",
+      "longName": "WebGoat_10_23"
+    },
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoat_10_23:src/main/java/org/owasp/webgoat/container/service/SessionService.java",
+      "uuid": "AYvtrjqJLCzGLicz7Abj",
+      "enabled": true,
+      "qualifier": "FIL",
+      "name": "SessionService.java",
+      "longName": "src/main/java/org/owasp/webgoat/container/service/SessionService.java",
+      "path": "src/main/java/org/owasp/webgoat/container/service/SessionService.java"
+    }
+  ],
+  "organizations": [
+    {
+      "key": "nahsra",
+      "name": "Arshan Dabirsiaghi"
+    }
+  ],
+  "facets": []
+}
