Handle comma-separated filename inputs for Sonar issues JSON and Sonar hotspots JSON (#365)

Issue: #364

Example of running a list of sonar findings files:
```

./gradlew :core-codemods:run --args='--output /Users/iwa/Documents/GitHub/WebGoat_12_23/WebGoat_12_23.codetf --verbose --sonar-issues-json /Users/iwa/Desktop/sonar1.json,/Users/iwa/Desktop/sonar2.json --log-format human /Users/iwa/Documents/GitHub/WebGoat_12_23/'
```

Sonar hotspot CLI input was the only update since there's no
implementation for it yet

Author: carlosu7

core-codemods/src/test/java/io/codemodder/codemods/AddMissingOverrideCodemodTest.java

@@ -7,5 +7,6 @@
     codemodType = AddMissingOverrideCodemod.class,
     testResourceDir = "add-missing-override-s1161",
     renameTestFile = "src/main/java/SqlInjectionLesson10b.java",
-    dependencies = {})
+    dependencies = {},
+    sonarIssuesJsonFiles = {"sonar-issues_1.json", "sonar-issues_2.json"})
 final class AddMissingOverrideCodemodTest implements CodemodTestMixin {}

…missing-override-s1161/sonar-issues.json …ssing-override-s1161/sonar-issues_1.jsoncore-codemods/src/test/resources/add-missing-override-s1161/sonar-issues.json renamed to core-codemods/src/test/resources/add-missing-override-s1161/sonar-issues_1.json core-codemods/src/test/resources/add-missing-override-s1161/sonar-issues.json renamed to core-codemods/src/test/resources/add-missing-override-s1161/sonar-issues_1.json

@@ -0,0 +1,42 @@
+{
+  "total": 1,
+  "p": 1,
+  "ps": 500,
+  "paging": {
+    "pageIndex": 1,
+    "pageSize": 500,
+    "total": 1
+  },
+  "effortTotal": 5,
+  "debtTotal": 5,
+  "issues": [
+  ],
+  "components": [
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoat_10_23",
+      "uuid": "AYvtqxxxzY4Rr5NHn4Om",
+      "enabled": true,
+      "qualifier": "TRK",
+      "name": "WebGoat_10_23",
+      "longName": "WebGoat_10_23"
+    },
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoat_10_23:src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java",
+      "uuid": "AYvtrjqILCzGLicz7AX9",
+      "enabled": true,
+      "qualifier": "FIL",
+      "name": "SqlInjectionLesson10b.java",
+      "longName": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java",
+      "path": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java"
+    }
+  ],
+  "organizations": [
+    {
+      "key": "nahsra",
+      "name": "Arshan Dabirsiaghi"
+    }
+  ],
+  "facets": []
+}

core-codemods/src/test/resources/add-missing-override-s1161/sonar-issues_2.json

@@ -118,8 +118,9 @@ final class CLI implements Callable<Integer> {
   @CommandLine.Option(
       names = {"--sonar-issues-json"},
       description =
-          "a path to a file containing the result of a call to the Sonar Web API Issues endpoint")
-  private Path sonarIssuesJsonFilePath;
+          "comma-separated set of path(s) to file(s) containing the result of a call to the Sonar Web API Issues endpoint",
+      split = ",")
+  private List<String> sonarIssuesJsonFilePaths;
 
   @CommandLine.Option(
       names = {"--defectdojo-findings-json"},
@@ -130,8 +131,9 @@ final class CLI implements Callable<Integer> {
   @CommandLine.Option(
       names = {"--sonar-hotspots-json"},
       description =
-          "a path to a file containing the result of a call to the Sonar Web API Hotspots endpoint")
-  private Path sonarHotspotsJsonFilePath;
+          "comma-separated set of path(s) to file(s) containing the result of a call to the Sonar Web API Hotspots endpoint",
+      split = ",")
+  private List<Path> sonarHotspotsJsonFilePaths;
 
   @CommandLine.Option(
       names = {"--contrast-vulnerabilities-xml"},
@@ -378,8 +380,8 @@ public Integer call() throws IOException {
 
       // create the loader
       CodeDirectory codeDirectory = new DefaultCodeDirectory(projectPath);
-      List<Path> sarifFiles =
-          sarifs != null ? sarifs.stream().map(Path::of).collect(Collectors.toList()) : List.of();
+      List<Path> sarifFiles = convertToPaths(sarifs);
+      List<Path> sonarIssuesJsonFiles = convertToPaths(sonarIssuesJsonFilePaths);
       Map<String, List<RuleSarif>> pathSarifMap =
           SarifParser.create().parseIntoMap(sarifFiles, codeDirectory);
       List<ParameterArgument> codemodParameters =
@@ -394,7 +396,7 @@ public Integer call() throws IOException {
               filePaths,
               pathSarifMap,
               codemodParameters,
-              sonarIssuesJsonFilePath,
+              sonarIssuesJsonFiles,
               defectDojoFindingsJsonFilePath,
               contrastVulnerabilitiesXmlFilePath);
       List<CodemodIdPair> codemods = loader.getCodemods();
@@ -513,6 +515,10 @@ public Integer call() throws IOException {
     }
   }
 
+  private List<Path> convertToPaths(final List<String> pathsStr) {
+    return pathsStr != null ? pathsStr.stream().map(Path::of).toList() : List.of();
+  }
+
   /**
    * Performs a resetting of the logging settings because they're wildly different if we do
    * structured logging.

framework/codemodder-base/src/main/java/io/codemodder/CLI.java

@@ -28,7 +28,7 @@ public CodemodLoader(
       final List<Path> includedFiles,
       final Map<String, List<RuleSarif>> ruleSarifByTool,
       final List<ParameterArgument> codemodParameters,
-      final Path sonarIssuesJsonFile,
+      final List<Path> sonarIssuesJsonFiles,
       final Path defectDojoFindingsJsonFile,
       final Path contrastVulnerabilitiesXmlFilePath) {
 
@@ -100,7 +100,7 @@ public CodemodLoader(
               pathExcludes,
               orderedCodemodTypes,
               allWantedSarifs,
-              sonarIssuesJsonFile,
+              sonarIssuesJsonFiles,
               defectDojoFindingsJsonFile,
               contrastVulnerabilitiesXmlFilePath);
       allModules.addAll(modules);

framework/codemodder-base/src/main/java/io/codemodder/CodemodLoader.java

@@ -22,8 +22,8 @@ public interface CodemodProvider {
    *     their own analysis)
    * @param codemodTypes the codemod types that are being run
    * @param sarifs the SARIF output of tools that are being run
-   * @param sonarIssuesJsonPath the path to a Sonar issues JSON file retrieved from their web API --
-   *     may be null
+   * @param sonarIssuesJsonPaths the path to a Sonar issues JSON file retrieved from their web API
+   *     -- may be null
    * @param contrastFindingsJsonPath the path to a Contrast findings JSON file retrieved from their
    *     web API -- may be null
    * @return a set of modules that perform dependency injection
@@ -35,14 +35,14 @@ Set<AbstractModule> getModules(
       List<String> pathExcludes,
       List<Class<? extends CodeChanger>> codemodTypes,
       List<RuleSarif> sarifs,
-      Path sonarIssuesJsonPath,
+      List<Path> sonarIssuesJsonPaths,
       Path defectDojoFindingsJsonPath,
       Path contrastFindingsJsonPath);
 
   /**
    * Tools this provider is interested in processing the SARIF output of. Codemodder CLI will look
    * for the SARIF outputted by tools in this list in the repository root and then provide the
-   * results to {@link #getModules(Path, List, List, List, List, List, Path, Path, Path)} as a
+   * results to {@link #getModules(Path, List, List, List, List, List, List, Path, Path)} as a
    * {@link List} of {@link RuleSarif}s.
    *
    * <p>By default, this returns an empty list.

framework/codemodder-base/src/main/java/io/codemodder/CodemodProvider.java

@@ -17,6 +17,7 @@
 import java.nio.file.StandardCopyOption;
 import java.util.*;
 import java.util.function.Function;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import org.junit.jupiter.api.DynamicTest;
 import org.junit.jupiter.api.TestFactory;
@@ -76,7 +77,8 @@ default Stream<DynamicTest> generateTestCases(@TempDir final Path tmpDir) throws
                 projectProviders,
                 metadata.doRetransformTest(),
                 metadata.expectingFixesAtLines(),
-                metadata.expectingFailedFixesAtLines());
+                metadata.expectingFailedFixesAtLines(),
+                metadata.sonarIssuesJsonFiles());
 
     return DynamicTest.stream(inputStream, displayNameGenerator, testExecutor);
   }
@@ -91,7 +93,8 @@ private void verifyCodemod(
       final List<ProjectProvider> projectProviders,
       final boolean doRetransformTest,
       final int[] expectedFixLines,
-      final int[] expectingFailedFixesAtLines)
+      final int[] expectingFailedFixesAtLines,
+      final String[] sonarIssuesJsonFiles)
       throws IOException {
 
     // create a copy of the test file in the temp directory to serve as our "repository"
@@ -111,8 +114,21 @@ private void verifyCodemod(
       pathToJavaFile = newPathToJavaFile;
     }
 
-    // add the sonar JSON if one exists
-    Path sonarJson = testResourceDir.resolve("sonar-issues.json");
+    final List<String> sonarJsons =
+        sonarIssuesJsonFiles != null ? Arrays.asList(sonarIssuesJsonFiles) : new ArrayList<>();
+
+    final List<Path> sonarJsonsPaths =
+        sonarJsons.stream()
+            .map(testResourceDir::resolve)
+            .filter(Files::exists)
+            .collect(Collectors.toList());
+
+    if (sonarJsonsPaths.isEmpty()) {
+      Path defaultPath = testResourceDir.resolve("sonar-issues.json");
+      if (Files.exists(defaultPath)) {
+        sonarJsonsPaths.add(defaultPath);
+      }
+    }
 
     // Check for any sarif files and build the RuleSarif map
     CodeDirectory codeDir = CodeDirectory.from(tmpDir);
@@ -139,7 +155,7 @@ private void verifyCodemod(
             List.of(pathToJavaFile),
             map,
             List.of(),
-            Files.exists(sonarJson) ? sonarJson : null,
+            sonarJsonsPaths,
             Files.exists(defectDojo) ? defectDojo : null,
             Files.exists(contrastXml) ? contrastXml : null);
 

framework/codemodder-testutils/src/main/java/io/codemodder/testutils/CodemodTestMixin.java

@@ -48,4 +48,7 @@
 
   /** The expected failed fix metadata that the codemod should report. */
   int[] expectingFailedFixesAtLines() default {};
+
+  /** Sonar issues file names for testing multiple json files */
+  String[] sonarIssuesJsonFiles() default {};
 }

framework/codemodder-testutils/src/main/java/io/codemodder/testutils/Metadata.java

@@ -19,7 +19,7 @@ public Set<AbstractModule> getModules(
       final List<String> excludePaths,
       final List<Class<? extends CodeChanger>> codemodTypes,
       final List<RuleSarif> sarifs,
-      final Path sonarIssuesJsonFile,
+      final List<Path> sonarIssuesJsonPaths,
       final Path defectDojoFindingsJsonFile,
       final Path contrastFindingsJsonPath) {
     return Set.of(new AppScanModule(codemodTypes, sarifs));

plugins/codemodder-plugin-appscan/src/main/java/io/codemodder/providers/sarif/appscan/AppScanProvider.java

@@ -19,7 +19,7 @@ public Set<AbstractModule> getModules(
       final List<String> excludePaths,
       final List<Class<? extends CodeChanger>> codemodTypes,
       final List<RuleSarif> sarifs,
-      final Path sonarIssuesJsonFile,
+      final List<Path> sonarIssuesJsonPaths,
       final Path defectDojoFindingsJsonFile,
       final Path contrastFindingsJsonPath) {
     return Set.of(new AwsClientModule());