Provided semgrep scan detection tool metadata (#344)

carlosu7 · web-flow · commit 8e979de9b8b4 · 2024-04-11T07:40:40.000-06:00
Populate detectionTool metadata for Semgrep codemods (`@ProvidedSemgrepScan`) Issue #314
diff --git a/core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java b/core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java
@@ -13,6 +13,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 import javax.inject.Inject;
 
 /** This codemod knows how to translate */
@@ -46,6 +47,11 @@ public DetectorRule getDetectorRule() {
         "https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli");
   }
 
+  @Override
+  public Optional<FixedFinding> getFixedFinding(String id) {
+    return Optional.of(new FixedFinding(id, getDetectorRule()));
+  }
+
   @Override
   public CodemodFileScanningResult visit(
       final CodemodInvocationContext context, final CompilationUnit cu) {
@@ -103,8 +109,7 @@ public CodemodFileScanningResult visit(
 
       MethodCallExpr methodCallExpr = supportedSqlMethodCallsOnThatLine.get(0);
       if (SQLParameterizerWithCleanup.checkAndFix(methodCallExpr)) {
-        FixedFinding fixedFinding = new FixedFinding(id, getDetectorRule());
-        changes.add(CodemodChange.from(line, fixedFinding));
+        changes.add(CodemodChange.from(line, getFixedFinding(id).get()));
       } else {
         UnfixedFinding unfixableFinding =
             new UnfixedFinding(
diff --git a/core-codemods/src/main/java/io/codemodder/codemods/SemgrepOverlyPermissiveFilePermissionsCodemod.java b/core-codemods/src/main/java/io/codemodder/codemods/SemgrepOverlyPermissiveFilePermissionsCodemod.java
@@ -11,8 +11,10 @@
 import com.github.javaparser.ast.expr.StringLiteralExpr;
 import com.github.javaparser.ast.stmt.ExpressionStmt;
 import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
 import io.codemodder.javaparser.ChangesResult;
 import io.codemodder.providers.sarif.semgrep.ProvidedSemgrepScan;
+import io.codemodder.providers.sarif.semgrep.SemgrepSarifJavaParserChanger;
 import java.util.Optional;
 import javax.inject.Inject;
 
@@ -27,10 +29,7 @@ public final class SemgrepOverlyPermissiveFilePermissionsCodemod
 
   @Inject
   public SemgrepOverlyPermissiveFilePermissionsCodemod(
-      @ProvidedSemgrepScan(
-              ruleId =
-                  "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission")
-          final RuleSarif sarif) {
+      @ProvidedSemgrepScan(ruleId = RULE_ID) final RuleSarif sarif) {
     super(
         new PermissionAddCallChanger(sarif),
         new FromStringChanger(sarif),
@@ -45,7 +44,7 @@ public SemgrepOverlyPermissiveFilePermissionsCodemod(
    * PosixFilePermissions.fromString("rwxrwxrwx"));}
    */
   private static final class InlineFromStringChanger
-      extends SarifPluginJavaParserChanger<ExpressionStmt> {
+      extends SemgrepSarifJavaParserChanger<ExpressionStmt> {
 
     private InlineFromStringChanger(final RuleSarif sarif) {
       super(
@@ -82,6 +81,11 @@ public ChangesResult onResultFound(
       }
       return ChangesResult.noChanges;
     }
+
+    @Override
+    public DetectorRule getDetectorRule() {
+      return new DetectorRule(RULE_ID, RULE_NAME, RULE_URL);
+    }
   }
 
   /**
@@ -90,7 +94,7 @@ public ChangesResult onResultFound(
    * <p>{@code var p = Permissions.fromString("rwxrwxrwx")}
    */
   private static final class FromStringChanger
-      extends SarifPluginJavaParserChanger<ExpressionStmt> {
+      extends SemgrepSarifJavaParserChanger<ExpressionStmt> {
     private FromStringChanger(final RuleSarif sarif) {
       super(
           sarif,
@@ -118,6 +122,11 @@ public ChangesResult onResultFound(
       }
       return ChangesResult.noChanges;
     }
+
+    @Override
+    public DetectorRule getDetectorRule() {
+      return new DetectorRule(RULE_ID, RULE_NAME, RULE_URL);
+    }
   }
 
   private static ChangesResult fixFromString(final MethodCallExpr fromStringCall) {
@@ -139,7 +148,7 @@ private static ChangesResult fixFromString(final MethodCallExpr fromStringCall)
    * java.util.Set#add(Object)} call.
    */
   private static final class PermissionAddCallChanger
-      extends SarifPluginJavaParserChanger<MethodCallExpr> {
+      extends SemgrepSarifJavaParserChanger<MethodCallExpr> {
 
     private PermissionAddCallChanger(final RuleSarif sarif) {
       super(
@@ -170,6 +179,11 @@ public ChangesResult onResultFound(
       return ChangesResult.noChanges;
     }
 
+    @Override
+    public DetectorRule getDetectorRule() {
+      return new DetectorRule(RULE_ID, RULE_NAME, RULE_URL);
+    }
+
     private ChangesResult fixAdd(final MethodCallExpr call) {
       NodeList<Expression> arguments = call.getArguments();
       Expression permissionArgument = arguments.get(0);
@@ -190,4 +204,11 @@ private ChangesResult fixAdd(final MethodCallExpr call) {
       return ChangesResult.changesApplied;
     }
   }
+
+  private static final String RULE_ID =
+      "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission";
+  private static final String RULE_NAME =
+      "Fix overly permissive file permissions (issue discovered by Semgrep)";
+  private static final String RULE_URL =
+      "https://registry.semgrep.dev/rule/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission";
 }
diff --git a/core-codemods/src/test/java/io/codemodder/codemods/SemgrepOverlyPermissiveFilePermissionsCodemodTest.java b/core-codemods/src/test/java/io/codemodder/codemods/SemgrepOverlyPermissiveFilePermissionsCodemodTest.java
@@ -7,5 +7,6 @@
     codemodType = SemgrepOverlyPermissiveFilePermissionsCodemod.class,
     testResourceDir = "semgrep-overly-permissive-file-permission",
     doRetransformTest = false,
-    dependencies = {})
+    dependencies = {},
+    expectingFixesAtLines = {14, 15, 25, 22})
 final class SemgrepOverlyPermissiveFilePermissionsCodemodTest implements CodemodTestMixin {}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/CodemodChange.java b/framework/codemodder-base/src/main/java/io/codemodder/CodemodChange.java
@@ -35,6 +35,17 @@ private CodemodChange(final int lineNumber, final List<DependencyGAV> dependenci
     this.fixedFindings = List.of();
   }
 
+  private CodemodChange(
+      final int lineNumber,
+      final List<DependencyGAV> dependenciesNeeded,
+      final List<FixedFinding> fixedFindings) {
+    this.lineNumber = lineNumber;
+    this.dependenciesNeeded = Objects.requireNonNull(dependenciesNeeded, "dependenciesNeeded");
+    this.parameters = List.of();
+    this.description = null;
+    this.fixedFindings = fixedFindings;
+  }
+
   private CodemodChange(final int lineNumber, final FixedFinding finding) {
     this.lineNumber = lineNumber;
     this.dependenciesNeeded = List.of();
@@ -138,6 +149,11 @@ public static CodemodChange from(final int line, final FixedFinding finding) {
     return new CodemodChange(line, finding);
   }
 
+  public static CodemodChange from(
+      final int line, final List<DependencyGAV> dependencyGAVS, final FixedFinding finding) {
+    return new CodemodChange(line, dependencyGAVS, List.of(finding));
+  }
+
   /** A {@link } */
   public static CodemodChange from(
       final int line, final Parameter parameter, final String valueUsed) {
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/FixOnlyCodeChanger.java b/framework/codemodder-base/src/main/java/io/codemodder/FixOnlyCodeChanger.java
@@ -1,6 +1,8 @@
 package io.codemodder;
 
 import io.codemodder.codetf.DetectorRule;
+import io.codemodder.codetf.FixedFinding;
+import java.util.Optional;
 
 /**
  * A codemod that only fixes issues and does not perform its own detection, instead relying on
@@ -15,4 +17,7 @@ public interface FixOnlyCodeChanger {
 
   /** A description of the rule. */
   DetectorRule getDetectorRule();
+
+  /** Abstract method to build a {@link FixedFinding} object */
+  Optional<FixedFinding> getFixedFinding(String id);
 }
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/SarifPluginFixOnlyCodeChanger.java b/framework/codemodder-base/src/main/java/io/codemodder/SarifPluginFixOnlyCodeChanger.java
@@ -0,0 +1,22 @@
+package io.codemodder;
+
+import com.github.javaparser.ast.Node;
+import io.codemodder.codetf.FixedFinding;
+import java.util.Optional;
+
+public abstract class SarifPluginFixOnlyCodeChanger<T extends Node>
+    extends SarifPluginJavaParserChanger<T> implements FixOnlyCodeChanger {
+
+  protected SarifPluginFixOnlyCodeChanger(
+      final RuleSarif sarif,
+      final Class<? extends Node> nodeType,
+      final RegionNodeMatcher regionNodeMatcher,
+      final CodemodReporterStrategy reporterStrategy) {
+    super(sarif, nodeType, regionNodeMatcher, reporterStrategy);
+  }
+
+  @Override
+  public Optional<FixedFinding> getFixedFinding(String id) {
+    return Optional.of(new FixedFinding(id, getDetectorRule()));
+  }
+}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/SarifPluginJavaParserChanger.java b/framework/codemodder-base/src/main/java/io/codemodder/SarifPluginJavaParserChanger.java
@@ -6,11 +6,13 @@
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;
 import com.google.common.annotations.VisibleForTesting;
+import io.codemodder.codetf.FixedFinding;
 import io.codemodder.javaparser.ChangesResult;
 import io.codemodder.javaparser.JavaParserChanger;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 
 /**
  * Provides base functionality for making JavaParser-based changes based on results found by a sarif
@@ -131,9 +133,18 @@ public CodemodFileScanningResult visit(
             if (regionNodeMatcher.matches(region, range)) {
               ChangesResult changeSuccessful = onResultFound(context, cu, (T) node, result);
               if (changeSuccessful.areChangesApplied()) {
-                codemodChanges.add(
-                    CodemodChange.from(
-                        region.start().line(), changeSuccessful.getDependenciesRequired()));
+                final Optional<FixedFinding> optionalFixedFinding = getFixedFinding();
+                if (optionalFixedFinding.isPresent()) {
+                  codemodChanges.add(
+                      CodemodChange.from(
+                          region.start().line(),
+                          changeSuccessful.getDependenciesRequired(),
+                          optionalFixedFinding.get()));
+                } else {
+                  codemodChanges.add(
+                      CodemodChange.from(
+                          region.start().line(), changeSuccessful.getDependenciesRequired()));
+                }
               }
             }
           }
@@ -144,6 +155,10 @@ public CodemodFileScanningResult visit(
     return CodemodFileScanningResult.withOnlyChanges(codemodChanges);
   }
 
+  protected Optional<FixedFinding> getFixedFinding() {
+    return Optional.empty();
+  }
+
   @Override
   public boolean shouldRun() {
     List<Run> runs = sarif.rawDocument().getRuns();
diff --git a/framework/codemodder-base/src/test/java/io/codemodder/DefaultCodemodExecutorTest.java b/framework/codemodder-base/src/test/java/io/codemodder/DefaultCodemodExecutorTest.java
@@ -802,6 +802,11 @@ public String vendorName() {
     public DetectorRule getDetectorRule() {
       return rule;
     }
+
+    @Override
+    public Optional<FixedFinding> getFixedFinding(String id) {
+      return Optional.of(new FixedFinding(id, getDetectorRule()));
+    }
   }
 
   private static final DependencyGAV dependency1 =
diff --git a/plugins/codemodder-plugin-semgrep/src/main/java/io/codemodder/providers/sarif/semgrep/SemgrepSarifJavaParserChanger.java b/plugins/codemodder-plugin-semgrep/src/main/java/io/codemodder/providers/sarif/semgrep/SemgrepSarifJavaParserChanger.java
@@ -0,0 +1,28 @@
+package io.codemodder.providers.sarif.semgrep;
+
+import com.github.javaparser.ast.Node;
+import io.codemodder.CodemodReporterStrategy;
+import io.codemodder.RegionNodeMatcher;
+import io.codemodder.RuleSarif;
+import io.codemodder.SarifPluginFixOnlyCodeChanger;
+
+/**
+ * Provides foundational functionality for modifying Java code using JavaParser based on findings
+ * from a SARIF file generated by Semgrep analysis.
+ */
+public abstract class SemgrepSarifJavaParserChanger<T extends Node>
+    extends SarifPluginFixOnlyCodeChanger<T> {
+
+  protected SemgrepSarifJavaParserChanger(
+      final RuleSarif sarif,
+      final Class<? extends Node> nodeType,
+      final RegionNodeMatcher regionNodeMatcher,
+      final CodemodReporterStrategy reporterStrategy) {
+    super(sarif, nodeType, regionNodeMatcher, reporterStrategy);
+  }
+
+  @Override
+  public String vendorName() {
+    return "Semgrep";
+  }
+}
diff --git a/plugins/codemodder-plugin-sonar/src/main/java/io/codemodder/providers/sonar/SonarPluginJavaParserChanger.java b/plugins/codemodder-plugin-sonar/src/main/java/io/codemodder/providers/sonar/SonarPluginJavaParserChanger.java
@@ -4,12 +4,14 @@
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;
 import io.codemodder.*;
+import io.codemodder.codetf.FixedFinding;
 import io.codemodder.javaparser.ChangesResult;
 import io.codemodder.javaparser.JavaParserChanger;
 import io.codemodder.providers.sonar.api.Issue;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 
 /** Provides base functionality for making JavaParser-based changes based on Sonar results. */
 public abstract class SonarPluginJavaParserChanger<T extends Node> extends JavaParserChanger
@@ -112,4 +114,9 @@ public String vendorName() {
    */
   public abstract ChangesResult onIssueFound(
       CodemodInvocationContext context, CompilationUnit cu, T node, Issue issue);
+
+  @Override
+  public Optional<FixedFinding> getFixedFinding(String id) {
+    return Optional.of(new FixedFinding(id, getDetectorRule()));
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -802,6 +802,11 @@ public String vendorName() {`
`802`	`802`	`public DetectorRule getDetectorRule() {`
`803`	`803`	`return rule;`
`804`	`804`	`}`
	`805`	`+`
	`806`	`+ @Override`
	`807`	`+ public Optional<FixedFinding> getFixedFinding(String id) {`
	`808`	`+ return Optional.of(new FixedFinding(id, getDetectorRule()));`
	`809`	`+ }`
`805`	`810`	`}`
`806`	`811`
`807`	`812`	`private static final DependencyGAV dependency1 =`