Sonar codemod for removing unused private method codemod (#266)

example
https://sonarcloud.io/project/issues?fileUuids=AYvtrjqILCzGLicz7AZw&resolved=false&types=CODE_SMELL&id=nahsra_WebGoat_10_23&open=AYx_HQhaOVCWpCEOKEAO

reference: https://rules.sonarsource.com/java/RSPEC-1144/

Author: carlosu7

core-codemods/src/main/java/io/codemodder/codemods/RemoveUnusedPrivateMethodCodemod.java

@@ -0,0 +1,51 @@
+package io.codemodder.codemods;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.body.MethodDeclaration;
+import com.github.javaparser.ast.expr.SimpleName;
+import io.codemodder.Codemod;
+import io.codemodder.CodemodExecutionPriority;
+import io.codemodder.CodemodInvocationContext;
+import io.codemodder.ReviewGuidance;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleIssues;
+import io.codemodder.providers.sonar.SonarPluginJavaParserChanger;
+import io.codemodder.providers.sonar.api.Issue;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for removing unused private methods. */
+@Codemod(
+    id = "sonar:java/remove-unused-private-method-s1144",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class RemoveUnusedPrivateMethodCodemod
+    extends SonarPluginJavaParserChanger<SimpleName> {
+
+  @Inject
+  public RemoveUnusedPrivateMethodCodemod(
+      @ProvidedSonarScan(ruleId = "java:S1144") final RuleIssues issues) {
+    super(issues, SimpleName.class);
+  }
+
+  @Override
+  public boolean onIssueFound(
+      final CodemodInvocationContext context,
+      final CompilationUnit cu,
+      final SimpleName node,
+      final Issue issue) {
+
+    final Optional<Node> methodDeclarationOptional = node.getParentNode();
+
+    if (methodDeclarationOptional.isEmpty()) {
+      return false;
+    }
+
+    final MethodDeclaration methodDeclaration = (MethodDeclaration) methodDeclarationOptional.get();
+
+    methodDeclaration.removeForced();
+
+    return true;
+  }
+}

core-codemods/src/main/resources/io/codemodder/codemods/RemoveUnusedPrivateMethodCodemod/description.md

@@ -0,0 +1,9 @@
+This change removes unused `private` methods. Dead code can cause confusion and increase the mental load of maintainers. It can increase your maintenance burden as you have to keep that unused code compiling when you make sweeping changes to the APIs used within the method.
+
+Our changes look something like this:
+
+```diff
+-   private String getUuid(){
+-       return uuid;
+-   }
+```

core-codemods/src/main/resources/io/codemodder/codemods/RemoveUnusedPrivateMethodCodemod/report.json

@@ -0,0 +1,8 @@
+{
+  "summary" : "Removed unused private method (Sonar).",
+  "change" : "Removed unused private method.",
+  "references" : [
+    "https://rules.sonarsource.com/java/RSPEC-1144/",
+    "https://understandlegacycode.com/blog/delete-unused-code/"
+  ]
+}

core-codemods/src/main/resources/io/codemodder/codemods/ReplaceStreamCollectorsToListCodemod/description.md

@@ -1,4 +1,4 @@
-This change modernizes the a stream's `List` creation to be driven from the simple, and more readable [`Stream#toList()`](https://docs.oracle.com/javase/16/docs/api/java.base/java/util/stream/Collectors.html#toList()) method.
+This change modernizes a stream's `List` creation to be driven from the simple, and more readable [`Stream#toList()`](https://docs.oracle.com/javase/16/docs/api/java.base/java/util/stream/Collectors.html#toList()) method.
 
 Our changes look something like this:
 

core-codemods/src/test/java/io/codemodder/codemods/RemoveUnusedPrivateMethodCodemodTest.java

@@ -0,0 +1,12 @@
+package io.codemodder.codemods;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = RemoveUnusedPrivateMethodCodemod.class,
+    testResourceDir = "remove-unused-private-method-s1144",
+    renameTestFile =
+        "src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java",
+    dependencies = {})
+final class RemoveUnusedPrivateMethodCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/resources/remove-unused-private-method-s1144/Test.java.after

@@ -0,0 +1,114 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.authbypass;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/** Created by appsec on 7/18/17. */
+public class AccountVerificationHelper {
+
+  // simulating database storage of verification credentials
+  private static final Integer verifyUserId = 1223445;
+  private static final Map<String, String> userSecQuestions = new HashMap<>();
+
+  static {
+    userSecQuestions.put("secQuestion0", "Dr. Watson");
+    userSecQuestions.put("secQuestion1", "Baker Street");
+  }
+
+  private static final Map<Integer, Map> secQuestionStore = new HashMap<>();
+
+  static {
+    secQuestionStore.put(verifyUserId, userSecQuestions);
+  }
+
+  // end 'data store set up'
+
+  // this is to aid feedback in the attack process and is not intended to be part of the
+  // 'vulnerable' code
+  public boolean didUserLikelylCheat(HashMap<String, String> submittedAnswers) {
+    boolean likely = false;
+
+    if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
+      likely = true;
+    }
+
+    if ((submittedAnswers.containsKey("secQuestion0")
+            && submittedAnswers
+                .get("secQuestion0")
+                .equals(secQuestionStore.get(verifyUserId).get("secQuestion0")))
+        && (submittedAnswers.containsKey("secQuestion1")
+            && submittedAnswers
+                .get("secQuestion1")
+                .equals(secQuestionStore.get(verifyUserId).get("secQuestion1")))) {
+      likely = true;
+    } else {
+      likely = false;
+    }
+
+    return likely;
+  }
+
+  // end of cheating check ... the method below is the one of real interest. Can you find the flaw?
+
+  public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {
+    // short circuit if no questions are submitted
+    if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
+      return false;
+    }
+
+    if (submittedQuestions.containsKey("secQuestion0")
+        && !submittedQuestions
+            .get("secQuestion0")
+            .equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
+      return false;
+    }
+
+    if (submittedQuestions.containsKey("secQuestion1")
+        && !submittedQuestions
+            .get("secQuestion1")
+            .equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+      return false;
+    }
+
+    unusedSuccess(true, 1);
+    unusedFailsOverload(1,2,3);
+    unusedFailsOverload(1, 2);
+
+    // else
+    return true;
+  }
+
+  private void unusedSuccess(boolean a, int b){
+      System.out.println(b);
+  }
+
+  private void unusedFailsOverload(Integer a, Integer b, Integer c){
+      System.out.println(a + c);
+  }
+
+  private void unusedFailsOverload(Integer a, Integer b){
+      unusedFailsOverload(a, b, null);
+  }
+}

core-codemods/src/test/resources/remove-unused-private-method-s1144/Test.java.before

@@ -0,0 +1,118 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.authbypass;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/** Created by appsec on 7/18/17. */
+public class AccountVerificationHelper {
+
+  // simulating database storage of verification credentials
+  private static final Integer verifyUserId = 1223445;
+  private static final Map<String, String> userSecQuestions = new HashMap<>();
+
+  static {
+    userSecQuestions.put("secQuestion0", "Dr. Watson");
+    userSecQuestions.put("secQuestion1", "Baker Street");
+  }
+
+  private static final Map<Integer, Map> secQuestionStore = new HashMap<>();
+
+  static {
+    secQuestionStore.put(verifyUserId, userSecQuestions);
+  }
+
+  // end 'data store set up'
+
+  // this is to aid feedback in the attack process and is not intended to be part of the
+  // 'vulnerable' code
+  public boolean didUserLikelylCheat(HashMap<String, String> submittedAnswers) {
+    boolean likely = false;
+
+    if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
+      likely = true;
+    }
+
+    if ((submittedAnswers.containsKey("secQuestion0")
+            && submittedAnswers
+                .get("secQuestion0")
+                .equals(secQuestionStore.get(verifyUserId).get("secQuestion0")))
+        && (submittedAnswers.containsKey("secQuestion1")
+            && submittedAnswers
+                .get("secQuestion1")
+                .equals(secQuestionStore.get(verifyUserId).get("secQuestion1")))) {
+      likely = true;
+    } else {
+      likely = false;
+    }
+
+    return likely;
+  }
+
+  // end of cheating check ... the method below is the one of real interest. Can you find the flaw?
+
+  public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {
+    // short circuit if no questions are submitted
+    if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
+      return false;
+    }
+
+    if (submittedQuestions.containsKey("secQuestion0")
+        && !submittedQuestions
+            .get("secQuestion0")
+            .equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
+      return false;
+    }
+
+    if (submittedQuestions.containsKey("secQuestion1")
+        && !submittedQuestions
+            .get("secQuestion1")
+            .equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+      return false;
+    }
+
+    unusedSuccess(true, 1);
+    unusedFailsOverload(1,2,3);
+    unusedFailsOverload(1, 2);
+
+    // else
+    return true;
+  }
+
+  private void unusedSuccess(boolean a, int b){
+      System.out.println(b);
+  }
+
+  private void unusedFailsOverload(Integer a, Integer b, Integer c){
+      System.out.println(a + c);
+  }
+
+  private void unusedFailsOverload(Integer a, Integer b){
+      unusedFailsOverload(a, b, null);
+  }
+
+  private void unusedMethod(){
+      System.out.println("I'm unused :(");
+  }
+}