Add more tests and remove codemod we're not ready for (#459)

* Moves remediators that were for some reason in core-codemods to the
framework
* Removes a codemod we're not ready to do yet (CodeQL reports
vulnerabilities at odds locations in comparison to other tools)
* Made tests harder to pass
* Styling cleanup

Author: nahsra

core-codemods/src/intTest/java/io/codemodder/integration/WebGoat20238Test.java

@@ -68,10 +68,10 @@ void it_remediates_webgoat_2023_8() throws Exception {
     assertThat(jwtChange.getChanges().get(0).getLineNumber(), equalTo(113));
     assertThat(jwtChange.getChanges().get(1).getLineNumber(), equalTo(140));
 
-    verifyCodemodsHitWithChangesetCount(report, "codeql:java/insecure-randomness", 0);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/ssrf", 1);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/xxe", 1);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/sql-injection", 6);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/insecure-cookie", 2);
+    verifyCodemodsHitWithChangesetCount(report, "codeql:java/unsafe-deserialization", 2);
   }
 }

core-codemods/src/intTest/java/io/codemodder/integration/WebGoat822Test.java

@@ -171,7 +171,6 @@ void it_transforms_webgoat_with_codeql() throws Exception {
     assertThat(ajaxJwtChange.getChanges().size(), equalTo(1));
     assertThat(ajaxJwtChange.getChanges().get(0).getLineNumber(), equalTo(53));
 
-    verifyCodemodsHitWithChangesetCount(report, "codeql:java/insecure-randomness", 0);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/ssrf", 3);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/sql-injection", 5);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/insecure-cookie", 1);

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -30,12 +30,12 @@ public static List<Class<? extends CodeChanger>> asList() {
         CodeQLHttpResponseSplittingCodemod.class,
         CodeQLInputResourceLeakCodemod.class,
         CodeQLInsecureCookieCodemod.class,
-        CodeQLInsecureRandomnessCodemod.class,
         CodeQLJDBCResourceLeakCodemod.class,
         CodeQLJEXLInjectionCodemod.class,
         CodeQLJNDIInjectionCodemod.class,
         CodeQLMavenSecureURLCodemod.class,
         CodeQLOutputResourceLeakCodemod.class,
+        CodeQLPredictableSeedCodemod.class,
         CodeQLSQLInjectionCodemod.class,
         CodeQLSSRFCodemod.class,
         CodeQLStackTraceExposureCodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/SonarSSRFCodemod.java

@@ -2,12 +2,12 @@
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;
-import io.codemodder.codemods.remediators.ssrf.SSRFRemediator;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sonar.ProvidedSonarScan;
 import io.codemodder.providers.sonar.RuleIssue;
 import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.ssrf.SSRFRemediator;
 import io.codemodder.sonar.model.Issue;
 import io.codemodder.sonar.model.SonarFinding;
 import java.util.List;

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLInsecureRandomnessCodemod.java

@@ -0,0 +1,56 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.predictableseed.PredictableSeedRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing predictable seeds reported by CodeQL. */
+@Codemod(
+    id = "codeql:java/predictable-seed",
+    reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW,
+    importance = Importance.MEDIUM,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLPredictableSeedCodemod extends CodeQLRemediationCodemod {
+
+  private final Remediator<Result> remediator;
+
+  @Inject
+  public CodeQLPredictableSeedCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/predictable-seed") final RuleSarif sarif) {
+    super(GenericRemediationMetadata.PREDICTABLE_SEED.reporter(), sarif);
+    this.remediator = new PredictableSeedRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "predictable-seed",
+        "Use of a predictable seed in a secure random number generator",
+        "https://codeql.github.com/codeql-query-help/java/java-predictable-seed/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        result -> result.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        result ->
+            Optional.ofNullable(
+                result.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        result ->
+            Optional.ofNullable(
+                result.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
+  }
+}

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLPredictableSeedCodemod.java

@@ -2,10 +2,10 @@
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;
-import io.codemodder.codemods.remediators.ssrf.SSRFRemediator;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.ssrf.SSRFRemediator;
 import javax.inject.Inject;
 
 /** A codemod for automatically fixing SQL injection from CodeQL. */

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLSSRFCodemod.java

@@ -9,10 +9,10 @@
 import io.codemodder.ReviewGuidance;
 import io.codemodder.RuleSarif;
 import io.codemodder.SarifFindingKeyUtil;
-import io.codemodder.codemods.remediators.ssrf.SSRFRemediator;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.semgrep.ProvidedSemgrepScan;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.ssrf.SSRFRemediator;
 import javax.inject.Inject;
 
 /**

core-codemods/src/main/java/io/codemodder/codemods/semgrep/SemgrepSSRFCodemod.java

@@ -9,9 +9,9 @@
 import io.codemodder.ReviewGuidance;
 import io.codemodder.RuleSarif;
 import io.codemodder.SarifFindingKeyUtil;
-import io.codemodder.codemods.remediators.weakrandom.WeakRandomRemediator;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.semgrep.ProvidedSemgrepScan;
+import io.codemodder.remediation.weakrandom.WeakRandomRemediator;
 import javax.inject.Inject;
 
 /**

core-codemods/src/main/java/io/codemodder/codemods/semgrep/SemgrepWeakRandomCodemod.java

@@ -30,7 +30,7 @@ public List<UnfixedFinding> unfixedFindings() {
   static CodemodFileScanningResult from(
       final List<CodemodChange> changes,
       final List<UnfixedFinding> unfixedFindings,
-      CodeTFAiMetadata codeTFAiMetadata) {
+      final CodeTFAiMetadata codeTFAiMetadata) {
     return new AICodemodFileScanningResult(changes, unfixedFindings, codeTFAiMetadata);
   }