Expose Contrast results to providers (#357)

Adds Contrast results so a provider can pick it up and act on it. Also
adds some utility methods that may be useful for codemod development.

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java

@@ -15,7 +15,10 @@
 import java.util.Objects;
 import javax.inject.Inject;
 
-/** This codemod knows how to translate */
+/**
+ * This codemod knows how to fix SQL injection findings that come through DefectDojo for supported
+ * vendors.
+ */
 @Codemod(
     id = "defectdojo:java/sql-injection",
     reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,

core-codemods/src/main/java/io/codemodder/codemods/SQLParameterizer.java

@@ -76,12 +76,17 @@ static boolean isParameterizationCandidate(final MethodCallExpr methodCallExpr)
 
   /** Returns true if this is a fixable JDBC method name. */
   public static boolean isSupportedJdbcMethodCall(final MethodCallExpr methodCall) {
-    return methodCall.getNameAsString().equals("executeQuery")
-        || methodCall.getNameAsString().equals("execute")
-        || methodCall.getNameAsString().equals("executeLargeUpdate")
-        || methodCall.getNameAsString().equals("executeUpdate");
+    return fixableJdbcMethodNames.contains(methodCall.getNameAsString());
   }
 
+  /** Returns a set of fixable JDBC method names. */
+  public static Set<String> fixableJdbcMethodNames() {
+    return fixableJdbcMethodNames;
+  }
+
+  private static final Set<String> fixableJdbcMethodNames =
+      Set.of("executeQuery", "execute", "executeLargeUpdate", "executeUpdate");
+
   /**
    * Tries to find the source of an expression if it can be uniquely defined, otherwise, returns
    * self.

core-codemods/src/test/java/io/codemodder/codemods/AddMissingI18nCodemodTest.java

@@ -255,6 +255,7 @@ private CodemodLoader createLoader(final Class<? extends CodeChanger> codemodTyp
         Map.of(),
         List.of(),
         null,
+        null,
         null);
   }
 

core-codemods/src/test/java/io/codemodder/codemods/JSPScriptletXSSCodemodTest.java

@@ -51,6 +51,7 @@ void it_fixes_jsp(
             Map.of(),
             List.of(),
             null,
+            null,
             null);
     CodemodIdPair codemod = codemodInvoker.getCodemods().get(0);
     CodemodExecutor executor =

core-codemods/src/test/java/io/codemodder/codemods/VerbTamperingCodemodTest.java

@@ -61,6 +61,7 @@ void it_removes_verb_tampering(
             Map.of(),
             List.of(),
             null,
+            null,
             null);
 
     CodemodExecutor executor =

framework/codemodder-base/src/main/java/io/codemodder/CLI.java

@@ -133,6 +133,12 @@ final class CLI implements Callable<Integer> {
           "a path to a file containing the result of a call to the Sonar Web API Hotspots endpoint")
   private Path sonarHotspotsJsonFilePath;
 
+  @CommandLine.Option(
+      names = {"--contrast-vulnerabilities-xml"},
+      description =
+          "a path to a file containing the result of a call to the Contrast Assess XML export API")
+  private Path contrastVulnerabilitiesXmlFilePath;
+
   @CommandLine.Option(
       names = {"--list"},
       description = "print codemod(s) metadata, then exit",
@@ -388,7 +394,8 @@ public Integer call() throws IOException {
               pathSarifMap,
               codemodParameters,
               sonarIssuesJsonFilePath,
-              defectDojoFindingsJsonFilePath);
+              defectDojoFindingsJsonFilePath,
+              contrastVulnerabilitiesXmlFilePath);
       List<CodemodIdPair> codemods = loader.getCodemods();
 
       log.debug("sarif files: {}", sarifFiles.size());

framework/codemodder-base/src/main/java/io/codemodder/CodemodLoader.java

@@ -29,7 +29,8 @@ public CodemodLoader(
       final Map<String, List<RuleSarif>> ruleSarifByTool,
       final List<ParameterArgument> codemodParameters,
       final Path sonarIssuesJsonFile,
-      final Path defectDojoFindingsJsonFile) {
+      final Path defectDojoFindingsJsonFile,
+      final Path contrastVulnerabilitiesXmlFilePath) {
 
     // get all the providers ready for dependency injection & codemod instantiation
     final List<CodemodProvider> providers =
@@ -100,7 +101,8 @@ public CodemodLoader(
               orderedCodemodTypes,
               allWantedSarifs,
               sonarIssuesJsonFile,
-              defectDojoFindingsJsonFile);
+              defectDojoFindingsJsonFile,
+              contrastVulnerabilitiesXmlFilePath);
       allModules.addAll(modules);
     }
 

framework/codemodder-base/src/main/java/io/codemodder/CodemodProvider.java

@@ -15,15 +15,17 @@ public interface CodemodProvider {
    * Return a set of Guice modules that allow dependency injection
    *
    * @param repository the repository root
-   * @param codemodTypes the codemod types that are being run
-   * @param sarifs the SARIF output of tools that are being run
    * @param includedFiles the files that qualify for inclusion based on the patterns provided
    * @param pathIncludes the path includes provided to the CLI (which could inform the providers on
    *     their own analysis)
    * @param pathExcludes the path excludes provided to the CLI (which could inform the providers on
    *     their own analysis)
+   * @param codemodTypes the codemod types that are being run
+   * @param sarifs the SARIF output of tools that are being run
    * @param sonarIssuesJsonPath the path to a Sonar issues JSON file retrieved from their web API --
    *     may be null
+   * @param contrastFindingsJsonPath the path to a Contrast findings JSON file retrieved from their
+   *     web API -- may be null
    * @return a set of modules that perform dependency injection
    */
   Set<AbstractModule> getModules(
@@ -34,13 +36,14 @@ Set<AbstractModule> getModules(
       List<Class<? extends CodeChanger>> codemodTypes,
       List<RuleSarif> sarifs,
       Path sonarIssuesJsonPath,
-      Path defectDojoFindingsJsonPath);
+      Path defectDojoFindingsJsonPath,
+      Path contrastFindingsJsonPath);
 
   /**
    * Tools this provider is interested in processing the SARIF output of. Codemodder CLI will look
    * for the SARIF outputted by tools in this list in the repository root and then provide the
-   * results to {@link #getModules(Path, List, List, List, List, List, Path, Path)} as a {@link
-   * List} of {@link RuleSarif}s.
+   * results to {@link #getModules(Path, List, List, List, List, List, Path, Path, Path)} as a
+   * {@link List} of {@link RuleSarif}s.
    *
    * <p>By default, this returns an empty list.
    *

framework/codemodder-base/src/test/java/io/codemodder/CodemodLoaderTest.java

@@ -410,6 +410,7 @@ private CodemodLoader createLoader(final Class<? extends CodeChanger> codemodTyp
         Map.of(),
         List.of(),
         null,
+        null,
         null);
   }
 
@@ -425,6 +426,7 @@ private CodemodLoader createLoader(
         Map.of(),
         List.of(),
         null,
+        null,
         null);
   }
 
@@ -443,6 +445,7 @@ private CodemodLoader createLoader(
         Map.of(),
         params,
         null,
+        null,
         null);
   }
 }

framework/codemodder-testutils/src/main/java/io/codemodder/testutils/CodemodTestMixin.java

@@ -136,7 +136,8 @@ private void verifyCodemod(
             map,
             List.of(),
             Files.exists(sonarJson) ? sonarJson : null,
-            Files.exists(defectDojo) ? defectDojo : null);
+            Files.exists(defectDojo) ? defectDojo : null,
+            null);
 
     List<CodemodIdPair> codemods = loader.getCodemods();
     assertThat(codemods.size(), equalTo(1));
@@ -231,6 +232,7 @@ private void verifyCodemod(
             map,
             List.of(),
             null,
+            null,
             null);
     CodemodIdPair codemod2 = loader2.getCodemods().get(0);
     CodemodExecutor executor2 =