added new remediator and test

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -37,6 +37,7 @@ public static List<Class<? extends CodeChanger>> asList() {
         CodeQLLogInjectionCodemod.class,
         CodeQLMavenSecureURLCodemod.class,
         CodeQLOutputResourceLeakCodemod.class,
+        CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.class,
         CodeQLPredictableSeedCodemod.class,
         CodeQLRegexInjectionCodemod.class,
         CodeQLSQLInjectionCodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.java

@@ -0,0 +1,55 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.weakcrypto.WeakCryptoAlgorithmRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing weak crypto algorithms. */
+@Codemod(
+    id = "codeql:java/potentially-weak-cryptographic-algorithm",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod extends CodeQLRemediationCodemod {
+
+  private final Remediator<Result> remediator;
+
+  @Inject
+  public CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/potentially-weak-cryptographic-algorithm")
+          final RuleSarif sarif) {
+    super(GenericRemediationMetadata.WEAK_CRYPTO_ALGORITHM.reporter(), sarif);
+    this.remediator = new WeakCryptoAlgorithmRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "potentially-weak-cryptographic-algorithm",
+        "Use of a potentially broken or risky cryptographic algorithm",
+        "https://codeql.github.com/codeql-query-help/java/java-potentially-weak-cryptographic-algorithm/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r -> Optional.empty());
+  }
+}

core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest.java

@@ -0,0 +1,13 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.class,
+    testResourceDir = "codeql-potentially-unsafe-crypto-algorithm",
+    renameTestFile = "app/src/main/java/org/apache/roller/weblogger/util/WSSEUtilities.java",
+    expectingFixesAtLines = {38},
+    doRetransformTest = false,
+    dependencies = {})
+final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/resources/codeql-potentially-unsafe-crypto-algorithm/WSSEUtilities.java.after

@@ -0,0 +1,83 @@
+/*
+ * Copyright 2005, Dave Johnson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.roller.weblogger.util;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.commons.codec.binary.Base64;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+/**
+ * Utilties to support WSSE authentication.
+ * @author Dave Johnson
+ */
+public class WSSEUtilities {
+    public static synchronized String generateDigest(
+            byte[] nonce, byte[] created, byte[] password) {
+        String result = null;
+        try {
+            MessageDigest digester = MessageDigest.getInstance("SHA-256");
+            digester.reset();
+            digester.update(nonce);
+            digester.update(created);
+            digester.update(password);
+            byte[] digest = digester.digest();
+            result = base64Encode(digest);
+        }
+        catch (NoSuchAlgorithmException e) {
+            result = null;
+        }
+        return result;
+    }
+    public static byte[] base64Decode(String value) throws IOException {
+        return Base64.decodeBase64(value.getBytes(UTF_8));
+    }
+    public static String base64Encode(byte[] value) {
+        return new String(Base64.encodeBase64(value));
+    }
+    public static String generateWSSEHeader(String userName, String password)
+    throws UnsupportedEncodingException {
+
+        byte[] nonceBytes = Long.toString(new Date().getTime()).getBytes();
+        String nonce = WSSEUtilities.base64Encode(nonceBytes);
+
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
+        String created = sdf.format(new Date());
+
+        String digest = WSSEUtilities.generateDigest(
+                nonceBytes, created.getBytes(UTF_8), password.getBytes(UTF_8));
+
+        StringBuilder header = new StringBuilder("UsernameToken Username=\"");
+        header.append(userName);
+        header.append("\", ");
+        header.append("PasswordDigest=\"");
+        header.append(digest);
+        header.append("\", ");
+        header.append("Nonce=\"");
+        header.append(nonce);
+        header.append("\", ");
+        header.append("Created=\"");
+        header.append(created);
+        header.append("\"");
+        return header.toString();
+    }
+}

core-codemods/src/test/resources/codeql-potentially-unsafe-crypto-algorithm/WSSEUtilities.java.before

@@ -0,0 +1,83 @@
+/*
+ * Copyright 2005, Dave Johnson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.roller.weblogger.util;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.commons.codec.binary.Base64;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+/**
+ * Utilties to support WSSE authentication.
+ * @author Dave Johnson
+ */
+public class WSSEUtilities {
+    public static synchronized String generateDigest(
+            byte[] nonce, byte[] created, byte[] password) {
+        String result = null;
+        try {
+            MessageDigest digester = MessageDigest.getInstance("SHA");
+            digester.reset();
+            digester.update(nonce);
+            digester.update(created);
+            digester.update(password);
+            byte[] digest = digester.digest();
+            result = base64Encode(digest);
+        }
+        catch (NoSuchAlgorithmException e) {
+            result = null;
+        }
+        return result;
+    }
+    public static byte[] base64Decode(String value) throws IOException {
+        return Base64.decodeBase64(value.getBytes(UTF_8));
+    }
+    public static String base64Encode(byte[] value) {
+        return new String(Base64.encodeBase64(value));
+    }
+    public static String generateWSSEHeader(String userName, String password)
+    throws UnsupportedEncodingException {
+
+        byte[] nonceBytes = Long.toString(new Date().getTime()).getBytes();
+        String nonce = WSSEUtilities.base64Encode(nonceBytes);
+
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
+        String created = sdf.format(new Date());
+
+        String digest = WSSEUtilities.generateDigest(
+                nonceBytes, created.getBytes(UTF_8), password.getBytes(UTF_8));
+
+        StringBuilder header = new StringBuilder("UsernameToken Username=\"");
+        header.append(userName);
+        header.append("\", ");
+        header.append("PasswordDigest=\"");
+        header.append(digest);
+        header.append("\", ");
+        header.append("Nonce=\"");
+        header.append(nonce);
+        header.append("\", ");
+        header.append("Created=\"");
+        header.append(created);
+        header.append("\"");
+        return header.toString();
+    }
+}