Sonarcloud codemod - Harden String Parse to primitives (Integer/Float constructor cases) (#252)

Finish Sonarcloud codemod (HardenStringParseToPrimitivesCodemod) to
enforce the appropriate parsing technique for converting Strings to
primitive types in the codebase.

This PR handles the `new Float`//`new Integer` constructor cases
(ObjectCreationExpr nodes).

Previous PR that handles `.valueOf` cases ->
#250

Sonar rule reference https://rules.sonarsource.com/java/RSPEC-2130/

sonar cloud issues related to string-to-primitive conversion:
https://sonarcloud.io/project/issues?fileUuids=AYvtrjqILCzGLicz7AY_&resolved=false&id=nahsra_WebGoat_10_23

**IMPORTANT NOTE!!!!**

As you can see on the
[Test.java.before](https://github.com/pixee/codemodder-java/compare/sonar-codemod-integer-parseInt...sonar-codemod-harden-string-parsing-CONSTRUCTORS?expand=1#diff-4676d84eb5c765c1163ce8dde3e2f8a0c437ef1122c9e6ad490ff599557a655b)
the following cases are not reported by
[sonarcloud](https://sonarcloud.io/project/issues?fileUuids=AYvtrjqILCzGLicz7AY_&resolved=false&id=nahsra_WebGoat_10_23):

```
float myFloatValue = (new Float(myNum)).floatValue();
int myIntValue = (new Integer(myNum)).intValue();
```

Therefore, those cases are not being fixed

---------

Co-authored-by: Arshan Dabirsiaghi <[email protected]>

Author: carlosu7

core-codemods/src/main/java/io/codemodder/codemods/HardenStringParseToPrimitivesCodemod.java

@@ -3,8 +3,7 @@
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;
 import com.github.javaparser.ast.NodeList;
-import com.github.javaparser.ast.expr.Expression;
-import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.*;
 import com.github.javaparser.ast.type.Type;
 import io.codemodder.*;
 import io.codemodder.providers.sonar.ProvidedSonarScan;
@@ -24,14 +23,83 @@
     executionPriority = CodemodExecutionPriority.HIGH)
 public final class HardenStringParseToPrimitivesCodemod extends CompositeJavaParserChanger {
 
-  // TODO create another static sonar java parser changer to handle constructor cases
-  // (ObjectCreationExpr)
   @Inject
   public HardenStringParseToPrimitivesCodemod(
-      final HardenParseForValueOfChanger parseMethodCallExprChanger) {
-    super(parseMethodCallExprChanger);
+      final HardenParseForConstructorChanger hardenParseForConstructorChanger,
+      final HardenParseForValueOfChanger hardenParseForValueOfChanger) {
+    super(hardenParseForConstructorChanger, hardenParseForValueOfChanger);
   }
 
+  private static Optional<String> determineParsingMethodForType(final String type) {
+    if ("java.lang.Integer".equals(type) || "Integer".equals(type)) {
+      return Optional.of("parseInt");
+    }
+
+    if ("java.lang.Float".equals(type) || "Float".equals(type)) {
+      return Optional.of("parseFloat");
+    }
+
+    return Optional.empty();
+  }
+
+  /**
+   * Handles cases where Strings are converted to numbers using constructors like new Integer("24")
+   * or new Float("12").
+   */
+  private static final class HardenParseForConstructorChanger
+      extends SonarPluginJavaParserChanger<ObjectCreationExpr> {
+
+    @Inject
+    public HardenParseForConstructorChanger(
+        @ProvidedSonarScan(ruleId = "java:S2130") final RuleIssues issues) {
+      super(
+          issues,
+          ObjectCreationExpr.class,
+          RegionNodeMatcher.MATCHES_START,
+          CodemodReporterStrategy.empty());
+    }
+
+    @Override
+    public boolean onIssueFound(
+        final CodemodInvocationContext context,
+        final CompilationUnit cu,
+        final ObjectCreationExpr objectCreationExpr,
+        final Issue issue) {
+
+      final String type = objectCreationExpr.getType().asString();
+      final Expression argumentExpression = objectCreationExpr.getArguments().get(0);
+
+      final Optional<Expression> argument = extractArgumentExpression(argumentExpression);
+
+      final Optional<String> replacementMethod = determineParsingMethodForType(type);
+
+      if (replacementMethod.isPresent() && argument.isPresent()) {
+        MethodCallExpr replacementExpr =
+            new MethodCallExpr(new NameExpr(type), replacementMethod.get());
+
+        replacementExpr.addArgument(argument.get());
+
+        objectCreationExpr.replace(replacementExpr);
+        return true;
+      }
+
+      return false;
+    }
+
+    private Optional<Expression> extractArgumentExpression(Expression argumentExpression) {
+      if (argumentExpression instanceof StringLiteralExpr
+          || argumentExpression instanceof NameExpr) {
+        return Optional.of(argumentExpression);
+      }
+      // Handle other cases or return null if unable to extract the argument expression
+      return Optional.empty();
+    }
+  }
+
+  /**
+   * Handles cases where Strings are converted to numbers using the static method .valueOf() from
+   * Integer or Float classes.
+   */
   private static final class HardenParseForValueOfChanger
       extends SonarPluginJavaParserChanger<MethodCallExpr> {
 
@@ -57,10 +125,10 @@ public boolean onIssueFound(
       if ("valueOf".equals(methodName)) {
         final String targetType = retrieveTargetTypeFromMethodCallExpr(methodCallExpr);
 
-        final String replacementMethod = determineParsingMethodForType(targetType);
+        final Optional<String> replacementMethod = determineParsingMethodForType(targetType);
 
-        if (replacementMethod != null) {
-          methodCallExpr.setName(replacementMethod);
+        if (replacementMethod.isPresent()) {
+          methodCallExpr.setName(replacementMethod.get());
 
           return handleMethodCallChainsAfterValueOfIfNeeded(methodCallExpr);
         }
@@ -79,15 +147,6 @@ private String retrieveTargetTypeFromMethodCallExpr(final MethodCallExpr methodC
           : optionalTypeArguments.get().get(0).toString();
     }
 
-    private String determineParsingMethodForType(final String type) {
-      return switch (type) {
-        case "java.lang.Integer" -> "parseInt";
-        case "java.lang.Float" -> "parseFloat";
-          // Add more cases if needed
-        default -> null;
-      };
-    }
-
     private boolean handleMethodCallChainsAfterValueOfIfNeeded(
         final MethodCallExpr methodCallExpr) {
 

core-codemods/src/test/resources/harden-string-parse-to-primitives-s2130/Test.java.after

@@ -17,14 +17,19 @@ public class Flags {
 
   public Flag getFlag(Lesson forLesson) {
     String myNum = "42.0";
-    float myFloat = new Float(myNum);
+    //comment
 
     String lessonName = forLesson.getName();
     int challengeNumber = Integer.parseInt(lessonName.substring(lessonName.length() - 1));
-    float floatNumber = Float.parseFloat(myNum);
+    float floatNumber = Float.parseFloat("12.1");
     float floatValue = Float.parseFloat(myNum);
-    float intValue = Integer.parseInt(myNum);
-    System.out.println(myFloat + floatValue + intValue + floatNumber);
+    float intValue = Integer.parseInt("12.1");
+
+      float myFloat = Float.parseFloat(myNum);
+      int myInteger = Integer.parseInt("42.0");
+      float myFloatValue = (new Float(myNum)).floatValue();
+      int myIntValue = (new Integer(myNum)).intValue();
+      System.out.println(myFloat + floatValue + intValue + floatNumber + myInteger + myIntValue + myFloatValue + myFloat);
     return FLAGS.get(challengeNumber);
   }
 

core-codemods/src/test/resources/harden-string-parse-to-primitives-s2130/Test.java.before

@@ -17,14 +17,19 @@ public class Flags {
 
   public Flag getFlag(Lesson forLesson) {
     String myNum = "42.0";
-    float myFloat = new Float(myNum);
+    //comment
 
     String lessonName = forLesson.getName();
     int challengeNumber = Integer.valueOf(lessonName.substring(lessonName.length() - 1));
-    float floatNumber = Float.valueOf(myNum);
+    float floatNumber = Float.valueOf("12.1");
     float floatValue = Float.valueOf(myNum).floatValue();
-    float intValue = Integer.valueOf(myNum).intValue();
-    System.out.println(myFloat + floatValue + intValue + floatNumber);
+    float intValue = Integer.valueOf("12.1").intValue();
+
+      float myFloat = new Float(myNum);
+      int myInteger = new Integer("42.0");
+      float myFloatValue = (new Float(myNum)).floatValue();
+      int myIntValue = (new Integer(myNum)).intValue();
+      System.out.println(myFloat + floatValue + intValue + floatNumber + myInteger + myIntValue + myFloatValue + myFloat);
     return FLAGS.get(challengeNumber);
   }
 

core-codemods/src/test/resources/harden-string-parse-to-primitives-s2130/sonar-issues.json

@@ -1,15 +1,50 @@
 {
-  "total": 5,
+  "total": 6,
   "p": 1,
   "ps": 500,
   "paging": {
     "pageIndex": 1,
     "pageSize": 500,
-    "total": 5
+    "total": 6
   },
-  "effortTotal": 25,
-  "debtTotal": 25,
+  "effortTotal": 30,
+  "debtTotal": 30,
   "issues": [
+    {
+      "key": "AYwmb6JsSgLxngfUhaWn",
+      "rule": "java:S2130",
+      "severity": "MINOR",
+      "component": "nahsra_WebGoat_10_23:src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java",
+      "project": "nahsra_WebGoat_10_23",
+      "line": 29,
+      "hash": "e8d98f9baed7eca69d81e26f0dbf17bc",
+      "textRange": {
+        "startLine": 29,
+        "endLine": 29,
+        "startOffset": 22,
+        "endOffset": 40
+      },
+      "flows": [],
+      "status": "OPEN",
+      "message": "Use \"Integer.parseInt\" for this string-to-int conversion.",
+      "effort": "5min",
+      "debt": "5min",
+      "tags": [
+        "performance"
+      ],
+      "creationDate": "2023-12-01T18:28:54+0100",
+      "updateDate": "2023-12-01T18:28:54+0100",
+      "type": "CODE_SMELL",
+      "organization": "nahsra",
+      "cleanCodeAttribute": "CONVENTIONAL",
+      "cleanCodeAttributeCategory": "CONSISTENT",
+      "impacts": [
+        {
+          "softwareQuality": "MAINTAINABILITY",
+          "severity": "LOW"
+        }
+      ]
+    },
     {
       "key": "AYwihbvytTDRswqzoUqo",
       "rule": "java:S2130",
@@ -121,13 +156,13 @@
       "severity": "MINOR",
       "component": "nahsra_WebGoat_10_23:src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java",
       "project": "nahsra_WebGoat_10_23",
-      "line": 20,
-      "hash": "f6070e2b27ea25b14551cb2e887631a2",
+      "line": 28,
+      "hash": "bd129f84f059826048f35d0736374bfa",
       "textRange": {
-        "startLine": 20,
-        "endLine": 20,
-        "startOffset": 20,
-        "endOffset": 36
+        "startLine": 28,
+        "endLine": 28,
+        "startOffset": 22,
+        "endOffset": 38
       },
       "flows": [],
       "status": "OPEN",

plugins/codemodder-plugin-sonar/src/main/java/io/codemodder/providers/sonar/SonarModule.java

@@ -82,6 +82,9 @@ protected void configure() {
                   .flatMap(Arrays::stream)
                   .toList();
 
+          // Outside the loop, create a map to track already bound ruleIds
+          final Map<String, Boolean> boundRuleIds = new HashMap<>();
+
           injectableParams.forEach(
               param -> {
                 ProvidedSonarScan annotation = param.getAnnotation(ProvidedSonarScan.class);
@@ -95,6 +98,13 @@ protected void configure() {
                           + ")");
                 }
 
+                final String ruleId = annotation.ruleId();
+
+                // Check if the ruleId has already been bound
+                if (boundRuleIds.containsKey(ruleId)) {
+                  return; // Skip binding if already bound
+                }
+
                 // bind from existing scan
                 List<Issue> issues = perRuleBreakdown.get(annotation.ruleId());
 
@@ -114,6 +124,8 @@ protected void configure() {
                       });
                   RuleIssues ruleIssues = new DefaultRuleIssues(issuesByPath);
                   bind(RuleIssues.class).annotatedWith(annotation).toInstance(ruleIssues);
+                  // Mark the ruleId as bound
+                  boundRuleIds.put(ruleId, true);
                 }
               });
         }