New RSA key size transformer and semgrep codemod (#711)

* add debug statements

* new semgrep codemod for rsa key size

* document

* refactor

Author: clavedeluna

src/codemodder/codemods/libcst_transformer.py

@@ -278,9 +278,11 @@ def apply(
             return None
 
         if not file_context.codemod_changes:
+            logger.debug("No changes produced for %s", file_path)
             return None
 
         if not (diff := create_diff_from_tree(source_tree, tree)):
+            logger.debug("No code diff produced for %s", file_path)
             return None
 
         change_set = ChangeSet(

src/codemodder/scripts/generate_docs.py

@@ -339,7 +339,12 @@ class DocMetadata:
         importance="Medium",
         guidance_explained="Our change provides the most secure way to create cookies in Django. However, it's possible you have configured your Django application configurations to use secure cookies. In these cases, using the default parameters for `set_cookie` is safe.",
         need_sarif="Yes (Semgrep)",
-    )
+    ),
+    "rsa-key-size": DocMetadata(
+        importance="Medium",
+        guidance_explained="This codemod updates the key size for RSA to the `2048` recommended minimum. Since this is an important security fix that follows modern cryptographic standards, we believe this change can be safely merged without review.",
+        need_sarif="Yes (Semgrep)",
+    ),
 }
 ALL_CODEMODS_METADATA = (
     CORE_CODEMODS | DEFECTDOJO_CODEMODS | SONAR_CODEMODS | SEMGREP_CODEMODS

src/core_codemods/__init__.py

@@ -58,6 +58,7 @@
 from .semgrep.semgrep_enable_jinja2_autoescape import SemgrepEnableJinja2Autoescape
 from .semgrep.semgrep_harden_pyyaml import SemgrepHardenPyyaml
 from .semgrep.semgrep_jwt_decode_verify import SemgrepJwtDecodeVerify
+from .semgrep.semgrep_rsa_key_size import SemgrepRsaKeySize
 from .semgrep.semgrep_subprocess_shell_false import SemgrepSubprocessShellFalse
 from .semgrep.semgrep_use_defused_xml import SemgrepUseDefusedXml
 from .sonar.sonar_break_or_continue_out_of_loop import SonarBreakOrContinueOutOfLoop
@@ -208,5 +209,6 @@
         SemgrepSubprocessShellFalse,
         SemgrepDjangoSecureSetCookie,
         SemgrepHardenPyyaml,
+        SemgrepRsaKeySize,
     ],
 )

src/core_codemods/semgrep/semgrep_rsa_key_size.py

@@ -0,0 +1,82 @@
+import libcst as cst
+
+from codemodder.codemods.base_codemod import (
+    Metadata,
+    ReviewGuidance,
+    ToolMetadata,
+    ToolRule,
+)
+from codemodder.codemods.libcst_transformer import (
+    LibcstResultTransformer,
+    LibcstTransformerPipeline,
+    NewArg,
+)
+from codemodder.codemods.semgrep import SemgrepSarifFileDetector
+from codemodder.result import fuzzy_column_match, same_line
+from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
+
+RSA_KEYSIZE = "2048"
+
+
+class RsaKeySizeTransformer(LibcstResultTransformer):
+    change_description = "Change the RSA key size to 2048"
+
+    def on_result_found(self, original_node, updated_node):
+        if len(original_node.args) < 2:
+            return original_node
+
+        if original_node.args[1].keyword is None:
+            new_args = [original_node.args[0], self.make_new_arg(RSA_KEYSIZE)]
+        else:
+            new_args = self.replace_args(
+                original_node,
+                [NewArg(name="key_size", value=RSA_KEYSIZE, add_if_missing=False)],
+            )
+        return self.update_arg_target(updated_node, new_args)
+
+    def filter_by_result(self, node) -> bool:
+        """
+        Special case result-matching for this rule because the SAST
+        results returned have a start/end column for the key_size keyword
+        within the call, not for the entire call.
+        """
+        match node:
+            case cst.Call():
+                pos_to_match = self.node_position(node)
+                return any(
+                    self.match_location(pos_to_match, result)
+                    for result in self.results or []
+                )
+        return False
+
+    def match_location(self, pos, result):
+        return any(
+            same_line(pos, location) and fuzzy_column_match(pos, location)
+            for location in result.locations
+        )
+
+
+SemgrepRsaKeySize = SemgrepCodemod(
+    metadata=Metadata(
+        name="rsa-key-size",
+        summary=RsaKeySizeTransformer.change_description.title(),
+        description=RsaKeySizeTransformer.change_description.title(),
+        review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW,
+        tool=ToolMetadata(
+            name="Semgrep",
+            rules=[
+                ToolRule(
+                    id=(
+                        rule_id := "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
+                    ),
+                    name="insufficient-rsa-key-size",
+                    url=semgrep_url_from_id(rule_id),
+                )
+            ],
+        ),
+        references=[],
+    ),
+    transformer=LibcstTransformerPipeline(RsaKeySizeTransformer),
+    detector=SemgrepSarifFileDetector(),
+    requested_rules=[rule_id],
+)

tests/codemods/semgrep/test_semgrep_rsa_key_size.py

@@ -0,0 +1,82 @@
+import json
+
+from codemodder.codemods.test import BaseSASTCodemodTest
+from core_codemods.semgrep.semgrep_rsa_key_size import SemgrepRsaKeySize
+
+
+class TestSemgrepRsaKeySize(BaseSASTCodemodTest):
+    codemod = SemgrepRsaKeySize
+    tool = "semgrep"
+
+    def test_name(self):
+        assert self.codemod.name == "rsa-key-size"
+
+    def _run_and_assert_with_results(self, tmpdir, input_code, expected_output):
+        results = {
+            "runs": [
+                {
+                    "results": [
+                        {
+                            "fingerprints": {"matchBasedId/v1": "123"},
+                            "locations": [
+                                {
+                                    "physicalLocation": {
+                                        "artifactLocation": {
+                                            "uri": "code.py",
+                                            "uriBaseId": "%SRCROOT%",
+                                        },
+                                        "region": {
+                                            "endColumn": 37,
+                                            "endLine": 3,
+                                            "snippet": {
+                                                "text": "rsa.generate_private_key(65537, 1024)"
+                                            },
+                                            "startColumn": 33,
+                                            "startLine": 3,
+                                        },
+                                    }
+                                }
+                            ],
+                            "message": {
+                                "text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."
+                            },
+                            "properties": {},
+                            "ruleId": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
+                        }
+                    ]
+                }
+            ]
+        }
+        self.run_and_assert(
+            tmpdir,
+            input_code,
+            expected_output,
+            results=json.dumps(results),
+        )
+
+    def test_keysize_arg(self, tmpdir):
+        input_code = """\
+        from cryptography.hazmat.primitives.asymmetric import rsa
+        
+        rsa.generate_private_key(65537, 1024)
+        """
+        expected_output = """\
+        from cryptography.hazmat.primitives.asymmetric import rsa
+        
+        rsa.generate_private_key(65537, 2048)
+        """
+
+        self._run_and_assert_with_results(tmpdir, input_code, expected_output)
+
+    def test_keysize_kwarg(self, tmpdir):
+        input_code = """\
+        from cryptography.hazmat.primitives.asymmetric import rsa
+
+        rsa.generate_private_key(65537, key_size=1024)
+        """
+        expected_output = """\
+        from cryptography.hazmat.primitives.asymmetric import rsa
+
+        rsa.generate_private_key(65537, key_size=2048)
+        """
+        self._run_and_assert_with_results(tmpdir, input_code, expected_output)