generalize sonar urls (#600)

clavedeluna · web-flow · commit 17b9fa1c23a2 · 2024-05-30T11:57:12.000Z
* generalize sonar urls

* use sonar rule for testing
diff --git a/src/core_codemods/sonar/api.py b/src/core_codemods/sonar/api.py
@@ -7,7 +7,7 @@
 from codemodder.context import CodemodExecutionContext
 from codemodder.result import ResultSet
 from core_codemods.api.core_codemod import CoreCodemod, SASTCodemod
-from core_codemods.sonar.results import SonarResultSet
+from core_codemods.sonar.results import SonarResultSet, sonar_url_from_id
 
 
 class SonarCodemod(SASTCodemod):
@@ -22,9 +22,9 @@ def from_core_codemod(
         other: CoreCodemod,
         rule_id: str,
         rule_name: str,
-        rule_url: str,
         transformer: BaseTransformerPipeline | None = None,
     ):
+        rule_url = sonar_url_from_id(rule_id)
         return SonarCodemod(
             metadata=Metadata(
                 name=name,
diff --git a/src/core_codemods/sonar/results.py b/src/core_codemods/sonar/results.py
@@ -11,6 +11,17 @@
 from codemodder.result import LineInfo, Location, ResultSet, SASTResult
 
 
+def sonar_url_from_id(rule_id: str) -> str:
+    # convert "python:SXXX" or "pythonsecurity:SXXX" to XXX
+    try:
+        rule_id = rule_id.split(":")[1][1:]
+    except IndexError:
+        logger.debug("Invalid sonar rule id: %s", rule_id)
+        raise
+
+    return f"https://rules.sonarsource.com/python/RSPEC-{rule_id}/"
+
+
 class SonarLocation(Location):
     @classmethod
     def from_json_location(cls, json_location) -> Self:
@@ -48,7 +59,7 @@ def from_result(cls, result: dict) -> Self:
                 rule=Rule(
                     id=rule_id,
                     name=rule_id,
-                    url=None,
+                    url=sonar_url_from_id(rule_id),
                 ),
             ),
         )
diff --git a/src/core_codemods/sonar/sonar_break_or_continue_out_of_loop.py b/src/core_codemods/sonar/sonar_break_or_continue_out_of_loop.py
@@ -6,5 +6,4 @@
     other=BreakOrContinueOutOfLoop,
     rule_id="python:S1716",
     rule_name='"break" and "continue" should not be used outside a loop',
-    rule_url="https://rules.sonarsource.com/python/RSPEC-1716/",
 )
diff --git a/src/core_codemods/sonar/sonar_disable_graphql_introspection.py b/src/core_codemods/sonar/sonar_disable_graphql_introspection.py
@@ -6,5 +6,4 @@
     other=DisableGraphQLIntrospection,
     rule_id="python:S6786",
     rule_name="GraphQL introspection should be disabled in production",
-    rule_url="https://rules.sonarsource.com/python/RSPEC-6786/",
 )
diff --git a/src/core_codemods/sonar/sonar_django_json_response_type.py b/src/core_codemods/sonar/sonar_django_json_response_type.py
@@ -6,5 +6,4 @@
     other=DjangoJsonResponseType,
     rule_id="pythonsecurity:S5131",
     rule_name="Endpoints should not be vulnerable to reflected XSS attacks (Django)",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-5131/",
 )
diff --git a/src/core_codemods/sonar/sonar_django_model_without_dunder_str.py b/src/core_codemods/sonar/sonar_django_model_without_dunder_str.py
@@ -6,5 +6,4 @@
     other=DjangoModelWithoutDunderStr,
     rule_id="python:S6554",
     rule_name='Django models should define a "__str__" method',
-    rule_url="https://rules.sonarsource.com/python/RSPEC-6554/",
 )
diff --git a/src/core_codemods/sonar/sonar_django_receiver_on_top.py b/src/core_codemods/sonar/sonar_django_receiver_on_top.py
@@ -6,5 +6,4 @@
     other=DjangoReceiverOnTop,
     rule_id="python:S6552",
     rule_name="Django signal handler functions should have the `@receiver` decorator on top of all other decorators",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-6552/",
 )
diff --git a/src/core_codemods/sonar/sonar_enable_jinja2_autoescape.py b/src/core_codemods/sonar/sonar_enable_jinja2_autoescape.py
@@ -6,5 +6,4 @@
     other=EnableJinja2Autoescape,
     rule_id="python:S5247",
     rule_name="Disabling auto-escaping in template engines is security-sensitive",
-    rule_url="https://rules.sonarsource.com/python/RSPEC-5247/",
 )
diff --git a/src/core_codemods/sonar/sonar_exception_without_raise.py b/src/core_codemods/sonar/sonar_exception_without_raise.py
@@ -6,5 +6,4 @@
     other=ExceptionWithoutRaise,
     rule_id="python:S3984",
     rule_name="Exceptions should not be created without being raised",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-3984/",
 )
diff --git a/src/core_codemods/sonar/sonar_fix_assert_tuple.py b/src/core_codemods/sonar/sonar_fix_assert_tuple.py
@@ -6,5 +6,4 @@
     other=FixAssertTuple,
     rule_id="python:S5905",
     rule_name="Assert should not be called on a tuple literal",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-5905/",
 )
diff --git a/src/core_codemods/sonar/sonar_fix_float_equality.py b/src/core_codemods/sonar/sonar_fix_float_equality.py
@@ -6,5 +6,4 @@
     other=FixFloatEquality,
     rule_id="python:S1244",
     rule_name="Floating point numbers should not be tested for equality",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-1244/",
 )
diff --git a/src/core_codemods/sonar/sonar_fix_math_isclose.py b/src/core_codemods/sonar/sonar_fix_math_isclose.py
@@ -33,6 +33,5 @@ def match_location(self, pos, result):
     other=FixMathIsClose,
     rule_id="python:S6727",
     rule_name="The abs_tol parameter should be provided when using math.isclose to compare values to 0",
-    rule_url="https://rules.sonarsource.com/python/RSPEC-6727/",
     transformer=LibcstTransformerPipeline(FixMathIsCloseSonarTransformer),
 )
diff --git a/src/core_codemods/sonar/sonar_fix_missing_self_or_cls.py b/src/core_codemods/sonar/sonar_fix_missing_self_or_cls.py
@@ -6,5 +6,4 @@
     other=FixMissingSelfOrCls,
     rule_id="python:S5719",
     rule_name="Instance and class methods should have at least one positional parameter",
-    rule_url="https://rules.sonarsource.com/python/RSPEC-5719/",
 )
diff --git a/src/core_codemods/sonar/sonar_flask_json_response_type.py b/src/core_codemods/sonar/sonar_flask_json_response_type.py
@@ -6,5 +6,4 @@
     other=FlaskJsonResponseType,
     rule_id="pythonsecurity:S5131",
     rule_name="Endpoints should not be vulnerable to reflected XSS attacks (Flask)",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-5131/",
 )
diff --git a/src/core_codemods/sonar/sonar_jwt_decode_verify.py b/src/core_codemods/sonar/sonar_jwt_decode_verify.py
@@ -34,6 +34,5 @@ def match_location(self, pos, result):
     other=JwtDecodeVerify,
     rule_id="python:S5659",
     rule_name="JWT should be signed and verified",
-    rule_url="https://rules.sonarsource.com/python/RSPEC-5659/",
     transformer=LibcstTransformerPipeline(JwtDecodeVerifySonarTransformer),
 )
diff --git a/src/core_codemods/sonar/sonar_literal_or_new_object_identity.py b/src/core_codemods/sonar/sonar_literal_or_new_object_identity.py
@@ -6,5 +6,4 @@
     other=LiteralOrNewObjectIdentity,
     rule_id="python:S5796",
     rule_name="New objects should not be created only to check their identity",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-5796/",
 )
diff --git a/src/core_codemods/sonar/sonar_numpy_nan_equality.py b/src/core_codemods/sonar/sonar_numpy_nan_equality.py
@@ -6,5 +6,4 @@
     other=NumpyNanEquality,
     rule_id="python:S6725",
     rule_name="Equality checks should not be made against `numpy.nan`",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-6725/",
 )
diff --git a/src/core_codemods/sonar/sonar_remove_assertion_in_pytest_raises.py b/src/core_codemods/sonar/sonar_remove_assertion_in_pytest_raises.py
@@ -8,5 +8,4 @@
     other=RemoveAssertionInPytestRaises,
     rule_id="python:S5915",
     rule_name="Assertions should not be made at the end of blocks expecting an exception",
-    rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-5915/",
 )
diff --git a/src/core_codemods/sonar/sonar_secure_random.py b/src/core_codemods/sonar/sonar_secure_random.py
@@ -6,5 +6,4 @@
     other=SecureRandom,
     rule_id="python:S2245",
     rule_name="Using pseudorandom number generators (PRNGs) is security-sensitive",
-    rule_url="https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-2245/",
 )
diff --git a/src/core_codemods/sonar/sonar_sql_parameterization.py b/src/core_codemods/sonar/sonar_sql_parameterization.py
@@ -6,5 +6,4 @@
     other=SQLQueryParameterization,
     rule_id="pythonsecurity:S3649",
     rule_name="Database queries should not be vulnerable to injection attacks",
-    rule_url="https://rules.sonarsource.com/python/RSPEC-3649/",
 )
diff --git a/src/core_codemods/sonar/sonar_tempfile_mktemp.py b/src/core_codemods/sonar/sonar_tempfile_mktemp.py
@@ -6,5 +6,4 @@
     other=TempfileMktemp,
     rule_id="python:S5445",
     rule_name="Insecure temporary file creation methods should not be used",
-    rule_url="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5445/",
 )
diff --git a/src/core_codemods/sonar/sonar_url_sandbox.py b/src/core_codemods/sonar/sonar_url_sandbox.py
@@ -6,5 +6,4 @@
     other=UrlSandbox,
     rule_id="pythonsecurity:S5144",
     rule_name="Server-side requests should not be vulnerable to forging attacks",
-    rule_url="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5144/",
 )
diff --git a/tests/test_libcst_transformer.py b/tests/test_libcst_transformer.py
@@ -100,6 +100,7 @@ def _apply_and_assert_with_tool(mocker, transformer, reason, results):
     assert len(file_context.failures) == 1
     assert len(file_context.unfixed_findings) == 1
     assert file_context.unfixed_findings[0].reason == reason
+    return file_context
 
 
 def test_parse_error(mocker, caplog):
@@ -143,7 +144,11 @@ def test_transformer_error_with_defectdojo(mocker, caplog):
 def test_transformer_error_with_sonar(mocker, caplog):
     transformer = mocker.MagicMock(spec=LibcstResultTransformer)
     transformer.transform.side_effect = ParserSyntaxError
-    _apply_and_assert_with_tool(
+    file_context = _apply_and_assert_with_tool(
         mocker, transformer, "Failed to transform file", SONAR_RESULTS
     )
     assert "Failed to transform file" in caplog.text
+    assert (
+        file_context.unfixed_findings[0].rule.url
+        == "https://rules.sonarsource.com/python/RSPEC-1716/"
+    )
diff --git a/tests/test_results.py b/tests/test_results.py
@@ -9,7 +9,7 @@ def test_or(self, tmpdir):
         issues1 = {
             "issues": [
                 {
-                    "rule": "rule",
+                    "rule": "python:S5659",
                     "status": "OPEN",
                     "component": "code.py",
                     "textRange": {
@@ -24,7 +24,7 @@ def test_or(self, tmpdir):
         issues2 = {
             "issues": [
                 {
-                    "rule": "rule",
+                    "rule": "python:S5659",
                     "status": "OPEN",
                     "component": "code.py",
                     "textRange": {
@@ -45,15 +45,21 @@ def test_or(self, tmpdir):
         result2 = SonarResultSet.from_json(sonar_json2)
 
         combined = result1 | result2
-        assert len(combined["rule"][Path("code.py")]) == 2
-        assert result2["rule"][Path("code.py")][0] in combined["rule"][Path("code.py")]
-        assert result1["rule"][Path("code.py")][0] in combined["rule"][Path("code.py")]
+        assert len(combined["python:S5659"][Path("code.py")]) == 2
+        assert (
+            result2["python:S5659"][Path("code.py")][0]
+            in combined["python:S5659"][Path("code.py")]
+        )
+        assert (
+            result1["python:S5659"][Path("code.py")][0]
+            in combined["python:S5659"][Path("code.py")]
+        )
 
     def test_sonar_only_open_issues(self, tmpdir):
         issues = {
             "issues": [
                 {
-                    "rule": "rule",
+                    "rule": "python:S5659",
                     "status": "OPEN",
                     "component": "code.py",
                     "textRange": {
@@ -64,7 +70,7 @@ def test_sonar_only_open_issues(self, tmpdir):
                     },
                 },
                 {
-                    "rule": "rule",
+                    "rule": "python:S5659",
                     "status": "RESOLVED",
                     "component": "code.py",
                     "textRange": {
@@ -80,13 +86,13 @@ def test_sonar_only_open_issues(self, tmpdir):
         sonar_json1.write_text(json.dumps(issues))
 
         result = SonarResultSet.from_json(sonar_json1)
-        assert len(result["rule"][Path("code.py")]) == 1
+        assert len(result["python:S5659"][Path("code.py")]) == 1
 
     def test_sonar_flows(self, tmpdir):
         issues = {
             "issues": [
                 {
-                    "rule": "rule",
+                    "rule": "python:S5659",
                     "textRange": {
                         "startLine": 1,
                         "endLine": 1,
@@ -118,7 +124,7 @@ def test_sonar_flows(self, tmpdir):
         sonar_json1.write_text(json.dumps(issues))
 
         resultset = SonarResultSet.from_json(sonar_json1)
-        result = resultset["rule"][Path("code.py")][0]
+        result = resultset["python:S5659"][Path("code.py")][0]
         assert result.codeflows
         assert result.codeflows[0]
         assert result.codeflows[0][0].start.line == 1

Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=BreakOrContinueOutOfLoop,`
`7`	`7`	`rule_id="python:S1716",`
`8`	`8`	`rule_name='"break" and "continue" should not be used outside a loop',`
`9`		`- rule_url="https://rules.sonarsource.com/python/RSPEC-1716/",`
`10`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=DisableGraphQLIntrospection,`
`7`	`7`	`rule_id="python:S6786",`
`8`	`8`	`rule_name="GraphQL introspection should be disabled in production",`
`9`		`- rule_url="https://rules.sonarsource.com/python/RSPEC-6786/",`
`10`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=DjangoJsonResponseType,`
`7`	`7`	`rule_id="pythonsecurity:S5131",`
`8`	`8`	`rule_name="Endpoints should not be vulnerable to reflected XSS attacks (Django)",`
`9`		`- rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-5131/",`
`10`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=DjangoModelWithoutDunderStr,`
`7`	`7`	`rule_id="python:S6554",`
`8`	`8`	`rule_name='Django models should define a "__str__" method',`
`9`		`- rule_url="https://rules.sonarsource.com/python/RSPEC-6554/",`
`10`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=DjangoReceiverOnTop,`
`7`	`7`	`rule_id="python:S6552",`
`8`	`8`	rule_name="Django signal handler functions should have the `@receiver` decorator on top of all other decorators",
`9`		`- rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-6552/",`
`10`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=EnableJinja2Autoescape,`
`7`	`7`	`rule_id="python:S5247",`
`8`	`8`	`rule_name="Disabling auto-escaping in template engines is security-sensitive",`
`9`		`- rule_url="https://rules.sonarsource.com/python/RSPEC-5247/",`
`10`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=ExceptionWithoutRaise,`
`7`	`7`	`rule_id="python:S3984",`
`8`	`8`	`rule_name="Exceptions should not be created without being raised",`
`9`		`- rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-3984/",`
`10`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,4 @@`
`6`	`6`	`other=FixAssertTuple,`
`7`	`7`	`rule_id="python:S5905",`
`8`	`8`	`rule_name="Assert should not be called on a tuple literal",`
`9`		`- rule_url="https://rules.sonarsource.com/python/type/Bug/RSPEC-5905/",`
`10`	`9`	`)`