Added CWE links for several codemods (#964)

* Added CWE information for Sonar and some pixee codemod

* Added CWE informatino for Semgrep, Defectdojo, and some pixee codemods

* Added missing CWE information for pixee codemods

* Changed get to head for url test

* Filtered duplicates from queried urls in test

Author: andrecsilva

integration_tests/test_codemod_urls.py

@@ -10,7 +10,8 @@
 
 async def visit_url(client, url):
     try:
-        response = await client.get(url)
+        response = await client.head(url)
+
         return url, response.status_code
     except httpx.RequestError:
         return url, None
@@ -36,9 +37,15 @@ async def check_accessible_urls(urls):
 
 @pytest.mark.asyncio
 async def test_codemod_reference_urls():
-    urls = [
-        ref.url for codemod in registry.codemods for ref in codemod._metadata.references
-    ]
+    urls = list(
+        set(
+            [
+                ref.url
+                for codemod in registry.codemods
+                for ref in codemod._metadata.references
+            ]
+        )
+    )
     await check_accessible_urls(urls)
 
 

src/core_codemods/add_requests_timeouts.py

@@ -27,6 +27,7 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://docs.python-requests.org/en/master/user/quickstart/#timeouts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/1088"),
         ],
     ),
     detector=SemgrepRuleDetector(

src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py

@@ -6,6 +6,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
 from core_codemods.harden_pickle_load import HardenPickleLoad
 from core_codemods.harden_pyyaml import CodemodProtocol, HardenPyyamlCallMixin
@@ -56,7 +57,9 @@ def leave_Call(
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/502"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(
         AvoidInsecureDeserializationTransformer, HardenPickleLoad

src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py

@@ -6,6 +6,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
 from core_codemods.secure_cookie_mixin import SecureCookieMixin
 
@@ -50,7 +51,9 @@ def leave_Call(self, original_node: cst.Call, updated_node: cst.Call) -> cst.Cal
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/614"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(DjangoSecureSetCookieTransformer),
     detector=DefectDojoDetector(),

src/core_codemods/disable_graphql_introspection.py

@@ -127,6 +127,12 @@ def _is_introspection_rule_or_starred(
             Reference(
                 url="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL#introspection-queries",
             ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/200",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/669",
+            ),
         ],
     ),
     transformer=LibcstTransformerPipeline(DisableGraphQLIntrospectionTransform),

src/core_codemods/django_debug_flag_on.py

@@ -16,6 +16,7 @@ class DjangoDebugFlagOn(SimpleCodemod):
             Reference(
                 url="https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DEBUG"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/489"),
         ],
     )
     change_description = "Flip `Django` debug flag to off."

src/core_codemods/django_json_response_type.py

@@ -53,6 +53,7 @@ def on_result_found(self, _, updated_node):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     transformer=LibcstTransformerPipeline(DjangoJsonResponseTypeTransformer),

src/core_codemods/django_session_cookie_secure_off.py

@@ -16,6 +16,7 @@ class DjangoSessionCookieSecureOff(SimpleCodemod):
             Reference(
                 url="https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/614"),
         ],
     )
     change_description = "Sets Django's `SESSION_COOKIE_SECURE` flag if off or missing."

src/core_codemods/enable_jinja2_autoescape.py

@@ -30,6 +30,7 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     detector=SemgrepRuleDetector(

src/core_codemods/file_resource_leak.py

@@ -73,8 +73,8 @@ def line_filter(x):
         summary="Automatically Close Resources",
         review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW,
         references=[
-            Reference(url="https://cwe.mitre.org/data/definitions/772.html"),
-            Reference(url="https://cwe.mitre.org/data/definitions/404.html"),
+            Reference(url="https://cwe.mitre.org/data/definitions/404"),
+            Reference(url="https://cwe.mitre.org/data/definitions/772"),
         ],
     ),
     transformer=LibcstTransformerPipeline(FileResourceLeakTransformer),