Added missing CWE information for pixee codemods

andrecsilva · andrecsilva · commit 852bb7bd9eff · 2025-01-08T09:19:41.000-03:00
diff --git a/src/core_codemods/add_requests_timeouts.py b/src/core_codemods/add_requests_timeouts.py
@@ -27,6 +27,7 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://docs.python-requests.org/en/master/user/quickstart/#timeouts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/1088.html"),
         ],
     ),
     detector=SemgrepRuleDetector(
diff --git a/src/core_codemods/django_debug_flag_on.py b/src/core_codemods/django_debug_flag_on.py
@@ -16,6 +16,7 @@ class DjangoDebugFlagOn(SimpleCodemod):
             Reference(
                 url="https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DEBUG"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/489.html"),
         ],
     )
     change_description = "Flip `Django` debug flag to off."
diff --git a/src/core_codemods/django_session_cookie_secure_off.py b/src/core_codemods/django_session_cookie_secure_off.py
@@ -16,6 +16,7 @@ class DjangoSessionCookieSecureOff(SimpleCodemod):
             Reference(
                 url="https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/614.html"),
         ],
     )
     change_description = "Sets Django's `SESSION_COOKIE_SECURE` flag if off or missing."
diff --git a/src/core_codemods/file_resource_leak.py b/src/core_codemods/file_resource_leak.py
@@ -73,8 +73,8 @@ def line_filter(x):
         summary="Automatically Close Resources",
         review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW,
         references=[
-            Reference(url="https://cwe.mitre.org/data/definitions/772.html"),
             Reference(url="https://cwe.mitre.org/data/definitions/404.html"),
+            Reference(url="https://cwe.mitre.org/data/definitions/772.html"),
         ],
     ),
     transformer=LibcstTransformerPipeline(FileResourceLeakTransformer),
diff --git a/src/core_codemods/flask_enable_csrf_protection.py b/src/core_codemods/flask_enable_csrf_protection.py
@@ -19,6 +19,7 @@ class FlaskEnableCSRFProtection(
         references=[
             Reference(url="https://owasp.org/www-community/attacks/csrf"),
             Reference(url="https://flask-wtf.readthedocs.io/en/1.2.x/csrf/"),
+            Reference(url="https://cwe.mitre.org/data/definitions/352.html"),
         ],
     )
 
diff --git a/src/core_codemods/harden_pickle_load.py b/src/core_codemods/harden_pickle_load.py
@@ -21,6 +21,9 @@ class HardenPickleLoad(SimpleCodemod, ImportModifierCodemod):
             Reference(
                 url="https://github.com/trailofbits/fickling",
             ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/502.html",
+            ),
         ],
     )
 
diff --git a/src/core_codemods/harden_ruamel.py b/src/core_codemods/harden_ruamel.py
@@ -11,6 +11,7 @@ class HardenRuamel(SimpleCodemod):
             Reference(
                 url="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/502.html"),
         ],
     )
     change_description = (
diff --git a/src/core_codemods/https_connection.py b/src/core_codemods/https_connection.py
@@ -59,6 +59,7 @@ class HTTPSConnection(SimpleCodemod):
             Reference(
                 url="https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/319.html"),
         ],
     )
 
diff --git a/src/core_codemods/lxml_safe_parser_defaults.py b/src/core_codemods/lxml_safe_parser_defaults.py
@@ -17,6 +17,7 @@ class LxmlSafeParserDefaults(SimpleCodemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/611.html"),
         ],
     )
     change_description = "Replace `lxml` parser parameters with safe defaults."
diff --git a/src/core_codemods/lxml_safe_parsing.py b/src/core_codemods/lxml_safe_parsing.py
@@ -17,6 +17,7 @@ class LxmlSafeParsing(SimpleCodemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/611.html"),
         ],
     )
     change_description = (
diff --git a/src/core_codemods/replace_flask_send_file.py b/src/core_codemods/replace_flask_send_file.py
@@ -18,6 +18,7 @@ class ReplaceFlaskSendFile(SimpleCodemod, NameAndAncestorResolutionMixin):
                 url="https://flask.palletsprojects.com/en/3.0.x/api/#flask.send_from_directory"
             ),
             Reference(url="https://owasp.org/www-community/attacks/Path_Traversal"),
+            Reference(url="https://cwe.mitre.org/data/definitions/35.html"),
         ],
     )
 
diff --git a/src/core_codemods/requests_verify.py b/src/core_codemods/requests_verify.py
@@ -13,6 +13,7 @@ class RequestsVerify(SimpleCodemod):
             Reference(
                 url="https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/295.html"),
         ],
     )
     change_description = (
diff --git a/src/core_codemods/secure_flask_cookie.py b/src/core_codemods/secure_flask_cookie.py
@@ -14,6 +14,7 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
             Reference(
                 url="https://owasp.org/www-community/controls/SecureCookieAttribute"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/614.html"),
         ],
     )
     change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."
diff --git a/src/core_codemods/secure_flask_session_config.py b/src/core_codemods/secure_flask_session_config.py
@@ -23,6 +23,9 @@ class SecureFlaskSessionConfig(SimpleCodemod, Codemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/319.html"),
+            Reference(url="https://cwe.mitre.org/data/definitions/352.html"),
+            Reference(url="https://cwe.mitre.org/data/definitions/614.html"),
         ],
     )
     change_description = "Flip Flask session configuration if defined as insecure."
diff --git a/src/core_codemods/upgrade_sslcontext_minimum_version.py b/src/core_codemods/upgrade_sslcontext_minimum_version.py
@@ -13,6 +13,7 @@ class UpgradeSSLContextMinimumVersion(SimpleCodemod, NameResolutionMixin):
             ),
             Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
             Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
+            Reference(url="https://cwe.mitre.org/data/definitions/326.html"),
         ],
     )
     change_description = "Replaces minimum SSL/TLS version for SSLContext."
diff --git a/src/core_codemods/upgrade_sslcontext_tls.py b/src/core_codemods/upgrade_sslcontext_tls.py
@@ -13,6 +13,7 @@ class UpgradeSSLContextTLS(SimpleCodemod):
             ),
             Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
             Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
+            Reference(url="https://cwe.mitre.org/data/definitions/326.html"),
         ],
     )
     change_description = "Replaces known insecure TLS/SSL protocol versions in SSLContext with secure ones."

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ class DjangoDebugFlagOn(SimpleCodemod):`
`16`	`16`	`Reference(`
`17`	`17`	`url="https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DEBUG"`
`18`	`18`	`),`
	`19`	`+ Reference(url="https://cwe.mitre.org/data/definitions/489.html"),`
`19`	`20`	`],`
`20`	`21`	`)`
`21`	`22`	change_description = "Flip `Django` debug flag to off."
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ class DjangoSessionCookieSecureOff(SimpleCodemod):`
`16`	`16`	`Reference(`
`17`	`17`	`url="https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure"`
`18`	`18`	`),`
	`19`	`+ Reference(url="https://cwe.mitre.org/data/definitions/614.html"),`
`19`	`20`	`],`
`20`	`21`	`)`
`21`	`22`	change_description = "Sets Django's `SESSION_COOKIE_SECURE` flag if off or missing."
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ class FlaskEnableCSRFProtection(`
`19`	`19`	`references=[`
`20`	`20`	`Reference(url="https://owasp.org/www-community/attacks/csrf"),`
`21`	`21`	`Reference(url="https://flask-wtf.readthedocs.io/en/1.2.x/csrf/"),`
	`22`	`+ Reference(url="https://cwe.mitre.org/data/definitions/352.html"),`
`22`	`23`	`],`
`23`	`24`	`)`
`24`	`25`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ class HardenPickleLoad(SimpleCodemod, ImportModifierCodemod):`
`21`	`21`	`Reference(`
`22`	`22`	`url="https://github.com/trailofbits/fickling",`
`23`	`23`	`),`
	`24`	`+ Reference(`
	`25`	`+ url="https://cwe.mitre.org/data/definitions/502.html",`
	`26`	`+ ),`
`24`	`27`	`],`
`25`	`28`	`)`
`26`	`29`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ class HardenRuamel(SimpleCodemod):`
`11`	`11`	`Reference(`
`12`	`12`	`url="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data"`
`13`	`13`	`),`
	`14`	`+ Reference(url="https://cwe.mitre.org/data/definitions/502.html"),`
`14`	`15`	`],`
`15`	`16`	`)`
`16`	`17`	`change_description = (`
Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ class HTTPSConnection(SimpleCodemod):`
`59`	`59`	`Reference(`
`60`	`60`	`url="https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool"`
`61`	`61`	`),`
	`62`	`+ Reference(url="https://cwe.mitre.org/data/definitions/319.html"),`
`62`	`63`	`],`
`63`	`64`	`)`
`64`	`65`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ class LxmlSafeParserDefaults(SimpleCodemod):`
`17`	`17`	`Reference(`
`18`	`18`	`url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"`
`19`	`19`	`),`
	`20`	`+ Reference(url="https://cwe.mitre.org/data/definitions/611.html"),`
`20`	`21`	`],`
`21`	`22`	`)`
`22`	`23`	change_description = "Replace `lxml` parser parameters with safe defaults."
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ class LxmlSafeParsing(SimpleCodemod):`
`17`	`17`	`Reference(`
`18`	`18`	`url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"`
`19`	`19`	`),`
	`20`	`+ Reference(url="https://cwe.mitre.org/data/definitions/611.html"),`
`20`	`21`	`],`
`21`	`22`	`)`
`22`	`23`	`change_description = (`