Added CWE information for Sonar and some pixee codemod

Author: andrecsilva

src/core_codemods/disable_graphql_introspection.py

@@ -127,6 +127,12 @@ def _is_introspection_rule_or_starred(
             Reference(
                 url="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL#introspection-queries",
             ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/200.html",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/669.html",
+            ),
         ],
     ),
     transformer=LibcstTransformerPipeline(DisableGraphQLIntrospectionTransform),

src/core_codemods/django_json_response_type.py

@@ -53,6 +53,7 @@ def on_result_found(self, _, updated_node):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     transformer=LibcstTransformerPipeline(DjangoJsonResponseTypeTransformer),

src/core_codemods/enable_jinja2_autoescape.py

@@ -30,6 +30,7 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     detector=SemgrepRuleDetector(

src/core_codemods/flask_json_response_type.py

@@ -281,6 +281,7 @@ def _fix_json_dumps(self, node: cst.BaseExpression) -> cst.Tuple:
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     transformer=LibcstTransformerPipeline(FlaskJsonResponseTypeTransformer),

src/core_codemods/jwt_decode_verify.py

@@ -109,6 +109,7 @@ def is_verify_keyword(element: cst.DictElement) -> bool:
             Reference(
                 url="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/347"),
         ],
     ),
     transformer=LibcstTransformerPipeline(JwtDecodeVerifyTransformer),

src/core_codemods/process_creation_sandbox.py

@@ -16,6 +16,8 @@ class ProcessSandbox(SimpleCodemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/20"),
+            Reference(url="https://cwe.mitre.org/data/definitions/78"),
         ],
     )
     change_description = (

src/core_codemods/secure_random.py

@@ -33,6 +33,18 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://docs.python.org/3/library/random.html",
             ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/338",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/330",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/326",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/1241",
+            ),
         ],
     ),
     detector=SemgrepRuleDetector(

src/core_codemods/sql_parameterization.py

@@ -369,6 +369,7 @@ def _remove_literal_and_gather_extra(
         summary="Parameterize SQL Queries",
         review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
         references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/20"),
             Reference(url="https://cwe.mitre.org/data/definitions/89.html"),
             Reference(url="https://owasp.org/www-community/attacks/SQL_Injection"),
         ],

src/core_codemods/tempfile_mktemp.py

@@ -169,6 +169,8 @@ def _mktemp_is_sink(
             Reference(
                 url="https://docs.python.org/3/library/tempfile.html#tempfile.mktemp"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/377"),
+            Reference(url="https://cwe.mitre.org/data/definitions/379"),
         ],
     ),
     transformer=LibcstTransformerPipeline(TempfileMktempTransformer),

src/core_codemods/url_sandbox.py

@@ -40,6 +40,8 @@ def dependency(self) -> Dependency:
                 url="https://www.rapid7.com/blog/post/2021/11/23/owasp-top-10-deep-dive-defending-against-server-side-request-forgery/"
             ),
             Reference(url="https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/"),
+            Reference(url="https://cwe.mitre.org/data/definitions/20"),
+            Reference(url="https://cwe.mitre.org/data/definitions/918"),
         ],
     ),
     detector=SemgrepRuleDetector(