Added CWE informatino for Semgrep, Defectdojo, and some pixee codemods

andrecsilva · andrecsilva · commit efe85645ce0b · 2025-01-08T08:41:58.000-03:00
diff --git a/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py b/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py
@@ -6,6 +6,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
 from core_codemods.harden_pickle_load import HardenPickleLoad
 from core_codemods.harden_pyyaml import CodemodProtocol, HardenPyyamlCallMixin
@@ -56,7 +57,9 @@ def leave_Call(
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/502.html"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(
         AvoidInsecureDeserializationTransformer, HardenPickleLoad
diff --git a/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py b/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py
@@ -6,6 +6,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
 from core_codemods.secure_cookie_mixin import SecureCookieMixin
 
@@ -50,7 +51,9 @@ def leave_Call(self, original_node: cst.Call, updated_node: cst.Call) -> cst.Cal
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/614.html"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(DjangoSecureSetCookieTransformer),
     detector=DefectDojoDetector(),
diff --git a/src/core_codemods/harden_pyyaml.py b/src/core_codemods/harden_pyyaml.py
@@ -126,6 +126,7 @@ def _update_bases(
             Reference(
                 url="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/502.html"),
         ],
     ),
     detector=SemgrepRuleDetector(
diff --git a/src/core_codemods/semgrep/semgrep_nan_injection.py b/src/core_codemods/semgrep/semgrep_nan_injection.py
@@ -15,6 +15,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.semgrep import SemgrepSarifFileDetector
+from codemodder.codetf import Reference
 from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
 
 
@@ -124,7 +125,9 @@ def visit_Call(self, node: cst.Call) -> None:
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/704.html"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(NanInjectionTransformer),
     detector=SemgrepSarifFileDetector(),
diff --git a/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py b/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py
@@ -12,6 +12,7 @@
 )
 from codemodder.codemods.semgrep import SemgrepSarifFileDetector
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
 
 
@@ -53,7 +54,9 @@ def leave_Decorator(
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/352.html"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(RemoveCsrfExemptTransformer),
     detector=SemgrepSarifFileDetector(),
diff --git a/src/core_codemods/semgrep/semgrep_rsa_key_size.py b/src/core_codemods/semgrep/semgrep_rsa_key_size.py
@@ -12,6 +12,7 @@
     NewArg,
 )
 from codemodder.codemods.semgrep import SemgrepSarifFileDetector
+from codemodder.codetf import Reference
 from codemodder.result import fuzzy_column_match, same_line
 from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
 
@@ -74,7 +75,9 @@ def match_location(self, pos, result):
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/326.html"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(RsaKeySizeTransformer),
     detector=SemgrepSarifFileDetector(),
diff --git a/src/core_codemods/subprocess_shell_false.py b/src/core_codemods/subprocess_shell_false.py
@@ -79,6 +79,7 @@ def first_arg_is_not_string(self, original_node: cst.Call) -> bool:
                 url="https://en.wikipedia.org/wiki/Code_injection#Shell_injection"
             ),
             Reference(url="https://stackoverflow.com/a/3172488"),
+            Reference(url="https://cwe.mitre.org/data/definitions/78.html"),
         ],
     ),
     transformer=LibcstTransformerPipeline(SubprocessShellFalseTransformer),
diff --git a/src/core_codemods/use_defused_xml.py b/src/core_codemods/use_defused_xml.py
@@ -51,6 +51,7 @@ def dependency(self) -> Dependency:
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/611.html"),
         ],
     ),
     transformer=LibcstTransformerPipeline(UseDefusedXmlTransformer),
