Implement prototype codemods for DefectDojo remediation (#438)

* First steps towards defectdojo codemod

* Implement initial DefectDojo (semgrep) codemod

* Implement semgrep:avoid-insecure-deserialization for DefectDojo

Author: drdavella

integration_tests/test_harden_pyyaml.py

@@ -1,7 +1,7 @@
 import yaml
 
 from codemodder.codemods.test import BaseIntegrationTest
-from core_codemods.harden_pyyaml import HardenPyyaml
+from core_codemods.harden_pyyaml import HardenPyyaml, HardenPyyamlTransformer
 
 
 class TestHardenPyyaml(BaseIntegrationTest):
@@ -17,6 +17,6 @@ class TestHardenPyyaml(BaseIntegrationTest):
     ]
     expected_diff = '--- \n+++ \n@@ -1,4 +1,4 @@\n import yaml\n \n data = b"!!python/object/apply:subprocess.Popen \\\\n- ls"\n-deserialized_data = yaml.load(data, Loader=yaml.Loader)\n+deserialized_data = yaml.load(data, Loader=yaml.SafeLoader)\n'
     expected_line_change = "4"
-    change_description = HardenPyyaml.change_description
+    change_description = HardenPyyamlTransformer.change_description
     # expected exception because the yaml.SafeLoader protects against unsafe code
     allowed_exceptions = (yaml.constructor.ConstructorError,)

pyproject.toml

@@ -81,6 +81,7 @@ all = [
 [project.entry-points.codemods]
 core = "core_codemods:registry"
 sonar = "core_codemods:sonar_registry"
+defectdojo = "core_codemods:defectdojo_registry"
 
 [tool.setuptools]
 

src/codemodder/codemodder.py

@@ -156,22 +156,13 @@ def run(original_args) -> int:
     logger.info("codemodder: python/%s", __version__)
     logger.info("command: %s %s", Path(sys.argv[0]).name, " ".join(original_args))
 
-    # TODO: sonar files should be _parsed_ here as well
     # TODO: this should be dict[str, list[Path]]
-
     tool_result_files_map: DefaultDict[str, list[str]] = detect_sarif_tools(
         [Path(name) for name in argv.sarif or []]
     )
-    (
-        tool_result_files_map["sonar"].extend(argv.sonar_issues_json)
-        if argv.sonar_issues_json
-        else None
-    )
-    (
-        tool_result_files_map["sonar"].extend(argv.sonar_hotspots_json)
-        if argv.sonar_hotspots_json
-        else None
-    )
+    tool_result_files_map["sonar"].extend(argv.sonar_issues_json or [])
+    tool_result_files_map["sonar"].extend(argv.sonar_hotspots_json or [])
+    tool_result_files_map["defectdojo"] = argv.defectdojo_findings_json or []
 
     repo_manager = PythonRepoManager(Path(argv.directory))
     context = CodemodExecutionContext(

src/codemodder/codemods/libcst_transformer.py

@@ -118,10 +118,13 @@ def lineno_for_node(self, node):
     def add_dependency(self, dependency: Dependency):
         self.file_context.add_dependency(dependency)
 
-    def report_change(self, original_node):
+    def report_change(self, original_node, description: str | None = None):
         line_number = self.lineno_for_node(original_node)
         self.file_context.codemod_changes.append(
-            Change(lineNumber=line_number, description=self.change_description)
+            Change(
+                lineNumber=line_number,
+                description=description or self.change_description,
+            )
         )
 
     def remove_unused_import(self, original_node):

src/codemodder/codemods/test/utils.py

@@ -146,9 +146,7 @@ def run_and_assert(
         tmp_file_path.write_text(dedent(input_code))
 
         tmp_results_file_path = Path(tmpdir) / "sast_results"
-
-        with open(tmp_results_file_path, "w", encoding="utf-8") as results_file:
-            results_file.write(results)
+        tmp_results_file_path.write_text(results)
 
         files_to_check = files or [tmp_file_path]
 

src/codemodder/result.py

@@ -16,8 +16,8 @@
 @dataclass
 class LineInfo:
     line: int
-    column: int
-    snippet: str | None
+    column: int = -1
+    snippet: str | None = None
 
 
 @dataclass

src/codemodder/scripts/generate_docs.py

@@ -329,6 +329,16 @@ class DocMetadata:
         guidance_explained=CORE_METADATA["enable-jinja2-autoescape"].guidance_explained,
         need_sarif="Yes (Sonar)",
     ),
+    "django-secure-set-cookie": DocMetadata(
+        importance="Medium",
+        guidance_explained="Our change provides the most secure way to create cookies in Django. However, it's possible you have configured your Django application configurations to use secure cookies. In these cases, using the default parameters for `set_cookie` is safe.",
+        need_sarif="Yes (DefectDojo)",
+    ),
+    "avoid-insecure-deserialization": DocMetadata(
+        importance="High",
+        guidance_explained="This change is generally safe and will prevent deserialization vulnerabilities.",
+        need_sarif="Yes (DefectDojo)",
+    ),
 }
 
 

src/codemodder/sonar_results.py

@@ -1,5 +1,6 @@
 import json
 from dataclasses import replace
+from functools import cache
 from pathlib import Path
 
 import libcst as cst
@@ -45,6 +46,7 @@ def match_location(self, pos, node):
 
 class SonarResultSet(ResultSet):
     @classmethod
+    @cache
     def from_json(cls, json_file: str | Path) -> Self:
         try:
             with open(json_file, "r", encoding="utf-8") as file:

src/core_codemods/__init__.py

@@ -2,6 +2,10 @@
 
 from .add_requests_timeouts import AddRequestsTimeouts
 from .combine_startswith_endswith import CombineStartswithEndswith
+from .defectdojo.semgrep.avoid_insecure_deserialization import (
+    AvoidInsecureDeserialization,
+)
+from .defectdojo.semgrep.django_secure_set_cookie import DjangoSecureSetCookie
 from .django_debug_flag_on import DjangoDebugFlagOn
 from .django_json_response_type import DjangoJsonResponseType
 from .django_model_without_dunder_str import DjangoModelWithoutDunderStr
@@ -154,3 +158,11 @@
         SonarEnableJinja2Autoescape,
     ],
 )
+
+defectdojo_registry = CodemodCollection(
+    origin="defectdojo",
+    codemods=[
+        AvoidInsecureDeserialization,
+        DjangoSecureSetCookie,
+    ],
+)

src/core_codemods/api/__init__.py

@@ -1,4 +1,4 @@
 # ruff: noqa: F401
 from codemodder.codemods.api import Metadata, Reference, ReviewGuidance
 
-from .core_codemod import CoreCodemod, ImportModifierCodemod, SimpleCodemod
+from .core_codemod import CoreCodemod, ImportModifierCodemod, SASTCodemod, SimpleCodemod