From c54c9d7497af7c551113a82d2e87dd5dbb30a764 Mon Sep 17 00:00:00 2001 From: andrecs <12188364+andrecsilva@users.noreply.github.com> Date: Wed, 8 Jan 2025 08:24:52 -0300 Subject: [PATCH 1/5] Added CWE information for Sonar and some pixee codemod --- src/core_codemods/disable_graphql_introspection.py | 6 ++++++ src/core_codemods/django_json_response_type.py | 1 + src/core_codemods/enable_jinja2_autoescape.py | 1 + src/core_codemods/flask_json_response_type.py | 1 + src/core_codemods/jwt_decode_verify.py | 1 + src/core_codemods/process_creation_sandbox.py | 2 ++ src/core_codemods/secure_random.py | 12 ++++++++++++ src/core_codemods/sql_parameterization.py | 1 + src/core_codemods/tempfile_mktemp.py | 2 ++ src/core_codemods/url_sandbox.py | 2 ++ 10 files changed, 29 insertions(+) diff --git a/src/core_codemods/disable_graphql_introspection.py b/src/core_codemods/disable_graphql_introspection.py index ae4d249e..484a6973 100644 --- a/src/core_codemods/disable_graphql_introspection.py +++ b/src/core_codemods/disable_graphql_introspection.py @@ -127,6 +127,12 @@ def _is_introspection_rule_or_starred( Reference( url="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL#introspection-queries", ), + Reference( + url="https://cwe.mitre.org/data/definitions/200.html", + ), + Reference( + url="https://cwe.mitre.org/data/definitions/669.html", + ), ], ), transformer=LibcstTransformerPipeline(DisableGraphQLIntrospectionTransform), diff --git a/src/core_codemods/django_json_response_type.py b/src/core_codemods/django_json_response_type.py index 085c6d32..50ce1fd1 100644 --- a/src/core_codemods/django_json_response_type.py +++ b/src/core_codemods/django_json_response_type.py 
@@ -53,6 +53,7 @@ def on_result_found(self, _, updated_node): Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts" ), + Reference(url="https://cwe.mitre.org/data/definitions/79"), ], ), transformer=LibcstTransformerPipeline(DjangoJsonResponseTypeTransformer), diff --git a/src/core_codemods/enable_jinja2_autoescape.py b/src/core_codemods/enable_jinja2_autoescape.py index 4cfed19a..525f1504 100644 --- a/src/core_codemods/enable_jinja2_autoescape.py +++ b/src/core_codemods/enable_jinja2_autoescape.py @@ -30,6 +30,7 @@ def on_result_found(self, original_node, updated_node): Reference( url="https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping" ), + Reference(url="https://cwe.mitre.org/data/definitions/79"), ], ), detector=SemgrepRuleDetector( diff --git a/src/core_codemods/flask_json_response_type.py b/src/core_codemods/flask_json_response_type.py index 4194fcd8..f74d6b0b 100644 --- a/src/core_codemods/flask_json_response_type.py +++ b/src/core_codemods/flask_json_response_type.py @@ -281,6 +281,7 @@ def _fix_json_dumps(self, node: cst.BaseExpression) -> cst.Tuple: Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts" ), + Reference(url="https://cwe.mitre.org/data/definitions/79"), ], ), transformer=LibcstTransformerPipeline(FlaskJsonResponseTypeTransformer), diff --git a/src/core_codemods/jwt_decode_verify.py b/src/core_codemods/jwt_decode_verify.py index 90139958..4391245f 100644 --- a/src/core_codemods/jwt_decode_verify.py +++ b/src/core_codemods/jwt_decode_verify.py 
@@ -109,6 +109,7 @@ def is_verify_keyword(element: cst.DictElement) -> bool: Reference( url="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens" ), + Reference(url="https://cwe.mitre.org/data/definitions/347"), ], ), transformer=LibcstTransformerPipeline(JwtDecodeVerifyTransformer), diff --git a/src/core_codemods/process_creation_sandbox.py b/src/core_codemods/process_creation_sandbox.py index f7b53d68..c244910a 100644 --- a/src/core_codemods/process_creation_sandbox.py +++ b/src/core_codemods/process_creation_sandbox.py @@ -16,6 +16,8 @@ class ProcessSandbox(SimpleCodemod): Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html" ), + Reference(url="https://cwe.mitre.org/data/definitions/20"), + Reference(url="https://cwe.mitre.org/data/definitions/78"), ], ) change_description = ( diff --git a/src/core_codemods/secure_random.py b/src/core_codemods/secure_random.py index 7d4a48e7..97f8c89d 100644 --- a/src/core_codemods/secure_random.py +++ b/src/core_codemods/secure_random.py @@ -33,6 +33,18 @@ def on_result_found(self, original_node, updated_node): Reference( url="https://docs.python.org/3/library/random.html", ), + Reference( + url="https://cwe.mitre.org/data/definitions/338", + ), + Reference( + url="https://cwe.mitre.org/data/definitions/330", + ), + Reference( + url="https://cwe.mitre.org/data/definitions/326", + ), + Reference( + url="https://cwe.mitre.org/data/definitions/1241", + ), ], ), detector=SemgrepRuleDetector( diff --git a/src/core_codemods/sql_parameterization.py b/src/core_codemods/sql_parameterization.py index df83f4a4..096d833a 100644 --- a/src/core_codemods/sql_parameterization.py +++ b/src/core_codemods/sql_parameterization.py 
@@ -369,6 +369,7 @@ def _remove_literal_and_gather_extra( summary="Parameterize SQL Queries", review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW, references=[ + Reference(url="https://cwe.mitre.org/data/definitions/20"), Reference(url="https://cwe.mitre.org/data/definitions/89.html"), Reference(url="https://owasp.org/www-community/attacks/SQL_Injection"), ], diff --git a/src/core_codemods/tempfile_mktemp.py b/src/core_codemods/tempfile_mktemp.py index ca55f588..27eacbe9 100644 --- a/src/core_codemods/tempfile_mktemp.py +++ b/src/core_codemods/tempfile_mktemp.py @@ -169,6 +169,8 @@ def _mktemp_is_sink( Reference( url="https://docs.python.org/3/library/tempfile.html#tempfile.mktemp" ), + Reference(url="https://cwe.mitre.org/data/definitions/377"), + Reference(url="https://cwe.mitre.org/data/definitions/379"), ], ), transformer=LibcstTransformerPipeline(TempfileMktempTransformer), diff --git a/src/core_codemods/url_sandbox.py b/src/core_codemods/url_sandbox.py index 36e2a002..85bbe14f 100644 --- a/src/core_codemods/url_sandbox.py +++ b/src/core_codemods/url_sandbox.py @@ -40,6 +40,8 @@ def dependency(self) -> Dependency: url="https://www.rapid7.com/blog/post/2021/11/23/owasp-top-10-deep-dive-defending-against-server-side-request-forgery/" ), Reference(url="https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/"), + Reference(url="https://cwe.mitre.org/data/definitions/20"), + Reference(url="https://cwe.mitre.org/data/definitions/918"), ], ), detector=SemgrepRuleDetector( From efe85645ce0b0fcb4b4a647e140a68191b117424 Mon Sep 17 00:00:00 2001 
From: andrecs <12188364+andrecsilva@users.noreply.github.com> Date: Wed, 8 Jan 2025 08:41:58 -0300 Subject: [PATCH 2/5] Added CWE informatino for Semgrep, Defectdojo, and some pixee codemods --- .../defectdojo/semgrep/avoid_insecure_deserialization.py | 5 ++++- .../defectdojo/semgrep/django_secure_set_cookie.py | 5 ++++- src/core_codemods/harden_pyyaml.py | 1 + src/core_codemods/semgrep/semgrep_nan_injection.py | 5 ++++- src/core_codemods/semgrep/semgrep_no_csrf_exempt.py | 5 ++++- src/core_codemods/semgrep/semgrep_rsa_key_size.py | 5 ++++- src/core_codemods/subprocess_shell_false.py | 1 + src/core_codemods/use_defused_xml.py | 1 + 8 files changed, 23 insertions(+), 5 deletions(-) diff --git a/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py b/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py index 4a22631b..0c9c6b36 100644 --- a/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py +++ b/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py @@ -6,6 +6,7 @@ LibcstTransformerPipeline, ) from codemodder.codemods.utils_mixin import NameResolutionMixin +from codemodder.codetf import Reference from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector from core_codemods.harden_pickle_load import HardenPickleLoad from core_codemods.harden_pyyaml import CodemodProtocol, HardenPyyamlCallMixin @@ -56,7 +57,9 @@ def leave_Call( ) ], ), - references=[], + references=[ + Reference(url="https://cwe.mitre.org/data/definitions/502.html"), + ], ), transformer=LibcstTransformerPipeline( AvoidInsecureDeserializationTransformer, HardenPickleLoad diff --git a/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py b/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py index 46c1d9bc..e622cf8e 100644 --- a/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py +++ b/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py 
@@ -6,6 +6,7 @@ LibcstTransformerPipeline, ) from codemodder.codemods.utils_mixin import NameResolutionMixin +from codemodder.codetf import Reference from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector from core_codemods.secure_cookie_mixin import SecureCookieMixin @@ -50,7 +51,9 @@ def leave_Call(self, original_node: cst.Call, updated_node: cst.Call) -> cst.Cal ) ], ), - references=[], + references=[ + Reference(url="https://cwe.mitre.org/data/definitions/614.html"), + ], ), transformer=LibcstTransformerPipeline(DjangoSecureSetCookieTransformer), detector=DefectDojoDetector(), diff --git a/src/core_codemods/harden_pyyaml.py b/src/core_codemods/harden_pyyaml.py index 5fe57b20..19f97544 100644 --- a/src/core_codemods/harden_pyyaml.py +++ b/src/core_codemods/harden_pyyaml.py @@ -126,6 +126,7 @@ def _update_bases( Reference( url="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation" ), + Reference(url="https://cwe.mitre.org/data/definitions/502.html"), ], ), detector=SemgrepRuleDetector( diff --git a/src/core_codemods/semgrep/semgrep_nan_injection.py b/src/core_codemods/semgrep/semgrep_nan_injection.py index 3e5ef38c..295b28a7 100644 --- a/src/core_codemods/semgrep/semgrep_nan_injection.py +++ b/src/core_codemods/semgrep/semgrep_nan_injection.py @@ -15,6 +15,7 @@ LibcstTransformerPipeline, ) from codemodder.codemods.semgrep import SemgrepSarifFileDetector +from codemodder.codetf import Reference from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id @@ -124,7 +125,9 @@ def visit_Call(self, node: cst.Call) -> None: ) ], ), - references=[], + references=[ + Reference(url="https://cwe.mitre.org/data/definitions/704.html"), + ], ), transformer=LibcstTransformerPipeline(NanInjectionTransformer), detector=SemgrepSarifFileDetector(), diff --git a/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py b/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py index c92f60bf..6fa90e5a 100644 
--- a/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py +++ b/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py @@ -12,6 +12,7 @@ ) from codemodder.codemods.semgrep import SemgrepSarifFileDetector from codemodder.codemods.utils_mixin import NameResolutionMixin +from codemodder.codetf import Reference from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id @@ -53,7 +54,9 @@ def leave_Decorator( ) ], ), - references=[], + references=[ + Reference(url="https://cwe.mitre.org/data/definitions/352.html"), + ], ), transformer=LibcstTransformerPipeline(RemoveCsrfExemptTransformer), detector=SemgrepSarifFileDetector(), diff --git a/src/core_codemods/semgrep/semgrep_rsa_key_size.py b/src/core_codemods/semgrep/semgrep_rsa_key_size.py index 822b43fb..97fbf2f4 100644 --- a/src/core_codemods/semgrep/semgrep_rsa_key_size.py +++ b/src/core_codemods/semgrep/semgrep_rsa_key_size.py @@ -12,6 +12,7 @@ NewArg, ) from codemodder.codemods.semgrep import SemgrepSarifFileDetector +from codemodder.codetf import Reference from codemodder.result import fuzzy_column_match, same_line from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id @@ -74,7 +75,9 @@ def match_location(self, pos, result): ) ], ), - references=[], + references=[ + Reference(url="https://cwe.mitre.org/data/definitions/326.html"), + ], ), transformer=LibcstTransformerPipeline(RsaKeySizeTransformer), detector=SemgrepSarifFileDetector(), diff --git a/src/core_codemods/subprocess_shell_false.py b/src/core_codemods/subprocess_shell_false.py index 79d30607..aa58bbe9 100644 --- a/src/core_codemods/subprocess_shell_false.py +++ b/src/core_codemods/subprocess_shell_false.py 
@@ -79,6 +79,7 @@ def first_arg_is_not_string(self, original_node: cst.Call) -> bool: url="https://en.wikipedia.org/wiki/Code_injection#Shell_injection" ), Reference(url="https://stackoverflow.com/a/3172488"), + Reference(url="https://cwe.mitre.org/data/definitions/78.html"), ], ), transformer=LibcstTransformerPipeline(SubprocessShellFalseTransformer), diff --git a/src/core_codemods/use_defused_xml.py b/src/core_codemods/use_defused_xml.py index c0d20b9c..0732081e 100644 --- a/src/core_codemods/use_defused_xml.py +++ b/src/core_codemods/use_defused_xml.py @@ -51,6 +51,7 @@ def dependency(self) -> Dependency: Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" ), + Reference(url="https://cwe.mitre.org/data/definitions/611.html"), ], ), transformer=LibcstTransformerPipeline(UseDefusedXmlTransformer), From 852bb7bd9eff6d2b346b8d60e0fee471ed1e2ceb Mon Sep 17 00:00:00 2001 From: andrecs <12188364+andrecsilva@users.noreply.github.com> Date: Wed, 8 Jan 2025 09:19:41 -0300 Subject: [PATCH 3/5] Added missing CWE information for pixee codemods --- src/core_codemods/add_requests_timeouts.py | 1 + src/core_codemods/django_debug_flag_on.py | 1 + src/core_codemods/django_session_cookie_secure_off.py | 1 + src/core_codemods/file_resource_leak.py | 2 +- src/core_codemods/flask_enable_csrf_protection.py | 1 + src/core_codemods/harden_pickle_load.py | 3 +++ src/core_codemods/harden_ruamel.py | 1 + src/core_codemods/https_connection.py | 1 + src/core_codemods/lxml_safe_parser_defaults.py | 1 + src/core_codemods/lxml_safe_parsing.py | 1 + src/core_codemods/replace_flask_send_file.py | 1 + src/core_codemods/requests_verify.py | 1 + src/core_codemods/secure_flask_cookie.py | 1 + src/core_codemods/secure_flask_session_config.py | 3 +++ src/core_codemods/upgrade_sslcontext_minimum_version.py | 1 + src/core_codemods/upgrade_sslcontext_tls.py | 1 + 16 files changed, 20 insertions(+), 1 deletion(-) 
diff --git a/src/core_codemods/add_requests_timeouts.py b/src/core_codemods/add_requests_timeouts.py index 6d15bbf7..c1716ac7 100644 --- a/src/core_codemods/add_requests_timeouts.py +++ b/src/core_codemods/add_requests_timeouts.py @@ -27,6 +27,7 @@ def on_result_found(self, original_node, updated_node): Reference( url="https://docs.python-requests.org/en/master/user/quickstart/#timeouts" ), + Reference(url="https://cwe.mitre.org/data/definitions/1088.html"), ], ), detector=SemgrepRuleDetector( diff --git a/src/core_codemods/django_debug_flag_on.py b/src/core_codemods/django_debug_flag_on.py index c9192ee6..63bc86fd 100644 --- a/src/core_codemods/django_debug_flag_on.py +++ b/src/core_codemods/django_debug_flag_on.py @@ -16,6 +16,7 @@ class DjangoDebugFlagOn(SimpleCodemod): Reference( url="https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DEBUG" ), + Reference(url="https://cwe.mitre.org/data/definitions/489.html"), ], ) change_description = "Flip `Django` debug flag to off." diff --git a/src/core_codemods/django_session_cookie_secure_off.py b/src/core_codemods/django_session_cookie_secure_off.py index b72f6ad4..327e54a0 100644 --- a/src/core_codemods/django_session_cookie_secure_off.py +++ b/src/core_codemods/django_session_cookie_secure_off.py @@ -16,6 +16,7 @@ class DjangoSessionCookieSecureOff(SimpleCodemod): Reference( url="https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure" ), + Reference(url="https://cwe.mitre.org/data/definitions/614.html"), ], ) change_description = "Sets Django's `SESSION_COOKIE_SECURE` flag if off or missing." diff --git a/src/core_codemods/file_resource_leak.py b/src/core_codemods/file_resource_leak.py index 8ce6c3e0..47db96d2 100644 --- a/src/core_codemods/file_resource_leak.py +++ b/src/core_codemods/file_resource_leak.py 
@@ -73,8 +73,8 @@ def line_filter(x): summary="Automatically Close Resources", review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW, references=[ - Reference(url="https://cwe.mitre.org/data/definitions/772.html"), Reference(url="https://cwe.mitre.org/data/definitions/404.html"), + Reference(url="https://cwe.mitre.org/data/definitions/772.html"), ], ), transformer=LibcstTransformerPipeline(FileResourceLeakTransformer), diff --git a/src/core_codemods/flask_enable_csrf_protection.py b/src/core_codemods/flask_enable_csrf_protection.py index fbc27ed6..04f70911 100644 --- a/src/core_codemods/flask_enable_csrf_protection.py +++ b/src/core_codemods/flask_enable_csrf_protection.py @@ -19,6 +19,7 @@ class FlaskEnableCSRFProtection( references=[ Reference(url="https://owasp.org/www-community/attacks/csrf"), Reference(url="https://flask-wtf.readthedocs.io/en/1.2.x/csrf/"), + Reference(url="https://cwe.mitre.org/data/definitions/352.html"), ], ) diff --git a/src/core_codemods/harden_pickle_load.py b/src/core_codemods/harden_pickle_load.py index 8cf99c5c..f94974df 100644 --- a/src/core_codemods/harden_pickle_load.py +++ b/src/core_codemods/harden_pickle_load.py @@ -21,6 +21,9 @@ class HardenPickleLoad(SimpleCodemod, ImportModifierCodemod): Reference( url="https://github.com/trailofbits/fickling", ), + Reference( + url="https://cwe.mitre.org/data/definitions/502.html", + ), ], ) diff --git a/src/core_codemods/harden_ruamel.py b/src/core_codemods/harden_ruamel.py index 97026e9e..17f56e4c 100644 --- a/src/core_codemods/harden_ruamel.py +++ b/src/core_codemods/harden_ruamel.py @@ -11,6 +11,7 @@ class HardenRuamel(SimpleCodemod): Reference( url="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data" ), + Reference(url="https://cwe.mitre.org/data/definitions/502.html"), ], ) change_description = ( diff --git a/src/core_codemods/https_connection.py b/src/core_codemods/https_connection.py index 7ffe9045..81bf3cf6 100644 
--- a/src/core_codemods/https_connection.py +++ b/src/core_codemods/https_connection.py @@ -59,6 +59,7 @@ class HTTPSConnection(SimpleCodemod): Reference( url="https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool" ), + Reference(url="https://cwe.mitre.org/data/definitions/319.html"), ], ) diff --git a/src/core_codemods/lxml_safe_parser_defaults.py b/src/core_codemods/lxml_safe_parser_defaults.py index 6ac59cc0..68491e0a 100644 --- a/src/core_codemods/lxml_safe_parser_defaults.py +++ b/src/core_codemods/lxml_safe_parser_defaults.py @@ -17,6 +17,7 @@ class LxmlSafeParserDefaults(SimpleCodemod): Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" ), + Reference(url="https://cwe.mitre.org/data/definitions/611.html"), ], ) change_description = "Replace `lxml` parser parameters with safe defaults." diff --git a/src/core_codemods/lxml_safe_parsing.py b/src/core_codemods/lxml_safe_parsing.py index 755567ab..9398b18b 100644 --- a/src/core_codemods/lxml_safe_parsing.py +++ b/src/core_codemods/lxml_safe_parsing.py @@ -17,6 +17,7 @@ class LxmlSafeParsing(SimpleCodemod): Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" ), + Reference(url="https://cwe.mitre.org/data/definitions/611.html"), ], ) change_description = ( diff --git a/src/core_codemods/replace_flask_send_file.py b/src/core_codemods/replace_flask_send_file.py index 3d3f237a..d2e8bf68 100644 --- a/src/core_codemods/replace_flask_send_file.py +++ b/src/core_codemods/replace_flask_send_file.py @@ -18,6 +18,7 @@ class ReplaceFlaskSendFile(SimpleCodemod, NameAndAncestorResolutionMixin): url="https://flask.palletsprojects.com/en/3.0.x/api/#flask.send_from_directory" ), Reference(url="https://owasp.org/www-community/attacks/Path_Traversal"), + Reference(url="https://cwe.mitre.org/data/definitions/35.html"), ], ) 
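Review bot: The new reference in the replace_flask_send_file.py hunk points at CWE-35, which is the narrow "Path Traversal: '.../...//'" variant, while the neighbouring OWASP Path_Traversal link and the codemod's purpose (replacing `send_file` with a directory-restricted call) describe the general weakness class; CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) is the usual parent mapping. I would change the added line to `Reference(url="https://cwe.mitre.org/data/definitions/22.html"),` so tooling that groups findings by CWE lands on the commonly used identifier rather than a leaf variant. If CWE-35 was chosen deliberately to match an upstream rule's mapping, a short comment next to the entry saying so would prevent the next reader from "correcting" it. The `ReplaceFlaskSendFile` class body continues outside the hunk.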
diff --git a/src/core_codemods/requests_verify.py b/src/core_codemods/requests_verify.py index 0a5c22cc..da859045 100644 --- a/src/core_codemods/requests_verify.py +++ b/src/core_codemods/requests_verify.py @@ -13,6 +13,7 @@ class RequestsVerify(SimpleCodemod): Reference( url="https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack" ), + Reference(url="https://cwe.mitre.org/data/definitions/295.html"), ], ) change_description = ( diff --git a/src/core_codemods/secure_flask_cookie.py b/src/core_codemods/secure_flask_cookie.py index 53bfe956..0302dbeb 100644 --- a/src/core_codemods/secure_flask_cookie.py +++ b/src/core_codemods/secure_flask_cookie.py @@ -14,6 +14,7 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin): Reference( url="https://owasp.org/www-community/controls/SecureCookieAttribute" ), + Reference(url="https://cwe.mitre.org/data/definitions/614.html"), ], ) change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`." diff --git a/src/core_codemods/secure_flask_session_config.py b/src/core_codemods/secure_flask_session_config.py index fea58347..fb5ed0d9 100644 --- a/src/core_codemods/secure_flask_session_config.py +++ b/src/core_codemods/secure_flask_session_config.py @@ -23,6 +23,9 @@ class SecureFlaskSessionConfig(SimpleCodemod, Codemod): Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html" ), + Reference(url="https://cwe.mitre.org/data/definitions/319.html"), + Reference(url="https://cwe.mitre.org/data/definitions/352.html"), + Reference(url="https://cwe.mitre.org/data/definitions/614.html"), ], ) change_description = "Flip Flask session configuration if defined as insecure." diff --git a/src/core_codemods/upgrade_sslcontext_minimum_version.py b/src/core_codemods/upgrade_sslcontext_minimum_version.py index dd0329e9..3a31d0ca 100644 --- a/src/core_codemods/upgrade_sslcontext_minimum_version.py 
+++ b/src/core_codemods/upgrade_sslcontext_minimum_version.py @@ -13,6 +13,7 @@ class UpgradeSSLContextMinimumVersion(SimpleCodemod, NameResolutionMixin): ), Reference(url="https://datatracker.ietf.org/doc/rfc8996/"), Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"), + Reference(url="https://cwe.mitre.org/data/definitions/326.html"), ], ) change_description = "Replaces minimum SSL/TLS version for SSLContext." diff --git a/src/core_codemods/upgrade_sslcontext_tls.py b/src/core_codemods/upgrade_sslcontext_tls.py index 26ac4ec3..14ec2695 100644 --- a/src/core_codemods/upgrade_sslcontext_tls.py +++ b/src/core_codemods/upgrade_sslcontext_tls.py @@ -13,6 +13,7 @@ class UpgradeSSLContextTLS(SimpleCodemod): ), Reference(url="https://datatracker.ietf.org/doc/rfc8996/"), Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"), + Reference(url="https://cwe.mitre.org/data/definitions/326.html"), ], ) change_description = "Replaces known insecure TLS/SSL protocol versions in SSLContext with secure ones." From 923e14f46f6971472d4a0cf32171d5160bb986a1 Mon Sep 17 00:00:00 2001 From: andrecs <12188364+andrecsilva@users.noreply.github.com> Date: Wed, 8 Jan 2025 10:51:43 -0300 Subject: [PATCH 4/5] Changed get to head for url test --- integration_tests/test_codemod_urls.py | 3 ++- src/core_codemods/url_sandbox.py | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/integration_tests/test_codemod_urls.py b/integration_tests/test_codemod_urls.py index 959a5c60..640d38b7 100644 --- a/integration_tests/test_codemod_urls.py +++ b/integration_tests/test_codemod_urls.py @@ -10,7 +10,8 @@ async def visit_url(client, url): try: - response = await client.get(url) + response = await client.head(url) + return url, response.status_code except httpx.RequestError: return url, None diff --git a/src/core_codemods/url_sandbox.py b/src/core_codemods/url_sandbox.py index 85bbe14f..e092339c 100644 --- a/src/core_codemods/url_sandbox.py 
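Review bot: Switching `visit_url` from `client.get(url)` to `client.head(url)` in the integration_tests/test_codemod_urls.py hunk makes the check depend on every referenced site honouring HEAD; servers that answer 405/403/501 to HEAD but 200 to GET will now be reported as broken, and since httpx clients do not follow redirects unless constructed with `follow_redirects=True` (the client is built outside this hunk), a redirecting docs URL yields a 3xx `status_code` rather than the final page's status. A cheap mitigation is to fall back to GET only when HEAD is refused: after `response = await client.head(url)` add `if response.status_code == 405:` and `response = await client.get(url)` before the `return url, response.status_code`. How `check_accessible_urls` interprets the returned status is not visible here, so whether 3xx counts as accessible should be confirmed in that function.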
+++ b/src/core_codemods/url_sandbox.py @@ -32,7 +32,6 @@ def dependency(self) -> Dependency: Reference( url="https://github.com/pixee/python-security/blob/main/src/security/safe_requests/api.py" ), - Reference(url="https://portswigger.net/web-security/ssrf"), Reference( url="https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" ), From 0cfe674b220a842735568fef171f9f342d34d9d4 Mon Sep 17 00:00:00 2001 
From: andrecs <12188364+andrecsilva@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:27:45 -0300 Subject: [PATCH 5/5] Filtered duplicates from queried urls in test --- integration_tests/test_codemod_urls.py | 12 +++++++++--- src/core_codemods/add_requests_timeouts.py | 2 +- .../semgrep/avoid_insecure_deserialization.py | 2 +- .../defectdojo/semgrep/django_secure_set_cookie.py | 2 +- src/core_codemods/disable_graphql_introspection.py | 4 ++-- src/core_codemods/django_debug_flag_on.py | 2 +- .../django_session_cookie_secure_off.py | 2 +- src/core_codemods/file_resource_leak.py | 4 ++-- src/core_codemods/flask_enable_csrf_protection.py | 2 +- src/core_codemods/harden_pickle_load.py | 2 +- src/core_codemods/harden_pyyaml.py | 2 +- src/core_codemods/harden_ruamel.py | 2 +- src/core_codemods/https_connection.py | 2 +- src/core_codemods/limit_readline.py | 2 +- src/core_codemods/lxml_safe_parser_defaults.py | 2 +- src/core_codemods/lxml_safe_parsing.py | 2 +- src/core_codemods/replace_flask_send_file.py | 2 +- src/core_codemods/requests_verify.py | 2 +- src/core_codemods/secure_flask_cookie.py | 2 +- src/core_codemods/secure_flask_session_config.py | 6 +++--- src/core_codemods/semgrep/semgrep_nan_injection.py | 2 +- src/core_codemods/semgrep/semgrep_no_csrf_exempt.py | 2 +- src/core_codemods/semgrep/semgrep_rsa_key_size.py | 2 +- src/core_codemods/sql_parameterization.py | 2 +- src/core_codemods/subprocess_shell_false.py | 2 +- .../upgrade_sslcontext_minimum_version.py | 2 +- src/core_codemods/upgrade_sslcontext_tls.py | 2 +- src/core_codemods/use_defused_xml.py | 2 +- 28 files changed, 40 insertions(+), 34 deletions(-) diff --git a/integration_tests/test_codemod_urls.py b/integration_tests/test_codemod_urls.py index 640d38b7..4b3470ab 100644 --- a/integration_tests/test_codemod_urls.py +++ b/integration_tests/test_codemod_urls.py 
@@ -37,9 +37,15 @@ async def check_accessible_urls(urls): @pytest.mark.asyncio async def test_codemod_reference_urls(): - urls = [ - ref.url for codemod in registry.codemods for ref in codemod._metadata.references - ] + urls = list( + set( + [ + ref.url + for codemod in registry.codemods + for ref in codemod._metadata.references + ] + ) + ) await check_accessible_urls(urls) diff --git a/src/core_codemods/add_requests_timeouts.py b/src/core_codemods/add_requests_timeouts.py index c1716ac7..0a45327f 100644 --- a/src/core_codemods/add_requests_timeouts.py +++ b/src/core_codemods/add_requests_timeouts.py @@ -27,7 +27,7 @@ def on_result_found(self, original_node, updated_node): Reference( url="https://docs.python-requests.org/en/master/user/quickstart/#timeouts" ), - Reference(url="https://cwe.mitre.org/data/definitions/1088.html"), + Reference(url="https://cwe.mitre.org/data/definitions/1088"), ], ), detector=SemgrepRuleDetector( diff --git a/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py b/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py index 0c9c6b36..7cd02ecc 100644 --- a/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py +++ b/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py @@ -58,7 +58,7 @@ def leave_Call( ], ), references=[ - Reference(url="https://cwe.mitre.org/data/definitions/502.html"), + Reference(url="https://cwe.mitre.org/data/definitions/502"), ], ), transformer=LibcstTransformerPipeline( diff --git a/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py b/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py index e622cf8e..e26f1679 100644 --- a/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py +++ b/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py 
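Review bot: `list(set([...]))` in `test_codemod_reference_urls` builds a throwaway list and then hands `check_accessible_urls` the URLs in set-iteration order, which for `str` keys varies with the per-process hash seed, so any failure output or request ordering differs from run to run. A set comprehension with a sort gives the same de-duplication deterministically: `urls = sorted({ref.url for codemod in registry.codemods for ref in codemod._metadata.references})`. `check_accessible_urls` itself is defined above this hunk and is not visible here.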
@@ -52,7 +52,7 @@ def leave_Call(self, original_node: cst.Call, updated_node: cst.Call) -> cst.Cal ], ), references=[ - Reference(url="https://cwe.mitre.org/data/definitions/614.html"), + Reference(url="https://cwe.mitre.org/data/definitions/614"), ], ), transformer=LibcstTransformerPipeline(DjangoSecureSetCookieTransformer), diff --git a/src/core_codemods/disable_graphql_introspection.py b/src/core_codemods/disable_graphql_introspection.py index 484a6973..38d0428b 100644 --- a/src/core_codemods/disable_graphql_introspection.py +++ b/src/core_codemods/disable_graphql_introspection.py @@ -128,10 +128,10 @@ def _is_introspection_rule_or_starred( url="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL#introspection-queries", ), Reference( - url="https://cwe.mitre.org/data/definitions/200.html", + url="https://cwe.mitre.org/data/definitions/200", ), Reference( - url="https://cwe.mitre.org/data/definitions/669.html", + url="https://cwe.mitre.org/data/definitions/669", ), ], ), diff --git a/src/core_codemods/django_debug_flag_on.py b/src/core_codemods/django_debug_flag_on.py index 63bc86fd..48a8b2ec 100644 --- a/src/core_codemods/django_debug_flag_on.py +++ b/src/core_codemods/django_debug_flag_on.py @@ -16,7 +16,7 @@ class DjangoDebugFlagOn(SimpleCodemod): Reference( url="https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DEBUG" ), - Reference(url="https://cwe.mitre.org/data/definitions/489.html"), + Reference(url="https://cwe.mitre.org/data/definitions/489"), ], ) change_description = "Flip `Django` debug flag to off." diff --git a/src/core_codemods/django_session_cookie_secure_off.py b/src/core_codemods/django_session_cookie_secure_off.py index 327e54a0..abc440e6 100644 --- a/src/core_codemods/django_session_cookie_secure_off.py +++ b/src/core_codemods/django_session_cookie_secure_off.py 
@@ -16,7 +16,7 @@ class DjangoSessionCookieSecureOff(SimpleCodemod): Reference( url="https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure" ), - Reference(url="https://cwe.mitre.org/data/definitions/614.html"), + Reference(url="https://cwe.mitre.org/data/definitions/614"), ], ) change_description = "Sets Django's `SESSION_COOKIE_SECURE` flag if off or missing." diff --git a/src/core_codemods/file_resource_leak.py b/src/core_codemods/file_resource_leak.py index 47db96d2..4a7ca5ad 100644 --- a/src/core_codemods/file_resource_leak.py +++ b/src/core_codemods/file_resource_leak.py @@ -73,8 +73,8 @@ def line_filter(x): summary="Automatically Close Resources", review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW, references=[ - Reference(url="https://cwe.mitre.org/data/definitions/404.html"), - Reference(url="https://cwe.mitre.org/data/definitions/772.html"), + Reference(url="https://cwe.mitre.org/data/definitions/404"), + Reference(url="https://cwe.mitre.org/data/definitions/772"), ], ), transformer=LibcstTransformerPipeline(FileResourceLeakTransformer), diff --git a/src/core_codemods/flask_enable_csrf_protection.py b/src/core_codemods/flask_enable_csrf_protection.py index 04f70911..8ef21710 100644 --- a/src/core_codemods/flask_enable_csrf_protection.py +++ b/src/core_codemods/flask_enable_csrf_protection.py @@ -19,7 +19,7 @@ class FlaskEnableCSRFProtection( references=[ Reference(url="https://owasp.org/www-community/attacks/csrf"), Reference(url="https://flask-wtf.readthedocs.io/en/1.2.x/csrf/"), - Reference(url="https://cwe.mitre.org/data/definitions/352.html"), + Reference(url="https://cwe.mitre.org/data/definitions/352"), ], ) diff --git a/src/core_codemods/harden_pickle_load.py b/src/core_codemods/harden_pickle_load.py index f94974df..b050bf5f 100644 --- a/src/core_codemods/harden_pickle_load.py +++ b/src/core_codemods/harden_pickle_load.py 
@@ -22,7 +22,7 @@ class HardenPickleLoad(SimpleCodemod, ImportModifierCodemod):
 url="https://github.com/trailofbits/fickling",
 ),
 Reference(
- url="https://cwe.mitre.org/data/definitions/502.html",
+ url="https://cwe.mitre.org/data/definitions/502",
 ),
 ],
 )
diff --git a/src/core_codemods/harden_pyyaml.py b/src/core_codemods/harden_pyyaml.py
index 19f97544..68c21919 100644
--- a/src/core_codemods/harden_pyyaml.py
+++ b/src/core_codemods/harden_pyyaml.py
@@ -126,7 +126,7 @@ def _update_bases(
 Reference(
 url="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/502.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/502"),
 ],
 ),
 detector=SemgrepRuleDetector(
diff --git a/src/core_codemods/harden_ruamel.py b/src/core_codemods/harden_ruamel.py
index 17f56e4c..389e80ad 100644
--- a/src/core_codemods/harden_ruamel.py
+++ b/src/core_codemods/harden_ruamel.py
@@ -11,7 +11,7 @@ class HardenRuamel(SimpleCodemod):
 Reference(
 url="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/502.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/502"),
 ],
 )
 change_description = (
diff --git a/src/core_codemods/https_connection.py b/src/core_codemods/https_connection.py
index 81bf3cf6..a11feac4 100644
--- a/src/core_codemods/https_connection.py
+++ b/src/core_codemods/https_connection.py
@@ -59,7 +59,7 @@ class HTTPSConnection(SimpleCodemod):
 Reference(
 url="https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/319.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/319"),
 ],
 )
diff --git a/src/core_codemods/limit_readline.py b/src/core_codemods/limit_readline.py
index 81c888f2..45834b93 100644
--- a/src/core_codemods/limit_readline.py
+++ b/src/core_codemods/limit_readline.py
@@ -11,7 +11,7 @@ class LimitReadline(SimpleCodemod):
 summary="Limit readline()",
 review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
 references=[
- Reference(url="https://cwe.mitre.org/data/definitions/400.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/400"),
 ],
 )
 change_description = "Adds a size limit argument to readline() calls."
diff --git a/src/core_codemods/lxml_safe_parser_defaults.py b/src/core_codemods/lxml_safe_parser_defaults.py
index 68491e0a..6870fce0 100644
--- a/src/core_codemods/lxml_safe_parser_defaults.py
+++ b/src/core_codemods/lxml_safe_parser_defaults.py
@@ -17,7 +17,7 @@ class LxmlSafeParserDefaults(SimpleCodemod):
 Reference(
 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/611.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/611"),
 ],
 )
 change_description = "Replace `lxml` parser parameters with safe defaults."
diff --git a/src/core_codemods/lxml_safe_parsing.py b/src/core_codemods/lxml_safe_parsing.py
index 9398b18b..34a4833c 100644
--- a/src/core_codemods/lxml_safe_parsing.py
+++ b/src/core_codemods/lxml_safe_parsing.py
@@ -17,7 +17,7 @@ class LxmlSafeParsing(SimpleCodemod):
 Reference(
 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/611.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/611"),
 ],
 )
 change_description = (
diff --git a/src/core_codemods/replace_flask_send_file.py b/src/core_codemods/replace_flask_send_file.py
index d2e8bf68..560a5ae9 100644
--- a/src/core_codemods/replace_flask_send_file.py
+++ b/src/core_codemods/replace_flask_send_file.py
@@ -18,7 +18,7 @@ class ReplaceFlaskSendFile(SimpleCodemod, NameAndAncestorResolutionMixin):
 url="https://flask.palletsprojects.com/en/3.0.x/api/#flask.send_from_directory"
 ),
 Reference(url="https://owasp.org/www-community/attacks/Path_Traversal"),
- Reference(url="https://cwe.mitre.org/data/definitions/35.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/35"),
 ],
 )
diff --git a/src/core_codemods/requests_verify.py b/src/core_codemods/requests_verify.py
index da859045..90e84057 100644
--- a/src/core_codemods/requests_verify.py
+++ b/src/core_codemods/requests_verify.py
@@ -13,7 +13,7 @@ class RequestsVerify(SimpleCodemod):
 Reference(
 url="https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/295.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/295"),
 ],
 )
 change_description = (
diff --git a/src/core_codemods/secure_flask_cookie.py b/src/core_codemods/secure_flask_cookie.py
index 0302dbeb..41f5445f 100644
--- a/src/core_codemods/secure_flask_cookie.py
+++ b/src/core_codemods/secure_flask_cookie.py
@@ -14,7 +14,7 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
 Reference(
 url="https://owasp.org/www-community/controls/SecureCookieAttribute"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/614.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/614"),
 ],
 )
 change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."
diff --git a/src/core_codemods/secure_flask_session_config.py b/src/core_codemods/secure_flask_session_config.py
index fb5ed0d9..5a9a752e 100644
--- a/src/core_codemods/secure_flask_session_config.py
+++ b/src/core_codemods/secure_flask_session_config.py
@@ -23,9 +23,9 @@ class SecureFlaskSessionConfig(SimpleCodemod, Codemod):
 Reference(
 url="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/319.html"),
- Reference(url="https://cwe.mitre.org/data/definitions/352.html"),
- Reference(url="https://cwe.mitre.org/data/definitions/614.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/319"),
+ Reference(url="https://cwe.mitre.org/data/definitions/352"),
+ Reference(url="https://cwe.mitre.org/data/definitions/614"),
 ],
 )
 change_description = "Flip Flask session configuration if defined as insecure."
diff --git a/src/core_codemods/semgrep/semgrep_nan_injection.py b/src/core_codemods/semgrep/semgrep_nan_injection.py
index 295b28a7..81c9a9c7 100644
--- a/src/core_codemods/semgrep/semgrep_nan_injection.py
+++ b/src/core_codemods/semgrep/semgrep_nan_injection.py
@@ -126,7 +126,7 @@ def visit_Call(self, node: cst.Call) -> None:
 ],
 ),
 references=[
- Reference(url="https://cwe.mitre.org/data/definitions/704.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/704"),
 ],
 ),
 transformer=LibcstTransformerPipeline(NanInjectionTransformer),
diff --git a/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py b/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py
index 6fa90e5a..5e03891c 100644
--- a/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py
+++ b/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py
@@ -55,7 +55,7 @@ def leave_Decorator(
 ],
 ),
 references=[
- Reference(url="https://cwe.mitre.org/data/definitions/352.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/352"),
 ],
 ),
 transformer=LibcstTransformerPipeline(RemoveCsrfExemptTransformer),
diff --git a/src/core_codemods/semgrep/semgrep_rsa_key_size.py b/src/core_codemods/semgrep/semgrep_rsa_key_size.py
index 97fbf2f4..f6c1fe4e 100644
--- a/src/core_codemods/semgrep/semgrep_rsa_key_size.py
+++ b/src/core_codemods/semgrep/semgrep_rsa_key_size.py
@@ -76,7 +76,7 @@ def match_location(self, pos, result):
 ],
 ),
 references=[
- Reference(url="https://cwe.mitre.org/data/definitions/326.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/326"),
 ],
 ),
 transformer=LibcstTransformerPipeline(RsaKeySizeTransformer),
diff --git a/src/core_codemods/sql_parameterization.py b/src/core_codemods/sql_parameterization.py
index 096d833a..1f20663d 100644
--- a/src/core_codemods/sql_parameterization.py
+++ b/src/core_codemods/sql_parameterization.py
@@ -370,7 +370,7 @@ def _remove_literal_and_gather_extra(
 review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
 references=[
 Reference(url="https://cwe.mitre.org/data/definitions/20"),
- Reference(url="https://cwe.mitre.org/data/definitions/89.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/89"),
 Reference(url="https://owasp.org/www-community/attacks/SQL_Injection"),
 ],
 ),
diff --git a/src/core_codemods/subprocess_shell_false.py b/src/core_codemods/subprocess_shell_false.py
index aa58bbe9..282592e6 100644
--- a/src/core_codemods/subprocess_shell_false.py
+++ b/src/core_codemods/subprocess_shell_false.py
@@ -79,7 +79,7 @@ def first_arg_is_not_string(self, original_node: cst.Call) -> bool:
 url="https://en.wikipedia.org/wiki/Code_injection#Shell_injection"
 ),
 Reference(url="https://stackoverflow.com/a/3172488"),
- Reference(url="https://cwe.mitre.org/data/definitions/78.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/78"),
 ],
 ),
 transformer=LibcstTransformerPipeline(SubprocessShellFalseTransformer),
diff --git a/src/core_codemods/upgrade_sslcontext_minimum_version.py b/src/core_codemods/upgrade_sslcontext_minimum_version.py
index 3a31d0ca..ec516bee 100644
--- a/src/core_codemods/upgrade_sslcontext_minimum_version.py
+++ b/src/core_codemods/upgrade_sslcontext_minimum_version.py
@@ -13,7 +13,7 @@ class UpgradeSSLContextMinimumVersion(SimpleCodemod, NameResolutionMixin):
 ),
 Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
 Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
- Reference(url="https://cwe.mitre.org/data/definitions/326.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/326"),
 ],
 )
 change_description = "Replaces minimum SSL/TLS version for SSLContext."
diff --git a/src/core_codemods/upgrade_sslcontext_tls.py b/src/core_codemods/upgrade_sslcontext_tls.py
index 14ec2695..1e8c7b87 100644
--- a/src/core_codemods/upgrade_sslcontext_tls.py
+++ b/src/core_codemods/upgrade_sslcontext_tls.py
@@ -13,7 +13,7 @@ class UpgradeSSLContextTLS(SimpleCodemod):
 ),
 Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
 Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
- Reference(url="https://cwe.mitre.org/data/definitions/326.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/326"),
 ],
 )
 change_description = "Replaces known insecure TLS/SSL protocol versions in SSLContext with secure ones."
diff --git a/src/core_codemods/use_defused_xml.py b/src/core_codemods/use_defused_xml.py
index 0732081e..b2702d2c 100644
--- a/src/core_codemods/use_defused_xml.py
+++ b/src/core_codemods/use_defused_xml.py
@@ -51,7 +51,7 @@ def dependency(self) -> Dependency:
 Reference(
 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
 ),
- Reference(url="https://cwe.mitre.org/data/definitions/611.html"),
+ Reference(url="https://cwe.mitre.org/data/definitions/611"),
 ],
 ),
 transformer=LibcstTransformerPipeline(UseDefusedXmlTransformer),