New rules, first implemented in CodeQL (#483)
This change introduces new remediation logic for weak crypto algorithms and log injection — two vulnerability classes that are unexciting for different reasons, but which, for completeness, should be present.
Showing
23 changed files
with
307,611 additions
and
2 deletions.
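--- a/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemod.java
+++ b/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemod.java
@@ -0,0 +1,54 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.loginjection.LogInjectionRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing Log Injection from CodeQL. */
+@Codemod(
+    id = "codeql:java/log-injection",
+    reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLLogInjectionCodemod extends CodeQLRemediationCodemod {
+
+  private final Remediator<Result> remediator;
+
+  @Inject
+  public CodeQLLogInjectionCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/log-injection") final RuleSarif sarif) {
+    super(GenericRemediationMetadata.LOG_INJECTION.reporter(), sarif);
+    this.remediator = new LogInjectionRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "log-injection",
+        "Log Injection",
+        "https://codeql.github.com/codeql-query-help/java/java-log-injection/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r -> Optional.empty());
+  }
+}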
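Review bot: The three SARIF-location lambdas passed to remediateAll in visit (the `r.getLocations().get(0)...getStartLine()` / `getEndLine()` extractors and `r -> Optional.empty()`) are duplicated verbatim in CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.visit in this same commit; hoisting them into a shared helper on CodeQLRemediationCodemod (defined outside this diff) would keep the two codemods from drifting apart. As written, a Result with an empty locations list or a null region would throw an unchecked exception from inside the lambda rather than being skipped, and whether remediateAll tolerates that cannot be seen from this hunk; either guard it or state the assumption, e.g. `// assumes every CodeQL result carries at least one physical location with a region`. The wildcard import `io.codemodder.*` also hides which project types (RuleSarif, SarifFindingKeyUtil, ReviewGuidance, ...) this class actually depends on.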
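--- a/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.java
+++ b/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.java
@@ -0,0 +1,55 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.weakcrypto.WeakCryptoAlgorithmRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing weak crypto algorithms. */
+@Codemod(
+    id = "codeql:java/potentially-weak-cryptographic-algorithm",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod extends CodeQLRemediationCodemod {
+
+  private final Remediator<Result> remediator;
+
+  @Inject
+  public CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/potentially-weak-cryptographic-algorithm")
+          final RuleSarif sarif) {
+    super(GenericRemediationMetadata.WEAK_CRYPTO_ALGORITHM.reporter(), sarif);
+    this.remediator = new WeakCryptoAlgorithmRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "potentially-weak-cryptographic-algorithm",
+        "Use of a potentially broken or risky cryptographic algorithm",
+        "https://codeql.github.com/codeql-query-help/java/java-potentially-weak-cryptographic-algorithm/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r -> Optional.empty());
+  }
+}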
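Review bot: The Javadoc on CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod ("automatically fixing weak crypto algorithms") does not say why this codemod is MERGE_AFTER_REVIEW while the sibling log-injection codemod in this commit is MERGE_WITHOUT_REVIEW, and that distinction is exactly what an operator triaging the output needs. Presumably the reason is that replacing a digest or cipher is not a drop-in change — values already hashed or encrypted under the old algorithm stop verifying or decrypting — and the class-level comment should say so, e.g. `/** Fixes uses of weak cryptographic algorithms flagged by CodeQL. Requires review: switching the algorithm can break compatibility with data produced under the old one. */`. Separately, the class name says "UnsafeCryptoAlgorithm" while the codemod id, the DetectorRule id and the CodeQL ruleId all say "potentially-weak-cryptographic-algorithm"; aligning the names would make the codemod easier to locate from a rule id.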
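--- a/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemodTest.java
+++ b/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemodTest.java
@@ -0,0 +1,14 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = CodeQLLogInjectionCodemod.class,
+    testResourceDir = "codeql-log-injection",
+    renameTestFile =
+        "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Templates.java",
+    doRetransformTest = false,
+    expectingFixesAtLines = {124},
+    dependencies = {})
+final class CodeQLLogInjectionCodemodTest implements CodemodTestMixin {}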
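Review bot: `doRetransformTest = false` is set without explanation here and again in CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest, so the test never checks that running the codemod over its own output is a no-op, which is the usual guard against a remediator that keeps re-wrapping or re-replacing an already-fixed call. A one-line comment on the flag stating why that check is skipped for these two codemods would save the next maintainer from re-enabling it blindly; if the reason is a limitation of the fixture rather than of the codemod, the comment should say which. Each test also pins exactly one fix line (124 here, 38 in the crypto test) in a single renamed fixture, so a regression that drops or duplicates a fix elsewhere in the file would go unnoticed; a fixture with more than one finding would tighten that.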
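--- a/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest.java
+++ b/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest.java
@@ -0,0 +1,13 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.class,
+    testResourceDir = "codeql-potentially-unsafe-crypto-algorithm",
+    renameTestFile = "app/src/main/java/org/apache/roller/weblogger/util/WSSEUtilities.java",
+    expectingFixesAtLines = {38},
+    doRetransformTest = false,
+    dependencies = {})
+final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest implements CodemodTestMixin {}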