-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add more tests and remove codemod we're not ready for (#459)
* Moves remediators that were for some reason in core-codemods to the framework * Removes a codemod we're not ready to do yet (CodeQL reports vulnerabilities at odds locations in comparison to other tools) * Made tests harder to pass * Styling cleanup
- Loading branch information
Showing
26 changed files
with
222 additions
and
71 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
48 changes: 0 additions & 48 deletions
48
...codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLInsecureRandomnessCodemod.java
This file was deleted.
Oops, something went wrong.
56 changes: 56 additions & 0 deletions
56
core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLPredictableSeedCodemod.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
package io.codemodder.codemods.codeql; | ||
|
||
import com.contrastsecurity.sarif.Result; | ||
import com.github.javaparser.ast.CompilationUnit; | ||
import io.codemodder.*; | ||
import io.codemodder.codetf.DetectorRule; | ||
import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan; | ||
import io.codemodder.remediation.GenericRemediationMetadata; | ||
import io.codemodder.remediation.Remediator; | ||
import io.codemodder.remediation.predictableseed.PredictableSeedRemediator; | ||
import java.util.Optional; | ||
import javax.inject.Inject; | ||
|
||
/** A codemod for automatically fixing predictable seeds reported by CodeQL. */ | ||
@Codemod( | ||
id = "codeql:java/predictable-seed", | ||
reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW, | ||
importance = Importance.MEDIUM, | ||
executionPriority = CodemodExecutionPriority.HIGH) | ||
public final class CodeQLPredictableSeedCodemod extends CodeQLRemediationCodemod { | ||
|
||
private final Remediator<Result> remediator; | ||
|
||
@Inject | ||
public CodeQLPredictableSeedCodemod( | ||
@ProvidedCodeQLScan(ruleId = "java/predictable-seed") final RuleSarif sarif) { | ||
super(GenericRemediationMetadata.PREDICTABLE_SEED.reporter(), sarif); | ||
this.remediator = new PredictableSeedRemediator<>(); | ||
} | ||
|
||
@Override | ||
public DetectorRule detectorRule() { | ||
return new DetectorRule( | ||
"predictable-seed", | ||
"Use of a predictable seed in a secure random number generator", | ||
"https://codeql.github.com/codeql-query-help/java/java-predictable-seed/"); | ||
} | ||
|
||
@Override | ||
public CodemodFileScanningResult visit( | ||
final CodemodInvocationContext context, final CompilationUnit cu) { | ||
return remediator.remediateAll( | ||
cu, | ||
context.path().toString(), | ||
detectorRule(), | ||
ruleSarif.getResultsByLocationPath(context.path()), | ||
SarifFindingKeyUtil::buildFindingId, | ||
result -> result.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(), | ||
result -> | ||
Optional.ofNullable( | ||
result.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()), | ||
result -> | ||
Optional.ofNullable( | ||
result.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn())); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
80 changes: 80 additions & 0 deletions
80
...se/src/main/java/io/codemodder/remediation/predictableseed/PredictableSeedRemediator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
package io.codemodder.remediation.predictableseed; | ||
|
||
import com.github.javaparser.ast.CompilationUnit; | ||
import com.github.javaparser.ast.NodeList; | ||
import com.github.javaparser.ast.expr.Expression; | ||
import com.github.javaparser.ast.expr.LiteralExpr; | ||
import com.github.javaparser.ast.expr.MethodCallExpr; | ||
import com.github.javaparser.ast.expr.NameExpr; | ||
import io.codemodder.CodemodChange; | ||
import io.codemodder.CodemodFileScanningResult; | ||
import io.codemodder.codetf.DetectorRule; | ||
import io.codemodder.codetf.FixedFinding; | ||
import io.codemodder.remediation.*; | ||
import java.util.ArrayList; | ||
import java.util.Collection; | ||
import java.util.List; | ||
import java.util.Optional; | ||
import java.util.function.Function; | ||
|
||
/** Remediator for predictable seed weaknesses. */ | ||
public final class PredictableSeedRemediator<T> implements Remediator<T> { | ||
|
||
@Override | ||
public CodemodFileScanningResult remediateAll( | ||
final CompilationUnit cu, | ||
final String path, | ||
final DetectorRule detectorRule, | ||
final Collection<T> findingsForPath, | ||
final Function<T, String> findingIdExtractor, | ||
final Function<T, Integer> findingStartLineExtractor, | ||
final Function<T, Optional<Integer>> findingEndLineExtractor, | ||
final Function<T, Optional<Integer>> findingStartColumnExtractor) { | ||
|
||
FixCandidateSearcher<T> searcher = | ||
new FixCandidateSearcher.Builder<T>() | ||
.withMatcher( | ||
n -> | ||
Optional.of(n) | ||
.map(MethodOrConstructor::new) | ||
.filter(mce -> mce.isMethodCallWithName("setSeed")) | ||
.filter(mce -> mce.asNode().hasScope()) | ||
.filter(mce -> mce.getArguments().size() == 1) | ||
// technically, we don't need this, just to prevent a silly tool from | ||
// reporting on hardcoded data | ||
.filter(mce -> !(mce.getArguments().get(0) instanceof LiteralExpr)) | ||
.isPresent()) | ||
.build(); | ||
|
||
FixCandidateSearchResults<T> candidateSearchResults = | ||
searcher.search( | ||
cu, | ||
path, | ||
detectorRule, | ||
List.copyOf(findingsForPath), | ||
findingIdExtractor, | ||
findingStartLineExtractor, | ||
findingEndLineExtractor, | ||
findingStartColumnExtractor); | ||
|
||
List<CodemodChange> changes = new ArrayList<>(); | ||
for (FixCandidate<T> fixCandidate : candidateSearchResults.fixCandidates()) { | ||
MethodCallExpr setSeedCall = (MethodCallExpr) fixCandidate.node(); | ||
MethodCallExpr safeExpression = | ||
new MethodCallExpr(new NameExpr(System.class.getSimpleName()), "currentTimeMillis"); | ||
NodeList<Expression> arguments = setSeedCall.getArguments(); | ||
arguments.set(0, safeExpression); | ||
|
||
// should only ever be one, but just in case | ||
List<FixedFinding> fixedFindings = | ||
fixCandidate.issues().stream() | ||
.map(issue -> new FixedFinding(findingIdExtractor.apply(issue), detectorRule)) | ||
.toList(); | ||
|
||
int reportedLine = setSeedCall.getRange().get().begin.line; | ||
changes.add(CodemodChange.from(reportedLine, List.of(), fixedFindings)); | ||
} | ||
|
||
return CodemodFileScanningResult.from(changes, candidateSearchResults.unfixableFindings()); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
...mediators/ssrf/DefaultSSRFRemediator.java → ...mediation/ssrf/DefaultSSRFRemediator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
...mods/remediators/ssrf/SSRFRemediator.java → ...dder/remediation/ssrf/SSRFRemediator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
...akrandom/DefaultWeakRandomRemediator.java → ...akrandom/DefaultWeakRandomRemediator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
...tors/weakrandom/WeakRandomRemediator.java → ...tion/weakrandom/WeakRandomRemediator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.