Report new remediation data in CodeTF

core-codemods/src/main/java/io/codemodder/codemods/AddMissingOverrideCodemod.java

@@ -29,7 +29,7 @@ public AddMissingOverrideCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1161",
         "`@Override` should be used on overriding and implementing methods",

core-codemods/src/main/java/io/codemodder/codemods/AvoidImplicitPublicConstructorCodemod.java

@@ -33,7 +33,8 @@ public AvoidImplicitPublicConstructorCodemod(
     super(issues, SimpleName.class);
   }
 
-  protected DetectorRule getDetectorRule() {
+  @Override
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1118",
         "Utility classes should not have public constructors",

core-codemods/src/main/java/io/codemodder/codemods/DeclareVariableOnSeparateLineCodemod.java

@@ -31,7 +31,7 @@ public DeclareVariableOnSeparateLineCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1659",
         "Multiple variables should not be declared on the same line",

core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java

@@ -3,9 +3,9 @@
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import io.codemodder.*;
-import io.codemodder.codetf.DetectionTool;
-import io.codemodder.codetf.DetectorFinding;
 import io.codemodder.codetf.DetectorRule;
+import io.codemodder.codetf.FixedFinding;
+import io.codemodder.codetf.UnfixedFinding;
 import io.codemodder.javaparser.JavaParserChanger;
 import io.codemodder.providers.defectdojo.DefectDojoScan;
 import io.codemodder.providers.defectdojo.Finding;
@@ -34,13 +34,16 @@ public DefectDojoSqlInjectionCodemod(
   }
 
   @Override
-  public DetectionTool getDetectionTool() {
-    DetectorRule semgrepSqliRule =
-        new DetectorRule(
-            "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
-            "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
-            null);
-    return new DetectionTool("DefectDojo", semgrepSqliRule, List.of());
+  public String vendorName() {
+    return "DefectDojo / Semgrep";
+  }
+
+  @Override
+  public DetectorRule getDetectorRule() {
+    return new DetectorRule(
+        "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
+        "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
+        "https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli");
   }
 
   @Override
@@ -54,16 +57,17 @@ public CodemodFileScanningResult visit(
       return CodemodFileScanningResult.none();
     }
 
-    List<DetectorFinding> allFindings = new ArrayList<>();
+    List<UnfixedFinding> unfixedFindings = new ArrayList<>();
 
     List<CodemodChange> changes = new ArrayList<>();
     for (Finding finding : findingsForThisPath) {
       String id = String.valueOf(finding.getId());
       Integer line = finding.getLine();
       if (line == null) {
-        DetectorFinding unfixableFinding =
-            new DetectorFinding(id, false, "No line number provided");
-        allFindings.add(unfixableFinding);
+        UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id, getDetectorRule(), context.path().toString(), null, "No line number provided");
+        unfixedFindings.add(unfixableFinding);
         continue;
       }
 
@@ -74,33 +78,45 @@ public CodemodFileScanningResult visit(
               .toList();
 
       if (supportedSqlMethodCallsOnThatLine.isEmpty()) {
-        DetectorFinding unfixableFinding =
-            new DetectorFinding(id, false, "No supported SQL methods found on the given line");
-        allFindings.add(unfixableFinding);
+        UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id,
+                getDetectorRule(),
+                context.path().toString(),
+                line,
+                "No supported SQL methods found on the given line");
+        unfixedFindings.add(unfixableFinding);
         continue;
       }
 
       if (supportedSqlMethodCallsOnThatLine.size() > 1) {
-        DetectorFinding unfixableFinding =
-            new DetectorFinding(
-                id, false, "Multiple supported SQL methods found on the given line");
-        allFindings.add(unfixableFinding);
+        UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id,
+                getDetectorRule(),
+                context.path().toString(),
+                line,
+                "Multiple supported SQL methods found on the given line");
+        unfixedFindings.add(unfixableFinding);
         continue;
       }
 
       MethodCallExpr methodCallExpr = supportedSqlMethodCallsOnThatLine.get(0);
-
       if (SQLParameterizerWithCleanup.checkAndFix(methodCallExpr)) {
-        DetectorFinding fixedFinding = new DetectorFinding(id, true, null);
-        allFindings.add(fixedFinding);
-        changes.add(CodemodChange.from(line, "Fixes issue " + id + " by parameterizing SQL"));
+        FixedFinding fixedFinding = new FixedFinding(id, getDetectorRule());
+        changes.add(CodemodChange.from(line, fixedFinding));
       } else {
-        DetectorFinding unfixableFinding =
-            new DetectorFinding(id, false, "Fixing may have side effects");
-        allFindings.add(unfixableFinding);
+        UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id,
+                getDetectorRule(),
+                context.path().toString(),
+                line,
+                "State changing effects possible or unrecognized code shape");
+        unfixedFindings.add(unfixableFinding);
       }
     }
 
-    return CodemodFileScanningResult.from(changes, allFindings);
+    return CodemodFileScanningResult.from(changes, unfixedFindings);
   }
 }

core-codemods/src/main/java/io/codemodder/codemods/DefineConstantForLiteralCodemod.java

@@ -27,7 +27,7 @@ public DefineConstantForLiteralCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1192",
         "String literals should not be duplicated",

core-codemods/src/main/java/io/codemodder/codemods/FixRedundantStaticOnEnumCodemod.java

@@ -27,7 +27,7 @@ public FixRedundantStaticOnEnumCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S2786",
         "Nested `enum`s should not be declared static",

core-codemods/src/main/java/io/codemodder/codemods/HardenStringParseToPrimitivesCodemod.java

@@ -63,7 +63,7 @@ public HardenParseForConstructorChanger(
     }
 
     @Override
-    protected DetectorRule getDetectorRule() {
+    public DetectorRule getDetectorRule() {
       return new DetectorRule(
           "java:S2130",
           "Parsing should be used to convert `String`s to primitives",
@@ -125,7 +125,7 @@ public HardenParseForValueOfChanger(
     }
 
     @Override
-    protected DetectorRule getDetectorRule() {
+    public DetectorRule getDetectorRule() {
       return new DetectorRule(
           "java:S2130",
           "Parsing should be used to convert `String`s to primitives",

core-codemods/src/main/java/io/codemodder/codemods/OverridesMatchParentSynchronizationCodemod.java

@@ -33,7 +33,7 @@ public OverridesMatchParentSynchronizationCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S3551",
         "Overrides should match their parent class methods in synchronization",

core-codemods/src/main/java/io/codemodder/codemods/RemoveCommentedCodeCodemod.java

@@ -42,7 +42,7 @@ public RemoveCommentedCodeCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S125",
         "Sections of code should not be commented out",

core-codemods/src/main/java/io/codemodder/codemods/RemoveRedundantVariableCreationCodemod.java

@@ -29,7 +29,7 @@ public RemoveRedundantVariableCreationCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1488",
         "Local variables should not be declared and then immediately returned or thrown",

core-codemods/src/main/java/io/codemodder/codemods/RemoveUnusedImportCodemod.java

@@ -42,7 +42,7 @@ public RemoveUnusedImportCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1128",
         "Unnecessary imports should be removed",

core-codemods/src/main/java/io/codemodder/codemods/RemoveUnusedLocalVariableCodemod.java

@@ -39,7 +39,7 @@ public RemoveUnusedLocalVariableCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1481",
         "Unused local variables should be removed",

core-codemods/src/main/java/io/codemodder/codemods/RemoveUnusedPrivateMethodCodemod.java

@@ -30,7 +30,7 @@ public RemoveUnusedPrivateMethodCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1144",
         "Unused private methods should be removed",

core-codemods/src/main/java/io/codemodder/codemods/RemoveUselessParenthesesCodemod.java

@@ -28,7 +28,7 @@ public RemoveUselessParenthesesCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S1110",
         "Redundant pairs of parentheses should be removed",

core-codemods/src/main/java/io/codemodder/codemods/ReplaceStreamCollectorsToListCodemod.java

@@ -30,7 +30,7 @@ public ReplaceStreamCollectorsToListCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S6204",
         "`Stream.toList()` should be used instead of `collectors`",

core-codemods/src/main/java/io/codemodder/codemods/SimplifyRestControllerAnnotationsCodemod.java

@@ -37,7 +37,7 @@ public SimplifyRestControllerAnnotationsCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S6833",
         "`@Controller` should be replaced with `@RestController`",

core-codemods/src/main/java/io/codemodder/codemods/SubstituteReplaceAllCodemod.java

@@ -26,7 +26,7 @@ public SubstituteReplaceAllCodemod(
   }
 
   @Override
-  protected DetectorRule getDetectorRule() {
+  public DetectorRule getDetectorRule() {
     return new DetectorRule(
         "java:S5361",
         "`String#replace` should be preferred to `String#replaceAll`",

core-codemods/src/test/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemodTest.java

@@ -10,17 +10,21 @@ final class DefectDojoSqlInjectionCodemodTest {
   @Metadata(
       codemodType = DefectDojoSqlInjectionCodemod.class,
       testResourceDir = "defectdojo-sql-injection/SqlInjectionChallenge",
+      doRetransformTest = false,
       renameTestFile =
           "src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java",
-      dependencies = {})
+      dependencies = {},
+      expectingFixesAtLines = {69})
   final class WebGoatSqlInjectionChallengeTest implements CodemodTestMixin {}
 
   @Nested
   @Metadata(
       codemodType = DefectDojoSqlInjectionCodemod.class,
       testResourceDir = "defectdojo-sql-injection/SqlInjectionLesson8",
+      doRetransformTest = false,
       renameTestFile =
           "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
-      dependencies = {})
+      dependencies = {},
+      expectingFixesAtLines = {78, 158})
   final class WebGoatSqlInjectionLesson8Test implements CodemodTestMixin {}
 }

framework/codemodder-base/build.gradle.kts

@@ -21,7 +21,7 @@ dependencies {
     api(libs.java.security.toolkit)
     api(libs.commons.lang3)
 
-    api("io.codemodder:codetf-java:3.2.1")
+    api("io.codemodder:codetf-java:4.0.0")
     api(libs.slf4j.api)
     api(libs.javaparser.core)
     api(libs.javaparser.symbolsolver.core)

framework/codemodder-base/src/main/java/io/codemodder/CodemodChange.java

@@ -1,6 +1,7 @@
 package io.codemodder;
 
 import io.codemodder.codetf.CodeTFParameter;
+import io.codemodder.codetf.FixedFinding;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
@@ -15,6 +16,9 @@ public final class CodemodChange {
   /** Represents the dependencies required by the new code we introduced in this weave. */
   private final List<DependencyGAV> dependenciesNeeded;
 
+  /** The fixed finding that was addressed by this change. */
+  private final List<FixedFinding> fixedFindings;
+
   /**
    * Represents the parameters that were used to generate the new code we introduced in this weave.
    */
@@ -28,13 +32,23 @@ private CodemodChange(final int lineNumber, final List<DependencyGAV> dependenci
     this.dependenciesNeeded = Objects.requireNonNull(dependenciesNeeded, "dependenciesNeeded");
     this.parameters = List.of();
     this.description = null;
+    this.fixedFindings = List.of();
+  }
+
+  private CodemodChange(final int lineNumber, final FixedFinding finding) {
+    this.lineNumber = lineNumber;
+    this.dependenciesNeeded = List.of();
+    this.parameters = List.of();
+    this.description = null;
+    this.fixedFindings = List.of(Objects.requireNonNull(finding));
   }
 
   private CodemodChange(final int lineNumber, final String description) {
     this.lineNumber = lineNumber;
     this.dependenciesNeeded = List.of();
     this.parameters = List.of();
     this.description = Objects.requireNonNull(description);
+    this.fixedFindings = List.of();
   }
 
   private CodemodChange(final int lineNumber, final Parameter parameter, final String valueUsed) {
@@ -49,6 +63,7 @@ private CodemodChange(final int lineNumber, final Parameter parameter, final Str
             valueUsed);
     this.parameters = List.of(codeTFParameter);
     this.description = null;
+    this.fixedFindings = List.of();
   }
 
   @Override
@@ -93,6 +108,11 @@ public Optional<String> getDescription() {
     return Optional.ofNullable(description);
   }
 
+  /** The fixed finding that was addressed by this change. */
+  public List<FixedFinding> getFixedFindings() {
+    return fixedFindings;
+  }
+
   /** Builds a weave. */
   public static CodemodChange from(final int line, final List<DependencyGAV> dependenciesNeeded) {
     return new CodemodChange(line, dependenciesNeeded);
@@ -114,6 +134,11 @@ public static CodemodChange from(final int line) {
     return new CodemodChange(line, List.of());
   }
 
+  public static CodemodChange from(final int line, final FixedFinding finding) {
+    return new CodemodChange(line, finding);
+  }
+
+  /** A {@link } */
   public static CodemodChange from(
       final int line, final Parameter parameter, final String valueUsed) {
     return new CodemodChange(line, parameter, valueUsed);