Populate detectionTool metadata for Sonar codemods

[carlosu7]

add finding to sonar codemods and add assertion to check if FixOnlyCodeChanger has findings

Issue #337

[nahsra]

It's not the rule ID we want, but the finding ID (or "issue" ID in Sonar's parlance. Maybe this isn't clear, I would check the JavaDoc for this method and make sure it's good.

[carlosu7]

the sonar issue ID is set correctly at SonarPluginJavaParserChanger.java line 85

this is for the sarif plugin

right now SemgrepSarifJavaParserChanger extends from SarifPluginFixOnlyCodeChanger that extends from SarifPluginJavaParserChanger

when runing the only rule Semgrep codemod: SemgrepOverlyPermissiveFilePermissionsCodemod, the semgrep provided rule id is: "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission" which is the same as result.RuleId

[nahsra]

We don' want the rule ID. We want the finding ID.

[carlosu7]

@nahsra

taking the DefectDojo codemod as reference:

the finding ID is taken from the RuleFindings findings argument of the injected constructor

in the case of the semgrep codemod, i see that the argument type of the injected constructor is RuleSarif sarif. I'm not sure if the Result::guid would be the desired value.

RuleSarif sarif has a method called getResultsByLocationPath which returns a List, and the javadoc for this method says: "Get all the SARIF results with the matching path for the first location field"

And Result class has the guid field that says: "A stable, unique identifer for the result in the form of a GUID."

So what I'm trying to understand is if this Result::guid for the Sarif codemods is similar to the Finding::id for the defect dojo codemods given the fact that the Finding class javadoc says: "Represents a finding in DefectDojo."

[nahsra]

Yes, it's usually either guid or correlationGuid. However, the DefectDojo ID, not the underlying Semgrep ID, is the one that's valuable, because that's where we need to link the user to see the result.

This logic being here is wrong because SarifPluginJavaParserChanger isn't necessarily a FixOnlyChanger, so it has no idea where to find the finding ID, and thus, maybe it doesn't know how to make a CodemodChange for all subtypes. This inheritance isn't working, so we should favor composition. The first thought to me is to create a new interface CodemodChangeFactory, and have have the subclasses inject one into the constructor if they want a different behavior.

[carlosu7]

@nahsra should core-codemods/src/test/resources/semgrep-overly-permissive-file-permission/out.sarif file have the tool vendor's ID property ?

[nahsra]

OOF -- it doesn't have one. I did not see that coming. I don't even know what to do in that scenario.

I think we have two options:

• make our own "composite ID", maybe rule ID + location + line
• match fingerprint ID

I feel like either is fine, because both are temporary. I'd prefer match fingerprint ID.

[nahsra]

Yes, it's usually either guid or correlationGuid. However, the DefectDojo ID, not the underlying Semgrep ID, is the one that's valuable, because that's where we need to link the user to see the result.

This logic being here is wrong because SarifPluginJavaParserChanger isn't necessarily a FixOnlyChanger, so it has no idea where to find the finding ID, and thus, maybe it doesn't know how to make a CodemodChange for all subtypes. This inheritance isn't working, so we should favor composition. The first thought to me is to create a new interface CodemodChangeFactory, and have have the subclasses inject one into the constructor if they want a different behavior.

[carlosu7]

@nahsra would this be OK since fingerprints is basically a map of strings or do you prefer the other way you suggested: make our own "composite ID", maybe rule ID + location + line ?

[nahsra]

Yuck, I hate both. Let's use the fingerprint, but what you've got here doesn't look like it will be the string fingerprint value, it looks like it is a toString() of the array.

[carlosu7]

@nahsra fingerprint is basically a Map<String, String> which represent a set of strings each of which individually defines a stable, unique identity for the result, do you want the string value of that map?

[nahsra]

I'd rather just get the first value in the map (not the key, the value.)

[nahsra]

Needs a lot more design love. Don't rush to get another revision. Take your time, draw it out.

[nahsra]

JavaDoc

[nahsra]

The scope of this type is very strange. It's primarily a model, but it also looks like a Factory type -- except the Factory looks like it's just a utility that won't be very different.

I think you've now got a much better idea of what information needs to be where, but these patterns are not working for me.

[nahsra]

Yuck, I hate both. Let's use the fingerprint, but what you've got here doesn't look like it will be the string fingerprint value, it looks like it is a toString() of the array.

[nahsra]

Minor nitpick -- please fix then we're good to go.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud