-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Populate detectionTool metadata for Sonar codemods #346
Merged
Merged
Changes from 2 commits
Commits
Show all changes
17 commits
Select commit
Hold shift + click to select a range
f564cc6
add finding to sonar codemods and add assertion to check if fixonlych…
carlosu7 cf03790
remove get changers, rename builFixedFinding
carlosu7 e36e899
delete SarifPluginFixOnlyCodeChanger file
carlosu7 4f59bd9
refactor fix only code changer
carlosu7 db94024
Merge remote-tracking branch 'origin/main' into sonar-detectiontool-m…
carlosu7 3e4192f
refactor to record
carlosu7 20f701c
remove vendor name
carlosu7 44d0e1b
update refactor design
carlosu7 9075f15
Merge remote-tracking branch 'origin/main' into sonar-detectiontool-m…
carlosu7 3425894
fix compilation error
carlosu7 3f3f29e
fix tests
carlosu7 21f6d28
remove default fix only code changer
carlosu7 297281d
remove finding factory
carlosu7 dadea1e
javadoc and rename
carlosu7 3466b58
update key
carlosu7 21eb4f5
key changes
carlosu7 3bf99cf
final feedback
carlosu7 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not the rule ID we want, but the finding ID (or "issue" ID in Sonar's parlance. Maybe this isn't clear, I would check the JavaDoc for this method and make sure it's good.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the sonar issue ID is set correctly at SonarPluginJavaParserChanger.java line 85
this is for the sarif plugin
right now SemgrepSarifJavaParserChanger extends from SarifPluginFixOnlyCodeChanger that extends from SarifPluginJavaParserChanger
when runing the only rule Semgrep codemod: SemgrepOverlyPermissiveFilePermissionsCodemod, the semgrep provided rule id is: "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission" which is the same as result.RuleId
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don' want the rule ID. We want the finding ID.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nahsra
taking the DefectDojo codemod as reference:
the finding ID is taken from the
RuleFindings findingsargument of the injected constructorin the case of the semgrep codemod, i see that the argument type of the injected constructor is
RuleSarif sarif. I'm not sure if the Result::guid would be the desired value.RuleSarif sarif has a method called getResultsByLocationPath which returns a List, and the javadoc for this method says: "Get all the SARIF results with the matching path for the first location field"
And
Resultclass has theguidfield that says: "A stable, unique identifer for the result in the form of a GUID."So what I'm trying to understand is if this Result::guid for the Sarif codemods is similar to the Finding::id for the defect dojo codemods given the fact that the Finding class javadoc says: "Represents a finding in DefectDojo."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it's usually either
guidorcorrelationGuid. However, the DefectDojo ID, not the underlying Semgrep ID, is the one that's valuable, because that's where we need to link the user to see the result.This logic being here is wrong because
SarifPluginJavaParserChangerisn't necessarily aFixOnlyChanger, so it has no idea where to find the finding ID, and thus, maybe it doesn't know how to make aCodemodChangefor all subtypes. This inheritance isn't working, so we should favor composition. The first thought to me is to create a new interfaceCodemodChangeFactory, and have have the subclasses inject one into the constructor if they want a different behavior.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nahsra should
core-codemods/src/test/resources/semgrep-overly-permissive-file-permission/out.sariffile have the tool vendor's ID property ?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OOF -- it doesn't have one. I did not see that coming. I don't even know what to do in that scenario.
I think we have two options:
I feel like either is fine, because both are temporary. I'd prefer match fingerprint ID.