Added CWE links for several codemods (#964)

* Added CWE information for Sonar and some pixee codemod * Added CWE informatino for Semgrep, Defectdojo, and some pixee codemods * Added missing CWE information for pixee codemods * Changed get to head for url test * Filtered duplicates from queried urls in test
pixee · Jan 8, 2025 · 47680c3 · 47680c3
1 parent 7b2d930
commit 47680c3
Show file tree

Hide file tree

Showing 36 changed files with 86 additions and 14 deletions.
diff --git a/integration_tests/test_codemod_urls.py b/integration_tests/test_codemod_urls.py
@@ -10,7 +10,8 @@
 
 async def visit_url(client, url):
     try:
-        response = await client.get(url)
+        response = await client.head(url)
+
         return url, response.status_code
     except httpx.RequestError:
         return url, None
@@ -36,9 +37,15 @@ async def check_accessible_urls(urls):
 
 @pytest.mark.asyncio
 async def test_codemod_reference_urls():
-    urls = [
-        ref.url for codemod in registry.codemods for ref in codemod._metadata.references
-    ]
+    urls = list(
+        set(
+            [
+                ref.url
+                for codemod in registry.codemods
+                for ref in codemod._metadata.references
+            ]
+        )
+    )
     await check_accessible_urls(urls)
 
 

diff --git a/src/core_codemods/add_requests_timeouts.py b/src/core_codemods/add_requests_timeouts.py
@@ -27,6 +27,7 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://docs.python-requests.org/en/master/user/quickstart/#timeouts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/1088"),
         ],
     ),
     detector=SemgrepRuleDetector(

diff --git a/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py b/src/core_codemods/defectdojo/semgrep/avoid_insecure_deserialization.py
@@ -6,6 +6,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
 from core_codemods.harden_pickle_load import HardenPickleLoad
 from core_codemods.harden_pyyaml import CodemodProtocol, HardenPyyamlCallMixin
@@ -56,7 +57,9 @@ def leave_Call(
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/502"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(
         AvoidInsecureDeserializationTransformer, HardenPickleLoad

diff --git a/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py b/src/core_codemods/defectdojo/semgrep/django_secure_set_cookie.py
@@ -6,6 +6,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
 from core_codemods.secure_cookie_mixin import SecureCookieMixin
 
@@ -50,7 +51,9 @@ def leave_Call(self, original_node: cst.Call, updated_node: cst.Call) -> cst.Cal
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/614"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(DjangoSecureSetCookieTransformer),
     detector=DefectDojoDetector(),

diff --git a/src/core_codemods/disable_graphql_introspection.py b/src/core_codemods/disable_graphql_introspection.py
@@ -127,6 +127,12 @@ def _is_introspection_rule_or_starred(
             Reference(
                 url="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL#introspection-queries",
             ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/200",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/669",
+            ),
         ],
     ),
     transformer=LibcstTransformerPipeline(DisableGraphQLIntrospectionTransform),

diff --git a/src/core_codemods/django_debug_flag_on.py b/src/core_codemods/django_debug_flag_on.py
@@ -16,6 +16,7 @@ class DjangoDebugFlagOn(SimpleCodemod):
             Reference(
                 url="https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DEBUG"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/489"),
         ],
     )
     change_description = "Flip `Django` debug flag to off."

diff --git a/src/core_codemods/django_json_response_type.py b/src/core_codemods/django_json_response_type.py
@@ -53,6 +53,7 @@ def on_result_found(self, _, updated_node):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     transformer=LibcstTransformerPipeline(DjangoJsonResponseTypeTransformer),

diff --git a/src/core_codemods/django_session_cookie_secure_off.py b/src/core_codemods/django_session_cookie_secure_off.py
@@ -16,6 +16,7 @@ class DjangoSessionCookieSecureOff(SimpleCodemod):
             Reference(
                 url="https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/614"),
         ],
     )
     change_description = "Sets Django's `SESSION_COOKIE_SECURE` flag if off or missing."

diff --git a/src/core_codemods/enable_jinja2_autoescape.py b/src/core_codemods/enable_jinja2_autoescape.py
@@ -30,6 +30,7 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     detector=SemgrepRuleDetector(

diff --git a/src/core_codemods/file_resource_leak.py b/src/core_codemods/file_resource_leak.py
@@ -73,8 +73,8 @@ def line_filter(x):
         summary="Automatically Close Resources",
         review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW,
         references=[
-            Reference(url="https://cwe.mitre.org/data/definitions/772.html"),
-            Reference(url="https://cwe.mitre.org/data/definitions/404.html"),
+            Reference(url="https://cwe.mitre.org/data/definitions/404"),
+            Reference(url="https://cwe.mitre.org/data/definitions/772"),
         ],
     ),
     transformer=LibcstTransformerPipeline(FileResourceLeakTransformer),

diff --git a/src/core_codemods/flask_enable_csrf_protection.py b/src/core_codemods/flask_enable_csrf_protection.py
@@ -19,6 +19,7 @@ class FlaskEnableCSRFProtection(
         references=[
             Reference(url="https://owasp.org/www-community/attacks/csrf"),
             Reference(url="https://flask-wtf.readthedocs.io/en/1.2.x/csrf/"),
+            Reference(url="https://cwe.mitre.org/data/definitions/352"),
         ],
     )
 

diff --git a/src/core_codemods/flask_json_response_type.py b/src/core_codemods/flask_json_response_type.py
@@ -281,6 +281,7 @@ def _fix_json_dumps(self, node: cst.BaseExpression) -> cst.Tuple:
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/79"),
         ],
     ),
     transformer=LibcstTransformerPipeline(FlaskJsonResponseTypeTransformer),

diff --git a/src/core_codemods/harden_pickle_load.py b/src/core_codemods/harden_pickle_load.py
@@ -21,6 +21,9 @@ class HardenPickleLoad(SimpleCodemod, ImportModifierCodemod):
             Reference(
                 url="https://github.com/trailofbits/fickling",
             ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/502",
+            ),
         ],
     )
 

diff --git a/src/core_codemods/harden_pyyaml.py b/src/core_codemods/harden_pyyaml.py
@@ -126,6 +126,7 @@ def _update_bases(
             Reference(
                 url="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/502"),
         ],
     ),
     detector=SemgrepRuleDetector(

diff --git a/src/core_codemods/harden_ruamel.py b/src/core_codemods/harden_ruamel.py
@@ -11,6 +11,7 @@ class HardenRuamel(SimpleCodemod):
             Reference(
                 url="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/502"),
         ],
     )
     change_description = (

diff --git a/src/core_codemods/https_connection.py b/src/core_codemods/https_connection.py
@@ -59,6 +59,7 @@ class HTTPSConnection(SimpleCodemod):
             Reference(
                 url="https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/319"),
         ],
     )
 

diff --git a/src/core_codemods/jwt_decode_verify.py b/src/core_codemods/jwt_decode_verify.py
@@ -109,6 +109,7 @@ def is_verify_keyword(element: cst.DictElement) -> bool:
             Reference(
                 url="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/347"),
         ],
     ),
     transformer=LibcstTransformerPipeline(JwtDecodeVerifyTransformer),

diff --git a/src/core_codemods/limit_readline.py b/src/core_codemods/limit_readline.py
@@ -11,7 +11,7 @@ class LimitReadline(SimpleCodemod):
         summary="Limit readline()",
         review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
         references=[
-            Reference(url="https://cwe.mitre.org/data/definitions/400.html"),
+            Reference(url="https://cwe.mitre.org/data/definitions/400"),
         ],
     )
     change_description = "Adds a size limit argument to readline() calls."

diff --git a/src/core_codemods/lxml_safe_parser_defaults.py b/src/core_codemods/lxml_safe_parser_defaults.py
@@ -17,6 +17,7 @@ class LxmlSafeParserDefaults(SimpleCodemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/611"),
         ],
     )
     change_description = "Replace `lxml` parser parameters with safe defaults."

diff --git a/src/core_codemods/lxml_safe_parsing.py b/src/core_codemods/lxml_safe_parsing.py
@@ -17,6 +17,7 @@ class LxmlSafeParsing(SimpleCodemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/611"),
         ],
     )
     change_description = (

diff --git a/src/core_codemods/process_creation_sandbox.py b/src/core_codemods/process_creation_sandbox.py
@@ -16,6 +16,8 @@ class ProcessSandbox(SimpleCodemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/20"),
+            Reference(url="https://cwe.mitre.org/data/definitions/78"),
         ],
     )
     change_description = (

diff --git a/src/core_codemods/replace_flask_send_file.py b/src/core_codemods/replace_flask_send_file.py
@@ -18,6 +18,7 @@ class ReplaceFlaskSendFile(SimpleCodemod, NameAndAncestorResolutionMixin):
                 url="https://flask.palletsprojects.com/en/3.0.x/api/#flask.send_from_directory"
             ),
             Reference(url="https://owasp.org/www-community/attacks/Path_Traversal"),
+            Reference(url="https://cwe.mitre.org/data/definitions/35"),
         ],
     )
 

diff --git a/src/core_codemods/requests_verify.py b/src/core_codemods/requests_verify.py
@@ -13,6 +13,7 @@ class RequestsVerify(SimpleCodemod):
             Reference(
                 url="https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/295"),
         ],
     )
     change_description = (

diff --git a/src/core_codemods/secure_flask_cookie.py b/src/core_codemods/secure_flask_cookie.py
@@ -14,6 +14,7 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
             Reference(
                 url="https://owasp.org/www-community/controls/SecureCookieAttribute"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/614"),
         ],
     )
     change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."

diff --git a/src/core_codemods/secure_flask_session_config.py b/src/core_codemods/secure_flask_session_config.py
@@ -23,6 +23,9 @@ class SecureFlaskSessionConfig(SimpleCodemod, Codemod):
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/319"),
+            Reference(url="https://cwe.mitre.org/data/definitions/352"),
+            Reference(url="https://cwe.mitre.org/data/definitions/614"),
         ],
     )
     change_description = "Flip Flask session configuration if defined as insecure."

diff --git a/src/core_codemods/secure_random.py b/src/core_codemods/secure_random.py
@@ -33,6 +33,18 @@ def on_result_found(self, original_node, updated_node):
             Reference(
                 url="https://docs.python.org/3/library/random.html",
             ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/338",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/330",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/326",
+            ),
+            Reference(
+                url="https://cwe.mitre.org/data/definitions/1241",
+            ),
         ],
     ),
     detector=SemgrepRuleDetector(

diff --git a/src/core_codemods/semgrep/semgrep_nan_injection.py b/src/core_codemods/semgrep/semgrep_nan_injection.py
@@ -15,6 +15,7 @@
     LibcstTransformerPipeline,
 )
 from codemodder.codemods.semgrep import SemgrepSarifFileDetector
+from codemodder.codetf import Reference
 from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
 
 
@@ -124,7 +125,9 @@ def visit_Call(self, node: cst.Call) -> None:
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/704"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(NanInjectionTransformer),
     detector=SemgrepSarifFileDetector(),

diff --git a/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py b/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py
@@ -12,6 +12,7 @@
 )
 from codemodder.codemods.semgrep import SemgrepSarifFileDetector
 from codemodder.codemods.utils_mixin import NameResolutionMixin
+from codemodder.codetf import Reference
 from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
 
 
@@ -53,7 +54,9 @@ def leave_Decorator(
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/352"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(RemoveCsrfExemptTransformer),
     detector=SemgrepSarifFileDetector(),

diff --git a/src/core_codemods/semgrep/semgrep_rsa_key_size.py b/src/core_codemods/semgrep/semgrep_rsa_key_size.py
@@ -12,6 +12,7 @@
     NewArg,
 )
 from codemodder.codemods.semgrep import SemgrepSarifFileDetector
+from codemodder.codetf import Reference
 from codemodder.result import fuzzy_column_match, same_line
 from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
 
@@ -74,7 +75,9 @@ def match_location(self, pos, result):
                 )
             ],
         ),
-        references=[],
+        references=[
+            Reference(url="https://cwe.mitre.org/data/definitions/326"),
+        ],
     ),
     transformer=LibcstTransformerPipeline(RsaKeySizeTransformer),
     detector=SemgrepSarifFileDetector(),

diff --git a/src/core_codemods/sql_parameterization.py b/src/core_codemods/sql_parameterization.py
@@ -369,7 +369,8 @@ def _remove_literal_and_gather_extra(
         summary="Parameterize SQL Queries",
         review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
         references=[
-            Reference(url="https://cwe.mitre.org/data/definitions/89.html"),
+            Reference(url="https://cwe.mitre.org/data/definitions/20"),
+            Reference(url="https://cwe.mitre.org/data/definitions/89"),
             Reference(url="https://owasp.org/www-community/attacks/SQL_Injection"),
         ],
     ),

diff --git a/src/core_codemods/subprocess_shell_false.py b/src/core_codemods/subprocess_shell_false.py
@@ -79,6 +79,7 @@ def first_arg_is_not_string(self, original_node: cst.Call) -> bool:
                 url="https://en.wikipedia.org/wiki/Code_injection#Shell_injection"
             ),
             Reference(url="https://stackoverflow.com/a/3172488"),
+            Reference(url="https://cwe.mitre.org/data/definitions/78"),
         ],
     ),
     transformer=LibcstTransformerPipeline(SubprocessShellFalseTransformer),

diff --git a/src/core_codemods/tempfile_mktemp.py b/src/core_codemods/tempfile_mktemp.py
@@ -169,6 +169,8 @@ def _mktemp_is_sink(
             Reference(
                 url="https://docs.python.org/3/library/tempfile.html#tempfile.mktemp"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/377"),
+            Reference(url="https://cwe.mitre.org/data/definitions/379"),
         ],
     ),
     transformer=LibcstTransformerPipeline(TempfileMktempTransformer),

diff --git a/src/core_codemods/upgrade_sslcontext_minimum_version.py b/src/core_codemods/upgrade_sslcontext_minimum_version.py
@@ -13,6 +13,7 @@ class UpgradeSSLContextMinimumVersion(SimpleCodemod, NameResolutionMixin):
             ),
             Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
             Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
+            Reference(url="https://cwe.mitre.org/data/definitions/326"),
         ],
     )
     change_description = "Replaces minimum SSL/TLS version for SSLContext."

diff --git a/src/core_codemods/upgrade_sslcontext_tls.py b/src/core_codemods/upgrade_sslcontext_tls.py
@@ -13,6 +13,7 @@ class UpgradeSSLContextTLS(SimpleCodemod):
             ),
             Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
             Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
+            Reference(url="https://cwe.mitre.org/data/definitions/326"),
         ],
     )
     change_description = "Replaces known insecure TLS/SSL protocol versions in SSLContext with secure ones."

diff --git a/src/core_codemods/url_sandbox.py b/src/core_codemods/url_sandbox.py
@@ -32,14 +32,15 @@ def dependency(self) -> Dependency:
             Reference(
                 url="https://github.com/pixee/python-security/blob/main/src/security/safe_requests/api.py"
             ),
-            Reference(url="https://portswigger.net/web-security/ssrf"),
             Reference(
                 url="https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
             ),
             Reference(
                 url="https://www.rapid7.com/blog/post/2021/11/23/owasp-top-10-deep-dive-defending-against-server-side-request-forgery/"
             ),
             Reference(url="https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/"),
+            Reference(url="https://cwe.mitre.org/data/definitions/20"),
+            Reference(url="https://cwe.mitre.org/data/definitions/918"),
         ],
     ),
     detector=SemgrepRuleDetector(
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,6 +59,7 @@ class HTTPSConnection(SimpleCodemod): @@
                 Reference(
                     url="https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool"
                 ),
+                Reference(url="https://cwe.mitre.org/data/definitions/319"),
             ],
         )
@@ Expand Down @@