New rules, first implemented in CodeQL (#483)

This change introduces new remediation logic for weak crypto algorithms,
and log injection, two unexciting vulnerability classes for different
reasons, but for completeness, should be present.

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -34,8 +34,10 @@ public static List<Class<? extends CodeChanger>> asList() {
         CodeQLJDBCResourceLeakCodemod.class,
         CodeQLJEXLInjectionCodemod.class,
         CodeQLJNDIInjectionCodemod.class,
+        CodeQLLogInjectionCodemod.class,
         CodeQLMavenSecureURLCodemod.class,
         CodeQLOutputResourceLeakCodemod.class,
+        CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.class,
         CodeQLPredictableSeedCodemod.class,
         CodeQLRegexInjectionCodemod.class,
         CodeQLSQLInjectionCodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemod.java

@@ -0,0 +1,54 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.loginjection.LogInjectionRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing Log Injection from CodeQL. */
+@Codemod(
+    id = "codeql:java/log-injection",
+    reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLLogInjectionCodemod extends CodeQLRemediationCodemod {
+
+  private final Remediator<Result> remediator;
+
+  @Inject
+  public CodeQLLogInjectionCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/log-injection") final RuleSarif sarif) {
+    super(GenericRemediationMetadata.LOG_INJECTION.reporter(), sarif);
+    this.remediator = new LogInjectionRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "log-injection",
+        "Log Injection",
+        "https://codeql.github.com/codeql-query-help/java/java-log-injection/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r -> Optional.empty());
+  }
+}

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.java

@@ -0,0 +1,55 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.weakcrypto.WeakCryptoAlgorithmRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing weak crypto algorithms. */
+@Codemod(
+    id = "codeql:java/potentially-weak-cryptographic-algorithm",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod extends CodeQLRemediationCodemod {
+
+  private final Remediator<Result> remediator;
+
+  @Inject
+  public CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/potentially-weak-cryptographic-algorithm")
+          final RuleSarif sarif) {
+    super(GenericRemediationMetadata.WEAK_CRYPTO_ALGORITHM.reporter(), sarif);
+    this.remediator = new WeakCryptoAlgorithmRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "potentially-weak-cryptographic-algorithm",
+        "Use of a potentially broken or risky cryptographic algorithm",
+        "https://codeql.github.com/codeql-query-help/java/java-potentially-weak-cryptographic-algorithm/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r -> Optional.empty());
+  }
+}

core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLJEXLInjectionCodemodTest.java

@@ -6,5 +6,6 @@
 @Metadata(
     codemodType = CodeQLJEXLInjectionCodemod.class,
     testResourceDir = "jexl-expression-injection",
+    doRetransformTest = false,
     dependencies = {})
 final class CodeQLJEXLInjectionCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemodTest.java

@@ -0,0 +1,14 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = CodeQLLogInjectionCodemod.class,
+    testResourceDir = "codeql-log-injection",
+    renameTestFile =
+        "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Templates.java",
+    doRetransformTest = false,
+    expectingFixesAtLines = {124},
+    dependencies = {})
+final class CodeQLLogInjectionCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest.java

@@ -0,0 +1,13 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.class,
+    testResourceDir = "codeql-potentially-unsafe-crypto-algorithm",
+    renameTestFile = "app/src/main/java/org/apache/roller/weblogger/util/WSSEUtilities.java",
+    expectingFixesAtLines = {38},
+    doRetransformTest = false,
+    dependencies = {})
+final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest implements CodemodTestMixin {}