update codemod metadata

pixee · Oct 16, 2023 · cef43e0 · cef43e0
1 parent 9223fb5
commit cef43e0
Show file tree

Hide file tree

Showing 9 changed files with 27 additions and 31 deletions.
diff --git a/src/core_codemods/django_session_cookie_secure_off.py b/src/core_codemods/django_session_cookie_secure_off.py
@@ -17,7 +17,7 @@ class DjangoSessionCookieSecureOff(SemgrepCodemod, Codemod):
     METADATA = CodemodMetadata(
         DESCRIPTION=("Sets Django's `SESSION_COOKIE_SECURE` Flag if Off or Missing."),
         NAME="django-session-cookie-secure-off",
-        REVIEW_GUIDANCE=ReviewGuidance.MERGE_AFTER_REVIEW,
+        REVIEW_GUIDANCE=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
         REFERENCES=[
             {
                 "url": "https://owasp.org/www-community/controls/SecureCookieAttribute",
@@ -29,7 +29,7 @@ class DjangoSessionCookieSecureOff(SemgrepCodemod, Codemod):
             },
         ],
     )
-    SUMMARY = "Secure setting for Django `SESSION_COOKIE_SECURE` flag"
+    SUMMARY = "Secure Setting for Django `SESSION_COOKIE_SECURE` flag"
     CHANGE_DESCRIPTION = METADATA.DESCRIPTION
     YAML_FILES = [
         "detect-django-settings.yaml",

diff --git a/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md b/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md
@@ -1,6 +1,6 @@
 This codemod enables autoescaping of HTML content in `jinja2`. Unfortunately, the jinja2
 default behavior is to not autoescape when rendering templates, which makes your applications
-vulnerable to Cross-Site Scripting (XSS) attacks.
+potentially vulnerable to Cross-Site Scripting (XSS) attacks.
 
 Our codemod checks if you forgot to enable autoescape or if you explicitly disabled it. The change looks as follows:
 

diff --git a/src/core_codemods/docs/pixee_python_jwt-decode-verify.md b/src/core_codemods/docs/pixee_python_jwt-decode-verify.md
@@ -9,10 +9,8 @@ Our change looks as follows:
 - decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=False)
 + decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=True)
   ...
-- decoded_payload = jwt.decode(
-    encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": False, "verify_exp": False})
-+ decoded_payload = jwt.decode(
-    encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": True, "verify_exp": True})
+- decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": False, "verify_exp": False})
++ decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": True, "verify_exp": True})
 ```
 
-Any `verify` parameter not listed relies on the secure `True` default value.
+Any `verify` parameter not listed relies on the secure `True` default value.
diff --git a/src/core_codemods/docs/pixee_python_unused-imports.md b/src/core_codemods/docs/pixee_python_unused-imports.md
@@ -6,5 +6,3 @@ import b
 
 b.function()
 ```
-
-If you have feedback on this codemod, [please let us know](mailto:[email protected])!
diff --git a/src/core_codemods/enable_jinja2_autoescape.py b/src/core_codemods/enable_jinja2_autoescape.py
@@ -5,7 +5,7 @@
 
 class EnableJinja2Autoescape(SemgrepCodemod):
     NAME = "enable-jinja2-autoescape"
-    REVIEW_GUIDANCE = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW
+    REVIEW_GUIDANCE = ReviewGuidance.MERGE_WITHOUT_REVIEW
     SUMMARY = "Enable Jinja2 Autoescape"
     DESCRIPTION = "Sets the `autoescape` parameter in jinja2.Environment to `True`."
     REFERENCES = [

diff --git a/src/core_codemods/https_connection.py b/src/core_codemods/https_connection.py
@@ -37,7 +37,7 @@ class HTTPSConnection(BaseCodemod, Codemod):
         ],
     )
     CHANGE_DESCRIPTION = METADATA.DESCRIPTION
-    SUMMARY = "Changes HTTPConnectionPool to HTTPSConnectionPool to enforce secure connection."
+    SUMMARY = "Changes HTTPConnectionPool to HTTPSConnectionPool to Enforce Secure Connection"
 
     METADATA_DEPENDENCIES = (PositionProvider,)
 

diff --git a/src/core_codemods/process_creation_sandbox.py b/src/core_codemods/process_creation_sandbox.py
@@ -5,7 +5,7 @@
 
 class ProcessSandbox(SemgrepCodemod):
     NAME = "sandbox-process-creation"
-    REVIEW_GUIDANCE = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW
+    REVIEW_GUIDANCE = ReviewGuidance.MERGE_WITHOUT_REVIEW
     SUMMARY = "Sandbox Process Creation"
     DESCRIPTION = (
         "Replaces subprocess.{func} with more secure safe_command library functions."

diff --git a/src/core_codemods/secure_random.py b/src/core_codemods/secure_random.py
@@ -4,7 +4,7 @@
 
 class SecureRandom(SemgrepCodemod):
     NAME = "secure-random"
-    REVIEW_GUIDANCE = ReviewGuidance.MERGE_WITHOUT_REVIEW
+    REVIEW_GUIDANCE = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW
     SUMMARY = "Secure Source of Randomness"
     DESCRIPTION = "Replaces random.{func} with more secure secrets library functions."
     REFERENCES = [

diff --git a/src/scripts/generate_docs.py b/src/scripts/generate_docs.py
@@ -44,7 +44,7 @@ class DocMetadata:
         guidance_explained="Support for HTTPS is widespread which, save in some legacy applications, makes this change safe.",
     ),
     "jwt-decode-verify": DocMetadata(
-        importance="SOMETHING", guidance_explained="SOMETHING"
+        importance="High", guidance_explained="This codemod ensures your code uses all available validations when calling `jwt.decode`. We believe this replacement is safe and should not result in any issues."
     ),
     "limit-readline": DocMetadata(
         importance="Medium",
@@ -58,10 +58,10 @@ class DocMetadata:
         importance="High",
         guidance_explained="We believe this change is safe, effective, and protects your code against very serious security attacks.",
     ),
-    # "order-imports": DocMetadata(
-    #     importance="Low",
-    #     guidance_explained="",
-    # ),
+    "order-imports": DocMetadata(
+        importance="Low",
+        guidance_explained="TODO SKIP FOR NOW",
+    ),
     "sandbox-process-creation": DocMetadata(
         importance="High",
         guidance_explained="We believe this change is safe and effective. The behavior of sandboxing `subprocess.run` and `subprocess.call` calls will only throw `SecurityException` if they see behavior involved in malicious code execution, which is extremely unlikely to happen in normal operation.",
@@ -87,7 +87,7 @@ class DocMetadata:
         guidance_explained="We believe this codemod is safe and will cause no unexpected errors.",
     ),
     "upgrade-sslcontext-minimum-version": DocMetadata(
-        importance="SOMETHING", guidance_explained="SOMETHING"
+        importance="High", guidance_explained="This codemod updates the minimum supported version of TLS. Since this is an important security fix and since all modern servers offer TLSv1.2, we believe this change can be safely merged without review."
     ),
     "upgrade-sslcontext-tls": DocMetadata(
         importance="High",
@@ -112,9 +112,9 @@ class DocMetadata:
         importance="Low",
         guidance_explained="We believe that using the walrus operator is an improvement in terms of clarity and readability. However, this change is only compatible with codebases that support Python 3.8 and later, so it requires quick validation before merging.",
     ),
-    # "bad-lock-with-statement": DocMetadata(
-    #     importance="Low", guidance_explained="TODO AFTER PR MERGE"
-    # ),
+    "bad-lock-with-statement": DocMetadata(
+        importance="Low", guidance_explained="TODO AFTER PR MERGE"
+    ),
 }
 
 
@@ -124,19 +124,21 @@ def generate_docs(codemod):
     except KeyError as exc:
         raise KeyError(f"Must add {codemod.name} to METADATA") from exc
 
+    formatted_references = [f"* [{ref['description']}]({ref['url']})" for ref in codemod.references]
+    markdown_references = "\n".join(formatted_references) or "N/A"
+
     output = f"""---
 title: {codemod.summary}
 sidebar_position: 1
 ---
 
 ## {codemod.id}
 
-| Importance | Review Guidance      | Requires SARIF Tool |
-|------------|----------------------|---------------------|
- | {codemod_data.importance}       | {codemod.review_guidance} | {codemod_data.need_sarif}                  |
+| Importance | Review Guidance            | Requires SARIF Tool |
+|------------|----------------------------|---------------------|
+| {codemod_data.importance}       | {codemod.review_guidance} | {codemod_data.need_sarif}                  |
 
 {codemod.description}
-
 If you have feedback on this codemod, [please let us know](mailto:[email protected])!
 
 ## F.A.Q.
@@ -150,10 +152,8 @@ def generate_docs(codemod):
 N/A
 
 ## References
-* [https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XMLParser](https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XMLParser)
-* [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)
-* [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
-#codemod.references
+
+{markdown_references}
 """
     return output
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,5 +6,3 @@ import b

		b.function()
		```

		If you have feedback on this codemod, [please let us know](mailto:[email protected])!