
Sonar tmpfile codemod #393

Merged
merged 4 commits into from
Apr 2, 2024

Conversation

@clavedeluna (Contributor) commented Mar 19, 2024

Overview

Added a sonar codemod for secure-tempfile

Description

  • I also added an enforcement mechanism via assertions to ensure sonar_issues.json is updated for every new integration test. This will fail until "Correct node position for FuncDef nodes and fix sonar codemods" (#423) is merged, since that PR fixes one codemod that had not updated this file. This demonstrates how it works.
  • This particular codemod already had an entry in sonar_issues.json (I had forgotten to delete it when removing most of the files under tests/samples), so I just used that.

Closes #371

@@ -0,0 +1,3 @@
import tempfile

tempfile.mktemp()
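Review bot: the three-line sample added in this hunk is exactly the insecure pattern the secure-tempfile codemod exists to rewrite, so the Code scanning / SonarCloud failure annotated on it ("'tempfile.mktemp' is insecure. Use 'tempfile.TemporaryFile' instead") is the intended trigger rather than a regression; a one-line comment in the sample saying so, or excluding tests/samples from SonarCloud analysis, would stop the quality gate from reporting the fixture itself.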

Check failure (Code scanning / SonarCloud): Insecure temporary file creation methods should not be used.

'tempfile.mktemp' is insecure. Use 'tempfile.TemporaryFile' instead. See more on SonarCloud: https://sonarcloud.io/project/issues?id=pixee_codemodder-python&issues=AY5XQPcqmQvQ0611j65v&open=AY5XQPcqmQvQ0611j65v&pullRequest=393
@clavedeluna clavedeluna changed the title from "tmp testing sonar reporting" to "Sonar tmpfile codemod" Apr 1, 2024
@clavedeluna clavedeluna marked this pull request as ready for review April 1, 2024 12:35
@andrecsilva (Contributor) left a comment:
Pending the test failures, this looks good to me.

sonarqubecloud bot commented Apr 2, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@@ -314,6 +314,11 @@ class DocMetadata:
guidance_explained=CORE_METADATA["fix-missing-self-or-cls"].guidance_explained,
need_sarif="Yes (Sonar)",
),
"secure-tempfile-S5445": DocMetadata(
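Review bot: the hunk shows only the opening line of the new `"secure-tempfile-S5445": DocMetadata(` entry; please confirm the rest of it sets `need_sarif="Yes (Sonar)"` as the preceding `fix-missing-self-or-cls` entry does, since this codemod is driven by Sonar findings and the key's `-S5445` suffix already ties it to the Sonar rule.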
A project member commented on this line:

Not necessarily for this PR but we should be able to rewrite this whole section in terms of a dict comprehension and avoid a lot of duplication.

@clavedeluna clavedeluna added this pull request to the merge queue Apr 2, 2024
Merged via the queue into main with commit 9aa6fb2 Apr 2, 2024
12 checks passed
@clavedeluna clavedeluna deleted the sonar-tempfile-371 branch April 2, 2024 14:24
Successfully merging this pull request may close these issues.

Sonar: fix insecure temporary file creation with secure-tempfile
3 participants