Commit
Added missing CWE links for several codemods
andrecsilva committed Jan 9, 2025
1 parent 174ffae commit 4adbb84
Showing 28 changed files with 32 additions and 19 deletions.
Expand Up @@ -2,5 +2,5 @@
"summary" : "Hardened LDAP call against deserialization attacks",
"change" : "Made the `retobj` field true so LDAP API responses won't be deserialized",
"reviewGuidanceIJustification" : "The protection works by denying deserialization during processing of an LDAP query which we're confident is intentional in a vanishingly small percentage of usage.",
"references" : ["https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"]
"references" : ["https://cwe.mitre.org/data/definitions/502","https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"]
}
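Review bot: the added CWE-502 element is glued to the next one (`502","https://www.blackhat.com...`) while the rest of the array uses `", "`; match the existing spacing. This commit also mixes two URL forms, `/data/definitions/502` here and `/data/definitions/502.html` in other files; pick one form and use it throughout. Since the file is being touched anyway, the context line still carries the misspelled key `reviewGuidanceIJustification`, which the other codemod metadata files spell `reviewGuidanceJustification`; a consumer reading the correctly spelled key will not see this justification at all.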
Expand Up @@ -2,7 +2,7 @@
"summary" : "Introduced protections against deserialization attacks",
"control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ObjectInputFilters.java",
"change" : "Hardened the deserialization call by introducing a filter that prevents known malicious gadgets from executing arbitrary code",
"references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
"references" : ["https://cwe.mitre.org/data/definitions/502","https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
"faqs" : [
{
"question" : "Why does this codemod require a Pixee dependency?",
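Review bot: this hunk is identical to the one for the second deserialization codemod further down in the commit (same summary, control, references and FAQ), so the two metadata files now have to be edited in lockstep every time; if they describe the same control, consider whether a shared references fragment would avoid the duplication. Same spacing nit as above: `502","https://` versus the `", "` used between the remaining elements.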
Expand Up @@ -5,6 +5,7 @@
"reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `Runtime#exec()` calls will only throw `SecurityException` if they see behavior involved in malicious code execution, which is extremely unlikely to happen in normal operation.",
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html",
"https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method"
"https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method",
"https://cwe.mitre.org/data/definitions/78.html"
]
}
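Review bot: CWE-78 is the correct identifier for `Runtime#exec()` hardening, but this file uses the `78.html` form while the hunks above use the bare numeric path; settle on one form for the whole commit. Adding the trailing comma on the SEI line keeps the array valid, good. The misspelled `reviewGuidanceIJustification` key is visible on the context line of this file too and is worth fixing in the same pass.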
Expand Up @@ -4,6 +4,7 @@
"reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `XMLDecoder` instances will only throw `SecurityException` if they see types being deserialized are involved in code execution, which is extremely unlikely to in normal operation.",
"references": [
"https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/web/java-XMLDecoder-RCE.md",
"http://diniscruz.blogspot.com/2013/08/using-xmldecoder-to-execute-server-side.html"
"http://diniscruz.blogspot.com/2013/08/using-xmldecoder-to-execute-server-side.html",
"https://cwe.mitre.org/data/definitions/502"
]
}
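Review bot: the context line's justification is missing a word ("extremely unlikely to in normal operation" should read "unlikely to happen in normal operation") and uses the misspelled `reviewGuidanceIJustification` key; both are cheap to fix while the file is open. The CWE link here is the bare `502` form whereas the XStream hunk below appends `502.html`; be consistent.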
Expand Up @@ -3,5 +3,5 @@
"control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/XMLDecoderSecurity.java",
"change" : "Hardened the XML processor to prevent external entities from being resolved, which can prevent data exfiltration and arbitrary code execution",
"reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `XMLInputFactory` instances will only be different if the XML they process uses external entities, which is exceptionally rare (and, as demonstrated, quite unsafe anyway.)",
"references" : ["https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
"references" : ["https://cwe.mitre.org/data/definitions/611","https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
}
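Review bot: CWE-611 is the right tag for XXE, but the `control` URL on the context line points at `XMLDecoderSecurity.java` while the summary and justification describe `XMLInputFactory` hardening; that looks like a copy-paste from the XMLDecoder codemod and should be verified against the toolkit before this metadata ships. Spacing nit: `611","https://` lacks the `, ` used between the other elements.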
Expand Up @@ -2,5 +2,5 @@
"summary" : "Introduced protections against XXE attacks in XMLReader",
"change" : "Hardened the XMLReader to prevent external entities from being resolved, which can prevent data exfiltration and arbitrary code execution",
"reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `XMLReader` instances will only be different if the XML they process uses external entities, which is exceptionally rare (and, as demonstrated, quite unsafe anyway.)",
"references" : ["https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
"references" : ["https://cwe.mitre.org/data/definitions/611","https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
}
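Review bot: mapping is fine; the only nits are the missing space after the comma in `611","https://` and the `reviewGuidanceIJustification` key typo on the context line, the same two points as in the XMLInputFactory file.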
Expand Up @@ -6,6 +6,7 @@
"https://x-stream.github.io/security.html",
"http://diniscruz.blogspot.com/2013/12/xstream-remote-code-execution-exploit.html",
"https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream",
"https://x-stream.github.io/CVE-2013-7285.html"
"https://x-stream.github.io/CVE-2013-7285.html",
"https://cwe.mitre.org/data/definitions/502.html"
]
}
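Review bot: here the new CWE-502 link is appended last and carries the `.html` suffix, while in the other deserialization files in this commit it is prepended and has no suffix; pick one placement and one URL form so the codemod catalog renders the CWE link the same way everywhere.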
Expand Up @@ -3,5 +3,5 @@
"change" : "Created a hardened `java.io.ZipInputStream` wrapper type that prevents files from being written that escape the target directory",
"reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `ZipInputStream` instances will only be different if malicious zip entries are encountered.",
"control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ZipSecurity.java",
"references": ["https://snyk.io/research/zip-slip-vulnerability", "https://github.com/snyk/zip-slip-vulnerability", "https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream", "https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.path_manipulation_zip_entry_overwrite"]
"references": ["https://cwe.mitre.org/data/definitions/23","https://snyk.io/research/zip-slip-vulnerability", "https://github.com/snyk/zip-slip-vulnerability", "https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream", "https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.path_manipulation_zip_entry_overwrite"]
}
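Review bot: CWE-23 (Relative Path Traversal) matches the described control, which blocks entries that escape the target directory; the only nit is the missing space after the comma. Consider whether you also want the parent CWE-22 (Path Traversal), since that is the identifier most tooling reports for zip slip findings.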
Expand Up @@ -3,5 +3,5 @@
"change" : "Inserted an HTML encoding call around the user input that will render HTML control characters insert and prevent code execution -- other protections may offer better functionality, depending on where in the HTTP response and HTML document the input occurs",
"reviewGuidanceJustification" : "This change is safe and effective in almost all situations. However, depending on the context in which the scriptlet is rendered (e.g., inside an HTML tag, in JavaScript, unquoted contexts, etc.), you may need to use another encoding method. Check out the [OWASP XSS Prevention CheatSheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to learn more about these cases and other controls you may need in exceptional cases. The security control introduced from OWASP used has `forHtml()` variants for all situations (e.g., `forJavaScript()`, `forCssString()`).",
"control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/HtmlEncoder.java",
"references" : ["https://portswigger.net/web-security/cross-site-scripting", "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html"]
"references" : ["https://cwe.mitre.org/data/definitions/79","https://portswigger.net/web-security/cross-site-scripting", "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html"]
}
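Review bot: CWE-79 is correct. On the context line the change text reads "render HTML control characters insert" where "inert" is meant; fix it while the file is open. Spacing nit again: `79","https://`.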
@@ -1,5 +1,5 @@
{
"summary" : "Optimized out unnecessary JSON deserialization step",
"change" : "Removed the stream-to-string deserialization step",
"references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"]
"references" : ["https://cwe.mitre.org/data/definitions/502.html","https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"]
}
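Review bot: the summary describes this codemod as an optimization ("Optimized out unnecessary JSON deserialization step") with no stated security effect, yet the hunk tags it with CWE-502 (Deserialization of Untrusted Data). Either the summary or change text should say what deserialization risk the removed step carried, or the CWE link does not belong here; as written a reader cannot tell why the CWE applies. This file also uses `502.html` where others use `502`.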
Expand Up @@ -6,6 +6,7 @@
"reviewGuidanceJustification" : "By default, the protection only weaves in 2 checks, which we believe will not cause any issues with the vast majority of code:\n* The given URL must be HTTP/HTTPS.\n* The given URL must not point to a \"well-known infrastructure target\", which includes things like AWS Metadata Service endpoints, and internal routers (e.g., 192.168.1.1) which are common targets of attacks.\n\nHowever, on rare occasions an application may use a URL protocol like \"file://\" or \"classpath://\" in backend or middleware code.\n\nIf you want to allow those protocols, change the incoming PR to look more like this and get the best security possible:\n\n```\n-URL u = new URL(url);\n+Set<UrlProtocol> fileProtocols = Set.of(UrlProtocol.FILE, UrlProtocol.CLASSPATH);\n+URL u = Urls.create(url, fileProtocols);\n```",

"references": [
"https://cwe.mitre.org/data/definitions/918.html",
"https://www.hacksplaining.com/prevention/ssrf",
"https://portswigger.net/web-security/ssrf",
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
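Review bot: this prepends `918.html` to the references list, while the second SSRF codemod later in this commit appends `918` with no suffix at the bottom of its list; the two SSRF entries should use the same form and position. The empty context line between `reviewGuidanceJustification` and `"references"` is pre-existing but appears in none of the other metadata files and could go in the same pass.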
Expand Up @@ -4,6 +4,7 @@
"change": "Wrapped the file name with a sanitizer call that takes out path escaping characters",
"reviewGuidanceJustification" : "This change presents effectively no risk. However, we believe a human should review the change.",
"references" : [
"https://cwe.mitre.org/data/definitions/434.html",
"https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload",
"https://portswigger.net/web-security/file-upload"
]
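Review bot: the change text says the file name is wrapped in a sanitizer that strips path-escaping characters, which is a path traversal control; CWE-434 (Unrestricted Upload of File with Dangerous Type) is about accepting a file whose type or content is dangerous, not about its name escaping a directory. Consider CWE-22 (or CWE-23, which the zip-slip codemod in this commit uses for the same class of problem) instead of, or alongside, 434. The later multipart-filename hunk is identical, so apply the same decision to both.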
Expand Up @@ -3,5 +3,5 @@
"control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/Newlines.java",
"change" : "Added a call to replace any newlines that are present in the variable",
"reviewGuidanceJustification" : "This codemod cleanly enforces the boundaries in the HTTP protocol, and we believe it presents no risk.",
"references" : ["https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
"references" : ["https://cwe.mitre.org/data/definitions/113","https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
}
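Review bot: CWE-113 is the correct mapping for stripping newlines from header values; spacing nit only (`113","https://`). The same hunk appears again for the second header-injection codemod below, which is fine as long as the two files stay in sync.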
Expand Up @@ -4,6 +4,7 @@
"change": "Wrapped the file name with a sanitizer call that takes out path escaping characters",
"reviewGuidanceJustification" : "This change presents effectively no risk. However, we believe a human should review the change.",
"references" : [
"https://cwe.mitre.org/data/definitions/434.html",
"https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload",
"https://portswigger.net/web-security/file-upload",
"https://github.com/spring-projects/spring-framework/blob/c989470f94926ee5c7474bead278b00e9aaac787/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java#L68"
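Review bot: same point as the earlier multipart-filename hunk: the control described strips path-escaping characters from a file name, which maps to CWE-22/23 rather than, or in addition to, CWE-434; whichever you decide, keep both files identical.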
Expand Up @@ -3,6 +3,7 @@
"change": "Replaced unsafe usages of `Class.forName` with hardened alternative `Reflection.loadAndVerify`",
"reviewGuidanceJustification": "Reflection.loadAndVerify disallows the loading of classes that are well-known to be dangerous paths to remote code execution. Pathological cases aside, the use of Reflection.loadAndVerify will not disrupt the typical operations of an application.",
"references": [
"https://cwe.mitre.org/data/definitions/470",
"https://rules.sonarsource.com/java/RSPEC-2658/"
]
}
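Review bot: CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, commonly "Unsafe Reflection") is the right tag for `Class.forName` hardening; it is added in the bare numeric form here while other files use `.html`, so normalise. Minor: `Reflection.loadAndVerify` is backticked in the change line but not in the justification line.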
Expand Up @@ -3,6 +3,7 @@
"change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
"reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
"references" : [
"https://cwe.mitre.org/data/definitions/326",
"https://datatracker.ietf.org/doc/rfc8996/",
"https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
]
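Review bot: CWE-326 (Inadequate Encryption Strength) is a defensible tag, with CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) the other common choice for deprecated TLS versions; whichever you pick, this identical hunk appears in four TLS codemod files in this commit, so keep them in lockstep. On the context line, "anything except TLS 1.2 as no others are safe" overstates the case: TLS 1.3 is safe, so the change text should say "TLS 1.2 or later" (or say why 1.3 is not enabled), which is also what the cited RFC 8996 recommends when it deprecates 1.0 and 1.1.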
Expand Up @@ -3,6 +3,7 @@
"change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
"reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
"references" : [
"https://cwe.mitre.org/data/definitions/326",
"https://datatracker.ietf.org/doc/rfc8996/",
"https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
]
Expand Up @@ -3,6 +3,7 @@
"change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
"reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
"references" : [
"https://cwe.mitre.org/data/definitions/326",
"https://datatracker.ietf.org/doc/rfc8996/",
"https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
]
Expand Up @@ -3,6 +3,7 @@
"change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
"reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
"references" : [
"https://cwe.mitre.org/data/definitions/326",
"https://datatracker.ietf.org/doc/rfc8996/",
"https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
]
Expand Up @@ -4,6 +4,7 @@
"control" : "https://github.com/pixee/java-code-security-toolkit/blob/main/src/main/java/io/github/pixee/security/Jakarta.java",
"reviewGuidanceJustification" : "There is no reason an application should be forwarding to inner resources like `/WEB-INF/web.xml`.",
"references" : [
"https://cwe.mitre.org/data/definitions/201",
"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-forward-example"
]
}
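Review bot: CWE-201 (Insertion of Sensitive Information Into Sent Data) fits the `/WEB-INF/web.xml` disclosure case the justification names; bare numeric form here versus `.html` elsewhere, so normalise with the rest of the commit.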
Expand Up @@ -2,5 +2,5 @@
"summary" : "Introduced protections against verb tampering attacks (authN/authZ bypass)",
"change" : "Removed <http-methods> from the <security-constraint> definition which paradoxically remove the authentication from endpoints with any methods not listed",
"reviewGuidanceJustification" : "This is an incredibly unintuitive situation and in our professional experience have never seen any time developers intended to grant access to \"all other\" HTTP methods by specifically listing others.",
"references": ["https://dl.packetstormsecurity.net/papers/web/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf","https://vulncat.fortify.com/en/detail?id=desc.config.java.http_verb_tampering", "https://capec.mitre.org/data/definitions/274.html"]
"references": ["https://cwe.mitre.org/data/definitions/302","https://dl.packetstormsecurity.net/papers/web/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf","https://vulncat.fortify.com/en/detail?id=desc.config.java.http_verb_tampering", "https://capec.mitre.org/data/definitions/274.html"]
}
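Review bot: CWE-302 (Authentication Bypass by Assumed-Immutable Data) is a loose fit for this control; CWE-650 (Trusting HTTP Permission Methods on the Server Side) describes exactly the `<http-method>` listing problem the change text explains, so suggest 650 instead of, or together with, 302. On the context line, "which paradoxically remove the authentication" should read "removes", and the usual spacing nit applies (`302","https://`).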
Expand Up @@ -2,5 +2,5 @@
"summary" : "Introduced protections against HTTP header injection / smuggling attacks",
"change" : "Added a call to replace any newlines that are present in the variable",
"reviewGuidanceJustification" : "This codemod cleanly enforces the boundaries in the HTTP protocol, and we believe it presents no risk.",
"references" : ["https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
"references" : ["https://cwe.mitre.org/data/definitions/113","https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
}
Expand Up @@ -2,7 +2,7 @@
"summary" : "Introduced protections against deserialization attacks",
"control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ObjectInputFilters.java",
"change" : "Hardened the deserialization call by introducing a filter that prevents known malicious gadgets from executing arbitrary code",
"references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
"references" : ["https://cwe.mitre.org/data/definitions/502","https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
"faqs" : [
{
"question" : "Why does this codemod require a Pixee dependency?",
Expand Up @@ -2,5 +2,5 @@
"summary" : "Introduced validation to prevent JNDI Injection",
"change" : "Added validation to JNDI lookup calls",
"reviewGuidanceIJustification" : "We believe this change is effective, and it will not break applications unless they are currently allowing users to specify arbitrary URLs that get passed to the lookup API.",
"references" : ["https://www.veracode.com/blog/research/exploiting-jndi-injections-java", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf"]
"references" : ["https://cwe.mitre.org/data/definitions/74.html","https://cwe.mitre.org/data/definitions/426","https://www.veracode.com/blog/research/exploiting-jndi-injections-java", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf"]
}
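Review bot: two CWE links are added to the same array in two different URL forms (`74.html` and `426`); normalise. CWE-74 (generic Injection) is a reasonable umbrella for JNDI injection, but CWE-426 (Untrusted Search Path) concerns the search path used to locate executables and libraries, which is not what a user-controlled JNDI lookup name is; please state why 426 applies or drop it. Context nit: `reviewGuidanceIJustification` key typo, as in several other files in this commit.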
Expand Up @@ -10,6 +10,7 @@
"https://portswigger.net/web-security/ssrf",
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
"https://www.rapid7.com/blog/post/2021/11/23/owasp-top-10-deep-dive-defending-against-server-side-request-forgery/",
"https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/"
"https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/",
"https://cwe.mitre.org/data/definitions/918"
]
}
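Review bot: the link is appended here without the `.html` suffix, whereas the other SSRF codemod earlier in this commit prepends `918.html`; align the two so both SSRF entries carry the CWE link in the same form and position.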
0 comments on commit 4adbb84