Added Independent Finding Execution Behavior

[andrecsilva]

Overview

Adds independent finding behavior for codemods

Description

Independent finding behavior means that codemods will execute once for each finding (i.e. remediation), as opposed to once for all findings (i.e. hardening). Hardening aims to produce a file with all the changes, while remediation will produce diffs for each finding. Remediation is the default behavior accessible with the codemodder command, while hardening is now accessible as codemodder_hardening.

Additional Details

• Remediation won't write any files as the default behavior, this includes the dependencies.
• While find and fix codemods will still be accessible over the remediation behavior, there is no difference over the hardening behavior. The only exception being codemods that use semgrep scans for findings.
• Most tests with 2+ changes are now being tested for remediation behavior. I've found this gives us a healthy balance of testing for both behaviors while avoiding duplicating each test.

[drdavella]

Overall this looks good. My comments boil down to two basic issues:

• We should preserve the current hardening behavior as the default for now
• I'm not totally convinced that locations are being handled correctly for the hardening case

[drdavella]

Suggested change

	hardening: bool = False,
	hardening: bool = True,

[drdavella]

I think we should preserve the existing behavior of the command line for now.

[drdavella]

Let's keep the existing behavior for now.

[drdavella]

Preserve existing behavior for now.

[drdavella]

I don't think this is necessary. We expect per-finding mode to be accessed exclusively by client library calls for now and we should preserve the existing codemodder behavior as the default in the near term.

[andrecsilva]

We do use the new command line script for integration tests.

[drdavella]

Suggested change

	def _run_cli(original_args, hardening=False) -> int:
	def _run_cli(original_args, hardening=True) -> int:

[drdavella]

I don't think this is necessary; see comments above.

[drdavella]

This if/else feels like each branch should maybe be a separate function. It would probably enable the call to be a one-liner as well.

[drdavella]

I don't think this is correct. We only need to execute each fix per finding. A finding may report multiple locations, but will still result in only a single fix (which itself may touch multiple locations). I think the distinction is subtle but we still execute each codemod only once per finding.

Let me know whether there's something I'm missing or whether maybe the comment isn't quite right.

[andrecsilva]

Two things to note: our transformers are file-based, that is, they execute per file. ChangeSet objects only reports changes to a single file.

This particular piece of code mimics the behavior we had before. If you only had one result with multiple locations, you would run the codemod for each location and produce a changeset object for each location.

What changed is that now each changeset is only associated with a single finding.

[clavedeluna]

a few code comments that seem unnecessarily explaining code (LLM generated likely) that are worth removing

[clavedeluna]

for consistency with other commands, I suggest codemodder-hardening

[clavedeluna]

Suggested change

print(expected_diff_per_change)

[sonarqubecloud]

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
2.0% Duplication on New Code

See analysis details on SonarQube Cloud