Removal of the Cwe2 dependency (#499)

This change removes the dependency on Cwe2 and replaces with its own
class.

This seems to improve performance some. Seems to cut about a half second
of time to analyze cpython.

Signed-off-by: Eric Brown <eric.brown@securesauce.dev>

precli/core/cwe.py

@@ -0,0 +1,61 @@
+# Copyright 2024 Secure Sauce LLC
+
+
+class Cwe:
+    def __init__(self, id: int):
+        self._id = id
+
+    @property
+    def id(self) -> int:
+        """CWE ID."""
+        return self._id
+
+    @property
+    def name(self) -> str:
+        """Name of the CWE."""
+        match self._id:
+            case 94:
+                return (
+                    "Improper Control of Generation of Code ('Code Injection')"
+                )
+            case 208:
+                return "Observable Timing Discrepancy"
+            case 214:
+                return (
+                    "Invocation of Process Using Visible Sensitive Information"
+                )
+            case 295:
+                return "Improper Certificate Validation"
+            case 319:
+                return "Cleartext Transmission of Sensitive Information"
+            case 326:
+                return "Inadequate Encryption Strength"
+            case 327:
+                return "Use of a Broken or Risky Cryptographic Algorithm"
+            case 328:
+                return "Use of Weak Hash"
+            case 330:
+                return "Use of Insufficiently Random Values"
+            case 377:
+                return "Insecure Temporary File"
+            case 502:
+                return "Deserialization of Untrusted Data"
+            case 598:
+                return "Use of GET Request Method With Sensitive Query Strings"
+            case 614:
+                return (
+                    "Sensitive Cookie in HTTPS Session Without 'Secure' "
+                    "Attribute"
+                )
+            case 703:
+                return "Improper Check or Handling of Exceptional Conditions"
+            case 1327:
+                return "Binding to an Unrestricted IP Address"
+            case 1333:
+                return "Inefficient Regular Expression Complexity"
+
+        return self._id
+
+    def url(self) -> str:
+        """URL of the CWE."""
+        return f"https://cwe.mitre.org/data/definitions/{self._id}.html"

precli/renderers/json.py

@@ -87,7 +87,7 @@ def create_rule_if_needed(
             properties={
                 "tags": [
                     "security",
-                    f"external/cwe/cwe-{rule.cwe.cwe_id}",
+                    f"external/cwe/cwe-{rule.cwe.id}",
                 ],
                 "security-severity": (rule.default_config.level.to_severity()),
             },

precli/rules/__init__.py

@@ -2,17 +2,14 @@
 from abc import ABC
 from typing import Self
 
-from cwe2.database import Database
-from cwe2.weakness import Weakness
-
 from precli.core.config import Config
+from precli.core.cwe import Cwe
 from precli.core.fix import Fix
 from precli.core.location import Location
 
 
 class Rule(ABC):
     _rules = {}
-    _cwedb = Database()
 
     def __init__(
         self,
@@ -41,7 +38,7 @@ def __init__(
         except ValueError:
             start = 0
         self._full_descr = description[start:]
-        self._cwe = Rule._cwedb.get(cwe_id)
+        self._cwe = Cwe(cwe_id)
         self._message = message
         self._wildcards = wildcards
         self._config = Config() if not config else config
@@ -107,7 +104,7 @@ def enabled(self, enabled):
         self._enabled = enabled
 
     @property
-    def cwe(self) -> Weakness:
+    def cwe(self) -> Cwe:
         """CWE weakness object for this rule."""
         return self._cwe
 

requirements.txt

@@ -1,4 +1,3 @@
-cwe2==2.0.0
 Pygments==2.18.0
 rich==13.7.1
 tree-sitter==0.21.3

tests/unit/rules/go/stdlib/crypto/test_crypto_weak_cipher.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "327"
+        assert rule.cwe.id == 327
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/go/stdlib/crypto/test_crypto_weak_hash.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "328"
+        assert rule.cwe.id == 328
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/go/stdlib/crypto/test_crypto_weak_key.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "326"
+        assert rule.cwe.id == 326
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/java/stdlib/java_net/test_insecure_cookie.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "614"
+        assert rule.cwe.id == 614
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/java/stdlib/java_security/test_weak_hash.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "328"
+        assert rule.cwe.id == 328
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/java/stdlib/java_security/test_weak_key.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "326"
+        assert rule.cwe.id == 326
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/java/stdlib/java_security/test_weak_random.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "338"
+        assert rule.cwe.id == 338
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/java/stdlib/javax_crypto/test_weak_cipher.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "327"
+        assert rule.cwe.id == 327
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/java/stdlib/javax_servlet_http/test_insecure_cookie.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "614"
+        assert rule.cwe.id == 614
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/argparse/test_argparse_sensitive_info.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "214"
+        assert rule.cwe.id == 214
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/assert/test_assert.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "703"
+        assert rule.cwe.id == 703
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/crypt/test_crypt_weak_hash.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "328"
+        assert rule.cwe.id == 328
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/ftplib/test_ftplib_cleartext.py

@@ -36,7 +36,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "319"
+        assert rule.cwe.id == 319
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/ftplib/test_ftplib_unverified_context.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "295"
+        assert rule.cwe.id == 295
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/hashlib/test_hashlib_improper_prng.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "330"
+        assert rule.cwe.id == 330
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/hashlib/test_hashlib_weak_hash.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "328"
+        assert rule.cwe.id == 328
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/hmac/test_hmac_timing_attack.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "208"
+        assert rule.cwe.id == 208
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/hmac/test_hmac_weak_hash.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "328"
+        assert rule.cwe.id == 328
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/hmac/test_hmac_weak_key.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "326"
+        assert rule.cwe.id == 326
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/http/test_http_server_unrestricted_bind.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "1327"
+        assert rule.cwe.id == 1327
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/http/test_http_url_secret.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "598"
+        assert rule.cwe.id == 598
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/imaplib/test_imaplib_cleartext.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "319"
+        assert rule.cwe.id == 319
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/imaplib/test_imaplib_unverified_context.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "295"
+        assert rule.cwe.id == 295
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/json/test_json_load.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is False
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "502"
+        assert rule.cwe.id == 502
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/logging/test_logging_insecure_listen_config.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "94"
+        assert rule.cwe.id == 94
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/marshal/test_marshal_load.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "502"
+        assert rule.cwe.id == 502
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/nntplib/test_nntplib_cleartext.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "319"
+        assert rule.cwe.id == 319
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/nntplib/test_nntplib_unverified_context.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "295"
+        assert rule.cwe.id == 295
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/pickle/test_pickle_load.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "502"
+        assert rule.cwe.id == 502
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/poplib/test_poplib_cleartext.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.ERROR
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "319"
+        assert rule.cwe.id == 319
 
     @pytest.mark.parametrize(
         "filename",

tests/unit/rules/python/stdlib/poplib/test_poplib_unverified_context.py

@@ -35,7 +35,7 @@ def test_rule_meta(self):
         assert rule.default_config.enabled is True
         assert rule.default_config.level == Level.WARNING
         assert rule.default_config.rank == -1.0
-        assert rule.cwe.cwe_id == "295"
+        assert rule.cwe.id == 295
 
     @pytest.mark.parametrize(
         "filename",