Skip to content

SONARPY-4248 Add support for bandit's # nosec directive #2290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
teemu-rytilahti-sonarsource wants to merge 1 commit into
base: master
Choose a base branch
from
+64 −0
Draft

SONARPY-4248 Add support for bandit's # nosec directive #2290

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions ...-commons/src/test/java/org/sonar/plugins/python/nosonar/NoSonarLineInfoCollectorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,24 @@ private static Stream<Arguments> provideCollectorParameters() {
Set.of(1, 2, 3, 4, 5),
"",
""
),
Arguments.of("""
import hashlib
hashlib.md5(b"x").hexdigest() # nosec
""",
Map.of(2, new NoSonarLineInfo(Set.of(), "")),
Set.of(2),
"",
""
),
Arguments.of("""
import hashlib
hashlib.md5(b"x").hexdigest() # nosec B303 legacy hash
""",
Map.of(2, new NoSonarLineInfo(Set.of(), "B303 legacy hash")),
Set.of(2),
"",
""
)
);
}
Expand Down
18 changes: 18 additions & 0 deletions python-frontend/src/main/java/org/sonar/plugins/python/api/nosonar/NoSonarInfoParser.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,14 +33,19 @@ public class NoSonarInfoParser {
private static final String NOQA_PATTERN_REGEX = "^#\\s*noqa(?::\\s*(.+))?(?:[\\s;:].*)?";
private static final String NOSONAR_PREFIX_REGEX = "^#\\s*NOSONAR(\\W.*)?";
private static final String NOSONAR_PATTERN_REGEX = "^#\\s*NOSONAR(?:\\s*\\(([^)]*)\\))?($|\\s.*)";
// Bandit `# nosec`. Anything after `nosec` is treated as a free-form description; rule IDs
// are not parsed, so every `# nosec` suppresses all issues on the line.
private static final String NOSEC_PATTERN_REGEX = "(?i)^#\\s*nosec\\b[:\\s]*(.*)";
private static final String RULE_KEY_PATTERN_REGEX = "^[a-zA-Z0-9]+$";

private final Pattern noSonarPattern;
private final Pattern noQaPattern;
private final Pattern noSecPattern;

public NoSonarInfoParser() {
noSonarPattern = Pattern.compile(NOSONAR_PATTERN_REGEX);
noQaPattern = Pattern.compile(NOQA_PATTERN_REGEX);
noSecPattern = Pattern.compile(NOSEC_PATTERN_REGEX);
}

public boolean isInvalidIssueSuppressionComment(String commentsLine) {
Expand Down Expand Up @@ -94,6 +99,10 @@ public static boolean isValidNoQa(String noSonarCommentLine) {
return noSonarCommentLine.matches(NOQA_PATTERN_REGEX);
}

public static boolean isValidNoSec(String commentLine) {
return commentLine.matches(NOSEC_PATTERN_REGEX);
}

public Optional<NoSonarLineInfo> parse(String commentLine) {
var rules = new HashSet<String>();
StringBuilder concatenatedCommentBuilder = new StringBuilder();
Expand Down Expand Up @@ -132,6 +141,9 @@ private NoSonarLineInfo parseComment(String commentLine) {
.filter(Predicate.not(String::isEmpty))
.forEach(rules::add);
comment = parseNoQaComment(commentLine);
} else if (isValidNoSec(commentLine)) {
// `# nosec` always suppresses all rules on the line; we do not parse Bandit IDs.
comment = parseNoSecComment(commentLine);
} else {
return null;
}
Expand Down Expand Up @@ -174,6 +186,12 @@ private String parseNoQaComment(String noSonarCommentLine) {
return getTruncatedCommentString(noQaPattern, noSonarCommentLine).strip();
}

private String parseNoSecComment(String noSecCommentLine) {
var raw = getPatternGroup(1, noSecPattern, noSecCommentLine);
var truncated = raw.length() > MAX_COMMENT_LENGTH ? raw.substring(0, MAX_COMMENT_LENGTH) : raw;
return truncated.strip();
}

private static String getParamsString(Pattern pattern, String noSonarCommentLine) {
return getPatternGroup(1, pattern, noSonarCommentLine);
}
Expand Down
28 changes: 28 additions & 0 deletions ...on-frontend/src/test/java/org/sonar/plugins/python/api/nosonar/NoSonarInfoParserTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,34 @@ private static Stream<Arguments> provideParserParameters() {
Arguments.of(
"# noqa; noqa; noqa; noqa; noqa",
new NoSonarLineInfo(Set.of())
),
Arguments.of(
"# nosec",
new NoSonarLineInfo(Set.of())
),
Arguments.of(
"# nosec B101",
new NoSonarLineInfo(Set.of(), "B101")
),
Arguments.of(
"# nosec B101, B102 reason text",
new NoSonarLineInfo(Set.of(), "B101, B102 reason text")
),
Arguments.of(
"# nosec: it's fine",
new NoSonarLineInfo(Set.of(), "it's fine")
),
Arguments.of(
"# NOSEC",
new NoSonarLineInfo(Set.of())
),
Arguments.of(
"# nosec a very long comment that I don't want to keep that long because there is more than 50 characters",
new NoSonarLineInfo(Set.of(), "a very long comment that I don't want to keep that")
),
Arguments.of(
"# some text # nosec",
new NoSonarLineInfo(Set.of())
)
);
}
Expand Down
Loading