SONARPY-1644 Rule S6890: zoneinfo should be preferred to pytz when using Python 3.9 and later (#1738)

Author: ghislainpiot

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -301,6 +301,7 @@ public static Iterable<Class> getChecks() {
       PrivilegePolicyCheck.class,
       ProcessSignallingCheck.class,
       PropertyAccessorParameterCountCheck.class,
+      PytzUsageCheck.class,
       IncorrectParameterDatetimeConstructorsCheck.class,
       PseudoRandomCheck.class,
       PublicApiIsSecuritySensitiveCheck.class,

python-checks/src/main/java/org/sonar/python/checks/PytzUsageCheck.java

@@ -0,0 +1,87 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks;
+
+import java.util.Collection;
+import java.util.Optional;
+import java.util.stream.Stream;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.PythonVersionUtils;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.tree.AliasedName;
+import org.sonar.plugins.python.api.tree.DottedName;
+import org.sonar.plugins.python.api.tree.ImportFrom;
+import org.sonar.plugins.python.api.tree.ImportName;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S6890")
+public class PytzUsageCheck extends PythonSubscriptionCheck {
+  private static final PythonVersionUtils.Version REQUIRED_VERSION = PythonVersionUtils.Version.V_39;
+  private static final String MESSAGE = "Don't use `pytz` module with Python 3.9 and later.";
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.IMPORT_FROM, PytzUsageCheck::checkImport);
+    context.registerSyntaxNodeConsumer(Tree.Kind.IMPORT_NAME, PytzUsageCheck::checkImport);
+  }
+
+  private static boolean isRelevantPythonVersion(SubscriptionContext context) {
+    return context.sourcePythonVersions().stream()
+      .allMatch(version -> version.compare(REQUIRED_VERSION.major(), REQUIRED_VERSION.minor()) >= 0);
+  }
+
+  private static void checkImport(SubscriptionContext context) {
+    if (!isRelevantPythonVersion(context)) {
+      return;
+    }
+
+    Stream.of(
+      Optional.of(context.syntaxNode())
+        .flatMap(TreeUtils.toOptionalInstanceOfMapper(ImportFrom.class))
+        .map(ImportFrom::importedNames),
+      Optional.of(context.syntaxNode())
+        .flatMap(TreeUtils.toOptionalInstanceOfMapper(ImportName.class))
+        .map(ImportName::modules))
+      .filter(Optional::isPresent)
+      .map(Optional::get)
+      .flatMap(Collection::stream)
+      .map(AliasedName::dottedName)
+      .map(DottedName::names)
+      .filter(list -> !list.isEmpty())
+      .map(names -> names.get(0))
+      .filter(name -> "pytz".equals(name.name())
+        || Optional.ofNullable(name.symbol())
+          .map(Symbol::fullyQualifiedName)
+          .filter(fqn -> fqn.startsWith("pytz")).isPresent())
+      .forEach(name -> raiseIssue(context, name));
+  }
+
+  private static void raiseIssue(SubscriptionContext context, Tree tree) {
+    if (context.syntaxNode().is(Tree.Kind.IMPORT_FROM)) {
+      ImportFrom importFrom = (ImportFrom) context.syntaxNode();
+      Optional.ofNullable(importFrom.module()).ifPresent(module -> context.addIssue(module, MESSAGE));
+    } else {
+      context.addIssue(tree, MESSAGE);
+    }
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6890.html

@@ -0,0 +1,43 @@
+<p>This rule raises an issue when using the <code>pytz</code> library on a codebase using Python 3.9 or later.</p>
+<h2>Why is this an issue?</h2>
+<p>In Python 3.9 and later, the <code>zoneinfo</code> module is the recommended tool for handling timezones, replacing the <code>pytz</code> library.
+This recommendation is based on several key advantages.</p>
+<p>First, <code>zoneinfo</code> is part of Python’s standard library, making it readily available without needing additional installation, unlike
+<code>pytz</code>.</p>
+<p>Second, <code>zoneinfo</code> integrates seamlessly with Python’s datetime module. You can directly use <code>zoneinfo</code> timezone objects when
+creating <code>datetime</code> objects, making it more intuitive and less error-prone than <code>pytz</code>, which requires a separate localize
+method for this purpose.</p>
+<p>Third, <code>zoneinfo</code> handles historical timezone changes more accurately than <code>pytz</code>. When a <code>pytz</code> timezone object
+is used, it defaults to the earliest known offset, which can lead to unexpected results. <code>zoneinfo</code> does not have this issue.</p>
+<p>Lastly, <code>zoneinfo</code> uses the system’s IANA time zone database when available, ensuring it works with the most up-to-date timezone data.
+In contrast, <code>pytz</code> includes its own copy of the IANA database, which may not be as current.</p>
+<p>In summary, <code>zoneinfo</code> offers a more modern, intuitive, and reliable approach to handling timezones in Python 3.9 and later, making it
+the preferred choice over <code>pytz</code>.</p>
+<h2>How to fix it</h2>
+<p>To fix this is issue use a <code>zoneinfo</code> timezone object when constructing a <code>datetime</code> instead of the <code>pytz</code>
+library.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+from datetime import datetime
+import pytz
+
+dt = pytz.timezone('America/New_York'').localize(datetime(2022, 1, 1))  # Noncompliant: the localize method is needed to avoid bugs (see S6887)
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+from datetime import datetime
+from zoneinfo import ZoneInfo
+
+dt = datetime(2022, 1, 1, tzinfo=ZoneInfo('America/New_York'))  # OK: timezone object can be used safely through the datetime constructor
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> PEP 615 - <a href="https://peps.python.org/pep-0615/">Support for the IANA Time Zone Database in the Standard Library</a> </li>
+</ul>
+<h3>Related rules</h3>
+<ul>
+  <li> {rule:python:S6887} - pytz.timezone should not be passed to the datetime.datetime constructor </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6890.json

@@ -0,0 +1,23 @@
+{
+  "title": "zoneinfo should be preferred to pytz when using Python 3.9 and later",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6890",
+  "sqKey": "S6890",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "HIGH",
+      "RELIABILITY": "MEDIUM",
+      "SECURITY": "LOW"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -228,7 +228,8 @@
     "S6882",
     "S6883",
     "S6887",
-    "S6903",
-    "S6894"
+    "S6890",
+    "S6894",
+    "S6903"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/PytzUsageCheckTest.java

@@ -0,0 +1,45 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks;
+
+import java.util.EnumSet;
+import org.junit.jupiter.api.Test;
+import org.sonar.plugins.python.api.ProjectPythonVersion;
+import org.sonar.plugins.python.api.PythonVersionUtils;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class PytzUsageCheckTest {
+  @Test
+  void test_38() {
+    ProjectPythonVersion.setCurrentVersions(EnumSet.of(PythonVersionUtils.Version.V_38));
+    var issues = PythonCheckVerifier.issues("src/test/resources/checks/pytzUsage.py", new PytzUsageCheck());
+    assertThat(issues)
+      .isEmpty();
+  }
+
+  @Test
+  void test_39_310_311_312() {
+    ProjectPythonVersion
+      .setCurrentVersions(EnumSet.of(PythonVersionUtils.Version.V_39, PythonVersionUtils.Version.V_310, PythonVersionUtils.Version.V_311, PythonVersionUtils.Version.V_312));
+    PythonCheckVerifier.verify("src/test/resources/checks/pytzUsage.py", new PytzUsageCheck());
+  }
+}

python-checks/src/test/resources/checks/pytzUsage.py

@@ -0,0 +1,12 @@
+from datetime import datetime
+
+def on_import():
+    import pytz # Noncompliant {{Don't use `pytz` module with Python 3.9 and later.}}
+          #^^^^
+    from pytz import timezone # Noncompliant {{Don't use `pytz` module with Python 3.9 and later.}}
+        #^^^^
+    import pytz as p # Noncompliant {{Don't use `pytz` module with Python 3.9 and later.}}
+          #^^^^
+    from something.different.pytz import a_function
+    import something.different.pytz as p2
+    import pytz as p3 # Noncompliant {{Don't use `pytz` module with Python 3.9 and later.}}