SONARPY-3110 Rule S6243: AWS clients should be reused across Lambda invocations (#422)

GitOrigin-RevId: cc5fe87a8bfc3507786bcdeb47a8f977aa2d6835

Author: thomas-serre-sonarsource

python-checks/src/main/java/org/sonar/python/checks/AwsLambdaClientInstantiationCheck.java

@@ -0,0 +1,96 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.Set;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.checks.utils.AwsLambdaChecksUtils;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+@Rule(key = "S6243")
+public class AwsLambdaClientInstantiationCheck extends PythonSubscriptionCheck {
+
+  private static final String CLIENT_ISSUE_MESSAGE = "Initialize this AWS client outside the Lambda handler function.";
+  private static final String DATABASE_ISSUE_MESSAGE = "Initialize this database connection outside the Lambda handler function.";
+  private static final String ORM_ISSUE_MESSAGE = "Initialize this ORM connection outside the Lambda handler function.";
+
+  private static final Set<String> CLIENT_FQNS = Set.of(
+    "boto3.client",
+    "boto3.resource",
+    "boto3.session.Session"
+  );
+
+  private static final Set<String> DATABASE_FQNS = Set.of(
+    "pymysql.connect",
+    "mysql.connector.connect",
+    "psycopg2.connect",
+    "pymongo.MongoClient",
+    "sqlite3.dbapi2.connect",
+    "redis.Redis",
+    "redis.StrictRedis"
+  );
+
+  private static final Set<String> ORM_FQNS = Set.of(
+    "sqlalchemy.orm.sessionmaker",
+    "peewee.PostgresqlDatabase",
+    "peewee.MySQLDatabase",
+    "peewee.SqliteDatabase",
+    "mongoengine.connect"
+  );
+
+  private final TypeCheckMap<String> isClientOrResourceTypeCheckMap = new TypeCheckMap<>();
+
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::setupTypeChecker);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCall);
+  }
+
+  private void setupTypeChecker(SubscriptionContext ctx) {
+    CLIENT_FQNS.forEach(fqn -> isClientOrResourceTypeCheckMap.put(ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn), CLIENT_ISSUE_MESSAGE));
+    DATABASE_FQNS.forEach(fqn -> isClientOrResourceTypeCheckMap.put(ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn), DATABASE_ISSUE_MESSAGE));
+    ORM_FQNS.forEach(fqn -> isClientOrResourceTypeCheckMap.put(ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn), ORM_ISSUE_MESSAGE));
+  }
+
+  private void checkCall(SubscriptionContext ctx) {
+    CallExpression callExpression = (CallExpression) ctx.syntaxNode();
+
+    if (!isInAWSLambdaFunction(callExpression, ctx)) {
+      return;
+    }
+
+    String message = isClientOrResourceTypeCheckMap.getForType(callExpression.callee().typeV2());
+    if (message != null) {
+      ctx.addIssue(callExpression, message);
+    }
+  }
+
+  private static boolean isInAWSLambdaFunction(CallExpression callExpression, SubscriptionContext ctx) {
+    Tree parentFunctionDef = TreeUtils.firstAncestorOfKind(callExpression.parent(), Tree.Kind.FUNCDEF);
+    if (parentFunctionDef == null) {
+      return false;
+    }
+    return AwsLambdaChecksUtils.isLambdaHandler(ctx, (FunctionDef) parentFunctionDef);
+  }
+}
+
+

python-checks/src/main/java/org/sonar/python/checks/AWSLambdaReservedEnvironmentVariableCheck.java renamed to python-checks/src/main/java/org/sonar/python/checks/AwsLambdaReservedEnvironmentVariableCheck.java

@@ -35,7 +35,7 @@
 import org.sonar.python.types.v2.TypeCheckBuilder;
 
 @Rule(key = "S7617")
-public class AWSLambdaReservedEnvironmentVariableCheck extends PythonSubscriptionCheck {
+public class AwsLambdaReservedEnvironmentVariableCheck extends PythonSubscriptionCheck {
 
   private static final Set<String> AWS_RESERVED_ENVIRONMENT_VARIABLES = Set.of(
     "_HANDLER",

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -128,8 +128,9 @@ public Stream<Class<?>> getChecks() {
       AsyncAwsLambdaHandlerCheck.class,
       AsyncLongSleepCheck.class,
       AsyncWithContextManagerCheck.class,
+      AwsLambdaClientInstantiationCheck.class,
       AwsLambdaCrossCallCheck.class,
-      AWSLambdaReservedEnvironmentVariableCheck.class,
+      AwsLambdaReservedEnvironmentVariableCheck.class,
       AwsLambdaReturnValueAreSerializableCheck.class,
       BackslashInStringCheck.class,
       BackticksUsageCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6243.html

@@ -0,0 +1,47 @@
+<p>This rule raises an issue when resources are recreated on every Lambda function invocation instead of being reused.</p>
+<h2>Why is this an issue?</h2>
+<p>Resources that can be reused across multiple invocations of the Lambda function should be initialized at module level, outside the handler
+function. When the same Lambda container is reused for multiple function invocations, existing instances including SDK clients and database
+connections can be reused without recreating them. It is a good practice to initialize AWS clients, like boto3, and database connections outside the
+handler function to avoid recreating them on every Lambda invocation. Failing to do so can lead to performance degradation, increased latency, and
+even higher AWS costs.</p>
+<h3>What is the potential impact?</h3>
+<p>Performance degradation is the primary concern, as recreating resources adds significant latency to each Lambda invocation. This can result in
+slower response times and higher costs due to increased execution duration.</p>
+<p>Availability risks may also emerge under high load scenarios, as the additional overhead from resource recreation can cause functions to timeout
+more frequently or hit concurrency limits sooner than necessary.</p>
+<p>Increased API throttling is another potential issue, as recreating resources may lead to more frequent authentication requests and connection
+establishments, potentially triggering rate limits.</p>
+<h3>Exceptions</h3>
+<p>If the resource contains sensitive information that should not be shared across invocations, it may be necessary to initialize it within the
+handler function. However, this should be done cautiously and only when absolutely necessary.</p>
+<h2>How to fix it</h2>
+<p>Move the resource initialization outside the Lambda handler function to the module level. This ensures resources are created once when the Lambda
+environment is initialized and reused across invocations.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import boto3
+
+def lambda_handler(event, context):
+    s3_client = boto3.client('s3')  # Noncompliant: Client created inside handler
+
+    response = s3_client.get_object(Bucket='my-bucket', Key='my-key')
+    return response['Body'].read()
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import boto3
+
+s3_client = boto3.client('s3')  # Compliant
+
+def lambda_handler(event, context):
+    response = s3_client.get_object(Bucket='my-bucket', Key='my-key')
+    return response['Body'].read()
+</pre>
+<h2>Resources</h2>
+<ul>
+  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html#python-handler-best-practices">Python handler
+  best practices</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6243.json

@@ -0,0 +1,23 @@
+{
+  "title": "Reusable resources should be initialized at construction time of Lambda functions",
+  "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "EFFICIENT"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "20min"
+  },
+  "tags": [
+    "aws"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6243",
+  "sqKey": "S6243",
+  "scope": "Main",
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -168,6 +168,7 @@
     "S6002",
     "S6019",
     "S6035",
+    "S6243",
     "S6246",
     "S6249",
     "S6252",

python-checks/src/test/java/org/sonar/python/checks/AwsLambdaClientInstantiationCheckTest.java

@@ -0,0 +1,29 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class AwsLambdaClientInstantiationCheckTest {
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/awsLambdaClientInstantiation.py", new AwsLambdaClientInstantiationCheck());
+  }
+
+}
+

python-checks/src/test/java/org/sonar/python/checks/AWSLambdaReservedEnvironmentVariableCheckTest.java renamed to python-checks/src/test/java/org/sonar/python/checks/AwsLambdaReservedEnvironmentVariableCheckTest.java

@@ -19,10 +19,10 @@
 import org.junit.jupiter.api.Test;
 import org.sonar.python.checks.utils.PythonCheckVerifier;
 
-class AWSLambdaReservedEnvironmentVariableCheckTest {
+class AwsLambdaReservedEnvironmentVariableCheckTest {
   @Test
   void test() {
-    PythonCheckVerifier.verify("src/test/resources/checks/awsLambdaReservedEnvironmentVariable.py", new AWSLambdaReservedEnvironmentVariableCheck());
+    PythonCheckVerifier.verify("src/test/resources/checks/awsLambdaReservedEnvironmentVariable.py", new AwsLambdaReservedEnvironmentVariableCheck());
   }
 
 }

python-checks/src/test/resources/checks/awsLambdaClientInstantiation.py

@@ -0,0 +1,62 @@
+import boto3
+
+import pymysql.connect
+import mysql.connector
+import psycopg2
+import sqlite3
+import redis
+import peewee
+import mongoengine
+import pymongo
+
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+
+
+def lambda_handler(event, context):
+    s3_client = boto3.client('s3')  # Noncompliant {{Initialize this AWS client outside the Lambda handler function.}}
+#               ^^^^^^^^^^^^^^^^^^
+
+    s3 = boto3.resource('s3') # FN SONARPY-3224
+    session = boto3.session.Session()  # FN SONARPY-3224
+
+    pymysql_connection = pymysql.connect(host='localhost')  # Noncompliant {{Initialize this database connection outside the Lambda handler function.}}
+    #                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    mysql_connection = mysql.connector.connect(host="localhost")  # Noncompliant
+    mongo_client = pymongo.MongoClient()  # Noncompliant
+    sqlite3_connection = sqlite3.connect("tutorial.db") # Noncompliant
+    # psycopg2_connection = psycopg2.connect("localhost") # FN SONARPY-3224
+    redis_client = redis.Redis(host='localhost', port=6379, db=0) # FN SONARPY-3224
+    strict_redis_client = redis.StrictRedis(host='localhost', port=6379, db=0) # FN SONARPY-3224
+
+    engine = create_engine("postgresql+psycopg2://scott:tiger@localhost/")
+    sqlalchemy_session = sessionmaker(engine)  # Noncompliant {{Initialize this ORM connection outside the Lambda handler function.}}
+    #                    ^^^^^^^^^^^^^^^^^^^^
+
+    peewee_sqlite_db = peewee.SqliteDatabase('/path/to/app.db', pragmas={'journal_mode': 'wal', 'cache_size': -1024 * 64})  # Noncompliant
+    peewee_mysql_db = peewee.MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)  # Noncompliant
+    peewee_pg_db = peewee.PostgresqlDatabase('my_app', user='postgres', password='secret', host='10.1.0.9', port=5432)  # Noncompliant
+
+    mongoengine_connection = mongoengine.connect('project1')  # Noncompliant
+
+
+s3_client = boto3.client('s3')
+s3 = boto3.resource('s3')
+session = boto3.session.Session()
+pymysql_connection = pymysql.connect(host='localhost')
+mysql_connection = mysql.connector.connect(host="localhost")
+mongo_client = pymongo.MongoClient()
+
+psycopg2_connection = psycopg2.connect("localhost")
+sqlite3_connection = sqlite3.connect("tutorial.db")
+redis_client = redis.Redis(host='localhost', port=6379, db=0)
+strict_redis_client = redis.StrictRedis(host='localhost', port=6379, db=0)
+
+engine = create_engine("postgresql+psycopg2://scott:tiger@localhost/")
+sqlalchemy_session = sessionmaker(engine)
+
+peewee_sqlite_db = peewee.SqliteDatabase('/path/to/app.db', pragmas={'journal_mode': 'wal', 'cache_size': -1024 * 64})
+peewee_mysql_db = peewee.MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)
+peewee_pg_db = peewee.PostgresqlDatabase('my_app', user='postgres', password='secret', host='10.1.0.9', port=5432)
+
+mongoengine_connection = mongoengine.connect('project1')