SONARPY-882 Rule S5850: Alternatives in regular expressions should be grouped when used with anchors (#966)

* SONARPY-882 Rule S5850: Alternatives in regular expressions should be grouped when used with anchors

* Update ruling

Author: nils-werner-sonarsource

its/ruling/src/test/resources/expected/python-S5850.json

@@ -0,0 +1,12 @@
+{
+'project:buildbot-0.8.6p1/buildbot/monkeypatches/sqlalchemy2189.py':[
+38,
+84,
+],
+'project:django-2.2.3/django/db/models/sql/constants.py':[
+19,
+],
+'project:tensorflow/tools/dockerfiles/assembler.py':[
+605,
+],
+}

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -49,6 +49,7 @@
 import org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck;
 import org.sonar.python.checks.hotspots.UnsafeHttpMethodsCheck;
 import org.sonar.python.checks.hotspots.UnverifiedHostnameCheck;
+import org.sonar.python.checks.regex.AnchorPrecedenceCheck;
 import org.sonar.python.checks.regex.EmptyStringRepetitionCheck;
 import org.sonar.python.checks.regex.SingleCharacterAlternationCheck;
 import org.sonar.python.checks.regex.RedundantRegexAlternativesCheck;
@@ -67,6 +68,7 @@ public static Iterable<Class> getChecks() {
     return Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
       AfterJumpStatementCheck.class,
       AllBranchesAreIdenticalCheck.class,
+      AnchorPrecedenceCheck.class,
       ArgumentNumberCheck.class,
       ArgumentTypeCheck.class,
       BackslashInStringCheck.class,

python-checks/src/main/java/org/sonar/python/checks/regex/AnchorPrecedenceCheck.java

@@ -0,0 +1,34 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.AnchorPrecedenceFinder;
+
+@Rule(key = "S5850")
+public class AnchorPrecedenceCheck extends AbstractRegexCheck {
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    new AnchorPrecedenceFinder(this::addIssue).visit(regexParseResult);
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5850.html

@@ -0,0 +1,24 @@
+<p>In regular expressions, anchors (<code>^</code>, <code>$</code>, <code>\A</code>, <code>\Z</code> and <code>\z</code>) have higher precedence than
+the <code>|</code> operator. So in a regular expression like <code>^alt1|alt2|alt3$</code>, <code>alt1</code> would be anchored to the beginning,
+<code>alt3</code> to the end and <code>alt2</code> wouldn’t be anchored at all. Usually the intended behavior is that all alternatives are anchored at
+both ends. To achieve this, a non-capturing group should be used around the alternatives.</p>
+<p>In cases where it is intended that the anchors only apply to one alternative each, adding (non-capturing) groups around the anchors and the parts
+that they apply to will make it explicit which parts are anchored and avoid readers misunderstanding the precedence or changing it because they
+mistakenly assume the precedence was not intended.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+r"^a|b|c$"
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+r"^(?:a|b|c)$"
+</pre>
+<p>or</p>
+<pre>
+r"^a$|^b$|^c$"
+</pre>
+<p>or, if you do want the anchors to only apply to <code>a</code> and <code>c</code> respectively:</p>
+<pre>
+r"(?:^a)|b|(?:c$)"
+</pre>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5850.json

@@ -0,0 +1,17 @@
+{
+  "title": "Alternatives in regular expressions should be grouped when used with anchors",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "10min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-5850",
+  "sqKey": "S5850",
+  "scope": "Main",
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -134,6 +134,7 @@
     "S5807",
     "S5828",
     "S5842",
+    "S5850",
     "S5855",
     "S5864",
     "S5886",

python-checks/src/test/java/org/sonar/python/checks/regex/AnchorPrecedenceCheckTest.java

@@ -0,0 +1,31 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class AnchorPrecedenceCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/anchorPrecedenceCheck.py", new AnchorPrecedenceCheck());
+  }
+}

python-checks/src/test/resources/checks/regex/anchorPrecedenceCheck.py

@@ -0,0 +1,37 @@
+import re
+
+
+def noncompliant(input):
+    re.match(r"^a|b|c$", input)  # Noncompliant {{Group parts of the regex together to make the intended operator precedence explicit.}}
+    #          ^^^^^^^
+    re.match(r"^a|b|cd", input)  # Noncompliant
+    re.match(r"(?i)^a|b|cd", input)  # Noncompliant
+    re.match(r"(?i:^a|b|cd)", input)  # Noncompliant
+    re.match(r"a|b|c$", input)  # Noncompliant
+    re.match(r"\Aa|b|c\Z", input)  # Noncompliant
+    re.match(r"\Aa|b|c\z", input)  # Noncompliant
+
+
+def compliant(input):
+    re.match(r"^(?:a|b|c)$", input)
+    re.match(r"(?:^a)|b|(?:c$)", input)
+    re.match(r"^abc$", input)
+    re.match(r"a|b|c", input)
+    re.match(r"^a$|^b$|^c$", input)
+    re.match(r"^a$|b|c", input)
+    re.match(r"a|b|^c$", input)
+    re.match(r"^a|^b$|c$", input)
+    re.match(r"^a|^b|c$", input)
+    re.match(r"^a|b$|c$", input)
+    # Only beginning and end of line/input boundaries are considered - not word boundaries
+    re.match(r"\ba|b|c\b", input)
+    re.match(r"\ba\b|\bb\b|\bc\b", input)
+    # If multiple alternatives are anchored, but not all, that's more likely to be intentional than if only the first
+    # one were anchored, so we won't report an issue for the following line:
+    re.match(r"^a|^b|c", input)
+    re.match(r"aa|bb|cc", input)
+    re.match(r"^", input)
+    re.match(r"^[abc]$", input)
+    re.match(r"|", input)
+    re.match(r"[", input)
+    re.match(r"(?i:^)a|b|c", input)  # False negative; we don't find the anchor if it's hidden inside a sub-expression