SONARPY-3104 Rule S6246 Lambdas should not invoke other lambdas synchronously (#416)

maksim-grebeniuk-sonarsource · sonartech · commit 8681db327dc3 · 2025-07-31T13:14:37.000Z
GitOrigin-RevId: 046700fb84ef20a3d7d69735b0498613ac912ae7
diff --git a/python-checks/src/main/java/org/sonar/python/checks/AwsLambdaCrossCallCheck.java b/python-checks/src/main/java/org/sonar/python/checks/AwsLambdaCrossCallCheck.java
@@ -0,0 +1,69 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.Optional;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.StringLiteral;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.checks.utils.AwsLambdaChecksUtils;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckBuilder;
+
+@Rule(key = "S6246")
+public class AwsLambdaCrossCallCheck extends PythonSubscriptionCheck {
+
+  public static final String INVOCATION_TYPE_ARGUMENT_KEYWORD = "InvocationType";
+  public static final String REQUEST_RESPONSE_INVOCATION_TYPE_ARGUMENT_VALUE = "RequestResponse";
+  private TypeCheckBuilder isBoto3ClientCheck;
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::initializeCheck);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::check);
+  }
+
+  private void initializeCheck(SubscriptionContext ctx) {
+    isBoto3ClientCheck = ctx.typeChecker().typeCheckBuilder().isTypeWithFqn("botocore.client.BaseClient.invoke");
+  }
+
+  private void check(SubscriptionContext ctx) {
+    var callExpression = (CallExpression) ctx.syntaxNode();
+    if (isBoto3ClientCheck.check(TreeUtils.inferSingleAssignedExpressionType(callExpression.callee())).isTrue()
+        && TreeUtils.firstAncestorOfKind(callExpression, Tree.Kind.FUNCDEF) instanceof FunctionDef functionDef
+        && AwsLambdaChecksUtils.isLambdaHandler(ctx, functionDef)
+        && hasInvalidArgumentValue(callExpression)) {
+      ctx.addIssue(callExpression, "Avoid synchronous calls to other lambdas");
+    }
+  }
+
+  private static boolean hasInvalidArgumentValue(CallExpression callExpression) {
+    return Optional.ofNullable(TreeUtils.argumentByKeyword(INVOCATION_TYPE_ARGUMENT_KEYWORD, callExpression.arguments()))
+      .map(RegularArgument::expression)
+      .flatMap(Expressions::ifNameGetSingleAssignedNonNameValue)
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(StringLiteral.class))
+      .map(StringLiteral::trimmedQuotesValue)
+      .filter(REQUEST_RESPONSE_INVOCATION_TYPE_ARGUMENT_VALUE::equals)
+      .isPresent();
+  }
+}
diff --git a/python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java b/python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java
@@ -128,6 +128,7 @@ public Stream<Class<?>> getChecks() {
       AsyncAwsLambdaHandlerCheck.class,
       AsyncLongSleepCheck.class,
       AsyncWithContextManagerCheck.class,
+      AwsLambdaCrossCallCheck.class,
       AWSLambdaReservedEnvironmentVariableCheck.class,
       BackslashInStringCheck.class,
       BackticksUsageCheck.class,
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6246.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6246.html
@@ -0,0 +1,44 @@
+<p>This rule reports an issue when a lambda invokes another lambda synchronously.</p>
+<h2>Why is this an issue?</h2>
+<p>Invoking other Lambdas synchronously from a Lambda is a scalability anti-pattern. Lambdas have a maximum execution time before they timeout (15
+minutes as of June 2025). Having to wait for another Lambda to finish its execution could lead to a timeout.</p>
+<p>A better solution is to generate events that can be consumed asynchronously by other Lambdas.</p>
+<h3>Noncompliant code example</h3>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import boto3
+</pre>
+<p>client = boto3.client('lambda')</p>
+<p>def lambda_handler(event, context): response = client.invoke( FunctionName='target-lambda-function-name', InvocationType='RequestResponse' #
+Noncompliant <code>RequestResponse</code> InvocationType means that the lambda call is synchronous Payload=json.dumps(event) )</p>
+<pre>
+return response['Payload'].read()
+</pre>
+<h3>Compliant code example</h3>
+<pre data-diff-id="1" data-diff-type="compliant">
+import boto3
+</pre>
+<p>client = boto3.client('lambda')</p>
+<p>def lambda_handler(event, context):</p>
+<pre>
+response = client.invoke(
+  FunctionName='target-lambda-function-name',
+  InvocationType='Event' # Compliant `Event` InvocationType means that the lambda call is asynchronous
+  Payload=json.dumps(event)
+)
+</pre>
+<pre>
+return response['Payload'].read()
+</pre>
+<h2>How to fix it in boto3</h2>
+<p>Using the <code>client.invoke()</code> function, the parameter <code>InvocationType</code> should be set to <code>Event</code> to invoke the
+function asynchronously by sending events.</p>
+<h2>Resources</h2>
+<ul>
+  <li> AWS docs - <a href="https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html">Best practices for working with AWS Lambda functions</a>
+  </li>
+  <li> AWS docs - <a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtime-environment.html">Understanding the Lambda execution
+  environment lifecycle</a> </li>
+  <li> boto3 - <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lambda/client/invoke.html">client.invoke()</a>
+  </li>
+</ul>
+
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6246.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6246.json
@@ -0,0 +1,23 @@
+{
+  "title": "Lambdas should not invoke other lambdas synchronously",
+  "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "LOW"
+    },
+    "attribute": "EFFICIENT"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "3h"
+  },
+  "tags": [
+    "aws"
+  ],
+  "defaultSeverity": "Minor",
+  "ruleSpecification": "RSPEC-6246",
+  "sqKey": "S6246",
+  "scope": "Main",
+  "quickfix": "unknown"
+}
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json
@@ -168,6 +168,7 @@
     "S6002",
     "S6019",
     "S6035",
+    "S6246",
     "S6249",
     "S6252",
     "S6265",
diff --git a/python-checks/src/test/java/org/sonar/python/checks/AwsLambdaCrossCallCheckTest.java b/python-checks/src/test/java/org/sonar/python/checks/AwsLambdaCrossCallCheckTest.java
@@ -0,0 +1,28 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class AwsLambdaCrossCallCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/awsLambdaCrossCall.py", new AwsLambdaCrossCallCheck());
+  }
+}
diff --git a/python-checks/src/test/resources/checks/awsLambdaCrossCall.py b/python-checks/src/test/resources/checks/awsLambdaCrossCall.py
@@ -0,0 +1,26 @@
+import boto3
+
+global_client = boto3.client('lambda')
+
+def lambda_handler(event, context):
+    global_client.invoke(InvocationType='RequestResponse') # Noncompliant
+    global_client.invoke(InvocationType='some other value')
+    global_client.invoke(FunctionName='target-lambda-function-name')
+
+    local_client = boto3.client('lambda')
+    local_client.invoke(InvocationType='RequestResponse') # Noncompliant
+    local_client.invoke(InvocationType='some other value')
+    local_client.invoke(FunctionName='target-lambda-function-name')
+
+    other_client = "something else"
+    other_client.invoke(InvocationType='RequestResponse')
+    
+    
+def not_a_lambda():
+    global_client.invoke(InvocationType='RequestResponse') # OK
+    
+    local_client = boto3.client('lambda')
+    local_client.invoke(InvocationType='RequestResponse') # OK
+
+global_client.invoke(InvocationType='RequestResponse') # OK
+
