SONARPY-3114 Rule S7621: AWS waiters should be used instead of custom polling loops (#427)

maksim-grebeniuk-sonarsource · sonartech · commit 9d9f59fc10bd · 2025-08-05T09:17:14.000Z
GitOrigin-RevId: 49d2035805ab3ef579efb5de7505b336ee27cf57
diff --git a/python-checks/src/main/java/org/sonar/python/checks/AwsWaitersInsteadOfCustomPollingCheck.java b/python-checks/src/main/java/org/sonar/python/checks/AwsWaitersInsteadOfCustomPollingCheck.java
@@ -0,0 +1,97 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.Set;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.WhileStatement;
+import org.sonar.python.checks.utils.AwsLambdaChecksUtils;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+@Rule(key = "S7621")
+public class AwsWaitersInsteadOfCustomPollingCheck extends PythonSubscriptionCheck {
+
+  private static final Set<String> NON_WAITERS_BOTO3_METHODS = Set.of(
+    // EC2
+    "botocore.client.BaseClient.describe_instances",
+    "botocore.client.BaseClient.describe_instance_status",
+    "botocore.client.BaseClient.describe_volumes",
+    "botocore.client.BaseClient.describe_snapshots",
+    "botocore.client.BaseClient.describe_images",
+    "botocore.client.BaseClient.describe_vpcs",
+    "botocore.client.BaseClient.describe_subnets",
+    "botocore.client.BaseClient.describe_nat_gateways",
+    "botocore.client.BaseClient.describe_key_pairs",
+    "botocore.client.BaseClient.get_password_data",
+    // S3
+    "botocore.client.BaseClient.head_bucket",
+    "botocore.client.BaseClient.head_object",
+    // RDS
+    "botocore.client.BaseClient.describe_db_instances",
+    "botocore.client.BaseClient.describe_db_clusters",
+    "botocore.client.BaseClient.describe_db_snapshots",
+    // DynamoDB
+    "botocore.client.BaseClient.describe_table",
+    // ECS
+    "botocore.client.BaseClient.describe_services",
+    "botocore.client.BaseClient.describe_tasks",
+    // EKS
+    "botocore.client.BaseClient.describe_cluster",
+    "botocore.client.BaseClient.describe_nodegroup",
+    // CloudFormation
+    "botocore.client.BaseClient.describe_stacks",
+    "botocore.client.BaseClient.describe_change_set",
+    // Lambda
+    "botocore.client.BaseClient.get_function_configuration",
+    "botocore.client.BaseClient.get_function"
+  );
+
+  private final TypeCheckMap<Boolean> nonWaitersBoto3MethodsTypeCheckMap = new TypeCheckMap<>();
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::initializeCheck);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::check);
+  }
+
+  private void initializeCheck(SubscriptionContext ctx) {
+    NON_WAITERS_BOTO3_METHODS.stream()
+      .map(fqn -> ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn))
+      .forEach(check -> nonWaitersBoto3MethodsTypeCheckMap.put(check, true));
+  }
+
+  private void check(SubscriptionContext ctx) {
+    var callExpression = (CallExpression) ctx.syntaxNode();
+    if (nonWaitersBoto3MethodsTypeCheckMap.containsForType(TreeUtils.inferSingleAssignedExpressionType(callExpression.callee()))
+        && TreeUtils.firstAncestorOfKind(callExpression, Tree.Kind.WHILE_STMT) instanceof WhileStatement whileStatement
+        && Expressions.isTruthy(whileStatement.condition())
+        && TreeUtils.firstAncestorOfKind(callExpression, Tree.Kind.FUNCDEF) instanceof FunctionDef functionDef
+        && AwsLambdaChecksUtils.isLambdaHandler(ctx, functionDef)
+    ) {
+      ctx.addIssue(callExpression, "Use AWS waiters instead of custom polling loops.");
+    }
+  }
+
+
+}
diff --git a/python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java b/python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java
@@ -133,6 +133,7 @@ public Stream<Class<?>> getChecks() {
       AwsLambdaReservedEnvironmentVariableCheck.class,
       AwsLambdaReturnValueAreSerializableCheck.class,
       AwsMissingPaginationCheck.class,
+      AwsWaitersInsteadOfCustomPollingCheck.class,
       BackslashInStringCheck.class,
       BackticksUsageCheck.class,
       BareRaiseInFinallyCheck.class,
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7621.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7621.html
@@ -0,0 +1,52 @@
+<p>This rule raises an issue when custom polling loops are used instead of AWS waiters for checking resource states.</p>
+<h2>Why is this an issue?</h2>
+<p>When working with AWS resources that require time to reach a desired state, such as EC2 instances starting up, S3 buckets being created, or
+DynamoDB tables becoming available, developers often implement custom polling loops to check the resource status repeatedly. However, this approach is
+inefficient and error-prone. Custom polling requires manual handling of timing intervals, retry logic, error conditions, and timeout scenarios. It
+also tends to be verbose and duplicates logic that AWS already provides in a more robust form. AWS SDK provides waiters, which are purpose-built
+abstractions specifically designed to poll AWS resources until they reach a desired state. Waiters handle the complexities of polling automatically,
+including appropriate delays, exponential backoff, maximum wait times, and proper error handling.</p>
+<h3>What is the potential impact?</h3>
+<p>Custom polling implementations can lead to inefficient resource usage due to inappropriate polling intervals, increased complexity and maintenance
+overhead, potential race conditions and timing issues, and unreliable error handling that may cause application failures or infinite loops.</p>
+<h2>How to fix it</h2>
+<p>Replace custom polling loops with AWS waiters. Identify the AWS resource you need to wait for, then use the appropriate waiter method from the
+boto3 client. Waiters are available for most AWS services and common state transitions. Use the <code>get_waiter()</code> method on your boto3 client
+to obtain the waiter, then call <code>wait()</code> with the appropriate parameters.</p>
+<h3>Noncompliant code example</h3>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import boto3
+import time
+
+ec2_client = boto3.client('ec2', region_name='us-east-1')
+
+while True:
+  response = ec2_client.describe_instance_status(  # Noncompliant
+    InstanceIds=[instance_id],
+    IncludeAllInstances=True
+  )
+
+  instance_status = response['Statuses'][0]['InstanceStatus']['Status']
+  if instance_status == 'ok':
+    break
+
+  time.sleep(10)
+</pre>
+<h3>Compliant solution</h3>
+<pre data-diff-id="1" data-diff-type="compliant">
+import boto3
+
+ec2_client = boto3.client('ec2', region_name='us-east-1')
+
+ec2_client.get_waiter('instance_status_ok').wait(
+    InstanceIds=[instance_id],
+    IncludeAllInstances=True
+)
+</pre>
+<h2>Resources</h2>
+<ul>
+  <li> boto3 Documentation - <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/guide/clients.html#waiters">Waiters</a> </li>
+  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html#python-handler-best-practices">AWS Lambda Python
+  Handler Best Practices</a> </li>
+</ul>
+
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7621.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7621.json
@@ -0,0 +1,24 @@
+{
+  "title": "AWS waiters should be used instead of custom polling loops",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "aws"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-S7621",
+  "sqKey": "S7621",
+  "scope": "Main",
+  "quickfix": "infeasible",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "LOW",
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "EFFICIENT"
+  }
+}
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json
@@ -290,8 +290,9 @@
     "S7516",
     "S7517",
     "S7519",
-    "S7617",
     "S7613",
+    "S7617",
+    "S7621",
     "S7622",
     "S7632"
   ]
diff --git a/python-checks/src/test/java/org/sonar/python/checks/AwsWaitersInsteadOfCustomPollingCheckTest.java b/python-checks/src/test/java/org/sonar/python/checks/AwsWaitersInsteadOfCustomPollingCheckTest.java
@@ -0,0 +1,28 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class AwsWaitersInsteadOfCustomPollingCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/awsWaitersInsteadOfCustomPolling.py", new AwsWaitersInsteadOfCustomPollingCheck());
+  }
+}
diff --git a/python-checks/src/test/resources/checks/awsWaitersInsteadOfCustomPolling.py b/python-checks/src/test/resources/checks/awsWaitersInsteadOfCustomPolling.py
@@ -0,0 +1,22 @@
+import boto3
+
+client = boto3.client('s3')
+
+def lambda_handler(event, context):
+    while True:
+        response = client.describe_instances()  # Noncompliant
+
+    while context:
+        response = client.describe_instances()  # OK
+
+    response = client.describe_instances()  # OK
+
+
+def not_a_lambda():
+    while True:
+        response = client.describe_instances()  # OK
+
+    response = client.describe_instances()  # OK
+
+while a:
+    response = client.describe_instances()  # OK
diff --git a/python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/botocore.client.protobuf b/python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/botocore.client.protobuf
diff --git a/python-frontend/typeshed_serializer/checksum b/python-frontend/typeshed_serializer/checksum
diff --git a/python-frontend/typeshed_serializer/resources/custom/botocore/client.pyi b/python-frontend/typeshed_serializer/resources/custom/botocore/client.pyi
