SONARPY-264 : Rule S1135 : Track uses of 'TODO' tags (#1088)

* SONARPY-264 : Rule S1135 : Track uses of 'TODO' tags

* SONARPY-264: Update rule description

Author: marco-bearzi-sonarsource

its/ruling/src/test/resources/expected/python-S1135.json

@@ -225,6 +225,7 @@ public static Iterable<Class> getChecks() {
       StringReplaceCheck.class,
       StrongCryptographicKeysCheck.class,
       TempFileCreationCheck.class,
+      ToDoCommentCheck.class,
       TooManyLinesInFileCheck.class,
       TooManyParametersCheck.class,
       TooManyReturnsCheck.class,

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -0,0 +1,49 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks;
+
+import java.util.regex.Pattern;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionCheck;
+import org.sonar.plugins.python.api.tree.Token;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.Trivia;
+
+@Rule(key = "S1135")
+public class ToDoCommentCheck extends PythonSubscriptionCheck {
+
+  private static final String TODO_COMMENT_PATTERN = "^#[ ]*TODO.*";
+  private static final String MESSAGE = "Complete the task associated to this \"TODO\" comment.";
+
+  @Override
+  public void initialize(SubscriptionCheck.Context context) {
+    Pattern pattern = Pattern.compile(TODO_COMMENT_PATTERN, Pattern.CASE_INSENSITIVE);
+    context.registerSyntaxNodeConsumer(Tree.Kind.TOKEN, ctx -> {
+      Token token = (Token) ctx.syntaxNode();
+      for (Trivia trivia : token.trivia()) {
+        String comment = trivia.value();
+        if (pattern.matcher(comment).matches()) {
+          ctx.addIssue(trivia.token(), MESSAGE);
+        }
+      }
+    });
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/ToDoCommentCheck.java

@@ -0,0 +1,13 @@
+<p><code>TODO</code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.</p>
+<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.</p>
+<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+def doSomething:
+  # TODO : Complete function
+</pre>
+<h2>See</h2>
+<ul>
+  <li> <a href="https://cwe.mitre.org/data/definitions/546.html">MITRE, CWE-546</a> - Suspicious Comment </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1135.html

@@ -0,0 +1,22 @@
+{
+  "title": "Track uses of \"TODO\" tags",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "0min"
+  },
+  "tags": [
+    "cwe"
+  ],
+  "defaultSeverity": "Info",
+  "ruleSpecification": "RSPEC-1135",
+  "sqKey": "S1135",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      546
+    ]
+  },
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1135.json

@@ -20,6 +20,7 @@
     "S1066",
     "S1110",
     "S1134",
+    "S1135",
     "S1143",
     "S1144",
     "S1186",

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -0,0 +1,32 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class ToDoCommentCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/todoComment.py", new ToDoCommentCheck());
+  }
+
+}

python-checks/src/test/java/org/sonar/python/checks/ToDoCommentCheckTest.java

@@ -0,0 +1,23 @@
+def divide(numerator, denominator):
+# Noncompliant@+1 {{Complete the task associated to this "TODO" comment.}}
+    return numerator / denominator              # TODO denominator value might be 0
+#                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# Noncompliant@+1
+#TODO
+
+# this is not TODO
+
+# Noncompliant@+1
+# todo in lower case
+
+for d in lib_dirs:
+    # TODO: some TODO
+    # Noncompliant@-1
+    pass
+
+if True:
+    print("a")
+    # Noncompliant@+1
+    # TODO: something
+    for d in lib_dirs:
+        pass