SONARPY-978 Rule S6397: Character classes in regular expressions shou… (#1105)

Author: marco-bearzi-sonarsource

its/ruling/src/test/resources/expected/python-S6397.json

@@ -0,0 +1,77 @@
+{
+'project:biopython/Bio/motifs/pfm.py':[
+338,
+],
+'project:buildbot-0.8.6p1/buildbot/steps/package/rpm/rpmspec.py':[
+31,
+32,
+],
+'project:buildbot-0.8.6p1/buildbot/steps/shell.py':[
+382,
+],
+'project:buildbot-slave-0.8.6p1/buildslave/scripts/runner.py':[
+160,
+],
+'project:mypy-0.782/test-data/stdlib-samples/3.2/base64.py':[
+236,
+],
+'project:numpy-1.16.4/numpy/distutils/conv_template.py':[
+144,
+],
+'project:numpy-1.16.4/numpy/distutils/fcompiler/ibm.py':[
+82,
+],
+'project:numpy-1.16.4/numpy/f2py/capi_maps.py':[
+307,
+307,
+],
+'project:numpy-1.16.4/numpy/f2py/crackfortran.py':[
+640,
+2938,
+],
+'project:numpy-1.16.4/numpy/f2py/f2py2e.py':[
+509,
+509,
+509,
+516,
+516,
+516,
+516,
+516,
+516,
+534,
+534,
+534,
+534,
+538,
+538,
+538,
+567,
+567,
+],
+'project:numpy-1.16.4/numpy/random/mtrand/generate_mtrand_c.py':[
+27,
+],
+'project:tornado-2.3/demos/appengine/markdown.py':[
+628,
+628,
+628,
+629,
+629,
+629,
+630,
+630,
+630,
+],
+'project:tornado-2.3/demos/blog/markdown.py':[
+628,
+628,
+628,
+629,
+629,
+629,
+630,
+630,
+630,
+],
+}

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -62,6 +62,7 @@
 import org.sonar.python.checks.regex.RegexLookaheadCheck;
 import org.sonar.python.checks.regex.ReluctantQuantifierCheck;
 import org.sonar.python.checks.regex.ReluctantQuantifierWithEmptyContinuationCheck;
+import org.sonar.python.checks.regex.SingleCharCharacterClassCheck;
 import org.sonar.python.checks.regex.SingleCharacterAlternationCheck;
 import org.sonar.python.checks.regex.StringReplaceCheck;
 import org.sonar.python.checks.regex.UnquantifiedNonCapturingGroupCheck;
@@ -228,6 +229,7 @@ public static Iterable<Class> getChecks() {
       SillyEqualityCheck.class,
       SillyIdentityCheck.class,
       SingleCharacterAlternationCheck.class,
+      SingleCharCharacterClassCheck.class,
       SpecialMethodParamListCheck.class,
       SQLQueriesCheck.class,
       StandardInputCheck.class,

python-checks/src/main/java/org/sonar/python/checks/regex/SingleCharCharacterClassCheck.java

@@ -0,0 +1,40 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import java.util.Optional;
+import java.util.regex.Pattern;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.SingleCharCharacterClassFinder;
+
+@Rule(key = "S6397")
+public class SingleCharCharacterClassCheck extends AbstractRegexCheck {
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    Optional.ofNullable(regexFunctionCall.calleeSymbol())
+      .flatMap(symbol -> Optional.ofNullable(symbol.fullyQualifiedName()))
+      .filter(fqn -> lookedUpFunctions().containsKey(fqn))
+      .filter(fqn -> !regexParseResult.getResult().activeFlags().contains(Pattern.COMMENTS))
+      .ifPresent(fqn -> new SingleCharCharacterClassFinder(this::addIssue).visit(regexParseResult));
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6397.html

@@ -0,0 +1,16 @@
+<p>Character classes in regular expressions are a convenient way to match one of several possible characters by listing the allowed characters or
+ranges of characters. If a character class contains only one character, the effect is the same as just writing the character without a character
+class.</p>
+<p>Thus, having only one character in a character class is usually a simple oversight that remained after removing other characters of the class.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+r"a[b]c"
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+r"abc"
+</pre>
+<h2>Exceptions</h2>
+<p>This rule does not raise when the character inside the class is a metacharacter. This notation is sometimes used to avoid escaping (e.g.,
+<code>[.]{3}</code> to match three dots).</p>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6397.json

@@ -0,0 +1,17 @@
+{
+  "title": "Character classes in regular expressions should not contain only one character",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6397",
+  "sqKey": "S6397",
+  "scope": "All",
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -155,6 +155,7 @@
     "S6331",
     "S6035",
     "S6395",
-    "S6396"
+    "S6396",
+    "S6397"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/regex/SingleCharCharacterClassCheckTest.java

@@ -0,0 +1,32 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class SingleCharCharacterClassCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/singleCharCharacterClassCheck.py", new SingleCharCharacterClassCheck());
+  }
+  
+}

python-checks/src/test/resources/checks/regex/singleCharCharacterClassCheck.py

@@ -0,0 +1,59 @@
+import re
+
+
+def non_compliant():
+    input = "Bob is a Bird... Bob is a Plane... Bob is Superman!"
+    changed = re.match(r"[0]", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                     ^
+
+    changed = re.match(r"[B]", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                     ^
+    changed = re.match(r"[ ]", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                     ^
+    changed = re.match(r"[:]", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                     ^
+    changed = re.match(r"([)])", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                      ^
+    changed = re.match(r"[:]", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                     ^
+    changed = re.match(r"[]]", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                     ^
+    changed = re.match(r"([\[])", input)  # Noncompliant {{Replace this character class by the character itself.}}
+    #                      ^^
+    changed = re.match(r'[b][c]', input, re.M) # Noncompliant 2
+
+
+def compliant():
+    input = "abcdefghijklmnopqa"
+    changed = re.match(re.escape("test"), input)
+    changed = re.match(r"[abc]", input)
+    changed = re.match(r"[a-c]", input)
+    changed = re.match(r"ab|cd", input)
+    changed = re.match(r"^|$", input)
+    changed = re.match(r"|", input)
+    changed = re.match(r"[\[a\]]", input)
+    # # Special characters do not raise warning
+    changed = re.match(r"a[.]a", input)
+    changed = re.match(r"a[*]a", input)
+    changed = re.match(r"a[+]a", input)
+    changed = re.match(r"a[^]a", input)
+    changed = re.match(r"a[{m}]a", input)
+    changed = re.match(r"a[\d]a", input)
+    changed = re.match(r"a[\w]a", input)
+    changed = re.match(r"a[?]a", input)
+    changed = re.match(r"a[|]a", input)
+    changed = re.match(r"a[\W]a", input)
+    changed = re.match(r"a[\]a", input)
+    changed = re.match(r"a a", input)
+
+    changed = re.compile(r'[ \t # comment]', re.X)
+
+    changed = re.compile(r'[ \t  ]', re.X)
+    changed = re.compile(r'[ \t]', re.X)
+    changed = re.match(r'[ \t]', input, re.X)
+
+    # TODO : False Negatives. We deactivated the SingleCharCharacterClassFinder whenever the flag X or VERBOSE is set.
+    # see https://github.com/SonarSource/sonar-analyzer-commons/issues/217
+    changed = re.compile(r'[\t]', re.X)
+    changed = re.compile(r'[a]', re.VERBOSE)
+    changed = re.match(r'[b][c]', input, re.M | re.X)