DBD-200 Add Dataflow Bug Detection rules to the default quality profiley (#1144)

Author: guillaume-dequenne

sonar-python-plugin/src/main/java/org/sonar/plugins/python/PythonProfile.java

@@ -41,40 +41,42 @@ public class PythonProfile implements BuiltInQualityProfilesDefinition {
   static final String PROFILE_LOCATION = RESOURCE_FOLDER + "/Sonar_way_profile.json";
   static final String SECURITY_RULES_CLASS_NAME = "com.sonar.plugins.security.api.PythonRules";
   static final String SECURITY_RULE_KEYS_METHOD_NAME = "getRuleKeys";
-  static final String SECURITY_RULE_REPO_METHOD_NAME = "getRepositoryKey";
+  static final String DBD_RULES_CLASS_NAME = "com.sonarsource.plugins.dbd.api.PythonRules";
+  static final String DBD_RULE_KEYS_METHOD_NAME = "getDataflowBugDetectionRuleKeys";
+  static final String GET_REPOSITORY_KEY = "getRepositoryKey";
+
 
   @Override
   public void define(Context context) {
     NewBuiltInQualityProfile profile = context.createBuiltInQualityProfile(PROFILE_NAME, Python.KEY);
     BuiltInQualityProfileJsonLoader.load(profile, CheckList.REPOSITORY_KEY, PROFILE_LOCATION);
-    getSecurityRuleKeys(SECURITY_RULES_CLASS_NAME, SECURITY_RULE_KEYS_METHOD_NAME, SECURITY_RULE_REPO_METHOD_NAME)
+    getSecurityRuleKeys()
+      .forEach(key -> profile.activateRule(key.repository(), key.rule()));
+    getDataflowBugDetectionRuleKeys()
       .forEach(key -> profile.activateRule(key.repository(), key.rule()));
     profile.done();
   }
 
-  // Visible for testing
-  static Set<RuleKey> getSecurityRuleKeys(String className, String ruleKeysMethodName, String ruleRepoMethodName) {
-    try {
+  static Set<RuleKey> getSecurityRuleKeys() {
+    return getExternalRuleKeys(SECURITY_RULES_CLASS_NAME, SECURITY_RULE_KEYS_METHOD_NAME, "security");
+  }
+
+  static Set<RuleKey> getDataflowBugDetectionRuleKeys() {
+    return getExternalRuleKeys(DBD_RULES_CLASS_NAME, DBD_RULE_KEYS_METHOD_NAME, "dataflow bug detection");
+  }
 
+  @SuppressWarnings("unchecked")
+  static Set<RuleKey> getExternalRuleKeys(String className, String ruleKeysMethodName, String rulesCategory) {
+    try {
       Class<?> rulesClass = Class.forName(className);
       Method getRuleKeysMethod = rulesClass.getMethod(ruleKeysMethodName);
       Set<String> ruleKeys = (Set<String>) getRuleKeysMethod.invoke(null);
-      Method getRepositoryKeyMethod = rulesClass.getMethod(ruleRepoMethodName);
+      Method getRepositoryKeyMethod = rulesClass.getMethod(GET_REPOSITORY_KEY);
       String repositoryKey = (String) getRepositoryKeyMethod.invoke(null);
       return ruleKeys.stream().map(k -> RuleKey.of(repositoryKey, k)).collect(Collectors.toSet());
-
-    } catch (ClassNotFoundException e) {
-      LOG.debug(className + " is not found, " + securityRuleMessage(e));
-    } catch (NoSuchMethodException e) {
-      LOG.debug("Method not found on " + className +", " + securityRuleMessage(e));
-    } catch (IllegalAccessException | InvocationTargetException e) {
-      LOG.debug(e.getClass().getSimpleName() + ": " + securityRuleMessage(e));
+    } catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException | InvocationTargetException e) {
+      LOG.debug(String.format("[%s], no %s rules added to Sonar way Python profile: %s", e.getClass().getSimpleName(), rulesCategory, e.getMessage()));
     }
-
     return Collections.emptySet();
   }
-
-  private static String securityRuleMessage(Exception e) {
-    return "no security rules added to Sonar way Python profile: " + e.getMessage();
-  }
 }

sonar-python-plugin/src/test/java/com/sonarsource/plugins/dbd/api/PythonRules.java

@@ -0,0 +1,47 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package com.sonarsource.plugins.dbd.api;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Class required to test SonarWay for DBD rules
+ */
+public class PythonRules {
+  public static Set<String> ruleKeys = new HashSet<>();
+
+  public static boolean throwOnCall = false;
+
+  public static Set<String> getDataflowBugDetectionRuleKeys() {
+    if (throwOnCall) {
+      throw new RuntimeException("Boom!");
+    }
+    return ruleKeys;
+  }
+
+  public static String getRepositoryKey() {
+    return "dbd-repo-key";
+  }
+
+  public static Set<String> methodThrowingException() throws Exception {
+    throw new RuntimeException("testing");
+  }
+}

sonar-python-plugin/src/test/java/org/sonar/plugins/python/PythonProfileTest.java

@@ -28,7 +28,9 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.sonar.plugins.python.PythonProfile.SECURITY_RULES_CLASS_NAME;
 import static org.sonar.plugins.python.PythonProfile.SECURITY_RULE_KEYS_METHOD_NAME;
-import static org.sonar.plugins.python.PythonProfile.SECURITY_RULE_REPO_METHOD_NAME;
+import static org.sonar.plugins.python.PythonProfile.GET_REPOSITORY_KEY;
+import static org.sonar.plugins.python.PythonProfile.getDataflowBugDetectionRuleKeys;
+import static org.sonar.plugins.python.PythonProfile.getExternalRuleKeys;
 import static org.sonar.plugins.python.PythonProfile.getSecurityRuleKeys;
 
 public class PythonProfileTest {
@@ -52,23 +54,42 @@ public void profile() {
   public void should_contains_security_rules_if_available() {
     // no security rule available
     PythonRules.getRuleKeys().clear();
-    assertThat(getSecurityRuleKeys(SECURITY_RULES_CLASS_NAME, SECURITY_RULE_KEYS_METHOD_NAME, SECURITY_RULE_REPO_METHOD_NAME))
+    assertThat(getSecurityRuleKeys())
       .isEmpty();
 
     // one security rule available
     PythonRules.getRuleKeys().add("S3649");
-    assertThat(getSecurityRuleKeys(SECURITY_RULES_CLASS_NAME, SECURITY_RULE_KEYS_METHOD_NAME, SECURITY_RULE_REPO_METHOD_NAME))
+    assertThat(getSecurityRuleKeys())
       .containsOnly(RuleKey.of("pythonsecurity", "S3649"));
 
-    // invalid class name
-    assertThat(getSecurityRuleKeys("xxx", SECURITY_RULE_KEYS_METHOD_NAME, SECURITY_RULE_REPO_METHOD_NAME)).isEmpty();
+    PythonRules.throwOnCall = true;
+    assertThat(getSecurityRuleKeys())
+      .isEmpty();
+    PythonRules.throwOnCall = false;
+  }
 
-    // invalid method name
-    assertThat(getSecurityRuleKeys(SECURITY_RULES_CLASS_NAME, "xxx", SECURITY_RULE_REPO_METHOD_NAME)).isEmpty();
+  @Test
+  public void should_contains_dataflow_bug_detection_rules_if_available() {
+    // no dataflow bug detection rules available
+    com.sonarsource.plugins.dbd.api.PythonRules.getDataflowBugDetectionRuleKeys().clear();
+    assertThat(getDataflowBugDetectionRuleKeys()).isEmpty();
 
-    PythonRules.throwOnCall = true;
-    assertThat(getSecurityRuleKeys(SECURITY_RULES_CLASS_NAME, SECURITY_RULE_KEYS_METHOD_NAME, SECURITY_RULE_REPO_METHOD_NAME))
+    // one dataflow bug detection rule available
+    com.sonarsource.plugins.dbd.api.PythonRules.getDataflowBugDetectionRuleKeys().add("S2259");
+    assertThat(getDataflowBugDetectionRuleKeys()).containsOnly(RuleKey.of("dbd-repo-key", "S2259"));
+
+    com.sonarsource.plugins.dbd.api.PythonRules.throwOnCall = true;
+    assertThat(getDataflowBugDetectionRuleKeys())
       .isEmpty();
     PythonRules.throwOnCall = false;
   }
+
+  @Test
+  public void test_get_external_rule_keys() {
+    // invalid class name
+    assertThat(getExternalRuleKeys("xxx", SECURITY_RULE_KEYS_METHOD_NAME, GET_REPOSITORY_KEY)).isEmpty();
+
+    // invalid method name
+    assertThat(getExternalRuleKeys(SECURITY_RULES_CLASS_NAME, "xxx", GET_REPOSITORY_KEY)).isEmpty();
+  }
 }