SONARPY-883 Rule S6019 Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string (#963)

* SONARPY-883 Rule S6019 Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string

* Update ruling

Author: nils-werner-sonarsource

its/ruling/src/test/resources/expected/python-S6019.json

@@ -0,0 +1,8 @@
+{
+'project:biopython/Bio/Phylo/PAML/_parse_yn00.py':[
+137,
+],
+'project:biopython/Bio/SearchIO/ExonerateIO/exonerate_text.py':[
+32,
+],
+}

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -51,6 +51,7 @@
 import org.sonar.python.checks.hotspots.UnverifiedHostnameCheck;
 import org.sonar.python.checks.regex.EmptyStringRepetitionCheck;
 import org.sonar.python.checks.regex.RedundantRegexAlternativesCheck;
+import org.sonar.python.checks.regex.ReluctantQuantifierWithEmptyContinuationCheck;
 import org.sonar.python.checks.regex.StringReplaceCheck;
 
 public final class CheckList {
@@ -187,6 +188,7 @@ public static Iterable<Class> getChecks() {
       RedundantJumpCheck.class,
       RedundantRegexAlternativesCheck.class,
       RegexCheck.class,
+      ReluctantQuantifierWithEmptyContinuationCheck.class,
       ReturnAndYieldInOneFunctionCheck.class,
       ReturnYieldOutsideFunctionCheck.class,
       RobustCipherAlgorithmCheck.class,

python-checks/src/main/java/org/sonar/python/checks/regex/ReluctantQuantifierWithEmptyContinuationCheck.java

@@ -0,0 +1,34 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.ReluctantQuantifierWithEmptyContinuationFinder;
+
+@Rule(key = "S6019")
+public class ReluctantQuantifierWithEmptyContinuationCheck extends AbstractRegexCheck {
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    new ReluctantQuantifierWithEmptyContinuationFinder(this::addIssue).visit(regexParseResult);
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6019.html

@@ -0,0 +1,17 @@
+<p>When a reluctant (or lazy) quantifier is followed by a pattern that can match the empty string or directly by the end of the regex, it will always
+match zero times for <code>*?</code> or one time for <code>+?</code>. If a reluctant quantifier is followed directly by the end anchor
+(<code>$</code>), it behaves indistinguishably from a greedy quantifier while being less efficient.</p>
+<p>This is likely a sign that the regex does not work as intended.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+re.replace(r"start\w*?(end)?", "x", "start123endstart456") # Noncompliant. In contrast to what one would expect, the result is not "xx"
+
+re.match(r"^\d*?$", "123456789") # Noncompliant. Matches the same as "/^\d*$/", but will backtrack in every position.
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+re.replace(r"start\w*?(end|$)", "x", "start123endstart456") # Result is "xx"
+
+re.match(r"^\d*$", "123456789")
+</pre>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6019.json

@@ -0,0 +1,17 @@
+{
+  "title": "Reluctant quantifiers in regular expressions should be followed by an expression that can\u0027t match the empty string",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "10min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6019",
+  "sqKey": "S6019",
+  "scope": "Main",
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -137,6 +137,7 @@
     "S5855",
     "S5864",
     "S5886",
-    "S5890"
+    "S5890",
+    "S6019"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/regex/ReluctantQuantifierWithEmptyContinuationCheckTest.java

@@ -0,0 +1,32 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class ReluctantQuantifierWithEmptyContinuationCheckTest {
+
+  @Test
+  public void test() throws Exception {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/reluctantQuantifierWithEmptyContinuationCheck.py", new ReluctantQuantifierWithEmptyContinuationCheck());
+  }
+
+}

python-checks/src/test/resources/checks/regex/reluctantQuantifierWithEmptyContinuationCheck.py

@@ -0,0 +1,16 @@
+import re
+
+
+def non_compliant(input):
+    re.match(r".*?x?", input)  # Noncompliant {{Fix this reluctant quantifier that will only ever match 0 repetitions.}}
+    #          ^^^
+    re.match(r".+?x?", input)  # Noncompliant {{Fix this reluctant quantifier that will only ever match 1 repetition.}}
+    re.match(r".{2,4}?x?", input)  # Noncompliant {{Fix this reluctant quantifier that will only ever match 2 repetitions.}}
+    re.match(r".*?$", input)  # Noncompliant {{Remove the '?' from this unnecessarily reluctant quantifier.}}
+    re.match(r".*?()$", input)  # Noncompliant {{Remove the '?' from this unnecessarily reluctant quantifier.}}
+
+
+def compliant(input):
+    re.match(r".*?x", input)
+    re.match(r".*?x$", input)
+    re.match(r".*?[abc]", input)