SONARPY-4248 Add support for bandit's # nosec directive#2290
Draft
teemu-rytilahti-sonarsource wants to merge 1 commit into
Draft
SONARPY-4248 Add support for bandit's # nosec directive#2290teemu-rytilahti-sonarsource wants to merge 1 commit into
teemu-rytilahti-sonarsource wants to merge 1 commit into
Conversation
Extend NoSonarInfoParser to recognize `# nosec` comments. A bare `# nosec` (with or without trailing description text) is parsed the same way as bare `# NOSONAR` / `# noqa`, producing a NoSonarLineInfo with an empty suppressed-rule-key set — which the existing NoSonarIssueFilter already treats as "suppress all rules on this line". So e.g. S4790 is silenced when a `# nosec` is added to the offending line, matching bandit's own semantics. Bandit also accepts test IDs (e.g. `# nosec B303, B607`). Those are not parsed here: the repo has no Bandit-ID → Sonar-rule mapping, and any text after `nosec` is treated as a free-form description. Narrowing bare `# nosec` to security-typed rules only is tracked as a follow-up on SONARPY-4248.
teemu-rytilahti-sonarsource
deployed
to
sca-checking
GitHub Actions
Active
Code Review ✅ ApprovedExtends the OptionsAuto-apply is off → Gitar will not commit updates to this branch. Comment with these commands to change:
Was this helpful? React with 👍 / 👎 | Gitar |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
NoSonarInfoParserto recognize# noseccomments (case-insensitive, colon or whitespace separator, trailing description allowed).# nosecproduces aNoSonarLineInfowith an empty suppressed-rule-key set, which the existingNoSonarIssueFilteralready interprets as "suppress all rules on this line" — no filter changes needed. As a result,# nosecsilences e.g. S4790 on the offending line, matching bandit's own semantics.NoSonarInfoParserTest(bare,# nosec B101, with reason, colon form, uppercase, length-truncated, mixed with another#segment) and end-to-end cases inNoSonarLineInfoCollectorTest.Sibling of SONARGO-809 (Go
//nolint). Tracked as SONARPY-4248.Follow-up
Bandit also supports test IDs (
# nosec B303, B607). The repo has no Bandit-ID → Sonar-rule mapping today, so anything afternosecis parsed as free-form description and BXXX IDs are not honored.A nicer behaviour for bare
# nosecwould be to suppress only security-typed rules (71 rules withtype: VULNERABILITYorSECURITY_HOTSPOTunderpython-checks/.../l10n/py/rules/python/*.json) rather than everything on the line, closer to user intent. That would require:NoSonarLineInfo(e.g.SuppressionScope.SECURITY_ONLY).AbstractPythonRuleRepositoryviaRuleMetadataLoader).NoSonarIssueFilterto consult that set when the line's scope isSECURITY_ONLY.Out of scope for this PR; can land as a follow-up under the same ticket.
Test plan
mvn test -Dtest=NoSonarInfoParserTestinpython-frontend(68 tests pass).mvn test -Dtest=NoSonarLineInfoCollectorTestinpython-commons(collector test cases added but not run locally —python-commonsneedspython-frontendinstalled; CI will cover).# nosecon ahashlib.md5(...)line suppresses S4790.