SONARPY-3927 Migrated S5445 to TypeV2 (#967)

GitOrigin-RevId: 7015cf8f784fb3abd60fcb23bbefb6f861d8ecaa

Author: joke1196

python-checks/src/main/java/org/sonar/python/checks/TempFileCreationCheck.java

@@ -16,34 +16,38 @@
  */
 package org.sonar.python.checks;
 
-import java.util.Arrays;
-import java.util.List;
 import java.util.Optional;
-import javax.annotation.Nullable;
 import org.sonar.check.Rule;
 import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
 import org.sonar.plugins.python.api.tree.CallExpression;
 import org.sonar.plugins.python.api.tree.Tree;
-import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.types.v2.FullyQualifiedNameHelper;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatcher;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
 
 @Rule(key = "S5445")
 public class TempFileCreationCheck extends PythonSubscriptionCheck {
 
-  private static final List<String> SUSPICIOUS_CALLS = Arrays.asList("os.tempnam", "os.tmpnam", "tempfile.mktemp");
+  // os.tempnam and os.tmpnam were removed in Python 3 and have no stubs.
+  // We use withFQN to match both qualified (os.tempnam) and direct import (from os import tempnam) forms,
+  // as the callee gets typed as UnresolvedImportType("os.tempnam") in both cases.
+  private static final TypeMatcher INSECURE_CALLS = TypeMatchers.any(
+    TypeMatchers.isType("tempfile.mktemp"),
+    TypeMatchers.withFQN("os.tempnam"),
+    TypeMatchers.withFQN("os.tmpnam")
+  );
 
   @Override
   public void initialize(Context context) {
-    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, ctx -> {
-      CallExpression callExpr = (CallExpression) ctx.syntaxNode();
-      Symbol symbol = callExpr.calleeSymbol();
-      isInsecureTempFile(symbol).ifPresent(s -> ctx.addIssue(callExpr, String.format("'%s' is insecure. Use 'tempfile.TemporaryFile' instead", s)));
-    });
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, TempFileCreationCheck::checkCallExpression);
   }
 
-  private static Optional<String> isInsecureTempFile(@Nullable Symbol symbol) {
-    if (symbol == null) {
-      return Optional.empty();
-    }
-    return SUSPICIOUS_CALLS.stream().filter(call -> call.equals(symbol.fullyQualifiedName())).findFirst();
+  private static void checkCallExpression(SubscriptionContext ctx) {
+    CallExpression callExpr = (CallExpression) ctx.syntaxNode();
+    Optional.of(callExpr.callee())
+      .filter(callee -> INSECURE_CALLS.isTrueFor(callee, ctx))
+      .flatMap(callee -> FullyQualifiedNameHelper.getFullyQualifiedName(callee.typeV2()))
+      .ifPresent(name -> ctx.addIssue(callExpr.callee(), String.format("'%s' is insecure. Use 'tempfile.TemporaryFile' instead", name)));
   }
 }

python-checks/src/test/resources/checks/tempFileCreationCheck.py

@@ -1,18 +1,25 @@
 import tempfile
 import os
+from os import tempnam
+from os import tmpnam
 
 filename = os.tempnam() # Noncompliant {{'os.tempnam' is insecure. Use 'tempfile.TemporaryFile' instead}}
-#          ^^^^^^^^^^^^
+#          ^^^^^^^^^^
 tmp_file = open(filename, "w+b")
 
 filename = os.tmpnam() # Noncompliant {{'os.tmpnam' is insecure. Use 'tempfile.TemporaryFile' instead}}
-#          ^^^^^^^^^^^
+#          ^^^^^^^^^
 tmp_file = open(filename, "w+b")
 
 filename = tempfile.mktemp() # Noncompliant {{'tempfile.mktemp' is insecure. Use 'tempfile.TemporaryFile' instead}}
-#          ^^^^^^^^^^^^^^^^^
+#          ^^^^^^^^^^^^^^^
 
 tmp_file = open(filename, "w+b")
 
+filename = tempnam() # Noncompliant {{'os.tempnam' is insecure. Use 'tempfile.TemporaryFile' instead}}
+#          ^^^^^^^
+
+filename = tmpnam() # Noncompliant {{'os.tmpnam' is insecure. Use 'tempfile.TemporaryFile' instead}}
+#          ^^^^^^
 
 tmp_file = tempfile.TemporaryFile() # Compliant

python-frontend/src/main/java/org/sonar/python/semantic/v2/types/typecalculator/QualifiedExpressionCalculator.java

@@ -20,8 +20,10 @@
 import org.sonar.plugins.python.api.tree.Expression;
 import org.sonar.plugins.python.api.tree.Name;
 import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.types.v2.FullyQualifiedNameHelper;
 import org.sonar.plugins.python.api.types.v2.FunctionType;
 import org.sonar.plugins.python.api.types.v2.PythonType;
+import org.sonar.plugins.python.api.types.v2.UnknownType;
 import org.sonar.python.semantic.v2.types.TypeInferenceMatcher;
 import org.sonar.python.semantic.v2.types.TypeInferenceMatchers;
 import org.sonar.python.types.v2.matchers.TypePredicateContext;
@@ -38,10 +40,16 @@ public QualifiedExpressionCalculator(TypePredicateContext typePredicateContext)
 
   public PythonType calculate(QualifiedExpression qualifiedExpression) {
     Name name = qualifiedExpression.name();
-    return Optional.of(qualifiedExpression.qualifier())
-      .map(Expression::typeV2)
+    PythonType qualifierType = qualifiedExpression.qualifier().typeV2();
+    return Optional.of(qualifierType)
       .flatMap(t -> t.resolveMember(name.name()))
       .map(this::handlePropertyFunction)
+      .orElseGet(() -> unresolvedMemberType(qualifierType, name.name()));
+  }
+
+  private static PythonType unresolvedMemberType(PythonType qualifierType, String memberName) {
+    return FullyQualifiedNameHelper.getFullyQualifiedName(qualifierType)
+      .map(qualifierFqn -> (PythonType) new UnknownType.UnresolvedImportType(qualifierFqn + "." + memberName))
       .orElse(PythonType.UNKNOWN);
   }
 

python-frontend/src/test/java/org/sonar/python/semantic/v2/TypeInferenceV2Test.java

@@ -4041,8 +4041,10 @@ void reexportedWildcardImport() {
     var actualFoo = tupleExpr.elements().get(1);
 
     assertThat(importedFoo.typeV2())
-      .isEqualTo(PythonType.UNKNOWN)
+      .isInstanceOf(UnknownType.UnresolvedImportType.class)
       .isNotEqualTo(actualFoo.typeV2());
+    assertThat(((UnknownType.UnresolvedImportType) importedFoo.typeV2()).importPath())
+      .isEqualTo("mod2.foo");
   }
 
   @Test

python-frontend/src/test/java/org/sonar/python/semantic/v2/types/typecalculator/QualifiedExpressionCalculatorTest.java

@@ -22,6 +22,7 @@
 import org.sonar.plugins.python.api.tree.Tree;
 import org.sonar.plugins.python.api.types.v2.FunctionType;
 import org.sonar.plugins.python.api.types.v2.PythonType;
+import org.sonar.plugins.python.api.types.v2.UnknownType;
 import org.sonar.python.PythonTestUtils;
 import org.sonar.python.types.v2.matchers.TypePredicateContext;
 
@@ -114,6 +115,21 @@ class A:
     assertThat(result).isEqualTo(PythonType.UNKNOWN);
   }
 
+  @Test
+  void calculate_unknownMemberOnKnownModule_returnsUnresolvedImportType() {
+    FileInput fileInput = parseAndInferTypes("""
+      import os
+      os.nonexistent_member
+      """);
+
+    var qualifiedExpression = getQualifiedExpressionFromStatement(fileInput);
+    PythonType result = calculator.calculate(qualifiedExpression);
+
+    assertThat(result).isInstanceOf(UnknownType.UnresolvedImportType.class);
+    var unresolvedType = (UnknownType.UnresolvedImportType) result;
+    assertThat(unresolvedType.importPath()).isEqualTo("os.nonexistent_member");
+  }
+
   private static QualifiedExpression getQualifiedExpressionFromStatement(FileInput fileInput) {
     return PythonTestUtils.getLastDescendant(fileInput, t -> t.is(Tree.Kind.QUALIFIED_EXPR));
   }