SONARPY-2787 [S6437] Support additional libraries (#184)

GitOrigin-RevId: 67c5e689dcad634f3bcba83f8f052f1a8d2502f1

Author: GabinL21

python-checks/src/main/java/org/sonar/python/checks/HardcodedCredentialsCallCheck.java

@@ -21,11 +21,13 @@
 import java.io.InputStreamReader;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+import javax.annotation.Nullable;
 import org.sonar.check.Rule;
 import org.sonar.plugins.python.api.PythonSubscriptionCheck;
 import org.sonar.plugins.python.api.SubscriptionContext;
@@ -64,15 +66,18 @@ private void processCallExpression(SubscriptionContext ctx) {
   }
 
   private void checkCallArguments(SubscriptionContext ctx, CallExpression call) {
-    getMethod(call)
-      .ifPresent(method -> method.indices()
-        .forEach(argumentIndex -> {
-          var argumentName = method.args().get(argumentIndex);
-          var argument = TreeUtils.nthArgumentOrKeyword(argumentIndex, argumentName, call.arguments());
-          if (argument != null) {
-            checkArgument(ctx, argument);
-          }
-        }));
+    getMethod(call).ifPresent(method ->
+      getArgumentsToCheck(call, method)
+        .forEach(argument -> checkArgument(ctx, argument))
+    );
+  }
+
+  private Stream<RegularArgument> getArgumentsToCheck(CallExpression call, CredentialMethod method) {
+    return method.sensitiveArguments().stream()
+      .map(sensitiveArgument -> sensitiveArgument.index() != null
+        ? TreeUtils.nthArgumentOrKeyword(sensitiveArgument.index(), sensitiveArgument.name(), call.arguments())
+        : TreeUtils.argumentByKeyword(sensitiveArgument.name(), call.arguments()))
+      .filter(Objects::nonNull);
   }
 
   private static void checkArgument(SubscriptionContext ctx, RegularArgument argument) {
@@ -142,42 +147,41 @@ private Optional<CredentialMethod> getMethod(CallExpression call) {
       .map(methods::get);
   }
 
-  public static class CredentialMethod {
-    private String name;
-    private List<String> args;
-    private List<Integer> indices;
-
-    public String name() {
-      return name;
-    }
-
-    public List<String> args() {
-      return args;
-    }
+  public record CredentialMethod(
+    String name,
+    List<MethodArgument> sensitiveArguments) {
+  }
 
-    public List<Integer> indices() {
-      return indices;
-    }
+  public record MethodArgument(
+    String name,
+    @Nullable Integer index) {
   }
 
   private static class CredentialMethodsLoader {
-    private static final String METHODS_RESOURCE_PATH = "/org/sonar/python/checks/hardcoded_credentials_call_check_meta.json";
+    private static final String CHECKS_DIR = "/org/sonar/python/checks";
+    private static final String GENERATED_METHODS_RESOURCE_PATH = CHECKS_DIR + "/generated_hardcoded_credentials_call_check_meta.json";
+    private static final String MANUAL_METHODS_RESOURCE_PATH = CHECKS_DIR + "/manual_hardcoded_credentials_call_check_meta.json";
     private final Gson gson;
 
     private CredentialMethodsLoader() {
       gson = new Gson();
     }
 
     private Map<String, CredentialMethod> load() {
-      try (var is = HardcodedCredentialsCallCheck.class.getResourceAsStream(METHODS_RESOURCE_PATH)) {
+      var generatedCredentialMethods = loadMethodsFromResource(GENERATED_METHODS_RESOURCE_PATH);
+      var manualCredentialMethods = loadMethodsFromResource(MANUAL_METHODS_RESOURCE_PATH);
+      return Stream.concat(Stream.of(generatedCredentialMethods), Stream.of(manualCredentialMethods))
+        .collect(Collectors.toMap(CredentialMethod::name, Function.identity())); // Will throw an exception if there are duplicates
+    }
+
+    private CredentialMethod[] loadMethodsFromResource(String resourcePath) {
+      try (var is = HardcodedCredentialsCallCheck.class.getResourceAsStream(resourcePath)) {
         return Optional.ofNullable(is)
           .map(InputStreamReader::new)
-          .map(r -> gson.fromJson(r, CredentialMethod[].class))
-          .stream()
-          .flatMap(Stream::of)
-          .collect(Collectors.toMap(CredentialMethod::name, Function.identity()));
+          .map(reader -> gson.fromJson(reader, CredentialMethod[].class))
+          .orElseThrow(() -> new IllegalStateException("Unable to open resource: " + resourcePath));
       } catch (IOException e) {
-        throw new IllegalStateException("Unable to read methods metadata from " + METHODS_RESOURCE_PATH, e);
+        throw new IllegalStateException("Unable to read methods metadata from " + resourcePath, e);
       }
     }
   }

python-checks/src/main/resources/org/sonar/python/checks/generated_hardcoded_credentials_call_check_meta.json

@@ -0,0 +1,60 @@
+[
+  {
+    "name": "psycopg.connect",
+    "sensitiveArguments": [
+      { "name": "password" }
+    ]
+  },
+  {
+    "name": "psycopg2.connect",
+    "sensitiveArguments": [
+      { "name": "password" }
+    ]
+  },
+  {
+    "name": "mysql.connector.connect",
+    "sensitiveArguments": [
+      { "name": "password" },
+      { "name": "passwd" },
+      { "name": "password1" },
+      { "name": "password2" },
+      { "name": "password3" }
+    ]
+  },
+  {
+    "name": "mysql.connector.connection.MySQLConnection",
+    "sensitiveArguments": [
+      { "name": "password" },
+      { "name": "passwd" },
+      { "name": "password1" },
+      { "name": "password2" },
+      { "name": "password3" }
+    ]
+  },
+  {
+    "name": "pymysql.connections.connect",
+    "sensitiveArguments": [
+      { "name": "password" },
+      { "name": "passwd" }
+    ]
+  },
+  {
+    "name": "redis.Redis",
+    "sensitiveArguments": [
+      { "name": "password", "index": 3 },
+      { "name": "ssl_password", "index": 25 }
+    ]
+  },
+  {
+    "name": "pymongo.MongoClient",
+    "sensitiveArguments": [
+      { "name": "password" }
+    ]
+  },
+  {
+    "name": "boto3.resource",
+    "sensitiveArguments": [
+      { "name": "aws_secret_access_key" }
+    ]
+  }
+]

python-checks/src/main/resources/org/sonar/python/checks/hardcoded_credentials_call_check_meta.json

@@ -46,6 +46,43 @@ def obj_creation_hardcoded_assigned_value(password):
 def top_level_function_call():
     psycopg2cffi.connect(password="abc") # Noncompliant
 
+
+# Methods manually defined in "manual_hardcoded_credentials_call_check_meta.json"
+import psycopg
+import psycopg2
+import mysql.connector
+from mysql.connector import MySQLConnection
+import pymysql
+import redis as r
+from pymongo import MongoClient
+import boto3
+
+def manually_defined_method_calls_with_named_params():
+    psycopg.connect(password="abc") # Noncompliant
+    psycopg2.connect(password="abc") # Noncompliant
+    mysql.connector.connect(password='abc') # Noncompliant
+    mysql.connector.connect(passwd='abc') # Noncompliant
+    mysql.connector.connect(password1='abc', password2='abc', password3='abc') # Noncompliant 3
+    MySQLConnection(password='abc') # Noncompliant
+    MySQLConnection(passwd='abc') # Noncompliant
+    MySQLConnection(password1='abc', password2='abc', password3='abc') # Noncompliant 3
+    pymysql.connect(password="abc") # Noncompliant
+    pymysql.connect(passwd="abc") # Noncompliant
+    r.Redis(password="abc") # Noncompliant
+    MongoClient(password="abc") # Noncompliant
+    boto3.resource(aws_secret_access_key="abc") # Noncompliant
+
+def manually_defined_method_calls_with_positional_params():
+    r.Redis("host", "port", "db", "password") # Noncompliant
+    # The following calls are compliant because the password can't be a positional parameter
+    psycopg.connect("abc")
+    psycopg2.connect("abc")
+    mysql.connector.connect("abc")
+    MySQLConnection("abc")
+    pymysql.connect("abc")
+    MongoClient("abc")
+    boto3.resource("abc")
+
 # from S4433
 import ldap
 import os