SONARPY-2952 Rule S7493: Async functions should not contain synchronous file operations (#260)

GitOrigin-RevId: 75f49bf6cec0c954d13eebf32f484c69a5b23e6d

Author: ghislainpiot

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -356,6 +356,7 @@ public Stream<Class<?>> getChecks() {
       SklearnPipelineSpecifyMemoryArgumentCheck.class,
       SklearnPipelineParameterAreCorrectCheck.class,
       SuperfluousCurlyBraceCheck.class,
+      SynchronousFileOperationsInAsyncCheck.class,
       TempFileCreationCheck.class,
       SynchronousHttpOperationsInAsyncCheck.class,
       ImplicitlySkippedTestCheck.class,

python-checks/src/main/java/org/sonar/python/checks/SynchronousFileOperationsInAsyncCheck.java

@@ -0,0 +1,72 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.List;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+@Rule(key = "S7493")
+public class SynchronousFileOperationsInAsyncCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Use an asynchronous file API instead of synchronous %s() in this async function.";
+  private static final String SECONDARY_MESSAGE = "This function is async.";
+
+  private final TypeCheckMap<String> syncFileFunctions = new TypeCheckMap<>();
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::initializeTypeCheckMap);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpression);
+  }
+
+  private static final List<String> SYNC_FILE_FUNCTIONS = List.of(
+    "open",
+    "os.open",
+    "pathlib.Path.open",
+    "codecs.open",
+    "os.fdopen",
+    "os.popen",
+    "tempfile.TemporaryFile",
+    "tempfile.NamedTemporaryFile",
+    "tempfile.SpooledTemporaryFile",
+    "gzip.open",
+    "bz2.open",
+    "lzma.open");
+
+  private void initializeTypeCheckMap(SubscriptionContext context) {
+    SYNC_FILE_FUNCTIONS.forEach(fqn -> syncFileFunctions.put(context.typeChecker().typeCheckBuilder().isTypeOrInstanceWithName(fqn), fqn));
+  }
+
+  private void checkCallExpression(SubscriptionContext ctx) {
+    CallExpression callExpression = (CallExpression) ctx.syntaxNode();
+    var asyncToken = TreeUtils.asyncTokenOfEnclosingFunction(callExpression).orElse(null);
+    if (asyncToken == null) {
+      return;
+    }
+    syncFileFunctions.getOptionalForType(callExpression.callee().typeV2()).ifPresent(
+      functionName ->
+        ctx.addIssue(callExpression, String.format(MESSAGE, functionName))
+        .secondary(asyncToken, SECONDARY_MESSAGE));
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7493.html

@@ -0,0 +1,88 @@
+<p>This rule raises an issue when synchronous file operations like <code>open()</code> are used within asynchronous functions.</p>
+<h2>Why is this an issue?</h2>
+<p>Using synchronous file operations like <code>open()</code> in asynchronous code blocks the entire event loop. This undermines the primary advantage
+of asynchronous programming - the ability to perform concurrent operations without blocking execution.</p>
+<p>When an async function makes a synchronous file operation:</p>
+<ul>
+  <li> The event loop is completely blocked until the file I/O operation completes </li>
+  <li> No other coroutines can run during this time, even if they’re ready to execute </li>
+  <li> The responsiveness of the application is degraded </li>
+  <li> In server applications, this can cause timeouts or failures for other concurrent requests </li>
+</ul>
+<p>Instead, async libraries provide mechanisms to handle file operations asynchronously:</p>
+<ul>
+  <li> <code>aiofiles</code> library for asyncio </li>
+  <li> <code>trio.open_file()</code> for Trio </li>
+  <li> <code>anyio.open_file()</code> for AnyIO </li>
+</ul>
+<p>Using these constructs allows other tasks to continue executing while waiting for the potentially blocking file operation to complete.</p>
+<h2>How to fix it in Asyncio</h2>
+<p>The standard library’s <code>asyncio</code> package doesn’t provide built-in asynchronous file I/O operations. Use the <code>aiofiles</code>
+library to handle file operations asynchronously.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+async def read_config():
+    with open("config.json", "r") as file:  # Noncompliant
+        data = file.read()
+    return data
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import aiofiles
+
+async def read_config():
+    async with aiofiles.open("config.json", "r") as file: # Compliant
+        data = await file.read()
+    return data
+</pre>
+<h2>How to fix it in Trio</h2>
+<p>Use <code>trio.open_file()</code> to handle file operations asynchronously.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+async def read_config():
+    with open("config.json", "r") as file:  # Noncompliant
+        data = file.read()
+    return data
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+import trio
+
+async def read_config():
+    async with await trio.open_file("config.json", "r") as file: # Compliant
+        data = await file.read()
+    return data
+</pre>
+<h2>How to fix it in AnyIO</h2>
+<p>Use <code>anyio.open_file()</code> to handle file operations asynchronously.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+async def read_config():
+    with open("config.json", "r") as file:  # Noncompliant
+        data = file.read()
+    return data
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+import anyio
+
+async def read_config():
+    async with await anyio.open_file("config.json", "r") as file: # Compliant
+        data = await file.read()
+    return data
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> Trio - <a href="https://trio.readthedocs.io/en/stable/reference-io.html#trio.open_file">trio.open_file() documentation</a> </li>
+  <li> AnyIO - <a href="https://anyio.readthedocs.io/en/stable/fileio.html">File I/O in AnyIO</a> </li>
+  <li> Aiofiles - <a href="https://github.com/Tinche/aiofiles">aiofiles project</a> </li>
+</ul>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> Python - <a href="https://realpython.com/async-io-python/">Async IO in Python</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7493.json

@@ -0,0 +1,26 @@
+{
+  "title": "Async functions should not contain synchronous file operations",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "async",
+    "asyncio",
+    "anyio",
+    "trio"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7493",
+  "sqKey": "S7493",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "EFFICIENT"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -256,10 +256,8 @@
     "S6985",
     "S7483",
     "S7488",
-    "S7488",
     "S7491",
-    "S7483",
-    "S7488",
+    "S7493",
     "S7499",
     "S7501"
   ]

python-checks/src/test/java/org/sonar/python/checks/SynchronousFileOperationsInAsyncCheckTest.java

@@ -0,0 +1,30 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class SynchronousFileOperationsInAsyncCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/synchronousFileOperationsInAsync.py", new SynchronousFileOperationsInAsyncCheck());
+  }
+
+}