SONARPY-2817 Cache the result of resource loading in checks (#225)

ghislainpiot · sonartech · commit c5a5c82711c5 · 2025-04-28T13:20:48.000Z
GitOrigin-RevId: 6f8ab7b3193267443bcc2f725915b7b7e683ee82
diff --git a/python-checks/src/main/java/org/sonar/python/checks/HardcodedCredentialsCallCheck.java b/python-checks/src/main/java/org/sonar/python/checks/HardcodedCredentialsCallCheck.java
@@ -23,6 +23,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
@@ -161,15 +162,16 @@ private static class CredentialMethodsLoader {
     private static final String CHECKS_DIR = "/org/sonar/python/checks";
     private static final String GENERATED_METHODS_RESOURCE_PATH = CHECKS_DIR + "/generated_hardcoded_credentials_call_check_meta.json";
     private static final String MANUAL_METHODS_RESOURCE_PATH = CHECKS_DIR + "/manual_hardcoded_credentials_call_check_meta.json";
+    private static final Map<String, CredentialMethod[]> CACHED_METHODS = new ConcurrentHashMap<>();
     private final Gson gson;
 
     private CredentialMethodsLoader() {
       gson = new Gson();
     }
 
     private Map<String, CredentialMethod> load() {
-      var generatedCredentialMethods = loadMethodsFromResource(GENERATED_METHODS_RESOURCE_PATH);
-      var manualCredentialMethods = loadMethodsFromResource(MANUAL_METHODS_RESOURCE_PATH);
+      var generatedCredentialMethods = CACHED_METHODS.computeIfAbsent(GENERATED_METHODS_RESOURCE_PATH, this::loadMethodsFromResource);
+      var manualCredentialMethods = CACHED_METHODS.computeIfAbsent(MANUAL_METHODS_RESOURCE_PATH, this::loadMethodsFromResource);
       return Stream.concat(Stream.of(generatedCredentialMethods), Stream.of(manualCredentialMethods))
         .collect(Collectors.toMap(CredentialMethod::name, Function.identity())); // Will throw an exception if there are duplicates
     }
diff --git a/python-checks/src/main/java/org/sonar/python/checks/cdk/ResourceAccessPolicyCheck.java b/python-checks/src/main/java/org/sonar/python/checks/cdk/ResourceAccessPolicyCheck.java
@@ -22,11 +22,12 @@
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Predicate;
 import javax.annotation.Nullable;
 import org.slf4j.Logger;
@@ -44,26 +45,31 @@ public class ResourceAccessPolicyCheck extends AbstractIamPolicyStatementCheck {
   private static final Logger LOG = LoggerFactory.getLogger(ResourceAccessPolicyCheck.class);
   private static final String MESSAGE = "Make sure granting access to all resources is safe here.";
   private static final String SECONDARY_MESSAGE = "Related effect";
+  private static final Map<String, Set<String>> CACHED_RESOURCES = new ConcurrentHashMap<>();
   // visible for testing
   String resourceNameSensitiveAwsActions = "ResourceAccessPolicyCheck.txt";
   private Set<String> sensitiveAwsActions = null;
 
   void init() {
-    try {
-      sensitiveAwsActions = new HashSet<>(loadResource(resourceNameSensitiveAwsActions));
-    } catch (IOException e) {
-      sensitiveAwsActions = Collections.emptySet();
-      LOG.error("Couldn't load resource '" + resourceNameSensitiveAwsActions + "', rule [S6304] ResourceAccessPolicyCheck will be disabled.", e);
-    }
-  }
+    sensitiveAwsActions = CACHED_RESOURCES.computeIfAbsent(resourceNameSensitiveAwsActions, ResourceAccessPolicyCheck::loadResourceWrapper);
 
+  }
   @Override
   public void initialize(SubscriptionCheck.Context context) {
     super.initialize(context);
     init();
   }
 
-  private static List<String> loadResource(String resourceName) throws IOException {
+  private static Set<String> loadResourceWrapper(String resourceName) {
+    try {
+      return loadResource(resourceName);
+    } catch (IOException e) {
+      LOG.error("Couldn't load resource '{}', rule [S6304] ResourceAccessPolicyCheck will be disabled.", resourceName, e);
+      return Set.of();
+    }
+  }
+
+  private static Set<String> loadResource(String resourceName) throws IOException {
     try (InputStream is = ResourceAccessPolicyCheck.class.getResourceAsStream(resourceName)) {
       if (is == null) {
         throw new IOException("Cannot find resource file '" + resourceName + "'");
@@ -75,7 +81,7 @@ private static List<String> loadResource(String resourceName) throws IOException
         while((line = br.readLine()) != null) {
           result.add(line);
         }
-        return result;
+        return new HashSet<>(result);
       }
     }
   }
