SONARPY-4248 Add support for bandit's # nosec directive (#1183)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: 93c06d9ef7b24b76d1120bac3daeb3af937c5f24

Author: 2 people

its/plugin/it-python-plugin-test/profiles/nosonar.xml

@@ -22,5 +22,10 @@
       <key>S1309</key>
       <priority>INFO</priority>
     </rule>
+    <rule>
+      <repositoryKey>python</repositoryKey>
+      <key>S4423</key>
+      <priority>INFO</priority>
+    </rule>
   </rules>
 </profile>

its/plugin/it-python-plugin-test/projects/nosonar/nosec-project/main.py

@@ -0,0 +1,26 @@
+import ssl
+
+# Bare nosec suppresses every rule on the line (Bandit semantics).
+ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ssl.SSLContext(ssl.PROTOCOL_TLSv1)  # nosec
+
+# Scoped nosec with a Bandit ID narrows suppression to that ID; B502 has no Sonar mapping, so S4423 still fires.
+ssl.SSLContext(ssl.PROTOCOL_TLSv1)  # nosec B502 legacy peer
+
+# Selective suppression by Sonar rule key.
+ssl.SSLContext(ssl.PROTOCOL_TLSv1)  # nosec S4423
+
+# Selective suppression narrows to the listed keys; OneStatementPerLine still fires.
+ssl.SSLContext(ssl.PROTOCOL_TLSv1); ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)  # nosec S4423
+
+# Baseline: two S4423 + OneStatementPerLine all fire.
+ssl.SSLContext(ssl.PROTOCOL_TLSv1); ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
+
+# Known FN: bare nosec silences a non-security rule on the same line.
+ssl.SSLContext(ssl.PROTOCOL_TLSv1); ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)  # nosec
+
+# Trailing directive on the last statement.
+ssl.SSLContext(ssl.PROTOCOL_TLSv1)  # nosec
+
+# Selective suppression lets S4423 through
+ssl.SSLContext(ssl.PROTOCOL_TLSv1)  # nosec S1234

its/plugin/it-python-plugin-test/src/test/java/com/sonar/python/it/plugin/NoSonarTest.java

@@ -31,6 +31,7 @@ public class NoSonarTest {
   private static final String NO_SONAR_PROJECT_KEY = "nosonar";
   private static final String EXTERNAL_ISSUE_PROJECT_KEY = "external-issues";
   private static final String NOQA_PROJECT_KEY = "noqa";
+  private static final String NO_SEC_PROJECT_KEY = "nosec";
 
   private static final String PROFILE_NAME = "nosonar";
 
@@ -132,6 +133,48 @@ void test_noqa() {
         .containsIssue(22, "python:S1309").doesNotContainIssue(22, "python:PrintStatementUsage");
   }
 
+  @Test
+  void test_nosec() {
+    analyzeProject(createScanner(NO_SEC_PROJECT_KEY, "projects/nosonar/nosec-project"));
+
+    IssueListAssert.assertThat(issues(NO_SEC_PROJECT_KEY))
+        .hasSize(14)
+        // bare nosec suppresses everything on the line; S1309 still fires (whitelisted)
+        .containsIssue(4, "python:S4423")
+        .doesNotContainIssue(5, "python:S4423")
+        .containsIssue(5, "python:S1309")
+
+        // scoped bandit ID has no Sonar mapping, so S4423 still fires
+        .containsIssue(8, "python:S4423")
+        .containsIssue(8, "python:S1309")
+
+        // selective suppression by Sonar rule key
+        .doesNotContainIssue(11, "python:S4423")
+        .containsIssue(11, "python:S1309")
+
+        // selective suppression narrows to listed keys; OneStatementPerLine still fires
+        .doesNotContainIssue(14, "python:S4423")
+        .containsIssue(14, "python:OneStatementPerLine")
+        .containsIssue(14, "python:S1309")
+
+        // baseline: 2 x S4423 + OneStatementPerLine all fire
+        .containsIssue(17, "python:S4423")
+        .containsIssue(17, "python:OneStatementPerLine")
+
+        // FN: bare nosec silences a non-security rule on the same line
+        .doesNotContainIssue(20, "python:S4423")
+        .doesNotContainIssue(20, "python:OneStatementPerLine")
+        .containsIssue(20, "python:S1309")
+
+        // nosec at end of file
+        .doesNotContainIssue(23, "python:S4423")
+        .containsIssue(23, "python:S1309")
+
+        // scoped nosec with unrelated key does not suppress S4423
+        .containsIssue(26, "python:S4423")
+        .containsIssue(26, "python:S1309");
+  }
+
   private void analyzeProject(SonarScanner scanner) {
     String projectKey = scanner.getProperty("sonar.projectKey");
     ORCHESTRATOR.getServer().provisionProject(projectKey, projectKey);

python-checks/src/main/java/org/sonar/python/checks/NoQaCommentCheck.java

@@ -26,16 +26,25 @@
 @Rule(key = "S1309")
 public class NoQaCommentCheck extends PythonSubscriptionCheck {
 
-  private static final String MESSAGE = "Is #noqa used to exclude false-positive or to hide real quality flaw?";
+  private static final String NOQA_MESSAGE = "Is 'noqa' used to exclude false-positive or to hide real quality flaw?";
+  private static final String NOSEC_MESSAGE = "Is 'nosec' used to exclude false-positive or to hide real security issue?";
 
   @Override
   public void initialize(Context context) {
     context.registerSyntaxNodeConsumer(Tree.Kind.TOKEN, ctx -> {
       Token token = (Token) ctx.syntaxNode();
       for (Trivia trivia : token.trivia()) {
-        String commentLine = trivia.token().value();
-        if (NoSonarInfoParser.isValidNoQa(commentLine)) {
-          ctx.addIssue(trivia.token(), MESSAGE);
+        for (String comment : NoSonarInfoParser.splitInlineComments(trivia.token().value())) {
+          String message = null;
+          if (NoSonarInfoParser.isValidNoQa(comment)) {
+            message = NOQA_MESSAGE;
+          } else if (NoSonarInfoParser.isValidNoSec(comment)) {
+            message = NOSEC_MESSAGE;
+          }
+          if (message != null) {
+            ctx.addIssue(trivia.token(), message);
+            break;
+          }
         }
       }
     });

python-checks/src/test/resources/checks/noqaComment.py

@@ -1,5 +1,5 @@
 def divide(numerator, denominator):
-# Noncompliant@+1 {{Is #noqa used to exclude false-positive or to hide real quality flaw?}}
+# Noncompliant@+1 {{Is 'noqa' used to exclude false-positive or to hide real quality flaw?}}
     return numerator / denominator              # noqa denominator value might be 0
 #                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -30,3 +30,26 @@ def divide(numerator, denominator):
 # this is not no qa
 a = "noqa-text"
 text = "noqa is mentioned here"
+
+# --- nosec cases ---
+# S1309 is raised for both noqa and nosec suppression directives, so they share this fixture.
+
+# Noncompliant@+1 {{Is 'nosec' used to exclude false-positive or to hide real security issue?}}
+import ssl                                      # nosec
+#                                               ^^^^^^^
+
+# Noncompliant@+1
+import ssl  # nosec B101
+
+# Noncompliant@+1
+import ssl  # nosec S4423, S5332 reason text
+
+# Noncompliant@+1
+# NOSEC
+
+# a nosec just mixed in should not be detected
+
+# no sec with space should not be detected
+
+# Noncompliant@+1 {{Is 'nosec' used to exclude false-positive or to hide real security issue?}}
+# some comment followed by # nosec should be detected

python-checks/src/test/resources/checks/nosonarCommentFormat.py

@@ -40,3 +40,18 @@
 # NOSONAR(NoSonar)
 # Noncompliant@+1
 # NOSONAR(python:S1234)
+
+# nosec
+# nosec B101
+# nosec B101, B102
+# nosec B101, B102 reason text
+# nosec: S1234, S5678
+# nosec because of foo, bar, and baz
+# Noncompliant@+1
+# nosec B101,
+# Noncompliant@+1
+# nosec ,B101
+# Noncompliant@+1
+# nosec B101,,B102
+# Noncompliant@+1
+# nosec B101 reason, B102

python-commons/src/test/java/org/sonar/plugins/python/nosonar/NoSonarIssueFilterTest.java

@@ -71,4 +71,18 @@ private static Stream<Arguments> provideFilterParameters() {
       Arguments.of(Map.of(), "my_rule", 1, false, false)
     );
   }
+
+  // Known FN of `# nosec` handling: a bare `# nosec` suppresses every rule on the line, even non-security ones.
+  @ParameterizedTest
+  @MethodSource("provideNoSecFalseNegativeParameters")
+  void noSecFalseNegativeTest(Map<Integer, NoSonarLineInfo> noSonarInfos, String ruleKey, int line, boolean filterChainAcceptResult, boolean expectedResult) {
+    test(noSonarInfos, ruleKey, line, filterChainAcceptResult, expectedResult);
+  }
+
+  private static Stream<Arguments> provideNoSecFalseNegativeParameters() {
+    return Stream.of(
+      // FN: bare `# nosec` silences a non-security rule (e.g. S1481 unused local).
+      Arguments.of(Map.of(1, new NoSonarLineInfo(Set.of(), "")), "S1481", 1, true, false)
+    );
+  }
 }

python-commons/src/test/java/org/sonar/plugins/python/nosonar/NoSonarLineInfoCollectorTest.java

@@ -185,6 +185,33 @@ private static Stream<Arguments> provideCollectorParameters() {
         Set.of(1, 2, 3, 4, 5),
         "",
         ""
+      ),
+      Arguments.of("""
+          import hashlib
+          hashlib.md5(b"x").hexdigest() # nosec
+          """,
+        Map.of(2, new NoSonarLineInfo(Set.of(), "")),
+        Set.of(2),
+        "",
+        ""
+      ),
+      Arguments.of("""
+          import hashlib
+          hashlib.md5(b"x").hexdigest() # nosec B303 legacy hash
+          """,
+        Map.of(2, new NoSonarLineInfo(Set.of("B303"))),
+        Set.of(),
+        "B303",
+        "B303:"
+      ),
+      Arguments.of("""
+          import ssl
+          ssl.SSLContext(ssl.PROTOCOL_TLSv1) # nosec S4423
+          """,
+        Map.of(2, new NoSonarLineInfo(Set.of("S4423"))),
+        Set.of(),
+        "S4423",
+        "S4423:"
       )
     );
   }

python-frontend/src/main/java/org/sonar/plugins/python/api/nosonar/NoSonarInfoParser.java

@@ -33,20 +33,24 @@ public class NoSonarInfoParser {
   private static final String NOQA_PATTERN_REGEX = "^#\\s*noqa(?::\\s*(.+))?(?:[\\s;:].*)?";
   private static final String NOSONAR_PREFIX_REGEX = "^#\\s*NOSONAR(\\W.*)?";
   private static final String NOSONAR_PATTERN_REGEX = "^#\\s*NOSONAR(?:\\s*\\(([^)]*)\\))?($|\\s.*)";
+  private static final String NOSEC_PATTERN_REGEX = "(?i)^#\\s*nosec\\b[:\\s]*(.*)";
+  private static final String NOSEC_RULE_KEY_REGEX = "^[A-Za-z]\\d+$";
   private static final String RULE_KEY_PATTERN_REGEX = "^[a-zA-Z0-9]+$";
 
   private final Pattern noSonarPattern;
   private final Pattern noQaPattern;
+  private final Pattern noSecPattern;
 
   public NoSonarInfoParser() {
     noSonarPattern = Pattern.compile(NOSONAR_PATTERN_REGEX);
     noQaPattern = Pattern.compile(NOQA_PATTERN_REGEX);
+    noSecPattern = Pattern.compile(NOSEC_PATTERN_REGEX);
   }
 
   public boolean isInvalidIssueSuppressionComment(String commentsLine) {
     return splitInlineComments(commentsLine)
       .stream()
-      .anyMatch(comment -> isInvalidNoSonarComment(comment) || isInvalidNoQaComment(comment));
+      .anyMatch(comment -> isInvalidNoSonarComment(comment) || isInvalidNoQaComment(comment) || isInvalidNoSecComment(comment));
   }
 
   private boolean isInvalidNoSonarComment(String comment) {
@@ -86,6 +90,20 @@ private boolean isInvalidNoQaComment(String comment) {
     return !rules.isEmpty() && rules.stream().anyMatch(r -> r.isBlank() || r.contains(" "));
   }
 
+  private boolean isInvalidNoSecComment(String comment) {
+    if (!isValidNoSec(comment)) {
+      return false;
+    }
+    var args = getParamsString(noSecPattern, comment);
+    if (!args.contains(",")) {
+      return false;
+    }
+    var tokens = parseSuppressionRules(args);
+    // Only flag when the args look like a rule list (>=1 rule-shape token); free-form reasons with commas stay valid.
+    var ruleKeys = tokens.stream().filter(t -> t.matches(NOSEC_RULE_KEY_REGEX)).toList();
+    return !ruleKeys.isEmpty() && ruleKeys.size() != tokens.size();
+  }
+
   private static boolean isValidNoSonar(String noSonarCommentLine) {
     return noSonarCommentLine.matches(NOSONAR_PATTERN_REGEX);
   }
@@ -94,6 +112,10 @@ public static boolean isValidNoQa(String noSonarCommentLine) {
     return noSonarCommentLine.matches(NOQA_PATTERN_REGEX);
   }
 
+  public static boolean isValidNoSec(String commentLine) {
+    return commentLine.matches(NOSEC_PATTERN_REGEX);
+  }
+
   public Optional<NoSonarLineInfo> parse(String commentLine) {
     var rules = new HashSet<String>();
     StringBuilder concatenatedCommentBuilder = new StringBuilder();
@@ -132,13 +154,20 @@ private NoSonarLineInfo parseComment(String commentLine) {
         .filter(Predicate.not(String::isEmpty))
         .forEach(rules::add);
       comment = parseNoQaComment(commentLine);
+    } else if (isValidNoSec(commentLine)) {
+      var noSecRules = parseNoSecRules(commentLine);
+      if (noSecRules.isEmpty()) {
+        comment = parseNoSecComment(commentLine);
+      } else {
+        rules.addAll(noSecRules);
+      }
     } else {
       return null;
     }
     return new NoSonarLineInfo(rules, comment);
   }
 
-  private static List<String> splitInlineComments(String commentsLine) {
+  public static List<String> splitInlineComments(String commentsLine) {
     return Stream.of(commentsLine.split("#"))
       .filter(Predicate.not(String::isBlank))
       .map(s -> "#" + s)
@@ -155,7 +184,21 @@ private String parseNoSonarComment(String noSonarCommentLine) {
   }
 
   private List<String> parseNoQaRules(String noSonarCommentLine) {
-    var paramsString = getParamsString(noQaPattern, noSonarCommentLine);
+    return parseSuppressionRules(getParamsString(noQaPattern, noSonarCommentLine));
+  }
+
+  private String parseNoQaComment(String noSonarCommentLine) {
+    return getTruncatedCommentString(noQaPattern, noSonarCommentLine).strip();
+  }
+
+  private List<String> parseNoSecRules(String noSecCommentLine) {
+    return parseSuppressionRules(getParamsString(noSecPattern, noSecCommentLine))
+      .stream()
+      .filter(t -> t.matches(NOSEC_RULE_KEY_REGEX))
+      .toList();
+  }
+
+  private static List<String> parseSuppressionRules(String paramsString) {
     var paramsList = parseParamsString(paramsString).collect(Collectors.toList());
     if (!paramsList.isEmpty()) {
       // to get the last suppressed rule ID we need to split it to cut the trailing comment text.
@@ -170,8 +213,10 @@ private List<String> parseNoQaRules(String noSonarCommentLine) {
     return paramsList;
   }
 
-  private String parseNoQaComment(String noSonarCommentLine) {
-    return getTruncatedCommentString(noQaPattern, noSonarCommentLine).strip();
+  private String parseNoSecComment(String noSecCommentLine) {
+    var raw = getPatternGroup(1, noSecPattern, noSecCommentLine);
+    var truncated = raw.length() > MAX_COMMENT_LENGTH ? raw.substring(0, MAX_COMMENT_LENGTH) : raw;
+    return truncated.strip();
   }
 
   private static String getParamsString(Pattern pattern, String noSonarCommentLine) {