Code Quality and Security for Python
February 2, 2026
Python analyzer for SonarQube Server, SonarQube Cloud, and SonarQube for IDE
Sonar's integrated code quality and code security solutions help developers deliver high-quality, efficient code standards that benefit the entire team or organization.
Useful links
Building the project
Fast/minimal build
Prerequisites:
- JDK 11
- Maven 3.0.0 or newer
The easiest way to build the project is by running:
mvn clean install -P-private
This builds only the Java Maven modules, runs their tests, and installs the resulting jars in the local Maven repository. A Python interpreter is not required in that case. Typeshed stub generation is skipped by default.
Full build
Prerequisites:
- JDK 11
- Maven 3.0.0 or newer
- Python 3.9 or newer
- tox (install it with `pip install tox`)
- Run `git submodule update --init` to retrieve the Typeshed and sklearn stubs as Git submodules.
- Run the following commands to extract only the files needed from the sklearn stubs:
cd python-frontend/typeshed_serializer/resources/python-type-stubs
git sparse-checkout set stubs/sklearn
git checkout
All the above should be available in PATH.
To execute the full build just run:
mvn clean install -P-private
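As an added example (not a script from the sonar-python repository), the following POSIX shell script wraps the full-build steps above in one place and first checks that the prerequisites listed for the full build are actually present in PATH and recent enough. It assumes the Python interpreter is reachable as python3 and, because the README lists JDK 11 as the prerequisite, treats a JDK whose major version is 11 or newer as acceptable; the file name preflight.sh is hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check and full build for sonar-python.
# Not part of the project; it chains the steps documented in the README.
set -eu

# version_ge HAVE WANT: succeed when major.minor of HAVE is >= major.minor of WANT.
# A version without a dot ("4") is treated as major.0.
version_ge() {
  have_major=${1%%.*}; have_minor=0
  case $1 in *.*) have_minor=${1#*.}; have_minor=${have_minor%%.*};; esac
  want_major=${2%%.*}; want_minor=0
  case $2 in *.*) want_minor=${2#*.}; want_minor=${want_minor%%.*};; esac
  if [ "$have_major" -gt "$want_major" ]; then return 0; fi
  if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
  return 1
}

# java_major VERSION: normalise the two JDK version schemes, "1.8.0_292" -> 8, "11.0.2" -> 11.
java_major() {
  case $1 in
    1.*) v=${1#1.}; echo "${v%%.*}";;
    *)   echo "${1%%.*}";;
  esac
}

# require_cmd NAME: fail with a clear message when NAME is not in PATH.
require_cmd() {
  command -v "$1" >/dev/null 2>&1 || { echo "missing prerequisite: $1 (not in PATH)" >&2; return 1; }
}

# check_prereqs: JDK 11 (or newer, an assumption), Maven 3.0.0+, Python 3.9+, tox and git.
check_prereqs() {
  for tool in java mvn python3 tox git; do require_cmd "$tool"; done
  jv=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  [ "$(java_major "$jv")" -ge 11 ] || { echo "need JDK 11, found $jv" >&2; return 1; }
  pv=$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])')
  version_ge "$pv" 3.9 || { echo "need Python 3.9 or newer, found $pv" >&2; return 1; }
  mv=$(mvn -v 2>/dev/null | sed -n 's/^Apache Maven \([0-9.]*\).*/\1/p')
  version_ge "$mv" 3.0 || { echo "need Maven 3.0.0 or newer, found $mv" >&2; return 1; }
}

# full_build: the README's submodule, sparse-checkout and Maven steps, run from the repo root.
full_build() {
  git submodule update --init
  ( cd python-frontend/typeshed_serializer/resources/python-type-stubs &&
    git sparse-checkout set stubs/sklearn &&
    git checkout )
  mvn clean install -P-private
}

# Only perform the checks and the build when invoked as: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  check_prereqs && full_build
fi
```

The version helpers are kept separate from the commands that probe the tools so that the parsing logic can be checked without a JDK or Maven installed; the build itself only runs with the --run flag, from the repository root.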
The full build executes the Typeshed serializer script. It generates protobuf messages for Typeshed symbols (the standard Python API) and for our custom symbols (third-party Python libraries, e.g. AWS CDK). These symbols improve type inference and allow more precise rules.
Typeshed Stub Generation
By default, Maven builds skip typeshed stub generation for faster build times. The stubs are pre-generated and committed to the repository.
To regenerate typeshed stubs, use the provided Docker script:
cd python-frontend/typeshed_serializer
./build-with-docker.sh
Alternatively, you can generate stubs during a Maven build by adding the -DgenerateTypeshedStubs flag:
mvn clean install -DgenerateTypeshedStubs
Note: Stub generation requires Python 3.9+ and tox to be installed.
How to contribute
Configuration
First, please configure your IDE: https://github.com/SonarSource/sonar-developer-toolset.
Rule annotation
Each new implemented rule should have @Rule(key = "S0000") annotation on the class level.
The rule number can be found at https://sonarsource.github.io/rspec/#/rspec/?lang=python.
The key is usually generated automatically by a GitHub action in the rspec repository and must be unique across the whole project.
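To show where the annotation goes, here is the shape of a check class as an added example; it is not a rule shipped by sonar-python. The key "S0000" is the README's placeholder rather than a real rule number, the class name ExampleCheck and the flagged function (subprocess.Popen) are chosen for illustration, and the message text is made up.

```java
// Added example of a sonar-python check class; not a rule from the project.
// "S0000" is the README's placeholder key, ExampleCheck is a hypothetical name.
package org.sonar.python.checks;

import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Tree;

@Rule(key = "S0000")  // class-level annotation; the real key comes from the rspec repository
public class ExampleCheck extends PythonSubscriptionCheck {

  private static final String MESSAGE = "Make sure that spawning this process is safe here.";

  @Override
  public void initialize(Context context) {
    // Subscribe to every call expression in the analysed file.
    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, ctx -> {
      CallExpression call = (CallExpression) ctx.syntaxNode();
      // The callee symbol is null when the analyzer could not resolve the call target,
      // so the check stays silent rather than guessing.
      Symbol callee = call.calleeSymbol();
      if (callee != null && "subprocess.Popen".equals(callee.fullyQualifiedName())) {
        ctx.addIssue(call.callee(), MESSAGE);
      }
    });
  }
}
```

Matching on the resolved fully qualified name rather than on the spelled-out identifier is what makes the check robust to aliased imports (import subprocess as sp) and keeps it from firing on an unrelated local function that happens to be called Popen. A new rule is tested the same way the project's existing checks are: a Python resource file with the expected issues marked, run through the check in a unit test.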
Expectations:
- Prefix the commit message with the ticket number.
- Work on a separate branch and create a PR when the change is finished.
- Deliver clean, well-tested code; the quality gate should pass.
- Fix all issues reported by the SonarQube Next instance.
- Aim for 95% or more code coverage on new changes (where possible). Coverage can be checked on the CI build.
Before push
Please check that all files have a license header.
If any file is missing one, mvn install fails with the message "Some files do not have the expected license header".
To add the missing headers, run: mvn com.mycila:license-maven-plugin:format
License
Copyright 2011-2024 SonarSource.
SonarQube analyzers released after November 29, 2024, including patch fixes for prior versions, are published under the Sonar Source-Available License Version 1 (SSALv1).
See individual files for details that specify the license applicable to each file. Files subject to the SSALv1 will be noted in their headers.