Python Analyzer Updates - June 2021

TLDR;

  • Added autofix for 1 Security Issue.
  • Improved issue descriptions for bug-risks and security category with more context.
  • Autofix improvements.
  • Resolved false positives you reported!

Here is the detailed changelog:

New Autofix

  • PTC-W6002 - Audit required: Server hostname may not be verified

An SSL connection is vulnerable to man-in-the-middle attacks if the server hostname is not verified. The Autofix enables hostname verification when it is not enabled by default.

Before Autofix:

import ssl

context = ssl._create_stdlib_context()  # by default hostname verification is not done

After Autofix:

import ssl

context = ssl._create_stdlib_context()
context.check_hostname = True  # Explicitly set `check_hostname` to True
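To make the effect of the fix concrete, here is an added example (not part of the original changelog or DeepSource's code) that builds the "before" context, applies the same one-line fix, and audits the result. It relies only on the standard library ssl module; the helper names insecure_context, harden_context and audit_context are ours. Since Python 3.7, enabling check_hostname on a context whose verify_mode is CERT_NONE also raises verify_mode to CERT_REQUIRED, so the fixed context verifies both the certificate chain and the hostname.

```python
import ssl
from typing import List


def insecure_context() -> ssl.SSLContext:
    """The 'before' shape from the changelog: a private stdlib helper whose
    context neither checks the server hostname nor requires a certificate."""
    return ssl._create_stdlib_context()


def harden_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Apply the same change the Autofix makes: turn on hostname verification.
    Because verify_mode was CERT_NONE, Python (3.7+) promotes it to
    CERT_REQUIRED as a side effect, so the chain is validated as well."""
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Defender-side check: return the list of reasons a context would accept
    an impersonated server. An empty list means both checks are enabled."""
    findings = []
    if not ctx.check_hostname:
        findings.append("check_hostname is False: server identity is not verified")
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: certificate chain is not verified")
    return findings


if __name__ == "__main__":
    before = insecure_context()
    print("before:", audit_context(before))   # two findings
    after = harden_context(insecure_context())
    print("after: ", audit_context(after))    # no findings
    # The public constructor already produces a safe context.
    print("default:", audit_context(ssl.create_default_context()))
```

The audit helper is the check worth keeping: run it over any SSLContext an application constructs and treat a non-empty result as a finding, regardless of which helper produced the context.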

Analyzer Improvements:

  • Suppress W0612 (Unused variable found) for builtin Django error views.

Django's built-in error views like handler404 and handler500 need to comply with the specified signature: they must accept the request and exception arguments, even in cases where those arguments are not used.

DeepSource will suppress W0612 for arguments in views with names handler400, handler403, handler404, and handler500.

  • Suppress FLK-E225 (Missing whitespace around operator) when / is used to signify the end of the positional-only arguments.

When the / operator appears as a parameter in a function signature, it marks the end of the *positional-only* parameters.

In such cases, whitespace around it is not necessary.

  • Suppress PYL-E1130 (Unary operand used on an unsupported object) when the type is checked using isinstance.

if isinstance(to_negate, (int, float)):
    result = -to_negate  # Do not raise issue

  • Suppress E0237 (Assigning to an attribute not defined in class slots) when raised for flask.g function.
  • Suppress PTC-W0065 (Implicit enumerate calls found) when the iterable is not accessed inside the loop.

for i in range(len(mylist)):
    doSomething()

  • Change BAN-B608 (Risk of possible SQL injection vector through string-based query construction) to an Audit issue.
  • Improve issue description of security and bug-risk issues.
  • Change issue title of PYL-R0201 from "no use of self" to "Consider decorating method with @staticmethod".

Autofix Improvements:

  • Modify Autofix of BAN-B101 (Assert statement used outside of tests) to handle integer and await nodes.
  • Fix Autofix failure for PYL-E1141 (Missing .items()) for string prefixed with r.
  • Fix Autofix failures in PYL-R1705 (Unnecessary else / elif used after return) when nonstandard indentation is used.
  • Fix incorrect Autofix for PTC-W0015 (Unnecessary generator).