5 Python security rules added on top of new analyzer foundations

Hello Python developers,

Following the release of SonarQube 7.9 LTS and its SAST features for Java, C# and PHP, we decided that Python will be the next language to join the group.
This decision motivated us to review the foundations of our Python analyzer in order to provide more valuable rules.

Today, we are releasing a first set of 5 security rules based on these new foundations. This is the first of a long list of releases that will come in the next 6 months.
The ultimate goal is to raise the bar on Python analysis and bring it to the top level.

  • S4423: Weak SSL/TLS protocols should not be used. (Security Vulnerability)
  • S4426: Cryptographic key generation should be based on strong parameters. (Security Vulnerability)
  • S5443: Using publicly writable directories is security-sensitive. (Security Hotspot)
  • S5445: Insecure temporary file creation methods should not be used. (Security Vulnerability)
  • S5332: Clear-text protocols should not be used. (Security Hotspot)

Here are examples of these rules in action:

  • S4423: old versions of the SSL/TLS protocol such as SSLv2 have been proven insecure

  • S4426: generate RSA keys with a length of at least 2048 bits

  • S5445: a malicious user can create a file with a predictable name before the application does
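To make concrete what the analyzer is looking for in each of the five cases, here is a toy checker that flags the same patterns over a constructed Python sample. It is an added example, not SonarPython's code: it uses only the standard library `ast` module and matches syntax, whereas the real analyzer works on a semantic model. The call names and thresholds it recognises (`ssl.PROTOCOL_SSLv2` and friends, `rsa.generate_private_key`/`RSA.generate` with a 2048-bit floor, `tempfile.mktemp`, the `/tmp`-style directory list, `ftplib.FTP`/`telnetlib.Telnet` and `http://`-style URLs) are my assumptions about what the rules cover, not a list taken from the post.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

WEAK_TLS = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}  # S4423
MIN_KEY_BITS = 2048                                                                  # S4426
# Key-generation calls (assumed set): dotted name -> (keyword carrying the size, positional index or None)
KEYGEN_CALLS = {
    "rsa.generate_private_key": ("key_size", None),  # cryptography package, keyword-only
    "RSA.generate": ("bits", 0),                      # pycryptodome: RSA.generate(bits)
}
PUBLIC_DIRS = ("/tmp", "/var/tmp", "/dev/shm")          # S5443 (assumed list)
CLEARTEXT_SCHEMES = ("http://", "ftp://", "telnet://")  # S5332
CLEARTEXT_CALLS = {"ftplib.FTP", "telnetlib.Telnet"}    # S5332

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str

def dotted_name(node: ast.AST) -> Optional[str]:
    """Render an Attribute chain over a Name (`a.b.c`) as 'a.b.c'; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def int_arg(call: ast.Call, keyword: str, position: Optional[int]) -> Optional[int]:
    """Return an int literal passed by keyword or position; None if it is not a literal."""
    for kw in call.keywords:
        if kw.arg == keyword and isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, int):
            return kw.value.value
    if position is not None and len(call.args) > position:
        arg = call.args[position]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, int):
            return arg.value
    return None

class RuleVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def report(self, rule: str, node: ast.AST, message: str) -> None:
        self.findings.append(Finding(rule, node.lineno, message))

    def visit_Attribute(self, node: ast.Attribute) -> None:
        name = dotted_name(node)
        if name and name.startswith("ssl.") and name[4:] in WEAK_TLS:
            self.report("S4423", node, f"{name} selects a weak SSL/TLS protocol")
        self.generic_visit(node)  # keep descending, e.g. into a call's arguments

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        if name == "tempfile.mktemp":
            self.report("S5445", node, "mktemp() only returns a name; use mkstemp() instead")
        elif name in KEYGEN_CALLS:
            bits = int_arg(node, *KEYGEN_CALLS[name])
            if bits is not None and bits < MIN_KEY_BITS:
                self.report("S4426", node, f"{name} with a {bits}-bit key (< {MIN_KEY_BITS})")
        elif name in CLEARTEXT_CALLS:
            self.report("S5332", node, f"{name} speaks a clear-text protocol")
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        value = node.value
        if not isinstance(value, str):
            return
        if any(value == d or value.startswith(d + "/") for d in PUBLIC_DIRS):
            self.report("S5443", node, f"{value!r} lies in a publicly writable directory")
        # Loopback targets are skipped: clear-text traffic to localhost never leaves the host.
        if value.startswith(CLEARTEXT_SCHEMES) and not value.startswith(("http://localhost", "http://127.")):
            self.report("S5332", node, f"clear-text URL {value!r}")

def analyze(source: str) -> List[Finding]:
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings

# Constructed input (not real project code): lines 4-9 trip one rule each, lines 11-13 are compliant forms.
SAMPLE = '''\
import ssl, tempfile, ftplib
from cryptography.hazmat.primitives.asymmetric import rsa

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
path = tempfile.mktemp()
log = open("/tmp/app.log", "a")
conn = ftplib.FTP("ftp.example.com")
url = "http://example.com/api"

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
fd, path = tempfile.mkstemp()
'''
```

`analyze(SAMPLE)` returns six findings, one per vulnerable line, and nothing for the compliant block at the end. The compliant lines are the part worth studying: a rule is only useful if it tells the fix apart from the bug, so `ssl.PROTOCOL_TLS_CLIENT` must pass where `ssl.PROTOCOL_SSLv2` fails, and `tempfile.mkstemp()` must pass where `tempfile.mktemp()` fails, since `mkstemp()` creates the file atomically with an exclusive-create flag, which is exactly what closes the predictable-name race described for S5445.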

As a side effect of the refactoring of SonarPython, we decided to deprecate the support of XPath custom rules.
The reasons are that we don’t think it is easy to use, or actually used. This feature may be replaced by a Java API if required.
If you make intensive use of Python custom rules, please get back to us so we can discuss it.

For more information you can read the changelog.

You can already enjoy these new features on SonarCloud. As for SonarQube, this will be built into the next version (8.0); meanwhile you can get it by installing v1.15 of the Python analysis engine.

All feedback is welcome.

Cheers,
Alex
