Click command decorator false positive

  • versions used (SonarQube, Scanner, language analyzer)

    • Community Edition Version 9.2.4 (build 50792)
    • SonarScanner 4.6.2.2472
  • minimal code sample to reproduce (with analysis parameter, and potential instructions to compile).

No error is raised for:

import click

click.Command(no_args_is_help=True)

But:

import click

@click.command(no_args_is_help=True)
def foo():
    print("hello")

Raises:

Remove this unexpected named argument ‘no_args_is_help’.
The number and name of arguments passed to a function should match its parameters.
See MITRE, CWE-628 - Function Call with Incorrectly Specified Arguments

See also:

def command(
        self, *args: t.Any, **kwargs: t.Any
    ) -> t.Callable[[t.Callable[..., t.Any]], Command]:
    """A shortcut decorator for declaring and attaching a command to
    the group. [...]
    """

Hello @sbrunato,

Thank you for reporting this false positive!

We are using Typeshed behind the scenes to resolve type information from third-party symbols, such as Click. As it happens, our Typeshed revision was a bit outdated and the stub for the function you mention was not correct.

We updated the Typeshed revision and this issue should disappear in upcoming SonarQube 9.4 (which should get released early April) and in SonarCloud in the next few weeks.

We still have an open ticket to update Typeshed further, following the removal of Pallets Project stubs (which include Click) from Typeshed and which you can follow here.

In the meantime, unfortunately the only workaround would be to either flag the issues as false positives or disable the rule.

Cheers,
Guillaume
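
How a stub-driven argument check can produce this finding, as an added example that is not SonarQube's analyzer code or part of the original thread. Both stub signatures are constructed stand-ins (the real Typeshed stub text is not shown on this page), and `unexpected_kwargs` is a hypothetical helper.

```python
import ast
import inspect

# Constructed stand-ins for two stub revisions (assumptions, not real Typeshed text).
# The outdated one enumerates keywords and lacks no_args_is_help.
def outdated_stub(name=None, cls=None, context_settings=None, help=None): ...
# The permissive one mirrors the "*args, **kwargs" shape quoted in the report.
def permissive_stub(*args, **kwargs): ...

# Constructed sample: the snippet from the report.
SAMPLE = '''
import click

@click.command(no_args_is_help=True)
def foo():
    print("hello")
'''

KEYWORD_KINDS = (inspect.Parameter.POSITIONAL_OR_KEYWORD,
                 inspect.Parameter.KEYWORD_ONLY)

def unexpected_kwargs(source, qualified_name, stub):
    """Return (line, keyword) for each named argument the stub does not declare."""
    params = inspect.signature(stub).parameters.values()
    # A **kwargs parameter in the stub accepts any keyword: nothing to report.
    if any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params):
        return []
    allowed = {p.name for p in params if p.kind in KEYWORD_KINDS}
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if ast.unparse(node.func) != qualified_name:
            continue
        for kw in node.keywords:
            if kw.arg is None:  # **mapping at the call site: not checkable statically
                continue
            if kw.arg not in allowed:
                findings.append((node.lineno, kw.arg))
    return findings

if __name__ == "__main__":
    # Same source, different stub revision, different verdict.
    print(unexpected_kwargs(SAMPLE, "click.command", outdated_stub))
    print(unexpected_kwargs(SAMPLE, "click.command", permissive_stub))
```

The runtime library never enters the check: the verdict depends only on which stub revision the analyzer bundles.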


Thanks for your reply, @Guillaume_Dequenne!
