SonarCloud false positive for pythonbugs:S2259

Tool used: SonarCloud
Language: python
Rule: pythonbugs:S2259

Below is an attempt at a small-size reproducer, but for the real thing look at the public issue on SonarCloud.

fp_2.zip (810 Bytes)

A potential null pointer dereference is reported on util.check_token_is_user(args.token), although the previously called function parse_and_check_none_token(parser) verifies that args.token is not None.

# main.py
import fp.utils as util

parser = util.set_args()
args = util.parse_and_check_none_token(parser)
util.check_token_is_user(args.token)

# fp/utils.py
import sys
import os
import argparse

def set_args():
    """Builds the argument parser with the options common to all sonar-tools scripts"""
    parser = argparse.ArgumentParser(description="False positive example")
    parser.add_argument("--token", required=False, default=os.getenv("SONAR_TOKEN", None))
    parser.add_argument("--url", required=False, default=os.getenv("SONAR_HOST_URL", "http://localhost:9000"))
    return parser

def parse_and_check_none_token(parser):
    args = parser.parse_args()
    if args.token is None:
        print("FATAL: Token missing", file=sys.stderr)
        sys.exit(1)
    return args

def check_token_is_user(token):
    if token_type(token) != "user":
        print(f"The provided token {token} is a {token_type(token)} token, a user token is required for sonar-tools")
        sys.exit(2)

def token_type(token):
    if token[0:4] == "sqa_":
        return "global-analysis"
    elif token[0:4] == "sqp_":
        return "project-analysis"
    else:
        return "user"

Hi Olivier,

Thank you for taking the time to report this false positive. Our symbolic execution engine does not yet understand sys.exit, and so it erroneously finds a path where util.check_token_is_user is called with None. We’re aware of this issue and it is a high priority.

Best,
Sylvain
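One way to sidestep the limitation described above is to make the non-None guarantee part of the value that gets passed on, rather than something the analyzer has to infer from a sys.exit() inside a helper. The following is an added example restructuring the reproducer, not code from the report, from sonar-tools or from SonarCloud; the helper names (fatal, require_token) and the choice to exit only in main are assumptions, and whether any given analyzer accepts this shape is not something the thread confirms.

```python
# Added example, not from the original report or from SonarCloud: the reproducer
# restructured so the non-None guarantee is carried by the value that is passed on,
# instead of relying on the analyzer knowing that sys.exit() never returns.
import argparse
import os
import sys
from typing import NoReturn, Optional


def fatal(msg: str, code: int) -> NoReturn:
    """Report and terminate; NoReturn tells type checkers no path continues here."""
    print(f"FATAL: {msg}", file=sys.stderr)
    sys.exit(code)


def require_token(token: Optional[str]) -> str:
    """Narrow Optional[str] to str: the None path raises, so callers only see a str."""
    if token is None:
        raise ValueError("Token missing")
    return token


def token_type(token: str) -> str:
    if token.startswith("sqa_"):
        return "global-analysis"
    if token.startswith("sqp_"):
        return "project-analysis"
    return "user"


def check_token_is_user(token: str) -> str:
    """Return the token type; reject anything but a user token without echoing the secret."""
    kind = token_type(token)
    if kind != "user":
        raise ValueError(f"a {kind} token was provided, a user token is required")
    return kind


def main(argv: Optional[list] = None) -> str:
    parser = argparse.ArgumentParser(description="False positive example")
    parser.add_argument("--token", default=os.getenv("SONAR_TOKEN"))
    parser.add_argument("--url", default=os.getenv("SONAR_HOST_URL", "http://localhost:9000"))
    args = parser.parse_args(argv)
    try:
        token = require_token(args.token)  # typed str from here on
        return check_token_is_user(token)
    except ValueError as e:
        fatal(str(e), 1)  # assumption: exiting here, not inside helpers, is acceptable
```

Unlike the reproducer, this version never prints the token itself when rejecting it, so a misconfigured run does not leak the secret into logs.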
