SonarCloud false positive for pythonbugs:S2259

Tool used: SonarCloud
Language: python
Rule: pythonbugs:S2259

The below is an attempt at a small-size reproducer, but for the real stuff look at the public issue on SonarCloud

fp_2.zip (810 Bytes)

A potential null pointer dereference is reported on util.check_token_is_user(args.token), although the previously called function parse_and_check_none_token(parser) verifies that args.token is not None.

# main.py
import fp.utils as util

parser = util.set_args()
args = util.parse_and_check_none_token(parser)
util.check_token_is_user(args.token)

# fp/utils.py
import sys
import os
import argparse

def set_args():
    """Parses options common to all sonar-tools scripts"""
    parser = argparse.ArgumentParser(description="False positive example")
    parser.add_argument("--token", required=False, default=os.getenv("SONAR_TOKEN", None))
    parser.add_argument("--url", required=False, default=os.getenv("SONAR_HOST_URL", "http://localhost:9000"))
    return parser

def parse_and_check_none_token(parser):
    args = parser.parse_args()
    if args.token is None:
        print("FATAL: Token missing", file=sys.stderr)
        sys.exit(1)
    return args

def check_token_is_user(token):
    if token_type(token) != "user":
        print(f"The provided token {token} is a {token_type(token)} token, a user token is required for sonar-tools")
        sys.exit(2)

def token_type(token):
    if token[0:4] == "sqa_":
        return "global-analysis"
    elif token[0:4] == "sqp_":
        return "project-analysis"
    else:
        return "user"
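As an added example (not the reproducer above, and not a statement about what SonarCloud's engine does or does not model): the same checks restructured so that the None guard and the value it narrows sit in one helper that returns a plain str. A later dereference then no longer depends on a flow analysis knowing that sys.exit() never returns. The helper names require_token and require_user_token are invented for this example, and argv is passed explicitly so it runs offline.

```python
import argparse
import os
import sys
from typing import List, Optional


def set_args() -> argparse.ArgumentParser:
    """Same options as the reproducer."""
    parser = argparse.ArgumentParser(description="False positive example, restructured")
    parser.add_argument("--token", required=False, default=os.getenv("SONAR_TOKEN", None))
    parser.add_argument("--url", required=False, default=os.getenv("SONAR_HOST_URL", "http://localhost:9000"))
    return parser


def token_type(token: str) -> str:
    # Same classification as the reproducer, but on a value already known to be a str.
    if token.startswith("sqa_"):
        return "global-analysis"
    if token.startswith("sqp_"):
        return "project-analysis"
    return "user"


def require_token(token: Optional[str]) -> str:
    # Guard and narrowed value live together: the caller receives a str, never
    # an Optional, so nothing downstream relies on sys.exit() being modelled.
    if token is None:
        print("FATAL: Token missing", file=sys.stderr)
        raise SystemExit(1)
    return token


def require_user_token(argv: List[str]) -> str:
    """Parse argv (explicit, so this runs offline) and return a validated user token."""
    args = set_args().parse_args(argv)
    token = require_token(args.token)
    kind = token_type(token)
    if kind != "user":
        print(f"The provided token is a {kind} token, a user token is required", file=sys.stderr)
        raise SystemExit(2)
    return token


if __name__ == "__main__":
    print(require_user_token(sys.argv[1:]))
```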

Hi Olivier,

Thank you for taking the time to report this false positive. Our symbolic execution engine does not yet understand sys.exit, and so it erroneously finds a path where util.check_token_is_user is called with None. We’re aware of this issue and it is a high priority.

Best,
Sylvain


Hi Olivier,

This problem has been fixed and you should not see the issue anymore on SonarCloud. Let me know if this is not the case.

Best,
Sylvain
