SONARPY-4109 Implement S8685 Function calls should not be used as default values in dataclass attributes (#1071)

GitOrigin-RevId: c50f02aec7cc528ce74f47465ab571ef44bb8b02

Author: guillaume-dequenne

python-checks/src/main/java/org/sonar/python/checks/DataClassFunctionCallDefaultCheck.java

@@ -0,0 +1,224 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * You can redistribute and/or modify this program under the terms of
+ * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.Set;
+import java.util.stream.Stream;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.AnnotatedAssignment;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.ClassDef;
+import org.sonar.plugins.python.api.tree.Decorator;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.SubscriptionExpression;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.TypeAnnotation;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatcher;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S8685")
+public class DataClassFunctionCallDefaultCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Use \"field(default_factory=...)\" instead of a function call as a default value.";
+  private static final String DEFAULT_KEYWORD = "default";
+
+  private static final TypeMatcher IS_DATACLASS_DECORATOR = TypeMatchers.isType("dataclasses.dataclass");
+  private static final TypeMatcher IS_DATACLASSES_FIELD = TypeMatchers.isType("dataclasses.field");
+  private static final TypeMatcher IS_CLASS_VAR = TypeMatchers.isType("typing.ClassVar");
+
+  // Allowlist of callables whose result should be re-evaluated per dataclass instance.
+  // Calls to anything outside this list are assumed safe (e.g. user-defined helpers, frozen-dataclass
+  // constructors, wrappers around dataclasses.field(default_factory=...)) — we prefer FNs over FPs here.
+  //
+  // NOTE: random.* top-level functions are intentionally absent. In typeshed they are aliased from a
+  // module-level Random() instance (`randint = _inst.randint`, ...) and the V2 typeshed serializer
+  // flattens the bound-method type to CallableType[builtins.function], so isType("random.randint")
+  // resolves through Unknown. They are matched separately below via the random module qualifier.
+  private static final TypeMatcher IS_PROBLEMATIC_FACTORY = TypeMatchers.any(Stream.of(
+    // Current time / clock readings
+    "datetime.datetime.now",
+    "datetime.datetime.utcnow",
+    "datetime.datetime.today",
+    "datetime.datetime.fromtimestamp",
+    "datetime.datetime.utcfromtimestamp",
+    "datetime.date.today",
+    "datetime.date.fromtimestamp",
+    "time.time",
+    "time.time_ns",
+    "time.monotonic",
+    "time.monotonic_ns",
+    "time.perf_counter",
+    "time.perf_counter_ns",
+    "time.process_time",
+    "time.process_time_ns",
+    "time.localtime",
+    "time.gmtime",
+    // UUIDs
+    "uuid.uuid1",
+    "uuid.uuid3",
+    "uuid.uuid4",
+    "uuid.uuid5",
+    // Secrets
+    "secrets.token_hex",
+    "secrets.token_bytes",
+    "secrets.token_urlsafe",
+    "secrets.choice",
+    "secrets.randbelow",
+    "secrets.randbits",
+    // OS randomness
+    "os.urandom",
+    // Mutable container constructors — shared across all instances otherwise
+    "builtins.list",
+    "builtins.dict",
+    "builtins.set",
+    "builtins.bytearray",
+    "collections.defaultdict",
+    "collections.OrderedDict",
+    "collections.Counter",
+    "collections.deque").map(TypeMatchers::isType));
+
+  // The random module type itself is known, even though its top-level function members all resolve
+  // to Unknown (see NOTE on IS_PROBLEMATIC_FACTORY). We match `<random>.<name>` syntactically.
+  private static final TypeMatcher IS_RANDOM_MODULE = TypeMatchers.isType("random");
+
+  private static final Set<String> RANDOM_PROBLEMATIC_FUNCTION_NAMES = Set.of(
+    "random",
+    "randint",
+    "randrange",
+    "choice",
+    "choices",
+    "sample",
+    "uniform",
+    "gauss",
+    "normalvariate",
+    "triangular",
+    "betavariate",
+    "expovariate",
+    "gammavariate",
+    "lognormvariate",
+    "paretovariate",
+    "vonmisesvariate",
+    "weibullvariate",
+    "getrandbits",
+    "randbytes");
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.CLASSDEF, DataClassFunctionCallDefaultCheck::checkClassDef);
+  }
+
+  private static void checkClassDef(SubscriptionContext ctx) {
+    ClassDef classDef = (ClassDef) ctx.syntaxNode();
+    if (!isDataclass(classDef, ctx)) {
+      return;
+    }
+    classDef.body().statements().stream()
+      .flatMap(TreeUtils.toStreamInstanceOfMapper(AnnotatedAssignment.class))
+      .forEach(annotatedAssignment -> checkField(ctx, annotatedAssignment));
+  }
+
+  private static boolean isDataclass(ClassDef classDef, SubscriptionContext ctx) {
+    for (Decorator decorator : classDef.decorators()) {
+      Expression decoratorExpr = getDecoratorFunctionExpression(decorator);
+      if (IS_DATACLASS_DECORATOR.isTrueFor(decoratorExpr, ctx)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  private static Expression getDecoratorFunctionExpression(Decorator decorator) {
+    Expression expr = decorator.expression();
+    if (expr instanceof CallExpression callExpr) {
+      return callExpr.callee();
+    }
+    return expr;
+  }
+
+  private static void checkField(SubscriptionContext ctx, AnnotatedAssignment annotatedAssignment) {
+    Expression assignedValue = annotatedAssignment.assignedValue();
+    if (assignedValue == null || isClassVar(annotatedAssignment.annotation(), ctx)) {
+      return;
+    }
+    if (isMutableLiteral(assignedValue)) {
+      ctx.addIssue(assignedValue, MESSAGE);
+      return;
+    }
+    if (assignedValue instanceof CallExpression callExpression) {
+      Tree problematic = problematicCall(callExpression, ctx);
+      if (problematic != null) {
+        ctx.addIssue(problematic, MESSAGE);
+      }
+    }
+  }
+
+  private static boolean isMutableLiteral(Expression expression) {
+    return expression.is(Tree.Kind.LIST_LITERAL, Tree.Kind.DICTIONARY_LITERAL, Tree.Kind.SET_LITERAL);
+  }
+
+  // Returns the expression to flag, or null. Handles all of:
+  //   x: T = datetime.now()                       -> the outer call
+  //   x: T = field(default=datetime.now())        -> the inner default argument
+  //   x: T = field(default=[])                    -> the inner mutable literal
+  private static Tree problematicCall(CallExpression callExpression, SubscriptionContext ctx) {
+    if (isProblematicFactoryCall(callExpression, ctx)) {
+      return callExpression;
+    }
+    if (IS_DATACLASSES_FIELD.isTrueFor(callExpression.callee(), ctx)) {
+      RegularArgument defaultArg = TreeUtils.argumentByKeyword(DEFAULT_KEYWORD, callExpression.arguments());
+      if (defaultArg != null) {
+        Expression defaultExpr = defaultArg.expression();
+        if (isMutableLiteral(defaultExpr)) {
+          return defaultExpr;
+        }
+        if (defaultExpr instanceof CallExpression innerCall && isProblematicFactoryCall(innerCall, ctx)) {
+          return innerCall;
+        }
+      }
+    }
+    return null;
+  }
+
+  private static boolean isProblematicFactoryCall(CallExpression callExpression, SubscriptionContext ctx) {
+    Expression callee = callExpression.callee();
+    return IS_PROBLEMATIC_FACTORY.isTrueFor(callee, ctx) || isRandomModuleFunctionCall(callee, ctx);
+  }
+
+  // Workaround for the random.* alias gap in the V2 typeshed serializer (see NOTE on
+  // IS_PROBLEMATIC_FACTORY): the random module type itself is known, so we recognise
+  // a problematic call by checking the qualifier's type and the syntactic name.
+  private static boolean isRandomModuleFunctionCall(Expression callee, SubscriptionContext ctx) {
+    if (!(callee instanceof QualifiedExpression qualifiedExpression)) {
+      return false;
+    }
+    return RANDOM_PROBLEMATIC_FUNCTION_NAMES.contains(qualifiedExpression.name().name())
+      && IS_RANDOM_MODULE.isTrueFor(qualifiedExpression.qualifier(), ctx);
+  }
+
+  private static boolean isClassVar(TypeAnnotation annotation, SubscriptionContext ctx) {
+    Expression annotationExpr = annotation.expression();
+    if (annotationExpr instanceof SubscriptionExpression subscriptionExpr) {
+      return IS_CLASS_VAR.isTrueFor(subscriptionExpr.object(), ctx);
+    }
+    return IS_CLASS_VAR.isTrueFor(annotationExpr, ctx);
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -181,6 +181,7 @@ public Stream<Class<?>> getChecks() {
       CorsCheck.class,
       CorsMiddlewareOrderingCheck.class,
       CsrfDisabledCheck.class,
+      DataClassFunctionCallDefaultCheck.class,
       DataClassOnEnumCheck.class,
       DataclassFieldDefinitionCheck.class,
       DataEncryptionCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8685.html

@@ -0,0 +1,72 @@
+<p>Using a mutable or stateful value as a default for a dataclass attribute is rarely what developers intend. The value is evaluated only once, when
+the class is defined, so every instance shares the same object.</p>
+<h2>Why is this an issue?</h2>
+<p>Default values for dataclass attributes are evaluated once when the class is defined, not each time an instance is created. This is a fundamental
+aspect of how Python evaluates default values.</p>
+<p>When the default is produced by calling a function such as <code>datetime.now()</code> or <code>uuid.uuid4()</code>, or by a mutable container like
+<code>[]</code> or <code>list()</code>, the value is computed once and reused across every instance of the dataclass. Every instance therefore ends up
+with the same object.</p>
+<pre>
+@dataclass
+class Event:
+    timestamp: datetime = datetime.now()  # Noncompliant
+    tags: list = []  # Noncompliant
+
+event1 = Event()
+event2 = Event()
+event1.tags.append("x")
+# event2.tags is also ["x"] — tags is the same list object.
+# event1.timestamp and event2.timestamp are both the class-definition time.
+</pre>
+<p>In this example, <code>event1</code> and <code>event2</code> share the same <code>tags</code> list and the same timestamp.</p>
+<h3>What is the potential impact?</h3>
+<p>Using such defaults can cause reliability issues:</p>
+<ul>
+  <li><strong>Broken uniqueness</strong>: attributes meant to be unique per instance, such as UUIDs or timestamps, become identical across all
+  instances.</li>
+  <li><strong>State sharing bugs</strong>: mutating the default through one instance silently affects every other instance and every instance created
+  in the future.</li>
+  <li><strong>Incorrect business logic</strong>: time-sensitive operations use a stale timestamp captured at class definition, which leads to
+  incorrect ordering, expiration, or logging.</li>
+  <li><strong>Hard-to-diagnose bugs</strong>: the issue may not be visible in short-lived tests, but appears in production where instances are created
+  over a longer period of time or mutate their state.</li>
+</ul>
+<h2>How to fix it</h2>
+<p>Use <code>field(default_factory=…​)</code> instead. The <code>default_factory</code> parameter accepts a callable, without parentheses, that is
+invoked each time a new instance is created, so each instance receives a fresh value.</p>
+<p>The <code>default_factory</code> expects a callable with no arguments. If the function requires arguments, wrap it in a <code>lambda</code> or use
+<code>functools.partial</code>.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+@dataclass
+class Event:
+    timestamp: datetime = datetime.now()  # Noncompliant
+    event_id: uuid.UUID = uuid.uuid4()  # Noncompliant
+    tags: list = []  # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+from dataclasses import dataclass, field
+
+@dataclass
+class Event:
+    timestamp: datetime = field(default_factory=datetime.now)
+    event_id: uuid.UUID = field(default_factory=uuid.uuid4)
+    tags: list = field(default_factory=list)
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li>Python dataclasses documentation - <a href="https://docs.python.org/3/library/dataclasses.html">Official Python documentation for the
+  dataclasses module</a></li>
+  <li>Python dataclasses - default_factory - <a href="https://docs.python.org/3/library/dataclasses.html#dataclasses.field">Documentation on the
+  field() function and default_factory parameter</a></li>
+  <li>Ruff RUF009 - <a href="https://docs.astral.sh/ruff/rules/function-call-in-dataclass-default-argument/">Ruff’s documentation for rule
+  RUF009</a></li>
+</ul>
+<h3>Related rules</h3>
+<ul>
+  <li>{rule:python:S6891} - Mutable objects should not be used as default parameter values</li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8685.json

@@ -0,0 +1,24 @@
+{
+  "title": "Mutable or stateful values should not be used as default values in dataclass attributes",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "dataclass",
+    "pitfall"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-8685",
+  "sqKey": "S8685",
+  "scope": "Main",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "LOGICAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -346,6 +346,7 @@
     "S8520",
     "S8521",
     "S8554",
-    "S8572"
+    "S8572",
+    "S8685"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/DataClassFunctionCallDefaultCheckTest.java

@@ -0,0 +1,28 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * You can redistribute and/or modify this program under the terms of
+ * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class DataClassFunctionCallDefaultCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/dataClassFunctionCallDefault.py", new DataClassFunctionCallDefaultCheck());
+  }
+}