SONARPY-3087 Create rule S7632: Warn the user if the syntax of NOSONAR(SXXXX) isn't valid (#383)

GitOrigin-RevId: 1876d3c30e6ab8805a3bffc079d35c60c92529d9

Author: maksim-grebeniuk-sonarsource

python-checks/src/main/java/org/sonar/python/checks/NoSonarCommentFormatCheck.java

@@ -0,0 +1,49 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.nosonar.NoSonarInfoParser;
+import org.sonar.plugins.python.api.tree.Token;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.Trivia;
+
+@Rule(key = "S7632")
+public class NoSonarCommentFormatCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Fix the syntax of this issue suppression comment.";
+  private final NoSonarInfoParser parser;
+
+  public NoSonarCommentFormatCheck() {
+    parser = new NoSonarInfoParser();
+  }
+
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.TOKEN, ctx -> {
+      Token token = (Token) ctx.syntaxNode();
+      for (Trivia trivia : token.trivia()) {
+        if (parser.isInvalidIssueSuppressionComment(trivia.token().value())) {
+          ctx.addIssue(trivia.token(), MESSAGE);
+        }
+      }
+    });
+  }
+}
+

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -294,6 +294,7 @@ public Stream<Class<?>> getChecks() {
       NoPersonReferenceInTodoCheck.class,
       NoReRaiseInExitCheck.class,
       NoSonarCommentCheck.class,
+      NoSonarCommentFormatCheck.class,
       NotDiscoverableTestMethodCheck.class,
       NotImplementedErrorInOperatorMethodsCheck.class,
       NumpyWeekMaskValidationCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7632.html

@@ -0,0 +1,47 @@
+<p>This rule raises an issue when issue suppression comments have an incorrect format or syntax.</p>
+<h2>Why is this an issue?</h2>
+<p>Issue suppression comments like <code># NOSONAR</code> and <code># noqa</code> are essential tools for controlling code analysis. When these
+comments have incorrect syntax, they may not work as expected, leading to confusion about which issues are actually suppressed.</p>
+<p>Python code analysis supports two main suppression formats: - <code># NOSONAR</code> - SonarQube’s suppression comment - <code># noqa</code> -
+Python’s standard "no quality assurance" comment</p>
+<p>Each format has specific syntax rules. When these rules are violated, the suppression might fail silently or behave unexpectedly, making it unclear
+whether issues are intentionally ignored or accidentally unsuppressed.</p>
+<h3>What is the potential impact?</h3>
+<p>Incorrectly formatted suppression comments can lead to unintended code analysis behavior. Issues that developers think are suppressed might still
+be reported, while malformed syntax might cause the analyzer to ignore more issues than intended. This creates confusion during code review and
+reduces confidence in the analysis results.</p>
+<h2>How to fix it</h2>
+<p>Fix the syntax of issue suppression comments to follow the correct format.</p>
+<p>For <code># NOSONAR</code>: - Use <code># NOSONAR</code> alone to suppress all issues on the line - Use <code># NOSONAR()</code> with empty
+parentheses to suppress all issues - Use <code># NOSONAR(rule1, rule2)</code> to suppress specific rules - Don’t use redundant commas in the
+parentheses, e.g. <code># NOSONAR(,)</code> - Close all parentheses properly</p>
+<p>For <code># noqa</code>: - Use <code># noqa</code> alone to suppress all issues on the line - Use <code># noqa: rule1,rule2</code> to suppress
+specific rules (with or without spaces after colon) - Don’t use redundant commas in the comma-separated lists, e.g. <code># noqa: ,rule1</code> -
+Don’t forget the colon (<code>:</code>) between <code>noqa</code> and the rule ID, and don’t use other punctuation</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+def example():
+    x = 1  # NOSONAR(  # Noncompliant
+    y = 2  # NOSONAR(a,)  # Noncompliant
+    z = 3  # NOSONAR)(  # Noncompliant
+    a = 4  # noqa: ,rule1  # Noncompliant
+    b = 5  # noqa- rule1,rule2  # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+def example():
+    x = 1  # NOSONAR
+    y = 2  # NOSONAR(a)
+    z = 3  # NOSONAR
+    a = 4  # noqa: rule1
+    b = 5  # noqa: rule1,rule2
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> SonarQube documentation - <a href="https://docs.sonarqube.org/latest/user-guide/issues/#header-4">Managing your code issues</a> </li>
+  <li> Flake8 documentation - <a href="https://flake8.pycqa.org/en/latest/user/violations.html#in-line-ignoring-errors">In-line Ignoring Errors</a>
+  </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7632.json

@@ -0,0 +1,21 @@
+{
+  "title": "Issue suppression comment should have the correct format",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "1min"
+  },
+  "tags": [],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7632",
+  "sqKey": "S7632",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -286,6 +286,7 @@
     "S7515",
     "S7516",
     "S7517",
-    "S7519"
+    "S7519",
+    "S7632"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/NoSonarCommentFormatCheckTest.java

@@ -0,0 +1,29 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class NoSonarCommentFormatCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/nosonarCommentFormat.py", new NoSonarCommentFormatCheck());
+  }
+
+}

python-checks/src/test/resources/checks/nosonarCommentFormat.py

@@ -0,0 +1,31 @@
+
+# NOSONAR
+# NOSONAR()
+# NOSONAR(a, b)
+# NOSONAR with some text
+# NOSONAR() with some text
+# NOSONAR(a, b) with some text
+# NOSONAR ()
+# NOSONARa
+# noqa
+# noqa: a,b
+# noqa: a, b
+
+# Noncompliant@+1
+# NOSONAR(
+# Noncompliant@+1
+# NOSONAR)
+# Noncompliant@+1
+# NOSONAR)(
+# Noncompliant@+1
+# NOSONAR(,)
+# Noncompliant@+1
+# NOSONAR(a,)
+# Noncompliant@+1
+# NOSONAR(a (b))
+# Noncompliant@+1
+# noqa: a,,c
+# Noncompliant@+1
+# noqa: a,c,
+# Noncompliant@+1
+# noqa: a, some text

python-commons/src/test/java/org/sonar/plugins/python/nosonar/NoSonarLineInfoCollectorTest.java

@@ -105,19 +105,24 @@ private static Stream<Arguments> provideCollectorParameters() {
         ""
       ),
       Arguments.of("# noqa: some text",
-        Map.of(1, new NoSonarLineInfo(Set.of("some"))),
+        Map.of(1, new NoSonarLineInfo(Set.of("some text"))),
         Set.of(),
-        "some"
+        "some text"
       ),
       Arguments.of("# noqa: a,b",
         Map.of(1, new NoSonarLineInfo(Set.of("a", "b"))),
         Set.of(),
         "a,b"
       ),
       Arguments.of("# noqa: a, b",
-        Map.of(1, new NoSonarLineInfo(Set.of("a"))),
+        Map.of(1, new NoSonarLineInfo(Set.of("a", "b"))),
+        Set.of(),
+        "a,b"
+      ),
+      Arguments.of("# noqa: a, b # Some text",
+        Map.of(1, new NoSonarLineInfo(Set.of("a", "b"))),
         Set.of(),
-        "a"
+        "a,b"
       ),
       Arguments.of("""
           ""\"

python-frontend/src/main/java/org/sonar/plugins/python/api/nosonar/NoSonarInfoParser.java

@@ -17,6 +17,7 @@
 package org.sonar.plugins.python.api.nosonar;
 
 import java.util.HashSet;
+import java.util.List;
 import java.util.Optional;
 import java.util.function.Predicate;
 import java.util.regex.Matcher;
@@ -27,7 +28,9 @@
 
 public class NoSonarInfoParser {
 
-  private static final String NOQA_PATTERN_REGEX = "^#\\s*noqa(?::\\s*([^\\s]+))?($|\\s.*)";
+  private static final String NOQA_PREFIX_REGEX = "#\\s*noqa([\\s:].*)?";
+  private static final String NOQA_PATTERN_REGEX = "^#\\s*noqa(?::\\s*(.+))?.*";
+  private static final String NOSONAR_PREFIX_REGEX = "^#\\s*NOSONAR(\\W.*)?";
   private static final String NOSONAR_PATTERN_REGEX = "^#\\s*NOSONAR(?:\\s*\\(([^)]*)\\))?($|\\s.*)";
 
   private final Pattern noSonarPattern;
@@ -38,6 +41,34 @@ public NoSonarInfoParser() {
     noQaPattern = Pattern.compile(NOQA_PATTERN_REGEX);
   }
 
+  public boolean isInvalidIssueSuppressionComment(String commentsLine) {
+    return splitInlineComments(commentsLine)
+      .stream()
+      .anyMatch(comment -> isInvalidNoSonarComment(comment) || isInvalidNoQaComment(comment));
+  }
+
+  private boolean isInvalidNoSonarComment(String comment) {
+    if (!Pattern.matches(NOSONAR_PREFIX_REGEX, comment)) {
+      return false;
+    }
+    if (!isValidNoSonar(comment)) {
+      return true;
+    }
+    var rules = parseNoSonarRules(comment).toList();
+    return rules.size() > 1 && rules.stream().anyMatch(r -> r.isBlank() || r.contains(" "));
+  }
+
+  private boolean isInvalidNoQaComment(String comment) {
+    if (!comment.matches(NOQA_PREFIX_REGEX)) {
+      return false;
+    }
+    if (!isValidNoQa(comment)) {
+      return true;
+    }
+    var rules = parseNoQaRules(comment).toList();
+    return !rules.isEmpty() && rules.stream().anyMatch(r -> r.isBlank() || r.contains(" "));
+  }
+
   private static boolean isValidNoSonar(String noSonarCommentLine) {
     return noSonarCommentLine.matches(NOSONAR_PATTERN_REGEX);
   }
@@ -48,20 +79,43 @@ private static boolean isValidNoQa(String noSonarCommentLine) {
 
   public Optional<NoSonarLineInfo> parse(String commentLine) {
     var rules = new HashSet<String>();
-    if (isValidNoSonar(commentLine)) {
-      parseNoSonarRules(commentLine)
+    var comments = splitInlineComments(commentLine);
+    for (var comment : comments) {
+      var noSonarLineInfo = parseComment(comment);
+
+      if (noSonarLineInfo != null) {
+        if (noSonarLineInfo.isSuppressedRuleKeysEmpty()) {
+          return Optional.of(noSonarLineInfo);
+        }
+        rules.addAll(noSonarLineInfo.suppressedRuleKeys());
+      }
+    }
+    return Optional.of(rules).filter(Predicate.not(HashSet::isEmpty)).map(NoSonarLineInfo::new);
+  }
+
+  @CheckForNull
+  private NoSonarLineInfo parseComment(String comment) {
+    var rules = new HashSet<String>();
+    if (isValidNoSonar(comment)) {
+      parseNoSonarRules(comment)
         .filter(Predicate.not(String::isEmpty))
         .forEach(rules::add);
-    } else if (isValidNoQa(commentLine)) {
-      parseNoQaRules(commentLine)
+    } else if (isValidNoQa(comment)) {
+      parseNoQaRules(comment)
         .filter(Predicate.not(String::isEmpty))
         .forEach(rules::add);
     } else {
-      return Optional.empty();
+      return null;
     }
-    return Optional.of(new NoSonarLineInfo(rules));
+    return new NoSonarLineInfo(rules);
   }
 
+  private static List<String> splitInlineComments(String commentsLine) {
+    return Stream.of(commentsLine.split("#"))
+      .filter(Predicate.not(String::isBlank))
+      .map(s -> "#" + s)
+      .toList();
+  }
 
   private Stream<String> parseNoSonarRules(String noSonarCommentLine) {
     var contentInsideParentheses = getParamsString(noSonarPattern, noSonarCommentLine);