# sonar-python

**Repository Path**: mirrors_SonarSource/sonar-python

## Basic Information

- **Project Name**: sonar-python
- **Description**: :snake: SonarQube Python plugin
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-08-19
- **Last Updated**: 2026-06-27

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# Code Quality and Security for Python

[![Build](https://github.com/SonarSource/sonar-python/actions/workflows/build.yml/badge.svg)](https://github.com/SonarSource/sonar-python/actions/workflows/build.yml) [![Quality Gate Status](https://next.sonarqube.com/sonarqube/api/project_badges/measure?project=org.sonarsource.python%3Apython&metric=alert_status&token=sqb_06cb5f8ba00ff7b54824e7f4d14b213dc38b2a96)](https://next.sonarqube.com/sonarqube/dashboard?id=org.sonarsource.python%3Apython)

#### Python analyzer for SonarQube Server, SonarQube Cloud, and SonarQube for IDE

Sonar's [integrated code quality and code security](https://www.sonarsource.com/solutions/for-developers/) solutions help developers deliver high-quality, efficient code standards that benefit the entire team or organization.

## Useful links

* [Project homepage](https://www.sonarsource.com/products/codeanalyzers/sonarpython.html)
* [Issue tracking](http://jira.sonarsource.com/browse/SONARPY)
* [Available rules](https://rules.sonarsource.com/python)
* [SonarSource Community Forum](https://community.sonarsource.com) for feedback

## Building the project

### Fast/minimal build

**Prerequisites:**

- JDK 11
- Maven 3.0.0 or newer

The easiest way to build the project is by running:

`mvn clean install -P-private`

This builds only the Java Maven modules, runs the tests, and installs the jar locally. The Python interpreter is not required in that case. Typeshed stub generation is skipped by default.

### Full build

**Prerequisites:**

- JDK 11
- Maven 3.0.0 or newer
- Python 3.9 or newer
- [tox](https://tox.readthedocs.io/en/latest/) - `pip install tox`
- Run `git submodule update --init` to retrieve [Typeshed](https://github.com/python/typeshed) and [SKlearn stubs](https://github.com/microsoft/python-type-stubs/tree/main/stubs/sklearn) as Git submodules.
- Run the following commands to extract only the needed files for the SKlearn stubs:

```
cd python-frontend/typeshed_serializer/resources/python-type-stubs
git sparse-checkout set stubs/sklearn
git checkout
```

All the above should be available in PATH.

To execute the full build just run:

`mvn clean install -P-private`

The full build executes the [Typeshed](https://github.com/python/typeshed) serializer script. It generates protobuf messages for Typeshed symbols (for the standard Python API) and our custom symbols (for Python libraries, e.g. [AWS CDK](https://docs.aws.amazon.com/cdk/v2/guide/work-with-cdk-python.html)). This helps with type inference and providing better rules.

### Typeshed Stub Generation

By default, Maven builds skip typeshed stub generation for faster build times. The stubs are pre-generated and committed to the repository.

To regenerate typeshed stubs, use the provided Docker script:

```
cd python-frontend/typeshed_serializer
./build-with-docker.sh
```

Alternatively, you can generate stubs during a Maven build by adding the `-DgenerateTypeshedStubs` flag:

```
mvn clean install -DgenerateTypeshedStubs
```

Note: Stub generation requires Python 3.9+ and tox to be installed.

## How to contribute

### Configuration

First, please configure your IDE: https://github.com/SonarSource/sonar-developer-toolset.

### Rule annotation

Each newly implemented rule should have a `@Rule(key = "S0000")` annotation at the class level. The number of the rule can be found here: https://sonarsource.github.io/rspec/#/rspec/?lang=python.
The key is usually automatically generated by a [rspec](https://github.com/SonarSource/rspec) repository GitHub action and needs to be unique in the whole project.

### Expectations:

- Commit message should be prefixed with the ticket number.
- Working on a separate branch and creating PR when it's finished.
- Clean coded, well-tested solution, quality gate should pass.
- Fix all issues reported by [SonarQube Next](https://next.sonarqube.com/sonarqube/dashboard?id=org.sonarsource.python%3Apython) instance.
- 95% or more code coverage for new changes (if possible). It can be checked on the CI build.

### Before push

Please check that all files have a license header. If not, `mvn install` will fail with the `Some files do not have the expected license header` message. To fix that, please execute: `mvn com.mycila:license-maven-plugin:format`.

## License

Copyright 2011-2024 SonarSource.

SonarQube analyzers released after November 29, 2024, including patch fixes for prior versions, are published under the [Sonar Source-Available License Version 1 (SSALv1)](LICENSE.txt).

See individual files for details that specify the license applicable to each file. Files subject to the SSALv1 will be noted in their headers.