SonarSource · Seppli11 · Sep 24, 2024 · Sep 24, 2024
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ParsingError.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ParsingError.json
@@ -13,5 +13,5 @@
  "ruleSpecification": "RSPEC-2260",
  "sqKey": "ParsingError",
  "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "infeasible"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S112.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S112.json
@@ -25,5 +25,5 @@
      397
    ]
  },
-  "quickfix": "unknown"
+  "quickfix": "infeasible"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1135.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1135.json
@@ -24,5 +24,5 @@
      546
    ]
  },
-  "quickfix": "unknown"
+  "quickfix": "infeasible"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1186.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1186.json
@@ -19,5 +19,5 @@
  "ruleSpecification": "RSPEC-1186",
  "sqKey": "S1186",
  "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "infeasible"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1763.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1763.json
@@ -25,5 +25,5 @@
      561
    ]
  },
-  "quickfix": "unknown"
+  "quickfix": "infeasible"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1871.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1871.json
@@ -20,5 +20,5 @@
  "ruleSpecification": "RSPEC-1871",
  "sqKey": "S1871",
  "scope": "Main",
-  "quickfix": "unknown"
+  "quickfix": "infeasible"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html
@@ -8,7 +8,6 @@
 <p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.</p>
 <p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
 strings, and for variable names that match any of the patterns from the provided list.</p>
-<p>It’s recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", …</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
  <li> Credentials allow access to a sensitive component like a database, a file storage, an API or a service. </li>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3329.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3329.html
@@ -44,7 +44,7 @@ <h4>Noncompliant code example</h4>
    modes,
 )

-iv     = "doNotTryThis@Home2023"
+iv     = b"exampleIV1234567"
 cipher = Cipher(algorithms.AES(key), modes.CBC(iv))

 cipher.encryptor()  # Noncompliant
@@ -83,7 +83,7 @@ <h4>Noncompliant code example</h4>
 from Crypto.Random import get_random_bytes
 from Crypto.Util.Padding import pad

-iv     = "doNotTryThis@Home2023"
+iv     = b"exampleIV1234567"
 cipher = AES.new(key, AES.MODE_CBC, iv)
 cipher.encrypt(pad(data, AES.block_size))  # Noncompliant
 </pre>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4144.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4144.json
@@ -21,5 +21,5 @@
  "ruleSpecification": "RSPEC-4144",
  "sqKey": "S4144",
  "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "infeasible"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html
@@ -142,8 +142,10 @@ <h2>See</h2>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/352">CWE-352 - Cross-Site Request Forgery (CSRF)</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
  Misconfiguration</a> </li>
-  <li> <a href="https://owasp.org/www-community/attacks/csrf">OWASP: Cross-Site Request Forgery</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-community/attacks/csrf">Cross-Site Request Forgery</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222603">Application Security and
  Development: V-222603</a> - The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. </li>
+  <li> PortSwigger - <a href="https://portswigger.net/research/web-storage-the-lesser-evil-for-session-tokens">Web storage: the lesser evil for
+  session tokens</a> </li>
 </ul>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5797.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5797.html
@@ -3,7 +3,8 @@
 <h2>Why is this an issue?</h2>
 <p>When a constant is used as a condition, either it has no effect on the execution flow and it can be removed, or some code will never be executed
 and it is a bug.</p>
-<h3>Noncompliant code example</h3>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
 def foo():
    a = True
@@ -12,7 +13,7 @@ <h3>Noncompliant code example</h3>
    else:
      return 2
 </pre>
-<h3>Compliant solution</h3>
+<h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
 def foo():
    a = bar()

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6330.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6330.html
@@ -11,20 +11,6 @@ <h2>Recommended Secure Coding Practices</h2>
 <p>It’s recommended to encrypt SQS queues that contain sensitive information. Encryption and decryption are handled transparently by SQS, so no
 further modifications to the application are necessary.</p>
 <h2>Sensitive Code Example</h2>
-<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html">aws_cdk.aws_sqs.Queue</a>:</p>
-<pre>
-from aws_cdk import (
-    aws_sqs as sqs
-)
-
-class QueueStack(Stack):
-    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
-        super().__init__(scope, construct_id, **kwargs)
-        sqs.Queue( # Sensitive, unencrypted by default
-            self,
-            "example"
-        )
-</pre>
 <p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html">aws_cdk.aws_sqs.CfnQueue</a>:</p>
 <pre>
 from aws_cdk import (
@@ -34,27 +20,13 @@ <h2>Sensitive Code Example</h2>
 class CfnQueueStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
        super().__init__(scope, construct_id, **kwargs)
-        sqs.CfnQueue( # Sensitive, unencrypted by default
-            self,
-            "example"
-        )
-</pre>
-<h2>Compliant Solution</h2>
-<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html">aws_cdk.aws_sqs.Queue</a>:</p>
-<pre>
-from aws_cdk import (
-    aws_sqs as sqs
-)
-
-class QueueStack(Stack):
-    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
-        super().__init__(scope, construct_id, **kwargs)
-        sqs.Queue(
+        sqs.CfnQueue(
            self,
            "example",
-            encryption=sqs.QueueEncryption.KMS_MANAGED
+            sqs_managed_sse_enabled=False # Sensitive, unencrypted
        )
 </pre>
+<h2>Compliant Solution</h2>
 <p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html">aws_cdk.aws_sqs.CfnQueue</a>:</p>
 <pre>
 from aws_cdk import (
@@ -64,11 +36,10 @@ <h2>Compliant Solution</h2>
 class CfnQueueStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
        super().__init__(scope, construct_id, **kwargs)
-        my_key = kms.Key(self, "key")
        sqs.CfnQueue(
            self,
            "example",
-            kms_master_key_id=my_key.key_id
+            sqs_managed_sse_enabled=True
        )
 </pre>
 <h2>See</h2>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6973.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6973.html
@@ -1,19 +1,21 @@
-<p>This rule raises an issue when a Scikit-learn model is instantiated without specifying the important hyperparameters.</p>
+<p>This rule raises an issue when a machine learning estimator or optimizer is instantiated without specifying the important hyperparameters.</p>
 <h2>Why is this an issue?</h2>
-<p>When instantiating a Scikit-learn estimator, it will use default values for the hyperparameters that are not specified. Relying on the default
-values can lead to non-reproducible results across diffferent versions of the library.</p>
+<p>When instantiating an estimator or an optimizer, default values for any hyperparameters that are not specified will be used. Relying on the default
+values can lead to non-reproducible results across different versions of the library.</p>
 <p>Furthermore, the default values might not be the best choice for the specific problem at hand and can lead to suboptimal performance.</p>
 <p>Here are the estimators and the parameters considered by this rule :</p>
 <table>
  <colgroup>
    <col style="width: 50%;">
    <col style="width: 50%;">
  </colgroup>
-  <tbody>
+  <thead>
    <tr>
-      <td><p><strong>Estimator</strong></p></td>
-      <td><p><strong>Hyperparameters</strong></p></td>
+      <th>Scikit-learn - Estimator</th>
+      <th>Hyperparameters</th>
    </tr>
+  </thead>
+  <tbody>
    <tr>
      <td><p>AdaBoostClassifier</p></td>
      <td><p>learning_rate</p></td>
@@ -100,7 +102,73 @@ <h2>Why is this an issue?</h2>
    </tr>
  </tbody>
 </table>
-<h2>How to fix it</h2>
+<table>
+  <colgroup>
+    <col style="width: 50%;">
+    <col style="width: 50%;">
+  </colgroup>
+  <thead>
+    <tr>
+      <th>PyTorch - Optimizer</th>
+      <th>Hyperparameters</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td><p>Adadelta</p></td>
+      <td><p>lr, weight_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>Adagrad</p></td>
+      <td><p>lr, weight_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>Adam</p></td>
+      <td><p>lr, weight_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>AdamW</p></td>
+      <td><p>lr, weight_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>SparseAdam</p></td>
+      <td><p>lr</p></td>
+    </tr>
+    <tr>
+      <td><p>Adamax</p></td>
+      <td><p>lr, weight_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>ASGD</p></td>
+      <td><p>lr, weight_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>LBFGS</p></td>
+      <td><p>lr</p></td>
+    </tr>
+    <tr>
+      <td><p>NAdam</p></td>
+      <td><p>lr, weight_decay, momentum_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>RAdam</p></td>
+      <td><p>lr, weight_decay</p></td>
+    </tr>
+    <tr>
+      <td><p>RMSprop</p></td>
+      <td><p>lr, weight_decay, momentum</p></td>
+    </tr>
+    <tr>
+      <td><p>Rprop</p></td>
+      <td><p>lr</p></td>
+    </tr>
+    <tr>
+      <td><p>SGD</p></td>
+      <td><p>lr, weight_decay, momentum</p></td>
+    </tr>
+  </tbody>
+</table>
+<h2>How to fix it in Scikit-Learn</h2>
 <p>Specify the hyperparameters when instantiating the estimator.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
@@ -117,6 +185,23 @@ <h4>Compliant solution</h4>
    n_neighbors=5
 )
 </pre>
+<h2>How to fix it in PyTorch</h2>
+<p>Specify the hyperparameters when instantiating the optimizer</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+from my_model import model
+from torch.optim import AdamW
+
+optimizer = AdamW(model.parameters(), lr = 0.001) # Noncompliant : weight_decay is not specified, different values can change the behaviour of the optimizer significantly
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+from my_model import model
+from torch.optim import AdamW
+
+optimizer = AdamW(model.parameters(), lr = 0.001, weight_decay = 0.003) # Compliant
+</pre>
 <h2>Resources</h2>
 <h3>Articles &amp; blog posts</h3>
 <ul>
@@ -125,6 +210,10 @@ <h3>Articles &amp; blog posts</h3>
  <li> van Rijn, J. N., &amp; Hutter, F. (2018, July). Hyperparameter importance across datasets. In Proceedings of the 24th ACM SIGKDD International
  Conference on Knowledge Discovery &amp; Data Mining (pp. 2367-2376). </li>
 </ul>
+<h3>Documentation</h3>
+<ul>
+  <li> PyTorch Documentation - <a href="https://pytorch.org/docs/stable/optim.html">torch.optim</a> </li>
+</ul>
 <h3>External coding guidelines</h3>
 <ul>
  <li> Code Smells for Machine Learning Applications - <a

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6973.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6973.json
@@ -1,5 +1,5 @@
 {
-  "title": "Important hyperparameters should be specified for Scikit-Learn estimators",
+  "title": "Important hyperparameters should be specified for machine learning libraries\u0027 estimators and optimizers",
  "type": "CODE_SMELL",
  "status": "ready",
  "remediation": {

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6985.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6985.html
@@ -4,7 +4,9 @@ <h2>Why is this an issue?</h2>
 <code>pickle</code> library to load the model and the weights. If the model comes from an untrusted source, an attacker could inject a malicious
 payload which would be executed during the deserialization.</p>
 <h2>How to fix it</h2>
-<p>Use a safer alternative to load the model, such as <code>safetensors.torch.load_model</code>.</p>
+<p>Use a safer alternative to load the model, such as <code>safetensors.torch.load_model</code>. Alternatively, PyTorch can be instructed to only load
+the weights by setting the parameter <code>weights_only=True</code>. This avoids the use of the <code>pickle</code> library and is therefore safe.
+Note that the use of <code>weights_only</code> requires saving only the <code>state_dict</code> of a model instead of the whole model.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">

diff --git a/sonarpedia.json b/sonarpedia.json
@@ -3,7 +3,7 @@
  "languages": [
    "PY"
  ],
-  "latest-update": "2024-08-19T11:35:16.981419705Z",
+  "latest-update": "2024-09-24T09:07:11.168038831Z",
  "options": {
    "no-language-in-filenames": true,
    "preserve-filenames": true