How to detect Python unused import in SonarQube?
Our Python source code may contain unused import that we would like to detect during Sonar analysis. There are some rules for unused stuff : Unused assignments should be removed and Unused local variables should be removed . We are running on Data Center Edition Version 8.9.7 (build 52159) and we are looking for a rule such as Unused import should be removed .
Hello @RichardDally ,
Welcome to our community and thanks a lot for your suggestion. We have this rule about unused import in our backlog ( S1128 ).
I cannot give you an exact date yet, however we’re discussing about implementing this rule relatively soon.
![unused assignments should be removed sonar SonarLint : Unused local variables should be removed](https://cdn.hashnode.com/res/hashnode/image/upload/v1630823747003/Xi4FPKGZn.png?w=1600&h=840&fit=crop&crop=entropy&auto=compress,format&format=webp)
![](http://pechenka.online/777/templates/cheerup1/res/banner1.gif)
SonarLint : Unused local variables should be removed
![unused assignments should be removed sonar sandeep negi's photo](https://cdn.hashnode.com/res/hashnode/image/upload/v1626949384497/0LOg3nBEV.jpeg?w=200&h=200&fit=crop&crop=faces&auto=compress,format&format=webp)
If there are some variables that are usually used by the developers for debugging but later those variables are not used. Those variables should be removed since it is a dead code.It will improve the maintainability and other developers will not wonder where this local variable is used.
Example from sonar lint
Noncompliant Code Example
Compliant solution.
IDE extension that lets you fix coding issues before they exist!
Setup is effortless and analysis is automatic for most languages
Self-Hosted
Fast, accurate analysis; enterprise scalability
Why is this an issue?
How can i fix it.
Open redirection occurs when an application uses user-controllable data to build URLs used during redirects.
An attacker with malicious intent could manipulate a user to browse into a specially crafted URL, such as https://trusted.example.com/redirect?url=evil.com , to redirect the victim to their evil domain.
Open redirection is most often used to trick users into browsing to a malicious domain that they believe is safe. As such, attackers commonly use open redirect exploits in mass phishing campaigns.
What is the potential impact?
An attacker can use this vulnerability to redirect a user from a trusted domain to a malicious domain controlled by the attacker. At that point, the attacker can perform various attacks, such as phishing.
Below are some scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
Suppose the attacker creates a malicious website that mirrors the interface of the trusted website. In that case, they can use the open redirect vulnerability to lead the user to this malicious site.
Due to the similarity in the application appearance and the supposedly trustable hyperlink, the user fails to identify that they are browsing on a malicious domain. From here, an attacker can capture the user’s credentials, bypass Multi-Factor Authentication (MFA), and take over the user’s account on the trusted website.
![](http://pechenka.online/777/templates/cheerup1/res/banner1.gif)
Malware distribution
By leveraging the domain mirroring technique explained above, the attacker could also create a website that hosts malware. A user who is unaware of the redirection from a trusted website to this malicious website might then download and execute the attacker’s malware. In the worst case, this can lead to a complete system compromise for the user.
JavaScript injection (XSS)
In certain circumstances, an attacker can use DOM-based open redirection to execute JavaScript code. This can lead to further exploitation in the trusted domain and has consequences such as the compromise of the user’s account.
Navigation Menu
Search code, repositories, users, issues, pull requests..., provide feedback.
We read every piece of feedback, and take your input very seriously.
Saved searches
Use saved searches to filter your results more quickly.
To see all available qualifiers, see our documentation .
- Notifications You must be signed in to change notification settings
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Rule S1068: Unused "private" fields should be removed #7406
gregory-paidis-sonarsource commented Jun 13, 2023
No branches or pull requests
![](http://pechenka.online/777/templates/cheerup1/res/banner1.gif)
IMAGES
VIDEO
COMMENTS
I'm using Eclipse 2020-03 (4.15.0) with Sonarlint for Eclipse 5.1.0.17086 and I get , IMO, false positive S1854 warnings in the following code (taken from the book "Java 8 In Action"). Working with...
Must-share information (formatted with Markdown): which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) - SonarQube - 8.9.6 what are you trying to achieve - Running scan on JS files what have you tried so far to achieve this - Rule firing when it is not supposed to. The variables are not re-assigned without being used; But they are within 'If block' which is ...
Our Python source code may contain unused import that we would like to detect during Sonar analysis. There are some rules for unused stuff: Unused assignments should be removed and Unused local variables should be removed. We are running on Data Center Edition Version 8.9.7 (build 52159) and we are looking for a rule such as Unused import ...
S1854 - Unused assignments should be removed: FP Example * Array index * Function argument * Null example * Another null example: Explanation. This rule raises issues for increment and decrements operators, even when the result of the expression is used.
Unused assignments should be removed Code SmellSections of code should not be commented out Code SmellUnused method parameters should be removed Code SmellUnused "private" methods should be removed Code SmellUnused "private" fields should be removed Code SmellUnused labels should be removed Code SmellPackages containing only "package-info.java ...
Assigning a value to a local variable that is not read by any subsequent instruction is called a dead store. The following code snippet depicts a few dead stores. int x = 0; // Noncompliant: dead store, next line overwrites x. x = 100; // Noncompliant: dead store, next line overwrites x. x = 200; int y = 0; y += 9001; // Noncompliant: dead ...
a lambda expression captures the local variable. the variable is unused (case covered by Rule S1481) it's an initialization to -1, 0, 1, null, true, false , "" or string.Empty. Available In: Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code.
Saved searches Use saved searches to filter your results more quickly
Note that this would also be an issue if the initial assignment was something other than null. Unless the right-hand-side of the assignment has a side effect, any assignment is wasted. (Sonar analyses for side-effects) This is suspicious to Sonar: Maybe the programmer expected the first assignment to have an effect -- it doesn't, so perhaps it ...
Remove the declaration of the unused 'ButtonIcon' variable. And... Unused local variables and functions should be removed. Expected behavior Whilst I appreciate the code could be rewritten to cast the variable name in the function declaration: const IconLabelButton = ({ icon: ButtonIcon, label, clickHandler }) => { ...
Those variables should be removed since it is a dead code.It will improve the maintainability and other developers will not wonder where this local variable is used. Example from sonar lint. int seconds = 0; // seconds is never used return hours * 60; return hours * 60;
Saved searches Use saved searches to filter your results more quickly
Explanation. Unused assignments may signal a mistake or unfinished code. If the variable is never used after being assigned, then the assignment can be removed. Variables with an underscore prefix such as _x will not trigger this lint. The `unused_assignments` lint detects assignments that will never be read.
Renaming import, export, and destructuring assignments should not be to the same name Code SmellUnnecessary constructors should be removed Code SmellTernary operator should not be used instead of simpler alternatives Code SmellUnnecessary calls to ".bind()" should not be used Code SmellConstructors should not return values Code Smell
Strings literals should be placed on the left side when checking for equality (Sonar Rule 1132) Unused "private" fields should be removed (Sonar Rule 1068) Unused assignments should be removed (Sonar Rule 1854) Unused local variables should be removed (Sonar Rule 1481) Utility classes should not have public constructors (Sonar Rule 1118 ...
应删除未使用的局部变量或函数(Unused local variables and functions should be removed) 8. 函数不应有相同的实现(Functions should not have identical implementations) 9. 不应有空函数(Functions should not be empty) 10. 分配(的变量)不应是多余的(Assignments should not be redundant) 11.
I think its a design guideline that events always should be (derived) of the type EventHandler. So that means you will always get the sender and EventArgs. So even tho the subscribers don't use those parameters all events in the .Net framework are build using this paradigm and so SonarLint should be able to handle this.
Development. No branches or pull requests. 1 participant. Sonar rule - java:S1854 - Unused assignments should be removed leads to a lot of false positives which makes the rule unusable. Create a rule which detects unused assignments. example: String doodle = "init"; // bad, assigned value overw...
The rule's functionality is already implemented as part of S1144, but we should raise S1068 for fields, to be more precise. class MyClass { private int foo = 42; // Noncompliant: foo is unused public: int compute(int a) { return a * 42; ...