

linux.debian.maint.python, thread #8253 (unrolled)

static analysis and other tools for checking Python code

Started by: Paul Wise <pabs@debian.org>
First post: 2016-03-02 04:30 +0100
Last post: 2016-03-03 01:40 +0100
Articles: 19 (6 participants)



Contents

  static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-02 04:30 +0100
    Re: static analysis and other tools for checking Python code Scott Kitterman <debian@kitterman.com> - 2016-03-02 05:40 +0100
      Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-02 06:00 +0100
    Re: static analysis and other tools for checking Python code Nicolas Chauvat <nicolas.chauvat@logilab.fr> - 2016-03-02 15:20 +0100
      Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-03 01:10 +0100
        Re: static analysis and other tools for checking Python code "Paul R. Tagliamonte" <paultag@gmail.com> - 2016-03-03 01:30 +0100
        Re: static analysis and other tools for checking Python code Nicolas Chauvat <nicolas.chauvat@logilab.fr> - 2016-03-03 13:00 +0100
          Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-04 06:10 +0100
            Re: static analysis and other tools for checking Python code Nicolas Chauvat <nicolas.chauvat@logilab.fr> - 2016-03-04 10:30 +0100
              Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-04 14:40 +0100
                Re: static analysis and other tools for checking Python code Nicolas Chauvat <nicolas.chauvat@logilab.fr> - 2016-03-04 16:20 +0100
                  Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-05 04:20 +0100
                    Re: static analysis and other tools for checking Python code Nicolas Chauvat <nicolas.chauvat@logilab.fr> - 2016-03-05 15:10 +0100
                      Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-06 10:20 +0100
    Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-03 01:40 +0100
      Re: static analysis and other tools for checking Python code Jeremy Stanley <fungi@yuggoth.org> - 2016-03-03 01:50 +0100
      Re: static analysis and other tools for checking Python code Daniel Stender <stender@debian.org> - 2016-03-04 15:40 +0100
        Re: static analysis and other tools for checking Python code Paul Wise <pabs@debian.org> - 2016-03-05 04:10 +0100
    Re: static analysis and other tools for checking Python code Jeremy Stanley <fungi@yuggoth.org> - 2016-03-03 01:40 +0100

#8253 — static analysis and other tools for checking Python code

From: Paul Wise <pabs@debian.org>
Date: 2016-03-02 04:30 +0100
Subject: static analysis and other tools for checking Python code
Message-ID: <r85E5-1TO-1@gated-at.bofh.it>
Hi all,

Some of you may have noticed I'm working on a tool called
check-all-the-things that does what it says on the tin.

https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/doc/README

One of the things it has checks for is Python. So far it runs pyflakes
and pep8 and a few hacky greps for some things that shouldn't be done
in Python in my experience.

https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/python

There is a long list of TODO items for Python checking tools. I would
really appreciate some help turning this TODO list into checks and/or
packaging of some of the tools not yet in Debian.

If anyone knows of tools that do the equivalent of the hacky greps
that would be helpful too, or even just which tool should be adding
tests for those issues.

If anyone wants to help work on the c-a-t-t code, it is written in Python too.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



#8256

From: Scott Kitterman <debian@kitterman.com>
Date: 2016-03-02 05:40 +0100
Message-ID: <r86JQ-2xU-1@gated-at.bofh.it>
In reply to: #8253
On Wednesday, March 02, 2016 11:22:52 AM Paul Wise wrote:
> Hi all,
> 
> Some of you may have noticed I'm working on a tool called
> check-all-the-things that does what it says on the tin.
> 
> https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git
> https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/d
> oc/README
> 
> One of the things it has checks for is Python. So far it runs pyflakes
> and pep8 and a few hacky greps for some things that shouldn't be done
> in Python in my experience.
> 
> https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/d
> ata/python
> 
> There is a long list of TODO items for Python checking tools. I would
> really appreciate some help turning this TODO list into checks and or
> packaging of some of the tools not yet in Debian.
> 
> If anyone knows of tools that do the equivalent of the hacky greps
> that would be helpful too, or even just which tool should be adding
> tests for those issues.
> 
> If anyone wants to help work on the c-a-t-t code, it is written in Python
> too.

It's probably worth looking at [1] to see if there's anything worth salvaging 
for what you're doing.

Scott K

[1] http://snapshot.debian.org/package/lintian4python/0.28.4/



#8257

From: Paul Wise <pabs@debian.org>
Date: 2016-03-02 06:00 +0100
Message-ID: <r873c-2DV-3@gated-at.bofh.it>
In reply to: #8256
On Wed, Mar 2, 2016 at 12:38 PM, Scott Kitterman wrote:

> It's probably worth looking at [1] to see if there's anything worth salvaging
> for what you're doing.
...
> [1] http://snapshot.debian.org/package/lintian4python/0.28.4/

If someone were to revive upstream development of lintian4python
(perhaps as a native package) and reintroduce it to Debian again,
c-a-t-t could certainly start running it again. I had to disable it
when it got removed from Debian.

https://jwilk.net/software/lintian4python
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/python#n35

[lintian4python]
groups = package
flags = todo
comment = re-enable if the package is ever revived, see #768988 and #778796
apt = lintian4python
files = ../*.changes ../*.deb ../*.dsc *.changes *.deb *.dsc
command = lintian4py {files}

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



#8259

From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
Date: 2016-03-02 15:20 +0100
Message-ID: <r8fN7-l3-3@gated-at.bofh.it>
In reply to: #8253
Hi,

On Wed, Mar 02, 2016 at 11:22:52AM +0800, Paul Wise wrote:
> One of the things it has checks for is Python. So far it runs pyflakes
> and pep8

Maybe add pylint?

-- 
Nicolas Chauvat

logilab.fr - scientific computing and knowledge management services



#8262

From: Paul Wise <pabs@debian.org>
Date: 2016-03-03 01:10 +0100
Message-ID: <r8p06-7eU-13@gated-at.bofh.it>
In reply to: #8259
On Wed, Mar 2, 2016 at 9:23 PM, Nicolas Chauvat wrote:

> Maybe add pylint?

As I understand it:

pylint runs code from the source tree so it isn't suitable for running
by default as that could be a security issue for people reviewing
potentially untrusted code.

pylint isn't able to be run automatically, it needs a human to come up
with the right command-line.

c-a-t-t could certainly print a suggestion to run pylint like it does
for fuzzers like afl/zzuf.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



#8263

From: "Paul R. Tagliamonte" <paultag@gmail.com>
Date: 2016-03-03 01:30 +0100
Message-ID: <r8pjs-7pC-15@gated-at.bofh.it>
In reply to: #8262


flake8 has the most mindshare these days :)
On Mar 2, 2016 7:07 PM, "Paul Wise" <pabs@debian.org> wrote:

> On Wed, Mar 2, 2016 at 9:23 PM, Nicolas Chauvat wrote:
>
> > Maybe add pylint?
>
> As I understand it:
>
> pylint runs code from the source tree so it isn't suitable for running
> by default as that could be a security issue for people reviewing
> potentially untrusted code.
>
> pylint isn't able to be run automatically, it needs a human to come up
> with the right command-line.
>
> c-a-t-t could certainly print a suggestion to run pylint like it does
> for fuzzers like afl/zzuf.
>
> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise
>
>



#8267

From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
Date: 2016-03-03 13:00 +0100
Message-ID: <r8A5e-6Bm-45@gated-at.bofh.it>
In reply to: #8262
/Disclaimer: I started pylint with Sylvain Thénault back in 2001, but
the project has had new maintainers for a few years./

On Thu, Mar 03, 2016 at 08:06:52AM +0800, Paul Wise wrote:
> On Wed, Mar 2, 2016 at 9:23 PM, Nicolas Chauvat wrote:
> 
> > Maybe add pylint?
> 
> As I understand it:
> 
> pylint runs code from the source tree so it isn't suitable for running
> by default as that could be a security issue for people reviewing
> potentially untrusted code.

That would be https://pypi.python.org/pypi/PyChecker

Pylint has never run code from the source tree.

> pylint isn't able to be run automatically, it needs a human to come up
> with the right command-line.

"pylint <themodule>" should work fine.

Tuning pylint to a specific coding or project requires human action.

One option is to run "pylint -E <themodule>" to look only for
errors. This is also faster.

> [Paul Tagliamonte] flake8 has the most mindshare

That's not what google trends says

  https://www.google.fr/trends/explore#q=flake8%2C%20pylint%2C%20pyflakes&cmpt=q&tz=Etc%2FGMT-1

I included pyflakes because flake8's doc says "Flake8 is a wrapper around
PyFlakes, pep8 and Ned Batchelder’s McCabe script".
	    
The "Design Principles" section from pyflakes' doc states:

  """Pyflakes is also faster than Pylint or Pychecker. This is largely
  because Pyflakes only examines the syntax tree of each file
  individually. As a consequence, Pyflakes is more limited in the types
  of things it can check."""

To get the list of all the things your installed version of pylint can check for:

  pylint --list-msgs
  
Github stats prove the pylint project is pretty active

  https://github.com/PyCQA/pylint/graphs/contributors

-- 
Nicolas Chauvat

logilab.fr - scientific computing and knowledge management services



#8269

From: Paul Wise <pabs@debian.org>
Date: 2016-03-04 06:10 +0100
Message-ID: <r8Q9X-1D7-3@gated-at.bofh.it>
In reply to: #8267


On Thu, 2016-03-03 at 12:52 +0100, Nicolas Chauvat wrote:


> That would be https://pypi.python.org/pypi/PyChecker
> 
> Pylint has never run code from the source tree.

I wonder where I got that impression from.

What about from the module it is checking?

> "pylint <themodule>" should work fine.

Unfortunately that needs the module installed to work.

Is there any way to make it scan the source tree instead?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




#8270

From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
Date: 2016-03-04 10:30 +0100
Message-ID: <r8UdA-4zt-21@gated-at.bofh.it>
In reply to: #8269
Hi,

On Fri, Mar 04, 2016 at 01:03:17PM +0800, Paul Wise wrote:
> > That would be https://pypi.python.org/pypi/PyChecker
> > 
> > Pylint has never run code from the source tree.
> 
> I wonder where I got that impression from.
> 
> What about from the module it is checking?
> 
> > "pylint <themodule>" should work fine.
> 
> Unfortunately that needs the module installed to work.
> 
> Is there any way to make it scan the source tree instead?

It *does* read the source and scan the tree.

It does *not* import or execute the code.

That is the very first goal of pylint: "detect code smells in python
code by statically analyzing the syntax tree read from the source".

  $ cat foo.py
  a = b+1
  $ pylint -E foo.py
  No config file found, using default configuration
  ************* Module foo
  E:  1, 4: Undefined variable 'b' (undefined-variable)
  $ mkdir bar
  $ mv foo.py bar
  $ touch bar/__init__.py
  $ pylint -E bar/
  No config file found, using default configuration
  ************* Module bar.foo
  E:  1, 4: Undefined variable 'b' (undefined-variable)

There is even a library named https://pypi.python.org/pypi/astroid
that was extracted out of pylint to make it easier for other tools to
do type inference (and other things) on Python's Abstract Syntax
Trees.

I hope this helps make clearer what pylint can be used for. I had a
look at the README and I suppose the intro section at the top could
state the above goal with more clarity.

-- 
Nicolas Chauvat

logilab.fr - scientific computing and knowledge management services

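Added example (editor's code, not part of the thread and not code from c-a-t-t, pylint or PyChecker): the distinction Paul and Nicolas are drawing above, checking a module by walking its syntax tree versus checking it by importing it, on a constructed sample module. `undefined_names` is a deliberately flat-scoped stand-in for pylint's `undefined-variable` check and runs nothing; `check_by_importing` does what an import-based checker implicitly does and so triggers the sample's top-level side effect (a harmless list append standing in for anything an untrusted tree might do). `dangerous_calls` is the AST-accurate equivalent of the "hacky greps" from the first post, which also answers why a grep over-matches: it hits comments and string literals, a `Call` node does not. The sample source, the `TRIGGERED` marker and the list of call names are all assumptions made for the demonstration.

```python
"""Added example, not code from the thread, c-a-t-t or pylint: the
difference between checking Python by walking its syntax tree and
checking it by importing it, on a constructed sample module."""
import ast
import builtins
import sys

# Constructed sample: Nicolas's `a = b+1` plus a top-level side effect and a
# shell call, standing in for what an untrusted source tree could contain.
SAMPLE_SOURCE = '''\
import os
import sys
TRIGGERED = []              # marker: did this module's top level run?
TRIGGERED.append(sys.argv)  # stand-in for anything an import would execute

def run(cmd):
    # eval(cmd) in a comment: a grep matches it, an AST walk does not
    return os.system(cmd)

a = b + 1
'''


def undefined_names(source, filename="<string>"):
    """Return sorted (line, col, name) for names loaded but never bound.

    Static only: ast.parse builds the tree without running anything.
    Scope handling is deliberately flat (builtins plus every binding found
    anywhere in the file); pylint's real undefined-variable check is
    scope-aware, so this under-reports compared to pylint -E.
    """
    tree = ast.parse(source, filename)
    bound = set(dir(builtins))
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and not isinstance(node.ctx, ast.Load):
            bound.add(node.id)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                bound.add((alias.asname or alias.name).split(".")[0])
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
    return sorted(
        (n.lineno, n.col_offset, n.id)
        for n in ast.walk(tree)
        if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load) and n.id not in bound
    )


def _dotted(node):
    """'os.system' for the call target os.system, None for anything fancier."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def dangerous_calls(source, names=frozenset({"eval", "exec", "os.system", "os.popen"})):
    """AST-accurate version of a 'hacky grep' for calls worth a reviewer's eye:
    matches real call sites only, never comments or string literals.
    The set of names is an assumption for the demo, not a complete list."""
    tree = ast.parse(source)
    return sorted(
        (n.lineno, _dotted(n.func))
        for n in ast.walk(tree)
        if isinstance(n, ast.Call) and _dotted(n.func) in names
    )


def check_by_importing(source):
    """What an import-based checker implicitly does: execute the module's top
    level to obtain live objects to inspect. Only ever call this on code you
    trust; it is run here on the constructed sample to show the side effect.
    The undefined name surfaces as a runtime NameError, not as a diagnostic."""
    namespace = {"__name__": "untrusted_sample"}
    try:
        exec(compile(source, "<untrusted_sample>", "exec"), namespace)
    except NameError as exc:
        namespace["__error__"] = str(exc)
    return namespace


if __name__ == "__main__":
    # Usage: python this_file.py [path/to/file.py]; without a path, the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    for line, col, name in undefined_names(source):
        print(f"E:{line:3d},{col:2d}: Undefined variable '{name}' (undefined-variable)")
    for line, callee in dangerous_calls(source):
        print(f"W:{line:3d}: call to {callee}")
    if len(sys.argv) == 1:  # the import path is demonstrated on the sample only
        ns = check_by_importing(SAMPLE_SOURCE)
        print("import-based check ran the sample's top level:", bool(ns["TRIGGERED"]))
```

Run on the sample, the static path reports `b` on line 10 and the `os.system` call on line 8 without the marker ever being appended to; the import path appends to the marker before it reaches the NameError. That is the whole of the review-safety argument: a checker that only needs `ast.parse` can be run by default on a tree you have not audited yet, a checker that needs the module imported cannot.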


#8271

From: Paul Wise <pabs@debian.org>
Date: 2016-03-04 14:40 +0100
Message-ID: <r8Y7w-7tk-5@gated-at.bofh.it>
In reply to: #8270
On Fri, Mar 4, 2016 at 5:24 PM, Nicolas Chauvat wrote:

> I hope this helps making clearer what pylint can be used for. I had a
> look at the README and I suppose the intro section at the top could
> state the above goal with more clarity.

It does, thanks.

Do you know if pylint can recursively scan for Python files rather
than being passed the names of Python files?

Incidentally, I got a patch for c-a-t-t to support pylint from the
author of yamllint:

https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/patch/?id=4dc0a9ca929fa3488ab93cb4e997101d52bbe8a8

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



#8273

From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
Date: 2016-03-04 16:20 +0100
Message-ID: <r8ZGi-7O-3@gated-at.bofh.it>
In reply to: #8271
On Fri, Mar 04, 2016 at 09:33:17PM +0800, Paul Wise wrote:
> Do you know if pylint can recursively scan for Python files rather
> than being passed the names of Python files?

It does recursively scan for Python files:

$ tree bar/
bar/
├── baz
│   ├── gloo.py
│   └── __init__.py
├── foo.py
└── __init__.py
$ cat bar/**/*py
b = a-1
a = b+1
$ pylint -E bar/
No config file found, using default configuration
************* Module bar.foo
E:  1, 4: Undefined variable 'b' (undefined-variable)
************* Module bar.baz.gloo
E:  1, 4: Undefined variable 'a' (undefined-variable)

> Incidentally, I got a patch for c-a-t-t to support pylint from the
> author of yamllint:
> 
> https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/patch/?id=4dc0a9ca929fa3488ab93cb4e997101d52bbe8a8

Nice!

-- 
Nicolas Chauvat

logilab.fr - scientific computing and knowledge management services



#8275

From: Paul Wise <pabs@debian.org>
Date: 2016-03-05 04:20 +0100
Message-ID: <r9aV3-8th-1@gated-at.bofh.it>
In reply to: #8273
On Fri, Mar 4, 2016 at 11:11 PM, Nicolas Chauvat wrote:

> It does recursively scan for Python files:

That doesn't pick up Python scripts that don't have .py in their name.

I couldn't get it to work with files in the current directory:

$ touch __init__.py
$ echo 'a = b+1' > bar.py
$ pylint -E .
No config file found, using default configuration

Should I file bugs about these two issues?

It does work with subdirectories as you pointed out though.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



#8276

From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
Date: 2016-03-05 15:10 +0100
Message-ID: <r9l46-7ig-17@gated-at.bofh.it>
In reply to: #8275
On Sat, Mar 05, 2016 at 11:16:28AM +0800, Paul Wise wrote:
> On Fri, Mar 4, 2016 at 11:11 PM, Nicolas Chauvat wrote:
> 
> > It does recursively scan for Python files:
> 
> That doesn't pick up Python scripts that don't have .py in their name.

I had not noticed that.

> I couldn't get it to work with files in the current directory:
> 
> $ touch __init__.py
> $ echo 'a = b+1' > bar.py
> $ pylint -E .
> No config file found, using default configuration

Would "pylint -E *.py" do what you want?

Or maybe use find with 'file' as a filter?

> Should I file bugs about these two issues?

You may. I am not part of the maintainers/contributors anymore,
so I will not be able to help solve these issues.

https://github.com/PyCQA/pylint/

-- 
Nicolas Chauvat

logilab.fr - scientific computing and knowledge management services



#8277

From: Paul Wise <pabs@debian.org>
Date: 2016-03-06 10:20 +0100
Message-ID: <r9D0Z-30r-1@gated-at.bofh.it>
In reply to: #8276
On Sat, Mar 5, 2016 at 10:03 PM, Nicolas Chauvat wrote:

> Would "pylint -E *.py" do what you want?

That is essentially what the added check does now.

> Or maybe use find with 'file' as a filter?

MIME support is in progress in c-a-t-t.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

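Added example (editor's code, not c-a-t-t's in-progress MIME support and not pylint code) for the two gaps Paul hit in #8275 and the `find` plus `file` idea Nicolas floated in #8276: walk a tree, including the current directory, and collect both `*.py` files and extensionless scripts whose first line is a python shebang, then hand pylint an explicit file list instead of a directory. Detection reads one line per candidate and never imports or executes anything, so it keeps the property that made the AST-based checker safe to run by default. The `SKIP_DIRS` set and the `-E` default are assumptions for the demo; whether a given pylint version accepts every extensionless path it is handed is something to verify against that version.

```python
"""Added example (not c-a-t-t's code): find Python sources under a directory,
including the current directory and scripts with no .py extension, and build
the pylint -E command line for them."""
import os
import shutil
import subprocess
import sys

# Assumption for the demo: directories never worth linting.
SKIP_DIRS = {".git", ".svn", ".hg", "__pycache__"}


def looks_like_python_script(path):
    """True if the file's first line is a shebang naming a python interpreter
    (e.g. #!/usr/bin/python3 or #!/usr/bin/env python). Reads one line only,
    so a large or binary file costs nothing, and never imports or runs it."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(256)
    except OSError:
        return False
    return first.startswith(b"#!") and b"python" in first


def find_python_sources(root="."):
    """Return sorted paths, relative to root, of *.py files and extensionless
    python scripts below root, pruning SKIP_DIRS. Works for root='.' because
    files are enumerated explicitly rather than passed as a package path."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(".py") or looks_like_python_script(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def pylint_command(files, extra=("-E",)):
    """argv for pylint with an explicit file list; -E (errors only) by default,
    the mode Nicolas suggested for an untuned run."""
    return ["pylint", *extra, *files]


if __name__ == "__main__":
    # Usage: python this_file.py [root]; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    files = find_python_sources(root)
    if not files:
        sys.exit("no python sources found under %s" % root)
    cmd = pylint_command(files)
    if shutil.which("pylint") is None:
        print("pylint not installed; would run:", " ".join(cmd))
    else:
        sys.exit(subprocess.call(cmd, cwd=root))
```

The shebang test is narrower than `file --mime-type` (it will not recognise a python script with no shebang at all), but it has no dependency on libmagic's database and cannot be fooled into reading past the first line.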


#8264

From: Paul Wise <pabs@debian.org>
Date: 2016-03-03 01:40 +0100
Message-ID: <r8pt7-7tT-3@gated-at.bofh.it>
In reply to: #8253
On Thu, Mar 3, 2016 at 7:52 AM, Jeremy Stanley wrote:

> ...

All of flake8, hacking, bandit, pep257, clonedigger and more are on
the TODO list:

https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/python

FYI pep257 is definitely packaged:

https://packages.debian.org/search?keywords=pep257

> I can probably think up more that I've used, but the above rise to
> the top of my list.

More suggestions would be useful but most useful would be actual
tests. They are very simple to add if you know how to run the tools.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



#8266

From: Jeremy Stanley <fungi@yuggoth.org>
Date: 2016-03-03 01:50 +0100
Message-ID: <r8pCO-7yT-7@gated-at.bofh.it>
In reply to: #8264
On 2016-03-03 08:38:40 +0800 (+0800), Paul Wise wrote:
[...]
> FYI pep257 is definitely packaged:
> 
> https://packages.debian.org/search?keywords=pep257
[...]

Whoops! Thanks--I almost certainly fat-fingered my package search on
that one.
-- 
Jeremy Stanley



#8272

From: Daniel Stender <stender@debian.org>
Date: 2016-03-04 15:40 +0100
Message-ID: <r8Z3z-85K-1@gated-at.bofh.it>
In reply to: #8264
On 03.03.2016 01:38, Paul Wise wrote:
> On Thu, Mar 3, 2016 at 7:52 AM, Jeremy Stanley wrote:
>> ...
> 
> All of flake8, hacking, bandit, pep257, clonedigger and more are on
> the TODO list:
> 
> https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/python
> 
> FYI pep257 is definitely packaged:
> 
> https://packages.debian.org/search?keywords=pep257
> 
>> I can probably think up more that I've used, but the above rise to
>> the top of my list.
> 
> More suggestions would be useful but most useful would be actual
> tests. They are very simple to add if you know how to run the tools.

BTW there's also Prospector which provides a uniform interface to many individual linters:
https://packages.qa.debian.org/p/prospector.html

Cheers,
DS

-- 
4096R/DF5182C8
http://www.danielstender.com/blog/



#8274

From: Paul Wise <pabs@debian.org>
Date: 2016-03-05 04:10 +0100
Message-ID: <r9aLn-8jF-1@gated-at.bofh.it>
In reply to: #8272
On Fri, Mar 4, 2016 at 10:14 PM, Daniel Stender wrote:

> BTW there's also Prospector which provides a uniform interface to many individual linters:
> https://packages.qa.debian.org/p/prospector.html

Already on the TODO list:

https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/python

If it is possible to disable the prospector checks for things that
prospector runs that c-a-t-t already runs, please feel free to add a
check that runs prospector. It seems that prospector is only a
wrapper, it doesn't do any checks only implemented in it though?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



#8265

From: Jeremy Stanley <fungi@yuggoth.org>
Date: 2016-03-03 01:40 +0100
Message-ID: <r8pt8-7tT-5@gated-at.bofh.it>
In reply to: #8253
On 2016-03-02 11:22:52 +0800 (+0800), Paul Wise wrote:
[...]
> One of the things it has checks for is Python. So far it runs pyflakes
> and pep8 and a few hacky greps for some things that shouldn't be done
> in Python in my experience.
[...]

The "flake8" framework basically incorporates the pyflakes and pep8
analyzers along with a code complexity checker, and provides a
useful mechanism for controlling their behavior in a consistent
manner as well as pluggability to add your own:

    https://packages.debian.org/flake8

One flake8 plug-in which came out of the OpenStack developer
community is "hacking" (obviously not for every project, but an
interesting reference example of layering in your own style checks):

    https://packages.debian.org/python-hacking

Another output of the OpenStack community is "bandit," a security
analyzer for Python code:

    https://packages.debian.org/bandit

Some other interesting analyzers not yet packaged for Debian as far
as I can tell include "pep257" (a Python docstring checker) and
"clonedigger" (a DRYness checker).

    https://pypi.python.org/pypi/pep257
    https://pypi.python.org/pypi/clonedigger

I can probably think up more that I've used, but the above rise to
the top of my list.
-- 
Jeremy Stanley




