Page tree
Skip to end of metadata
Go to start of metadata

On this page:

Target audience:

Users of the extension providing Python support.

Summary: This document provides basic information about the extension providing Python support.

What's new

In beta phase

  • New Quality Rules
    • Avoid Python string interpolations to prevent SQL injections
    • Two security rules (OpenStack framework)
    • A series of quality rules following the PEP-8 recommendations
    • Avoid using global statement
    • Avoid superclass knowing subclass
  • ActiveMQ and RabbitMQ messaging protocol support


This extension provides support for Python.

In what situation should you install this extension?

If your application contains Python source code and you want to view these object types and their links with other objects, then you should install this extension.

Supported Python versions

The following table displays the supported versions matrix:


Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points
Quality and SizingSecurity

CAST AIP compatibility

This extension is compatible with:

CAST AIP release
7.3.4 and all higher 7.3.x releases(tick)

Supported DBMS servers

This extension is compatible with the following DBMS servers:

CAST AIP releaseCSSOracleMicrosoft
All supported releases(tick)(tick)(error)


(tick)An installation of any compatible release of CAST AIP (see table above)

Dependencies with other extensions

  • Web Services Linker (internal technical extension)
  • CAST AIP Internal extension (internal technical extension)

Note that when using the CAST Extension Downloader to download the extension and the Manage Extensions interface in CAST Server Manager to install the extension, any dependent extensions are automatically downloaded and installed for you. You do not need to do anything.

Download and installation instructions

Please see:

The latest release status of this extension can be seen when downloading it from the CAST Extend server.

Packaging, delivering and analyzing your source code

Once the extension is installed, no further configuration changes are required before you can package your source code and run an analysis. The process of packaging, delivering and analyzing your source code is as follows:

Packaging and delivery

Note that the Python extension does not contain any CAST Delivery Manager Tool discoverers or extractors, therefore, no "Python" projects will be detected by the CAST Delivery Manager Tool (DMT). You therefore need to manually create an Analysis Unit in the CAST Management Studio - this is explained below.

Using the CAST Delivery Manager Tool:

  • create a new Version
  • create a new Package for your Python source code using the Files on your file system option:

Click to enlarge:

  • Define a name for the package and the root folder of your Application source code:

Click to enlarge:

  • Run the Package action: the CAST Delivery Manager Tool will not find any "projects" related to the Python application source code - this is the expected behaviour. However, if your Python related source code is part of a larger application, then other projects may be found during the package action.

Click to enlarge:

  • Deliver the Version


Using the CAST Management Studio:

  • Accept and deploy the Version in the CAST Management Studio. No Analysis Units will be created automatically relating to the Python source code - this is the expected behaviour. However, if your Python related source code is part of a larger application, then other Analysis Units may be created automatically:

Click to enlarge:

  • In the Current Version tab, add a new Analysis Unit specifically for your Python source code, selecting the Add new Universal Analysis Unit option:

  • Edit the new Analysis Unit and configure in the Source Settings tab:
    • a name for the Analysis Unit
    • ensure you tick the Python option
    • define the location of the deployed Python source code (the CAST Management Studio will locate this automatically in the Deployment folder):

  • Run a test analysis on the Analysis Unit before you generate a new snapshot.

Automatic skipping of unit-test code

The analyzer skips files that are recognized as forming part of testing code, i.e., in principle, code not pertaining to production code. The reason to avoid inclusion of testing code is that many Quality Rule violations are overrepresented in test code, either because code tends to be of poorer quality (certainly not critical) or prevalence of particular testing patterns. Accounting for test code would negatively impact the total score of the project. The heuristics used by the analyzer are based on detecting unit-test library imports, and file and path naming conventions as summarized in the table below: 

FileContentimport unittest12 
FileContentfrom unittest import12 
FileContentfrom import12 
FileContentself.assert 2
The ** symbol represents any arbitrary path string, whereas * represents any string without directory slashes.

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the normal manner:

Python Class and method example

iOS Front-end connected to a Python Flask Back-end.


The following specific objects are displayed in CAST Enlighten:


Python Project, Python External Library
Python Module
Python Class
Python Method
Python Script

Python Get Urllib, Urllib2, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Get Operation

Python Post Urllib, Urllib2, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Post Operation

Python Put Urllib, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Put Operation

Python Delete Urllib, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Delete Operation

SQL Named Query

RabbitMQ Python QueueCall

ActiveMQ Python QueueCall

RabbitMQ Python QueueReceive

ActiveMQ Python QueueReceive

The following links are constructed :

  • call links between methods
  • inherit link between classes
  • refer link from methods to class (constructor call)
  • use link between modules through import


You can find a full list of rules delivered with this extension here:

Web Service calls and operations support

The following libraries are supported for Web Service operations (left) and Web Service HTTP API calls (right):

Once the Python extension analysis is finished, the analyzer will output the final number of web service call and operation objects created.


Example for GET request:

import requests
r = requests.get('')


Example for GET request:

import urllib.request
with urllib.request.urlopen('') as response:
   html =


Example for GET request:

import urllib2

req = urllib2.Request('')
response = urllib2.urlopen(req)
the_page =

Example for POST request.

import urllib2
import urllib

values = {'name' : 'Michael Foord',
          'location' : 'Northampton',
          'language' : 'Python' }

data = urllib.urlencode(values)

req = urllib2.Request('', data)
response = urllib2.urlopen(req)
the_page =
PUT and DELETE calls are not supported by the urllib2 module (Python version 2.x) by default. Workarounds to bypass this limitation are not detected by the analyzer.


Example for GET request:

from httplib import HTTPConnection
def f():
    conn = HTTPConnection("")
    conn.request("GET", "/index.html")

Example link from method "f" to the get httplib service:


Example for GET request:

from http.client import HTTPConnection
def f():
    conn = HTTPConnection("")
    conn.request("GET", "/index.html")

In this case a Python Get Httplib Service will be generated (the httplib module from Python 2 has been renamed to http.client in Python 3).


The following code will issue a http get to the url '':

import httplib2
h = httplib2.Http(".cache")
(resp, content) = h.request("")


The following code will issue a http get to the url '':

import aiohttp
session = aiohttp.ClientSession()
res = session.get(''

The aiohttp module can be also used in server mode, implementing web service operations

from aiohttp import web
async def handler(request):
    return web.Response(text="Welcome in Python")
app = web.Application()
app.router.add_get('/index', handler)

In this case a Web Service Operation object associated to the function (coroutine) handler will be generated similar to the example for flask given below.


Flask route annotations for web service operations (GET, PUT, POST, DELETE) are supported. In particular, any decorator with the format @prefix.route is considered as a flask annotation where prefix can be a Flask application object or blueprint object. In the following example, a default GET operation is ascribed to the function f, and the POST and PUT operations to the upload_file function:

from flask import Flask
app = Flask(__name__)
def f():
    return 'hello world!'
@app.route('/upload', methods=['POST', 'PUT'])
def upload_file()
	if request.method == 'POST':
	# ...

The link between the GET operation named after the routing URL "/"  and the called function f is represented by an arrow pointing to the function:

The name of a saved Web Service Operation object will be generated from the routing URL by adding a final slash when not present. In this example the name of the PUT and POST operations is "/upload/" after the routing url "/upload".

URL query parameters such as @app.route('/user/<username>') are supported. In this case the generated Web Service Operation object will be named as /user/{}/, as shown in the example below.

from flask import Flask
app = Flask(__name__)
def show_user_profile(username):
    return 'User %s' % username

Similarly double slashes // in flask routing URLs are transformed into /{}/. Additional backslashes inside URL query parameters of type path [ @app.route('/<path:path>') ] are not resolved (which in principle could catch any URL) so the web service will be named as a regular parameter /{}/.

The equivalent alternative to routing annotations using the Flask add_url_rule is also supported.

from flask import Flask
app = Flask(__name__)    
def index():
app.add_url_rule('/', 'index')

Database queries

Simple database queries consistent with the Python Database API Specification (PEP 249) are recognized. This allows to support a large number of important libraries interfacing Python and SQL databases (SQLite, MySQL, etc). The analyzer identifies execute method calls as potential database queries and searches for generic SQL statements passed in as an argument ('SELECT ...", "INSERT ...)". In the example below data from the stocks table is retrieved via a SELECT statement passed explicitly by a string to the execute method of a cursor object.

import sqlite3

conn = sqlite3.connect('example.db')
c = conn.cursor()
c.execute('SELECT * FROM stocks') 

The analyzer creates a SQL Named Query object with name SELECT * FROM stocks (first 4 words are only used as naming convention) representing a call to a database. Provided analysis dependencies between SQL and Python are configured in CAST Management Studio, the analyzer will automatically link this object to the corresponding Table object, in this case stocks, that has been generated by a SQL analysis unit.

File system access functions

Representing end points based on file system access is important to automatically configure transactions. Towards this goal we aim at providing automatic recognition of standard library input/output functions. Currently we provide support for the built-in open function and the most common methods associated to file-like objects write, read, writelines, readline, readlines, and close,  as shown in the example below.

data = """<html>
<header><title>This is title</title></header>
Hello world
f = open('page.html', 'w')

The objects corresponding to the code of the file are inside the Universal Directory root object. Additionally the analyzer will automatically generate a Python external library object representing the Python Standard Library. Within this, the Python built-in library is abstracted as a Python source code object named, with its corresponding open function and file class (abstracting general file-like objects) that contains the above mentioned methods. No differences are considered between Python2 and Python3 built-in functions. Notice the external character of these objects denoted by gray-shaded icons in the left Object Browser panel.

Due to implementation constraints in CAIP versions [7.3.6, 8.1] a spurious link is generated between the Python external library object and a PY File object.

Message Queues


Message queues are software-engineering components used for inter-process communication, or for inter-thread communication within the same process. They use a queue for messaging. A producer posts messages to a queue. At the appointed time, the receivers are started up and process the messages in the queue. A queued message can be stored and forwarded, and the message can be redelivered until the message is processed. Message queues enable asynchronous processing, which allows messages to be queued without the need to process them immediately.

Message Queues currently handled by the Python analyzer


Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client. The goal of ActiveMQ is to provide standards-based, message-oriented application integration across as many languages and platforms as possible. ActiveMQ acts as the middleman allowing heterogeneous integration and interaction in an asynchronous manner.


RabbitMQ is an open source message-queueing software called a message broker or queue manager RabbitMQ implements AMQP. It supports multiple messaging protocols. RabbitMQ can be deployed in distributed and federated configurations to meet high-scale, high-availability requirements.

Message queue applications using the below mentioned frameworks/clients are handled:

  • Library interface with STOMP protocol for ActiveMQ

  • Pika client with AMQP protocol for RabbitMQ

CAST Enlighten screenshots

When a message queue application is analyzed by the Python analyser, the following transactions can be found at the end of analysis:

Example of ActiveMQ Producer

import stomp

conn = stomp.Connection10()
conn.send('SampleQueue', 'Its working!!')

Example of ActiveMQ Consumer

import stomp

queue = 'SampleQueue'
conn = stomp.Connection10()

CAST Enlighten screenshot of ActiveMQ Transaction

Example of RabbitMQ Producer

import pika

connection = pika.BlockingConnection(pika.ConnectionParameters('localhost'))
channel =
channel.queue_declare(queue = "sample_queue")
channel.basic_publish(exchange = '', routing_key = "sample_queue", body = "Hello world!" )

Example of RabbitMQ Consumer

import pika

def callback(ch, method, properties, body):
    print("[x] Received % r" % body)
connectionconnection = pika.BlockingConnection(pika.ConnectionParameters(host='localhost'))
channel =
channel.queue_declare(queue = "sample_queue")
channel.basic_consume(callback, queue = "sample_queue", no_ack = True)

CAST Enlighten screenshot of RabbitMQ Transaction




  • Not fully supported Python Decorator function.
  • Quality rules do not apply to code inside the class definition (class or "static" variables)
  • Limited Python resolution that leads to missing links:
    • No support for __all__
    • No support for variable of type class, function
    • Limited method resolution when used super under multiple inheritance.
  • Flask:
    • Objects for other web service operations such as PATCH are not generated.
    • The endpoint abstraction layer between functions and annotations is not considered. When using  add_url_rule the endpoint argument is taken as the calling function name.
  • Message queues
    •  To generate queue message objects the queue name has to be initialized explicitly in the code (dynamic naming not supported).
  • No labels