Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Panel

On this page:

Table of Contents

Target audience:

Users of the extension providing Python support.

Info

Summary: This document provides basic information about the extension providing Python support.

Description

This extension provides support for Python.

In what situation should you install this extension?

If your application contains Python source code and you want to view these object types and their links with other objects, then you should install this extension.

Supported Python versions

The following table displays the supported versions matrix:

VersionSupport
3.x(tick)
2.x(tick)
1.x(error)

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points
(transactions)
Quality and SizingSecurity
(tick)(tick)(tick)

CAST AIP compatibility

This extension is compatible with:

CAST AIP release
Supported
8.3.x(tick)
8.2.x(tick)
8.1.x(tick)
8.0.x(tick)
7.3.4 and all higher 7.3.x releases(tick)

Supported DBMS servers

This extension is compatible with the following DBMS servers:

CAST AIP releaseCSSOracleMicrosoft
All supported releases(tick)(tick)(error)

Prerequisites

(tick)An installation of any compatible release of CAST AIP (see table above)

Dependencies with other extensions

  • Web services linker service (internal technical extension)
  • CAST AIP Internal extension ((internal technical extension)

Info
Note that when using the CAST Extension Downloader to download the extension and the Manage Extensions interface in CAST Server Manager to install the extension, any dependent extensions are automatically downloaded and installed for you. You do not need to do anything.

Download and installation instructions

Please see:

Info

The latest release status of this extension can be seen when downloading it from the CAST Extend server.

Packaging, delivering and analyzing your source code

Once the extension is installed, no further configuration changes are required before you can package your source code and run an analysis. The process of packaging, delivering and analyzing your source code is as follows:

Packaging and delivery

Info
  • Note that the Python extension does not contain any CAST Delivery Manager Tool discoverers or extractors, therefore, no "Python" projects will be detected by the DMT. You therefore need to manually create an Analysis Unit in the CAST Management Studio - this is explained below.

Using the CAST Delivery Manager Tool:

  • create a new Version
  • create a new Package for your Python source code using the Files on your file system option:

  • Define a name for the package and the root folder of your Application source code:

  • Run the Package action: the CAST Delivery Manager Tool will not find any "projects" related to the Python application source code - this is the expected behaviour. However, if your Python related source code is part of a larger application, then other projects may be found during the package action.

  • Deliver the Version

Analyzing

Using the CAST Management Studio:

  • Accept and deploy the Version in the CAST Management Studio. No Analysis Units will be created automatically relating to the Python source code - this is the expected behaviour. However, if your Python related source code is part of a larger application, then other Analysis Units may be created automatically:

  • In the Current Version tab, add a new Analysis Unit specifically for your Python source code, selecting the Add new Universal Analysis Unit option:

  • Edit the new Analysis Unit and configure in the Source Settings tab:
    • a name for the Analysis Unit
    • ensure you tick the Python option
    • define the location of the deployed Python source code (the CAST Management Studio will locate this automatically in the Deployment folder):

  • Run a test analysis on the Analysis Unit before you generate a new snapshot.

Automatic skipping of unit-test code

The analyser skips files that are recognized as forming part of testing code, i.e., in principle code not pertaining to production code. The reason to avoid inclusion of testing code is that many quality rule violations are overrepresented  in test code, either because tends to be more sloppy code (certainly not critical) or prevalence of particular testing patterns. Accounting for test code would impact negatively the total score of the project. The heuristics used by the analyser are based on detecting unit-test library imports, and file and path naming conventions as summarized in the table below: 

TypeValueHeaderLinesMinimuCount
FilePath**/test_*.py  
FilePath**/*_test.py  
FilePath**/*_test_*.py  
FilePath**/test/*.py  
FilePath**/tests/*.py  
FileContentimport unittest12 
FileContentfrom unittest import12 
FileContentfrom nose.tools import12 
FileContentself.assert 2
Info
The ** symbol represents any arbitrary path string whereas * represents any string without directory slashes.

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the normal manner:

Python Class and method example

iOS Front-end connected to a Python Flask Back-end.

Objects

The following specific objects are displayed in CAST Enlighten:

IconDescription

Python Project, Python External Library
Python Module
Python Class
Python Method
Python Script

Python Get Urllib, Urllib2, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Get Operation

Python Post Urllib, Urllib2, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Post Operation

Python Put Urllib, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Put Operation

Python Delete Urllib, Httplib, Httplib2, aiohttp Service

Python Flask, aiohttp Web Service Delete Operation

SQL Named Query

The following links are constructed :

  • call links between methods
  • inherit link between classes
  • refer link from methods to class (constructor call)
  • use link between modules through import

Quality Rules

HTML
<!-- COPY/PASTE FROM HERE -->

<div id="qualityrulesheader"></div>
<p id="qualityrules"></p>

<style>

.qualityrulesheaderclear {
    clear: both;
}

.qualityrulesinputbox {
	font: 13px 'Helvetica';
	color:#222;
	display: inline-block;
	text-align: center;
}

.qualityrulesinputbox input{
	font: 15px 'Helvetica';
}

.qualityrulesheader {
	max-width:100%;
	height:40px;
}

.qualityrulescounter {
	margin-top:7px;
	font: 16px 'Helvetica';
	width:70%;
	float:left;
}

.qualityrulessearchzone {
	float:right;
	width:30%;
	position:relative;
	text-align: right;
}

.qualityrulessearchzone #qualityrulessearch {
	margin-right:5px;
}

.qualityruletable {
	width:100%;
	font: 13px 'Helvetica';
	-webkit-border-horizontal-spacing: 0px;
	border-spacing: 0px 2px;
	table-layout: fixed;
}

.qualityruletable thead {
	background-color:#DDD;
	font-weight: bold;
}

.qualityruletable thead td {
	padding: 8px 8px;
}

.qualityruletable tbody tr	{

	background-color:#FBF9F9;
}

.qualityruletable tbody tr:hover	{

	background-color:#EFF7FF;
}

.qualityruletable tbody td	{

	padding: 8px 8px ;
	color: black;
	font-weight:normal;
}

.qualityruletable .tdid	{

	width: 8% ;
}

.qualityruletable .tdname	{

	width: 34% ;
}

.qualityruletable .tdcritical	{

	width: 8% ;
}

.qualityruletable .tdhealth	{

	width: 20% ;
}

.qualityruletable .tdcisq	{

	width: 15% ;
}

.qualityruletable .tdother	{

	width: 15% ;
}

.qualityruletable tbody td.highlighted {
	color: #4A90E2;
	font-weight:bold;
	background-color:#E2EBF6;
}

.qualityruletable tbody td.detailsrule	{

	background-color: white ;
	border-color: #4A90E2;
	border-style: solid;
	border-width: 1px;
}

.qualityruletable .greencheck {
	background-color:#559410;
	color: white;
	padding:4px 6px;
	border-radius:12px;
	font-size:10px;
}

.qualityruletable .sourcecode {
	padding: 4px;
	margin: 4px;
	font: 13px "Courier";
	background-color: #EEE;
}

</style>

<script>
var parser, xmlDoc;
var IMPLQualityRules = '';
var SPECContributors = '';
var SPECDocumentation = '';
var securitylist = ['61001','61004','61014','61018','66062','66063','66065','66066','66069','66070'];
var efficiencylist = ['61011','61018','61019','61029','66068'];
var transferabilitylist = ['61003','61006','61007','61008','61009','61010','61011','61013','61015','61017','61022','61023','61024','61027','61028','61029','61030','61031'];
var changeabilitylist = ['61001','61004','61009','61010','61011','61013','61017','61020','61024','61027','61028','61029','61031','66070'];
var robustnesslist = ['61001','61003','61004','61009','61010','61011','61013','61014','61022','61024','61029','66009','66065','66069','66070'];

var detailsheaders = ["Description","Rationale","Remediation","Sample","Remediation sample","Reference","Output","Total","Parameters","Parent Technical Criterion(s)"];
var detailssections = ["description","rationale","remediation","sample","remediationSample","reference","output","total","parameters","technical-criterion"];
var detailsdictionary = {};

/*
   Copy/paste the content of IMPLQualityRules.xml file hereafter

   WARNING: make sure you have replaced "" by \"\" and there is not TAB between IMPLQualityRules = ` and <?xml
*/
function loadIMPLQualityRules() {

IMPLQualityRules = `<?xml version='1.0' encoding='utf-8'?>
<root>
    <metric id='1021000' type='quality-rule' originalName='Avoid Artifacts with High Cyclomatic Complexity (Python)'                    xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='0'       scopeLabel='NO LABEL' propertyID='0'       associatedValueResultType='no-value' failedChecksOperator1='count'          failedChecksProcedure='DIAG_SCOPE_PYTHONTECCPLEX001' totalChecksProcedure='DIAG_PYTHON_ARTIFACTS_TOTAL' consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021002' type='quality-rule' cisq='ASCPEM-PRF-08' originalName='Avoid using a web service with Python httplib HTTPConnection inside a loop'  xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021001' scopeLabel='NO LABEL' propertyID='1021000' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021004' type='quality-rule' cisq='ASCPEM-PRF-08' originalName='Avoid using a web service with Python requests inside a loop'                xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021002' scopeLabel='NO LABEL' propertyID='1021002' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021006' type='quality-rule' cisq='ASCPEM-PRF-08' originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop'   xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021003' scopeLabel='NO LABEL' propertyID='1021004' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021008' type='quality-rule' cisq='ASCPEM-PRF-08' originalName='Avoid using a web service with Python urllib.request inside a loop'          xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021004' scopeLabel='NO LABEL' propertyID='1021006' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021010' type='quality-rule' cisq='ASCPEM-PRF-08' originalName='Avoid using a web service with Python urllib2 inside a loop'                 xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021005' scopeLabel='NO LABEL' propertyID='1021008' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021012' type='quality-rule' cisq='ASCPEM-PRF-08' originalName='Avoid using a web service with Python httplib2 Http inside a loop'           xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021006' scopeLabel='NO LABEL' propertyID='1021010' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021014' type='quality-rule' originalName='Avoid using yield and return with value inside a function'                   xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021007' scopeLabel='NO LABEL' propertyID='1021012' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021016' type='quality-rule' cisq='ASCSM-CWE-327' other='OWASP-2013-A6' originalName='Avoid using MD5 hashes to hash passwords or to encrypt data'                 xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021008' scopeLabel='NO LABEL' propertyID='1021013' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021018' type='quality-rule' cisq='ASCRM-RLB-01' originalName='Avoid catch-all except blocks with empty handlers'                           xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021015' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
	<metric id='1021020' type='quality-rule' cisq='ASCMM-MNT-20' originalName='Avoid using wildcard (*) imports'      					                    xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021016' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
	<metric id='1021022' type='quality-rule' originalName='Initialize ancestors when overriding __init__'  		                    	xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021007' scopeLabel='NO LABEL' propertyID='1021017' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
	<metric id='1021024' type='quality-rule' cisq='ASCRM-RLB-01' originalName='Avoid return statement in finally block'  		                         	xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021018' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021026' type='quality-rule' cisq='ASCPEM-PRF-15, ASCRM-CWE-772' originalName='Avoid leaving open file resources'                                           xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021019' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
	<metric id='1021028' type='quality-rule' cisq='ASCRM-RLB-01' originalName='Avoid empty finally block'  		                         					xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021020' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021030' type='quality-rule' cisq='ASCRM-RLB-18' originalName='Avoid hardcoded network resource names'                                      xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021010' scopeLabel='NO LABEL' propertyID='1021022' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
    <metric id='1021032' type='quality-rule' originalName='Avoid disabling certificate check when requesting secured urls' other='OWASP-2013-A5, OWASP-2017-A5'    xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021023' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'   consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />  
     <metric id='1021034' type='quality-rule' originalName='Avoid inconsistent initialization when deriving a new exception'             xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021007' scopeLabel='NO LABEL' propertyID='1021024' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
	<metric id='1021036' type='quality-rule' originalName='Avoid using eval'  other ='MITRE-CWE-95, OWASP-2013-A1, OWASP-2017-A1'  xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021025' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'   consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />   
<metric id='1021038' type='quality-rule' originalName='Avoid using exec'           other ='MITRE-CWE-95, OWASP-2013-A1, OWASP-2017-A1'  xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021026' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'   consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
<metric id='1021040' type='quality-rule' originalName='Avoid attributes only differing by caps'                                                                xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021011' scopeLabel='NO LABEL' propertyID='1021027' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
<metric id='1021042' type='quality-rule' originalName='Avoid hardcoded passwords'                         other ='MITRE-CWE-798, MITRE-CWE-259'                xxl='N/A' unify='N/A' executionLocation='local-central' scopeID='1021009' scopeLabel='NO LABEL' propertyID='1021028' associatedValueResultType='no-value' failedChecksOperator1='count-distinct' failedChecksProcedure='DSS_DIAG_SCOPE_GENERIC_NUM'   totalChecksProcedure='DSS_DIAG_TOTAL_GENERIC'      consolidationLocalProcedure='DSS_FILTER_SCOPE' consolidationCentralProcedure='N/A' />
</root>     
`;
/* END OF IMPLQualityRules.xml copy/paste file */
}

/*
   Copy/paste the content of SPECDocumentation.xml file hereafter

   WARNING: make sure you have replaced "" by \"\" and there is not TAB between SPECDocumentation = ` and <?xml
*/

function loadSPECDocumentation() {

SPECDocumentation = `<?xml version='1.0' encoding='utf-8'?>
<root>
 <metric id="1021000" type="quality-rule" originalName="Avoid Artifacts with High Cyclomatic Complexity (Python)" section="associatedValueName">
  <english>Cyclomatic complexity</english>
 </metric>
 <metric id="1021000" type="quality-rule" originalName="Avoid Artifacts with High Cyclomatic Complexity (Python)" section="description">
  <english>Avoid Artifacts with High Cyclomatic Complexity (CC &gt; 20). Complex Artifacts are difficult to maintain. Keeping Artifacts small and simple ensures an good readability of the code.  The threshold level is a parameter that can be changed at will.</english>
 </metric>
 <metric id="1021000" type="quality-rule" originalName="Avoid Artifacts with High Cyclomatic Complexity (Python)" section="name">
  <english>Avoid Artifacts with High Cyclomatic Complexity (Python)</english>
 </metric>
 <metric id="1021000" type="quality-rule" originalName="Avoid Artifacts with High Cyclomatic Complexity (Python)" section="output">
  <english>Associated to each Python Artifact with violations, the Quality Rule provides:
- The Cyclomatic complexity</english>
 </metric>
 <metric id="1021000" type="quality-rule" originalName="Avoid Artifacts with High Cyclomatic Complexity (Python)" section="rationale">
  <english>The effort and time for diagnosis of deficiencies or causes of failures, or for identification of parts to be modified is directly related to the number of execution paths, i.e. the complexity of the control flow. 
Analyzability declines with increasing Cyclomatic Complexity. 
Each modification must be correct for all execution paths. Cyclomatic Complexity computes the number of the linearly independent paths, a lower bound of all execution paths ignoring multiple iterations. 
Changeability declines with increasing Cyclomatic Complexity. 
Complete testing requires coverage of all execution paths. Cyclomatic Complexity computes the number of the linearly independent paths, a lower bound of all execution paths ignoring multiple iterations. 
Testability declines with increasing Cyclomatic Complexity.</english>
 </metric>
 <metric id="1021000" type="quality-rule" originalName="Avoid Artifacts with High Cyclomatic Complexity (Python)" section="remediation">
  <english>Review the design of the Artifact to reduce number of independent paths. E.g.: Reduce the number of conditional statements.</english>
 </metric>
 <metric id="1021000" type="quality-rule" originalName="Avoid Artifacts with High Cyclomatic Complexity (Python)" section="total">
  <english>Number of Python Artifacts</english>
 </metric>
 
    <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python httplib HTTPConnection inside a loop" section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python httplib HTTPConnection inside a loop" section="description">
        <english>When designing web service to get/post/put data, you want to make sure that you minimize the number of calls between the client application and web service server. This rule will check the official Python httplib syntax HTTPConnection, to do call to web service. This rule is compliant with CISQ OMG ASCPEM-PRF-08 recommendation.</english>
    </metric>
    <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python httplib HTTPConnection inside a loop" section="name">
        <english>Avoid using a web service with Python httplib HTTPConnection inside a loop</english>
    </metric>
    <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python httplib HTTPConnection inside a loop" section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python httplib HTTPConnection inside a loop" section="rationale">
        <english>When designing web service to get/put/post data, you want to make sure that you minimize the number of calls between the client application and web service server. 
By minimizing the number of calls, you improve application speed, reduce communications overhead (why send three request when you can do it by one), and reduce network traffic.</english>
    </metric>
    <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python httplib HTTPConnection inside a loop" section="remediation">
        <english>Try to create a process queue that will manage all the requests with a limited number of concurrent requests. When a request callback has been managed a new request could be fired.</english>
    </metric>
 <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="sample">
        <english>>>> from httplib import HTTPConnection
>>> conn = HTTPConnection("www.python.org")
>>> for url in urllist:
>>>     conn.request("GET", url)</english>
    </metric>
    <metric id="1021002" type="quality-rule" originalName="Avoid using a web service with Python httplib HTTPConnection inside a loop" section="total">
        <english>Python artifacts using httplib</english>
    </metric>
 
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="description">
        <english>When designing web service to get/post/put data, you want to make sure that you minimize the number of calls between the client application and web service server. This rule will check the official Python requests syntax, to do call to web service. This rule is compliant with CISQ OMG ASCPEM-PRF-08 recommendation.</english>
    </metric>
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="name">
        <english>Avoid using a web service with Python requests inside a loop</english>
    </metric>
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="rationale">
        <english>When designing web service to get/put/post data, you want to make sure that you minimize the number of calls between the client application and web service server. By minimizing the number of calls, you improve application speed, reduce communications overhead (why send three request when you can do it by one), and reduce network traffic.</english>
    </metric>
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="remediation">
        <english>Try to create a process queue that will manage all the requests with a limited number of concurrent requests. When a request callback has been managed a new request could be fired.</english>
    </metric>
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="sample">
        <english>>>> import requests
>>> for url in urllist:
>>>      r = requests.get(url)
</english>
    </metric>
    <metric id="1021004" type="quality-rule" originalName="Avoid using a web service with Python requests inside a loop" section="total">
        <english>Python artifacts web service with Python requests</english>
    </metric>
 
 
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="description">
        <english>When designing web service to get/post/put data, you want to make sure that you minimize the number of calls between the client application and web service server. This rule will check the official Python requests syntax, to do call to web service. This rule is compliant with CISQ OMG ASCPEM-PRF-08 recommendation.</english>
    </metric>
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="name">
        <english>Avoid using a web service with Python aiohttp ClientSession inside a loop</english>
    </metric>
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="rationale">
        <english>When designing web service to get/put/post data, you want to make sure that you minimize the number of calls between the client application and web service server. By minimizing the number of calls, you improve application speed, reduce communications overhead (why send three request when you can do it by one), and reduce network traffic.</english>
    </metric>
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="remediation">
        <english>Try to create a process queue that will manage all the requests with a limited number of concurrent requests. When a request callback has been managed a new request could be fired.</english>
    </metric>
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="sample">
        <english>>>> import aiohttp
>>> session = aiohttp.ClientSession()
>>> for url in urllist:
>>>     res = session.get(url)
</english>
    </metric>
    <metric id="1021006" type="quality-rule" originalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' section="total">
        <english>Python artifacts web service with Python aiohttp</english>
    </metric>
 
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="description">
        <english>When designing web service to get/post/put data, you want to make sure that you minimize the number of calls between the client application and web service server. This rule will check the official Python requests syntax, to do call to web service. This rule is compliant with CISQ OMG ASCPEM-PRF-08 recommendation.</english>
    </metric>
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="name">
        <english>Avoid using a web service with Python urllib.request inside a loop</english>
    </metric>
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="rationale">
        <english>When designing web service to get/put/post data, you want to make sure that you minimize the number of calls between the client application and web service server. By minimizing the number of calls, you improve application speed, reduce communications overhead (why send three request when you can do it by one), and reduce network traffic.</english>
    </metric>
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="remediation">
        <english>Try to create a process queue that will manage all the requests with a limited number of concurrent requests. When a request callback has been managed a new request could be fired.</english>
    </metric>
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="sample">
        <english>>>> import urllib.request
>>> for url in urllist:
>>>     res = urllib.request.urlopen(url)
</english>
    </metric>
    <metric id="1021008" type="quality-rule" originalName='Avoid using a web service with Python urllib.request inside a loop' section="total">
        <english>Python artifacts web service with Python urllib</english>
    </metric>
 
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="description">
        <english>When designing web service to get/post/put data, you want to make sure that you minimize the number of calls between the client application and web service server. This rule will check the official Python requests syntax, to do call to web service. This rule is compliant with CISQ OMG ASCPEM-PRF-08 recommendation.</english>
    </metric>
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="name">
        <english>Avoid using a web service with Python urllib2 inside a loop</english>
    </metric>
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="rationale">
        <english>When designing web service to get/put/post data, you want to make sure that you minimize the number of calls between the client application and web service server. By minimizing the number of calls, you improve application speed, reduce communications overhead (why send three request when you can do it by one), and reduce network traffic.</english>
    </metric>
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="remediation">
        <english>Try to create a process queue that will manage all the requests with a limited number of concurrent requests. When a request callback has been managed a new request could be fired.</english>
    </metric>
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="sample">
        <english>>>> import urllib2
>>> for url in urllist:
>>>     res = urllib2.urlopen(url)
</english>
    </metric>
    <metric id="1021010" type="quality-rule" originalName='Avoid using a web service with Python urllib2 inside a loop' section="total">
        <english>Python artifacts web service with Python urllib2</english>
    </metric>

    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="description">
        <english>When designing web service to get/post/put data, you want to make sure that you minimize the number of calls between the client application and web service server. This rule will check the official Python requests syntax, to do call to web service. This rule is compliant with CISQ OMG ASCPEM-PRF-08 recommendation.</english>
    </metric>
    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="name">
        <english>Avoid using a web service with Python httplib2 Http inside a loop</english>
    </metric>
    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="rationale">
        <english>When designing web service to get/put/post data, you want to make sure that you minimize the number of calls between the client application and web service server. By minimizing the number of calls, you improve application speed, reduce communications overhead (why send three request when you can do it by one), and reduce network traffic.</english>
    </metric>
    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="remediation">
        <english>Try to create a process queue that will manage all the requests with a limited number of concurrent requests. When a request callback has been managed a new request could be fired.</english>
    </metric>
    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="sample">
        <english>>>> import httplib2 
>>> conn = httplib2.Http()
>>> for url in urllist:
>>>     res = conn.request(url,'GET')
</english>
    </metric>
    <metric id="1021012" type="quality-rule" originalName='Avoid using a web service with Python httplib2 Http inside a loop' section="total">
        <english>Python artifacts web service with Python httplib2</english>
    </metric>

    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="description">
    <english>Functions that are using yield and return with value (different from None) are very sensitive to the Python version. To avoid any technical complexity, we strongly suggest you to do not use these annotations together within functions in your code.</english>        
    </metric>
    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="name">
        <english>Avoid using yield and return with value inside a function</english>
    </metric>
    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="rationale">
        <english>Mixing return with value and yield in the same function could lead to technical complexity. Based on the version used to run the Python script (2.x, 3.3, 3.4 for example), the results will not be the same.</english>
    </metric>
    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="remediation">
        <english>Try to avoid return with value statements within functions containing yield.</english>
    </metric>
    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="sample">
        <english>>>> def generator1(n):
>>>     for i in range(n):
>>>         yield i
>>>     return 0
</english>
    </metric>
    <metric id="1021014" type="quality-rule" originalName='Avoid using yield and return with value inside a function' section="total">
        <english>Python artifacts using yield</english>
    </metric>

    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="description">
    <english>MD5 hashes were used as salt to hash a password or a passphrase. In cryptography, a salt is random data that's used as additional input to a one-way function. Recently, several exploits were developed which proved that MD5 will generate identical outputs for the different input parameters. As a consequence, somebody can break your encryption or log on to your website. This rule is compliant with CISQ OMG ASCSM-CWE-327 recommendation.</english>        
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="name">
        <english>Avoid using MD5 hashes to hash passwords or to encrypt data</english>
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="rationale">
        <english>The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break the algorithm.</english>
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="remediation">
        <english>Avoid using MD5 hashes as input to cryptographic functions or to store passwords. Python offers the following hashing algorithms: SHA1, SHA224, SHA256, SHA384, and SHA512. Make sure you choose the most appropriate one, depending on your use case, security requirements and runtime constraints.</english>
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="sample">
        <english>>>> import hashlib 
>>> md5_hash = hashlib.md5() 
>>> md5_hash.update("This hash can be exploited") 
>>> md5_hash.digest() 
</english>
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="remediationSample">
        <english>>>> import hashlib 
>>> secure_hash = hashlib.sha512() 
>>> secure_hash.update("This hash is secure") 
>>> secure_hash.digest() 
        </english>
    </metric>
    <metric id="1021016" type="quality-rule" originalName='Avoid using MD5 hashes to hash passwords or to encrypt data' section="total">
        <english>Python artifacts using hashlib library</english>
    </metric>
 
 
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="description">
    <english>This metric reports all methods with at least one cath-all except block with an empty implementation. Working with exceptions is common to Python but sometimes using try/except blocks without doing anything when an exception happened is very dangerous. This rule is compliant with the CISQ OMG ASCRM-RLB-01 recommendation.</english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="name">
        <english>Avoid catch-all except blocks with empty handlers</english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="rationale">
        <english>Exceptions are a mechanism to interrupt a program for signaling run-time anomalies in the code. In Python the common way for object type checking is to 'try' methods and properties. Thus well-defined exceptions are expected to appear and often the desired reaction is to silently ignore them. 
        A catch-all except clause (one that captures all types of exceptions) when not properly handled ascribes this behaviour to every exception, included the unexpected. This practice should be avoided because it hinders debugging.</english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="remediation">
        <english>The exception must be handled correctly according to its type. If no exception type is declared or if a high-level cath-all exception type is used, the body of the exception block should execute specific code or inform if something wrong happened.</english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="sample">
        <english>>>> try:
>>>     doSomething()
>>> except:          # no exception type declared
>>>     pass         # empty handler
</english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="remediationSample">
        <english>>>> # easy remediation
>>> try:
>>>     doSomething()
>>> except:
>>>     logging.debug("Someting happened")
>>> # better remediation
>>> try:
>>>     doSomething()
>>> except SomeException as e:
>>>     logging.debug("Something happened:" + e.error)
>>> except:
>>>     logging.debug("Something unexpected happened ...")
        </english>
    </metric>
    <metric id="1021018" type="quality-rule" originalName='Avoid catch-all except blocks with empty handlers' section="total">
        <english>Python artifacts handling exceptions</english>
    </metric>
 
 
 <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="description">
    <english>Most of the time the import statements should be as specific as possible and you should only import what is needed. When from module import * is used, you are implicitly loading all locals of the imported module into and over the importing module. This has two disadvantages: first, you might unintentionally overload already imported objects. Second, it becomes difficult to detect undefined names in the program that imported the module. This rule is compliant with the CISQ OMG ASCMM-MNT-20 recommendation.</english>
    </metric>
    <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="name">
        <english>Avoid using wildcard (*) imports</english>
    </metric>
 <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="output">
  <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="rationale">
        <english>Software that does not follow the principles of reuse requires more maintenance effort in order to propagate changes to all instances of duplicated code </english>
    </metric>
    <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="remediation">
        <english>Avoid using wildcard (*) imports. Either import the full module. A direct import would bind to the same name as that of another object. Second way is to make the import statement more specific.</english>
    </metric>
    <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="sample">
        <english>>>> from math import *
>>> from numpy import *
</english>
    </metric>
 <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="remediationSample">
        <english>>>> from math import floor 
>>> from numpy import floor as np_floor
>>> values = array([2.3, 8.7])
>>> np_floor(values)
        </english>
    </metric>
    <metric id="1021020" type="quality-rule" originalName='Avoid using wildcard (*) imports' section="total">
        <english>Python artifacts importing modules</english>
    </metric>

    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="description">
    <english>Inheritance in object-oriented programming allows code reuse between hierarchically related classes. In Python by default the subclass inherits all of the methods including the __init__ method which is usually used for instance member initialization. However the subclass can replace any particular implementation that has inherited. To avoid accidental access to uninitialized instance members we strongly suggest you to initialize ancestor classes in the overriden __init__ method or to reconsider refactoring the code so that no inheritance is needed.</english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="name">
        <english>'Initialize ancestors when overriding __init__'</english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="rationale">
        <english>Accessing uninitialized variables is a typical source of errors and unexpected behaviour. Overriding the __init__ method of an ancestor class without initializing it can leave unitialized instance members.</english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="remediation">
        <english>Initialize ancestors when overriding __init__ using consistently non-super methods or super() if their ancestors do.</english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="sample">
        <english>>>> class A:
>>>     def __init__(self):
>>>         self.x = 3
>>>         self.y = 14
>>> 
>>> class B(A):
>>>     def __init__(self):
>>>         self.y = 2
</english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="remediationSample">
        <english>>>> # approach (1)
>>> class B(A):
>>>     def __init__(self): 
>>>         super().__init__()        # in Python2: super(B, self).__init__()
>>>         self.y = 2
>>> 
>>> # approach (2)
>>> class B(A):
>>>     def __init__(self):
>>>         A.__init__()
>>>         self.y = 2
        </english>
    </metric>
    <metric id="1021022" type="quality-rule" originalName='Initialize ancestors when overriding __init__' section="total">
        <english>Python artifacts initializing instance members</english>
    </metric>

 <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="description">
    <english>Reports all methods that contain an abrupt in a finally block. An abrupt completion of a statement or block occurs when it throws an exception, executes a break or continues to an enclosing statement, or executes a return from the method. This rule is compliant with CISQ OMG ASCMM-MNT-01 recommendation.</english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="name">
        <english>Avoid return statement in finally block</english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="rationale">
        <english>Care must be taken if completion of a try-catch block occurs as a result of executing a return. If a finally block also returns a value, then that return supersedes any previous return in the try-catch block. Also, if an exception was thrown in the try or catch blocks that was not caught, then execution of a return in the finally block prevents the exception from being thrown to the caller (because it is not possible for the caller to simultaneously evaluate the return and catch the exception). This is also valid for break or continue instructions.</english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="remediation">
        <english>Avoid using finally statement in return block. If used, it will swallow the exception raised but not handled in above try except block.</english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="sample">
        <english>>>> def experiment():
>>>     try:
>>>         x = 2/0
>>>     except:
>>>         logging.debug("Not possible")
>>>     finally:
>>>         logging.debug("Division")
>>>         return
</english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="remediationSample">
        <english>>>> def experiment():
>>>     try:
>>>         x = 2/0
>>>     except:
>>>         logging.debug("Not Possible")
>>>     finally:
>>>         logging.debug("Division")
>>>         clean_up_code()    #Return should not be used inside finally
        </english>
    </metric>
    <metric id="1021024" type="quality-rule" originalName='Avoid return statement in finally block' section="total">
        <english>Python artifacts handling exceptions</english>
    </metric>

    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="description">
    <english>Reports all Python artifacts that don't guarantee unequivocal file closing. This requires correct handling of potential exceptions arising from file manipulation.
The preferred way (from Python 2.5) is opening files using the with statement. Otherwise file manipulation has to be performed inside try-except blocks and file closing has to be assured in the finally block. This rule is compliant with OMG CISQ ASCPEM-PRF-15, ASCRM-CWE-772 recommendations.</english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="name">
        <english>Avoid leaving open file resources</english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="rationale">
        <english>When a file is opened by Python, resources are allocated until the file is closed. Thus it is important to ensure the file is closed as soon as the file manipulation is done by handling correctly potential exceptions. Delegating file closing to the underlying interpreter/compiler can have a negative impact on code portability and can result in unexpected behavior.</english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="remediation">
        <english>Use the with statement to open a file, otherwise explicitly close opened files while correctly handling exceptions arising from file manipulation.</english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="sample">
        <english>>>> f = open("hello.txt",'w')
>>> f.write("world")
>>> f.close()
</english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="remediationSample">
        <english>>>> f = open("hello.txt", 'w')
>>> try:
>>>     f.write("world")
>>> finally:
>>>     f.close()
# or even better
>>> with open("hello.txt", 'w') as f:
>>>     f.write("world")
        </english>
    </metric>
    <metric id="1021026" type="quality-rule" originalName='Avoid leaving open file resources' section="total">
        <english>Python artifacts opening file resources</english>
    </metric>
 <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="description">
    <english>In a try and catch/finally statement, finally blocks should contain code to handle the thrown exception or release resources. This rule is compliant with CISQ OMG ASCRM-RLB-01 recommendation.</english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="name">
        <english>Avoid empty finally block</english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="rationale">
        <english>Finally blocks must be used to execute the code that is needed after either the try and/or the catch block have been executed. It is usually the place to code the release of resources used in the try block. As such, an empty finally block is most probably the sign of potential "resource leaks" that will jeopardize the application's stability.</english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="remediation">
        <english>Avoid empty finally blocks. Finally block should contain code to release resource.</english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="sample">
        <english>>>> def experiment():
>>>     try:
>>>         x = 2/0
>>>     except ZeroDivisionError as e:
>>>         logging.debug("Division by 0 not possible")
>>>     finally:
>>>         pass
</english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="remediationSample">
        <english>>>> def experiment():
>>>     try:
>>>         x = 2/0
>>>     except ZeroDivisionError as e:
>>>         logging.debug("Division by 0 not possible")
>>>     finally:
>>>         logging.debug("Quotient")
        </english>
    </metric>
    <metric id="1021028" type="quality-rule" originalName='Avoid empty finally block' section="total">
        <english>Python artifacts handling exceptions</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="description">
    <english>Reports all Python artifacts harcoding network resources that do not partain to configuration, installation, or test files. This rule is compliant with OMG CISQ ASCRM-RLB-18 recommendation.</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="name">
        <english>Avoid hardcoded network resource names</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="rationale">
        <english>Built-in remote addresses cause problems when the target is moved. Avoid hardcoded network resources (e.g., IP addresses, URLs, absolute file paths, etc.) to assure robustness and portability.</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="sample">
        <english>>>> url = "http://0.0.0.0:8080/'</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="remediationSample">
        <english>>>> # "server_address" is uploaded from somewhere else
>>> url = "http://%s:%d/" % server_address
        </english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="remediation">
        <english>Utilize indirect access to network resources using underlaying operating system calls and relative paths. In case hardcoding is necessary, isolating hardcoded data to installation scripts or configuration files can limit its potential negative impact.</english>
    </metric>
    <metric id="1021030" type="quality-rule" originalName='Avoid hardcoded network resource names' section="total">
        <english>Python artifacts opening file resources</english>
    </metric>
 <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="description">
  <english>In Python, to avoid connection to unsecured source, developer has to ensure that all HTTP communication are encrypted. Avoid man-in-the-middle attacks by validating certificates on HTTPS connections to the server. This rule is compliant with OWASP A5 2013 and 2017 recommendations.</english>
    </metric>
    <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="name">
        <english>Avoid disabling certificate check when requesting secured urls</english>
    </metric>
    <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="rationale">
        <english>Ensure the developer will work with a list of trusted source. Thanks to Strict-Transport-Security header you will enforces secure (HTTP over SSL/TLS) connections to the server.</english>
    </metric>
    <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="remediation">
        <english>Ensure you have enabled secure https connection when creating your connection.</english>
    </metric>
    <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="sample">
        <english>>>> import requests
>>> requests.get(url = "https://www.openstack.org/",verify = False)
</english>
    </metric>
 <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="remediationSample">
        <english>&gt;&gt;&gt; import requests
&gt;&gt;&gt; requests.get(url = "https://www.openstack.org/", verify = CONF.ca_file) #Certificate check will be performed using file 
&gt;&gt;&gt; requests.get(url = "https://myserver.com") # Certificate check will be perfomed. Default value of verify "True" will be processed
        </english>
    </metric>
    <metric id="1021032" type="quality-rule" originalName='Avoid disabling certificate check when requesting secured urls' section="total">
 <english>Python artifacts using requests</english>
    </metric>
  
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="description">
    <english>Reports all Python __init__ methods that override the __init__() method of the parent Exception class with inconsistent number of passed arguments.</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="name">
        <english>Avoid inconsistent initialization when deriving a new exception</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="rationale">
        <english>Python Exceptions accept all arguments passed to them being stored in the .args attribute as a tuple. Various libraries and parts of Python rely on this behaviour. To prevent source of errors and unexpected behaviour, avoid inconsistent initialization when subclassing a new exception by passing the same number of arguments to the parent __init__ call.</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="sample">
        <english>>>> class CustomError(Exception):
>>>     def __init__(self, message, status):
>>>     self.message = message
>>>     self.status = status</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="remediationSample">
        <english>>>> class CustomError(Exception):
>>>     def __init__(self, message, status):
>>>     self.message = message
>>>     self.status = status
>>>     # parent exception class is initialized with same number of parameters
>>>     super().__init__(message, status)</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="remediation">
        <english>Initialize parent exception class with the same number of parameters.</english>
    </metric>
    <metric id="1021034" type="quality-rule" originalName='Avoid inconsistent initialization when deriving a new exception' section="total">
        <english>Python __init__ methods</english>
    </metric>
    <metric id='1021034' type='quality-rule' originalName='Avoid inconsistent initialization when deriving a new exception' section='reference'>
        <english>D. Beazley and B.K. Jones, Python Cookbook, 3rd Ed. (O'Reilly Media, Sebastopol, CA, May 2013), p. 579</english>
    </metric>
 <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="description">
  <english>The eval statement is used to run Python stored in literal strings as code. In almost all cases, it should not be necessary to use it. Because it allows arbitrary code to be run, it also represents a security problem. The rule is compliant with MITRE CWE-95 and OWASP A1 2013, 2017 recommendations.</english>
    </metric>
    <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="name">
        <english>Avoid using eval</english>
    </metric>
    <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="output">
        <english>Line and column for each violation.
Associated value => number of violations found</english>
 </metric>
    <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="rationale">
        <english>The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").</english>
    </metric>
    <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="remediation">
        <english>If possible, refactor your code so that it does not need to use eval() at all.</english>
    </metric>
    <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="sample">
        <english>>>> import os
>>> stat = 'os.mkdir("C://New_Folder_1")'
>>> eval(stat)
</english>
    </metric>
 <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="remediationSample">
        <english>>>> import os
>>> os.mkdir("C://New_Folder_1")
</english>
    </metric>
    <metric id="1021036" type="quality-rule" originalName='Avoid using eval' section="total">
 <english>Python artifacts</english>
    </metric>
    
 <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="description">
  <english>The exec statement is used to run Python stored in literal strings as code. In almost all cases, it should not be necessary to use it. Because it allows arbitrary code to be run, it also represents a security problem. The rule is compliant with MITRE CWE-95 and OWASP A1 2013, 2017 recommendations.</english>
    </metric>
    <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="name">
        <english>Avoid using exec</english>
    </metric>
    <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="output">
        <english>Line and column for each violation.
Associated value => number of violations found</english>
 </metric>
    <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="rationale">
        <english>The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "exec").</english>
    </metric>
    <metric id="1021038" type="quality-rule" originalName='Avoid using exec ' section="remediation">
        <english>In most scenarios, you can easily refactor the code to avoid the use of exec.</english>
    </metric>
    <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="sample">
        <english>>>> s = "logging.debug(\"Hello, World!\")"
>>> exec s
</english>
    </metric>
 <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="remediationSample">
        <english>>>> def print_hello_world()
>>>     logging.debug("Hello, World!")
>>> print_hello_world()
</english>
    </metric>
    <metric id="1021038" type="quality-rule" originalName='Avoid using exec' section="total">
    <english>Python artifacts</english>
    </metric>
    <metric id='1021038' type='quality-rule' originalName='Avoid using exec' section='reference'>
        <english>http://cwe.mitre.org/data/definitions/95.html https://www.owasp.org/index.php/Top_10_2013-A1-Injection </english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="description">
    <english>Python is a case-sensitive language which allows reutilization of identifier names for different types by simple capitalization changes. A typical example would be using capitalized class names and the corresponding lowercase names for their instances. However defining attributes (methods and fields) in a class that only differ by capitalization can lead to confusion and to unexpected behaviour when used with case-insensitive interfaces.</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="name">
        <english>Avoid instance attributes only differing by capitalization</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="rationale">
        <english>Differentiating instance attributes by only changing name capitalization is a poor naming practice and source of confusion for future users of the class.</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="sample">
        <english>>>> class Transmission:
>>>     def __init__(self, callObject):
>>>         self.Call = callObject
>>>
>>>     def call(self):
>>>         self.Call.call()
</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="remediationSample">
        <english>>>> class Transmission:
>>>     def __init__(self, callObject):
>>>         self.callObject = callObject
>>>
>>>     def call(self):
>>>         self.callObject.call()
</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="remediation">
        <english>Rename the attributes in a more discernible way.</english>
    </metric>
    <metric id="1021040" type="quality-rule" originalName='Avoid attributes only differing by caps' section="total">
        <english>Python classes</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid hardcoded passwords' section="associatedValueName">
        <english>Single Value</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid hardcoded passwords' section="description">
    <english>This rule identifies variable assignments and function calls and interfaces that include a hardcoded password. This identification is based on password-related semantics.</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid hardcoded passwords' section="name">
        <english>Avoid hardcoded passwords</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid hardcoded passwords' section="output">
        <english>Line and column for each violation
Associated value => number of violations found</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid attributes only differing by caps' section="rationale">
        <english>Hardcoded passwords in source code should be avoided because they can potentially be retrieved through code inspection and inverse engineering by attackers. Such an attack is difficult to be discovered, and eventually the problem can only be solved at software level thus compromising the usability of the application in the meantime.</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid hardcoded passwords' section="sample">
        <english>>>> set_password(user = "John", password = "WinterIsComing")</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid hardcoded passwords' section="remediation">
        <english>A non-secure starting patch would be to apply obfuscation techniques to the hardcoded password to prevent reverse-engineering of the generated Python (byte)code. This could be done by hashing the password or constructing the password string in many different places by non-trivial methods. Sensible data such as passwords should be in principle encrypted and saved in separate files or in a database with restricted user access.
Finally one should consider removing backdoors and delegate the password ownership to the end-user.</english>
    </metric>
    <metric id="1021042" type="quality-rule" originalName='Avoid hardcoded passwords' section="total">
        <english>Python artifacts</english>
    </metric>
    
</root>
`;
/* ----------- END OF SPECDocumentation.xml copy/paste file --------------*/
}


/*
   Copy/paste the content of SPECContributors.xml file hereafter

   WARNING: make sure you have replaced "" by \"\" and there is not TAB between IMPLQualityRules = ` and <?xml
*/
function loadSPECContributors() {

SPECContributors = `<?xml version='1.0' encoding='utf-8'?>
<root>
    <metric id='61009' type='technical-criterion' originalName='Complexity - Algorithmic and Control Structure Complexity' contributorId='1021000' contributorType='quality-rule' contributorOriginalName='Avoid Artifacts with High Cyclomatic Complexity (Python)' 	critical='false' weight='5' />
    <metric id='66068' type='technical-criterion' originalName='Efficiency - Expensive Calls in Loops' contributorId='1021002' contributorType='quality-rule' contributorOriginalName='Avoid using a web service with Python httplib HTTPConnection inside a loop' 		critical='true' weight='7' />
    <metric id='66068' type='technical-criterion' originalName='Efficiency - Expensive Calls in Loops' contributorId='1021004' contributorType='quality-rule' contributorOriginalName='Avoid using a web service with Python requests inside a loop' 					critical='true' weight='7' />
    <metric id='66068' type='technical-criterion' originalName='Efficiency - Expensive Calls in Loops' contributorId='1021006' contributorType='quality-rule' contributorOriginalName='Avoid using a web service with Python aiohttp ClientSession inside a loop' 		critical='true' weight='7' />
    <metric id='66068' type='technical-criterion' originalName='Efficiency - Expensive Calls in Loops' contributorId='1021008' contributorType='quality-rule' contributorOriginalName='Avoid using a web service with Python urllib.request inside a loop' 				critical='true' weight='7' />
    <metric id='66068' type='technical-criterion' originalName='Efficiency - Expensive Calls in Loops' contributorId='1021010' contributorType='quality-rule' contributorOriginalName='Avoid using a web service with Python urllib2 inside a loop' 					critical='true' weight='7' />
    <metric id='66068' type='technical-criterion' originalName='Efficiency - Expensive Calls in Loops' contributorId='1021012' contributorType='quality-rule' contributorOriginalName='Avoid using a web service with Python httplib2 Http inside a loop' 				critical='true' weight='7' />
    <metric id='61026' type='technical-criterion' originalName='Complexity - Technical Complexity'     contributorId='1021014' contributorType='quality-rule' contributorOriginalName='Avoid using yield and return with value inside a function' 						critical='true' weight='7' />
    <metric id='66063' type='technical-criterion' originalName='Secure Coding - API Abuse'             contributorId='1021016' contributorType='quality-rule' contributorOriginalName='Avoid using MD5 hashes to hash passwords or to encrypt data' 					critical='true' weight='8' />
    <metric id='61014' type='technical-criterion' originalName='Programming Practices - Error and Exception Handling' contributorId='1021018' contributorType='quality-rule' contributorOriginalName='Avoid catch-all except blocks with empty handlers' 		        critical='true' weight='7' />
    <metric id='66069' type='technical-criterion' originalName='Programming Practices - Unexpected Behavior' contributorId='1021020' contributorType='quality-rule' contributorOriginalName='Avoid using wildcard (*) imports' 		             					    critical='true' weight='7' />
    <metric id='61003' type='technical-criterion' originalName='Programming Practices - OO Inheritance and Polymorphism' contributorId='1021022' contributorType='quality-rule' contributorOriginalName='Initialize ancestors when overriding __init__'                 critical='true' weight='7' />
    <metric id='61014' type='technical-criterion' originalName='Programming Practices - Error and Exception Handling' contributorId='1021024' contributorType='quality-rule' contributorOriginalName='Avoid return statement in finally block' 					     	critical='true' weight='7' />
    <metric id='61019' type='technical-criterion' originalName='Efficiency - SQL and Data Handling Performance' contributorId='1021026' contributorType='quality-rule' contributorOriginalName='Avoid leaving open file resources'										critical='true' weight='7' />
    <metric id='61014' type='technical-criterion' originalName='Programming Practices - Error and Exception Handling' contributorId='1021028' contributorType='quality-rule' contributorOriginalName='Avoid empty finally block' 					     				critical='true' weight='7' />
    <metric id='61004' type='technical-criterion' originalName='Architecture - OS and Platform Independence' contributorId='1021030' contributorType='quality-rule' contributorOriginalName='Avoid hardcoded network resource names' 					     			critical='true' weight='7' />
    <metric id='66062' type='technical-criterion' originalName='Secure Coding - Input Validation' contributorId='1021032' contributorType='quality-rule' contributorOriginalName='Avoid disabling certificate check when requesting secured urls'          critical='false' weight='9' />
    <metric id='66069' type='technical-criterion' originalName='Programming Practices - Unexpected Behavior' contributorId='1021034' contributorType='quality-rule' contributorOriginalName='Avoid inconsistent initialization when deriving a new exception' 		    critical='true' weight='7' />
	<metric id='66062' type='technical-criterion' originalName='Secure Coding - Input Validation' contributorId='1021036' contributorType='quality-rule' contributorOriginalName='Avoid using eval'            critical='true' weight='7' />
<metric id='66062' type='technical-criterion' originalName='Secure Coding - Input Validation' contributorId='1021038' contributorType='quality-rule' contributorOriginalName='Avoid using exec'                      critical='true' weight='7' />
</root>`;
/* END OF SPECContributors.xml copy/paste file */
}

function updateRelativeRowCount(counter)
{
	$('.qualityrulescounter').text(counter+" of "+$('.qualityruletable tr.summary').length+ " Quality Rules");
}

function updateRowCount()
{
	$('.qualityrulescounter').text($('.qualityruletable tr.summary').length+ " Quality Rules");
}

function prettyPrintDescription(rowid)
{
	//console.log("start prettyPrintDescription... ",rowid);

	var htmlcontent = "";

	$.each(detailsheaders, function(index,section) {

		if(section != "Name")
		{
			var sectiond = detailssections[index];
			var content = detailsdictionary[rowid][sectiond];

			//console.log(section+":"+content);

			if(typeof content != 'undefined')
			{
				if(content.indexOf("%0D%0A") > -1)
				{
					//Windows encodes returns as \r\n hex
					content = content.replace(/%0D%0A/g,"<br>");
				}
				else if(content.indexOf("%0A") > -1)
				{
					//Unix encodes returns as \n hex
					content = content.replace(/%0A/g,"<br>");
		  		}
				else if(content.indexOf("%0D") > -1)
				{
					//Macintosh encodes returns as \r hex
					content = content.replace(/%0D/g,"<br>");
		  		}
				else if(content.indexOf("\r\n") > -1)
				{
					content = content.replace(/\r\n/g,"<br>");
		  		}
				else if(content.indexOf("\n") > -1)
				{
					content = content.replace(/\n/g,"<br>");
		  		}

				if((sectiond == "sample") || (sectiond == "remediationSample"))
				{
					if(content.indexOf(" ") > -1)
					{
						content = content.replace(/ /g,"&nbsp;");
			  		}

					content = '<div class="sourcecode">'+content+'</div>';
				}

				htmlcontent += '<h3>'+section+'</h3><p>'+content+'</p>';
			}
		}
	});

	//console.log("end prettyPrintDescription... ",htmlcontent);


	return htmlcontent;
}

// --- end of functions declaration/implementation ---

// --- main ---

// process the main data to fullfill the main table
loadIMPLQualityRules();

parser = new DOMParser();
IMPLQualityRulesXMLDoc = parser.parseFromString(IMPLQualityRules,"text/xml");

var txt = '<table class="qualityruletable"><thead><tr><td class="tdid">Metric ID</td><td class="tdname">Name</td><td class="tdhealth">Health Factors</td><td class="tdciritical">Critical</td><td class="tdcisq">CISQ</td><td class="tdother">Other</td></tr></thead>'; //do not forget to init the variable

if (IMPLQualityRulesXMLDoc.evaluate)
{
    var nodes = IMPLQualityRulesXMLDoc.evaluate('/root/metric', IMPLQualityRulesXMLDoc, null, XPathResult.ANY_TYPE, null);
    var result = nodes.iterateNext();

	txt += '<tbody>';

    while (result) {

		var row_id = result.getAttribute('id');

		if(row_id!='')
		{
			var cisq_content = '';

			if(result.getAttribute('cisq'))
			{
				cisq_content = result.getAttribute('cisq');
			}

			var other_content = '';

			if(result.getAttribute('other'))
			{
				other_content = result.getAttribute('other');
			}

//			console.log(result.getAttribute('id'));
	        txt += '<tr id="'+ row_id +'" class="summary"><td>'+row_id+'</td><td>'+result.getAttribute('originalName') + '</td><td>-</td><td>-</td><td>'+cisq_content+'</td><td>'+other_content+'</td></tr>';
			txt += '<tr id="'+ row_id +'-details" class="details"><td colspan="6" class="detailsrule"></td></tr>';
		}
        result = nodes.iterateNext();
    }

	txt += '</tbody>';

// Code For Internet Explorer
} else if (window.ActiveXObject) {

	alert('no evaluate...');

/*    xmlDoc.setProperty("SelectionLanguage", "XPath");
    nodes = xml.selectNodes(path);
    for (i = 0; i < nodes.length; i++) {
        txt += nodes[i].childNodes[0].nodeValue + "<br>";
    }*/
}

txt = txt + '</table>';

document.getElementById("qualityrules").innerHTML = txt;
document.getElementById("qualityrulesheader").innerHTML = '<div class="qualityrulesheaderclear"><div class="qualityrulescounter"></div><div class="qualityrulessearchzone"><div class="qualityrulesinputbox"><input type="search" id="qualityrulessearch"><br>Filter</div></div></div>';

updateRowCount();

$(document).ready(function(){

   // jQuery methods go here...

	$('.details').hide();

	$('#qualityrulessearch').bind('keyup', function() {

		var textvalue = $(this).val();

		//console.log("textvalue="+textvalue);

		$(".summary").find('td').removeClass("highlighted");
		$(".details").hide();

		if(textvalue!='')
		{
			var alltrs = $(".qualityruletable tr.summary");
			alltrs.hide();
			var counter = 0;

			$.each(alltrs,function(index,value) {

				//console.log("value:"+value.childNodes[1].innerText);

				if(value.childNodes[1].innerText.indexOf(textvalue)!==-1)
				{
					$(value).show();
					counter++;
				}
			});

			updateRelativeRowCount(counter);
		}
		else
		{
			$(".qualityruletable tr.summary").show();
			updateRowCount();
		}

	});


	$('.summary').click(function(){

		var row_id = $(this).attr("id");

		if(SPECDocumentation=='')
		{
			loadSPECDocumentation();
			SPECDocumentationXMLDoc = parser.parseFromString(SPECDocumentation,"text/xml");

			parser = new DOMParser();

			var docnodes = SPECDocumentationXMLDoc.evaluate('/root/metric', SPECDocumentationXMLDoc, null, XPathResult.ANY_TYPE, null);
		    var docresult = docnodes.iterateNext();

			while (docresult) {

				var docrow_id = docresult.getAttribute('id');

				if(docrow_id!='')
				{
					var section = docresult.getAttribute('section');

					var contentdictionary = detailsdictionary[docrow_id];

					if(!contentdictionary)
					{
						contentdictionary = {};
					}

					contentdictionary[section] = docresult.childNodes[1].textContent;

					//console.log("should create contentdictionary..."+contentdictionary);

					detailsdictionary[docrow_id] = contentdictionary;
				}

				docresult = docnodes.iterateNext();
			}
		}

		//console.log(detailsdictionary);

		var htmlblock = $("#"+row_id+"-details");
		var htmlblocktdfirst = $(htmlblock).find('td:first');

		if($(htmlblocktdfirst).html()=='')
		{
			$(htmlblocktdfirst).html(prettyPrintDescription(row_id));
		}

		$("#"+row_id).find('td').toggleClass("highlighted");
		$(htmlblock).toggle("fast").toggleClass("highlighted");
	});

	loadSPECContributors();
	SPECContributorsXMLDoc = parser.parseFromString(SPECContributors,"text/xml");

	parser = new DOMParser();

	var specnodes = SPECContributorsXMLDoc.evaluate('/root/metric', SPECContributorsXMLDoc, null, XPathResult.ANY_TYPE, null);
    var specresult = specnodes.iterateNext();

	while (specresult) {

		var row_id = specresult.getAttribute('id');
		var contr_row_id = specresult.getAttribute('contributorId');
		var critical = specresult.getAttribute('critical');
		var technicalcrit = specresult.getAttribute('originalName');

		//console.log('technicalcrit '+technicalcrit);

		var healthstatus = [];

		if(row_id!='')
		{
			//console.log("is secured "+securitylist.indexOf(row_id)+' with id:'+contr_row_id);
			//console.log("is efficient "+efficiencylist.indexOf(row_id)+' with id:'+contr_row_id);
			//console.log("is transferable "+transferabilitylist.indexOf(row_id)+' with id:'+contr_row_id);

			var contentdictionary = detailsdictionary[contr_row_id];

			if(!contentdictionary)
			{
				contentdictionary = {};
			}

			contentdictionary['technical-criterion'] = technicalcrit;

			//console.log("should create contentdictionary..."+contentdictionary);

			detailsdictionary[contr_row_id] = contentdictionary;

			//console.log("detailsdictionary..."+detailsdictionary[contr_row_id]);

			if(securitylist.indexOf(row_id)!='-1')
			{
				healthstatus.push('Security');
			}

			if(efficiencylist.indexOf(row_id)!='-1')
			{
				healthstatus.push('Efficiency');
			}

			if(transferabilitylist.indexOf(row_id)!='-1')
			{
				healthstatus.push('Transferability');
			}

			if(changeabilitylist.indexOf(row_id)!='-1')
			{
				healthstatus.push('Changeability');
			}

			if(robustnesslist.indexOf(row_id)!='-1')
			{
				healthstatus.push('Robustness');
			}

			//txt += '<tr id="'+ row_id +'" class="summary"><td>'+row_id+'</td><td>'+result.getAttribute('originalName') + '</td><td>X</td><td>X</td><td>X</td></tr>';
			//txt += '<tr id="'+ row_id +'-details" class="details"><td>Loading...</td></tr>';

			var alltds = $("#"+specresult.getAttribute('contributorId')).find("td");

			alltds[2].innerText = healthstatus.join(', ');
			//console.log(alltds[3].innerHtml);

			if(critical==='true')
			{
				$(alltds[3]).html('<span class="greencheck">&#10004;</span>');
			}
			else
			{
				$(alltds[3]).html('');
			}

		}

		specresult = specnodes.iterateNext();
	}

});

</script>

<!-- COPY/PASTE ENDS HERE -->
#Name (ID)CISQOWASPCritical
1

Avoid Artifacts with High Fan-In (7776)

   
2

Avoid Artifacts with High Fan-Out (7778)

   
3Avoid Classes with a High Number Of Children (7792)   

Web Service calls and operations support

The following libraries are supported for Web Service operations (left) and Web Service HTTP API calls (right):

Once the Python extension analysis is finished, the analyzer will output the final number of web service call and operation objects created.

requests

Example for GET request:

Code Block
languagepy
themeDJango
import requests
r = requests.get('https://api.github.com/events')

urllib

Example for GET request:

Code Block
languagepy
themeDJango
import urllib.request
with urllib.request.urlopen('http://python.org/') as response:
   html = response.read()

urllib2

Example for GET request:

Code Block
languagepy
themeDJango
import urllib2

req = urllib2.Request('http://python.org/')
response = urllib2.urlopen(req)
the_page = response.read()

Example for POST request.

Code Block
languagepy
themeDJango
import urllib2
import urllib

values = {'name' : 'Michael Foord',
          'location' : 'Northampton',
          'language' : 'Python' }

data = urllib.urlencode(values)

req = urllib2.Request('http://python.org/', data)
response = urllib2.urlopen(req)
the_page = response.read()
Info
PUT and DELETE calls are not supported by the urllib2 module (Python version 2.x) by default. Workarounds to bypass this limitation are not detected by the analyzer.

httplib

Example for GET request:

Code Block
languagepy
themeDJango
from httplib import HTTPConnection
def f():
    conn = HTTPConnection("www.python.org")
    conn.request("GET", "/index.html")
 

Example link from method "f" to the get httplib service:

http.client

Example for GET request:

Code Block
languagepy
themeDJango
from http.client import HTTPConnection
def f():
    conn = HTTPConnection("www.python.org")
    conn.request("GET", "/index.html")

In this case a Python Get Httplib Service will be generated (the httplib module from Python 2 has been renamed to http.client in Python 3).

httplib2

The following code will issue a http get to the url 'https://api.github.com/events':

Code Block
languagepy
themeDJango
import httplib2
h = httplib2.Http(".cache")
(resp, content) = h.request("https://api.github.com/events")

aiohttp

The following code will issue a http get to the url 'https://api.github.com/events':

Code Block
languagepy
themeDJango
import aiohttp
session = aiohttp.ClientSession()
res = session.get('https://api.github.com/events'

The aiohttp module can be also used in server mode, implementing web service operations

Code Block
languagepy
themeDJango
from aiohttp import web
async def handler(request):
    return web.Response(text="Welcome in Python")
app = web.Application()
app.router.add_get('/index', handler)
web.run_app(app)

In this case a Web Service Operation object associated to the function (coroutine) handler will be generated similar to the example for flask given below.

flask

Flask route annotations for web service operations (GET, PUT, POST, DELETE) are supported. In particular, any decorator with the format @prefix.route is considered as a flask annotation where prefix can be a Flask application object or blueprint object. In the following example, a default GET operation is ascribed to the function f, and the POST and PUT operations to the upload_file function:

Code Block
languagepy
themeDJango
from flask import Flask
app = Flask(__name__)
 
@app.route('/')
def f():
    return 'hello world!'
 
@app.route('/upload', methods=['POST', 'PUT'])
def upload_file()
	if request.method == 'POST':
            pass
	# ...

The link between the GET operation named after the routing URL "/"  and the called function f is represented by an arrow pointing to the function:

The name of a saved Web Service Operation object will be generated from the routing URL by adding a final slash when not present. In this example the name of the PUT and POST operations is "/upload/" after the routing url "/upload".

URL query parameters such as @app.route('/user/<username>') are supported. In this case the generated Web Service Operation object will be named as /user/{}/, as shown in the example below.

Code Block
languagepy
themeDJango
from flask import Flask
app = Flask(__name__)
 
@app.route('/user/<username>')
def show_user_profile(username):
    return 'User %s' % username


Similarly double slashes // in flask routing URLs are transformed into /{}/. Additional backslashes inside URL query parameters of type path [ @app.route('/<path:path>') ] are not resolved (which in principle could catch any URL) so the web service will be named as a regular parameter /{}/.

The equivalent alternative to routing annotations using the Flask add_url_rule is also supported.

Code Block
languagepy
themeDJango
from flask import Flask
app = Flask(__name__)    
 
def index():
    pass
    
app.add_url_rule('/', 'index')
  

Database queries

Simple database queries consistent with the Python Database API Specification (PEP 249) are recognized. This allows to support a large number of important libraries interfacing Python and SQL databases (SQLite, MySQL, etc). The analyzer identifies execute method calls as potential database queries and searches for generic SQL statements passed in as an argument ('SELECT ...", "INSERT ...)". In the example below data from the stocks table is retrieved via a SELECT statement passed explicitly by a string to the execute method of a cursor object.

Code Block
languagepy
themeDJango
# select.py
import sqlite3

conn = sqlite3.connect('example.db')
c = conn.cursor()
c.execute('SELECT * FROM stocks') 

The analyzer creates a SQL Named Query object with name SELECT * FROM stocks (first 4 words are only used as naming convention) representing a call to a database. Provided analysis dependencies between SQL and Python are configured in CAST Management Studio, the analyzer will automatically link this object to the corresponding Table object, in this case stocks, that has been generated by a SQL analysis unit.

File system access functions

Representing end points based on file system access is important to automatically configure transactions. Towards this goal we aim at providing automatic recognition of standard library input/output functions. Currently we provide support for the built-in open function and the most common methods associated to file-like objects write, read, writelines, readline, readlines, and close,  as shown in the example below.

Code Block
languagepy
themeDJango
# file1.py
 
data = """<html>
<header><title>This is title</title></header>
<body>
Hello world
</body>
</html>
"""
 
f = open('page.html', 'w')
f.write(data)
f.close()

The objects corresponding to the code of the file1.py file are inside the Universal Directory root object. Additionally the analyser will automatically generate a Python external library object representing the Python Standard Library. Within this, the Python built-in library is abstracted as a Python source code object named builtins.py, with its corresponding open function and file class (abstracting general file-like objects) that contains the above mentioned methods. No differences are considered between Python2 and Python3 built-in functions. Notice the external character of these objects denoted by gray-shaded icons in the left Object Browser panel.

Due to implementation constraints in CAIP versions [7.3.6, 8.1] a spurious link is generated between the Python external library object and a PY File object.

Limitations

Status
colourYellow
titleCANDIDATE FOR IMPROVEMENT

  • Not fully supported Python Decorator function.
  • Quality rules do not apply to code inside the class definition (class or "static" variables)
  • Limited Python resolution that leads to missing links:
    • No support for __all__
    • No support for variable of type class, function
    • Limited method resolution when used super under multiple inheritance.
  • Flask:
    • Objects for other web service operations such as PATCH are not generated.
    • The endpoint abstraction layer between functions and annotations is not considered. When using  add_url_rule the endpoint argument is taken as the calling function name.