qgis-plugin-analyzer 1.5.0__py3-none-any.whl → 1.6.0__py3-none-any.whl

analyzer/visitors/standards_visitor.py

@@ -0,0 +1,284 @@
+"""AST visitor for QGIS-specific standards and best practices."""
+
+import ast
+from typing import Any, Dict, List, Optional, Set
+
+from ..rules.qgis_rules import I18N_METHODS
+from .base import BaseVisitor
+
+
+class StandardsVisitor(BaseVisitor):
+    """Visitor focused on QGIS-specific standards and best practices.
+
+    Detects issues like:
+    - Missing i18n translations
+    - Missing signal slots
+    - Mandatory cleanup methods
+    - Obsolete API usage
+    - Blocking network calls in UI
+    - Spatial index optimization opportunities
+    - Non-pythonic loops
+    """
+
+    def __init__(self, rel_path: str, rules_config: Optional[Dict[str, Any]] = None) -> None:
+        """Initializes the standards visitor.
+
+        Args:
+            rel_path: Relative path to the file being analyzed.
+            rules_config: Optional configuration for audit rules and severities.
+        """
+        super().__init__(rel_path, rules_config)
+        self.class_methods_stack: List[Set[str]] = []
+        self.i18n_methods = I18N_METHODS
+
+    def visit_ClassDef(self, node: ast.ClassDef) -> None:
+        """Analyzes class definitions.
+
+        Args:
+            node: The class definition AST node.
+        """
+        methods = {
+            item.name
+            for item in node.body
+            if isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef))
+        }
+        self.class_methods_stack.append(methods)
+
+        # MANDATORY_CLEANUP
+        has_init_gui = "initGui" in methods
+        has_unload = "unload" in methods
+
+        if has_init_gui and not has_unload:
+            self._report_issue(
+                "MANDATORY_CLEANUP",
+                node.lineno,
+                f"Class '{node.name}' implements 'initGui()' but is missing 'unload()'.",
+                f"class {node.name}...",
+            )
+
+        self.generic_visit(node)
+        self.class_methods_stack.pop()
+
+    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
+        """Analyzes function definitions.
+
+        Args:
+            node: The function definition AST node.
+        """
+        # IFACE_AS_ARGUMENT
+        for arg in node.args.args:
+            if arg.annotation and isinstance(arg.annotation, ast.Name):
+                if arg.annotation.id == "QgisInterface":
+                    self._report_issue(
+                        "IFACE_AS_ARGUMENT",
+                        node.lineno,
+                        f"Function '{node.name}' receives 'QgisInterface' as an argument. Use the global 'iface' or Singleton pattern.",
+                        ast.unparse(node).split("\n")[0],
+                    )
+
+        self.generic_visit(node)
+
+    def visit_Call(self, node: ast.Call) -> None:
+        """Analyzes function calls.
+
+        Args:
+            node: The call AST node.
+        """
+        self._check_obsolete_api(node)
+        self._check_missing_i18n(node)
+        self._check_missing_slot(node)
+        self._check_unsafe_subprocess(node)
+        self._check_blocking_network(node)
+        self.generic_visit(node)
+
+    def visit_For(self, node: ast.For) -> None:
+        """Analyzes loop nodes.
+
+        Args:
+            node: The for-loop AST node.
+        """
+        # SPATIAL_INDEX check
+        if (
+            isinstance(node.iter, ast.Call)
+            and isinstance(node.iter.func, ast.Attribute)
+            and node.iter.func.attr == "getFeatures"
+        ):
+            warn = False
+            if not node.iter.args:
+                warn = True
+            elif len(node.iter.args) == 1:
+                arg = node.iter.args[0]
+                if (
+                    isinstance(arg, ast.Call)
+                    and isinstance(arg.func, ast.Name)
+                    and arg.func.id == "QgsFeatureRequest"
+                ):
+                    if not arg.args and not arg.keywords:
+                        warn = True
+
+            if warn:
+                self._report_issue(
+                    "SPATIAL_INDEX",
+                    node.lineno,
+                    "Iteration over features with getFeatures() and no filter.",
+                    ast.unparse(node.iter),
+                )
+
+        # NON_PYTHONIC_LOOP
+        for body_node in ast.walk(node):
+            if isinstance(body_node, ast.AugAssign) and isinstance(body_node.op, ast.Add):
+                if (
+                    isinstance(body_node.target, ast.Name)
+                    and isinstance(body_node.value, ast.Constant)
+                    and body_node.value.value == 1
+                ):
+                    self._report_issue(
+                        "NON_PYTHONIC_LOOP",
+                        body_node.lineno,
+                        f"Manual counter '{body_node.target.id} += 1' detected inside loop.",
+                        ast.unparse(body_node),
+                    )
+
+        self.generic_visit(node)
+
+    def _check_obsolete_api(self, node: ast.Call) -> None:
+        """Checks for obsolete API usage.
+
+        Args:
+            node: The call AST node.
+        """
+        if isinstance(node.func, ast.Attribute) and node.func.attr == "writeAsVectorFormat":
+            self._report_issue(
+                "OBSOLETE_API",
+                node.lineno,
+                "Obsolete writeAsVectorFormat() usage. Use writeAsVectorFormatV3().",
+                ast.unparse(node),
+            )
+
+    def _check_missing_i18n(self, node: ast.Call) -> None:
+        """Checks for missing i18n translations.
+
+        Args:
+            node: The call AST node.
+        """
+        if isinstance(node.func, ast.Attribute) and node.func.attr in self.i18n_methods:
+            if (
+                node.args
+                and isinstance(node.args[0], ast.Constant)
+                and isinstance(node.args[0].value, str)
+            ):
+                val = node.args[0].value
+                if val.strip() and not val.startswith("%"):
+                    self._report_issue(
+                        "MISSING_I18N",
+                        node.lineno,
+                        f"Untranslated UI text string in '{node.func.attr}': '{val}'. Use self.tr().",
+                        ast.unparse(node),
+                    )
+
+    def _check_missing_slot(self, node: ast.Call) -> None:
+        """Checks for potentially missing signal slots.
+
+        Args:
+            node: The call AST node.
+        """
+        if isinstance(node.func, ast.Attribute) and node.func.attr == "connect" and node.args:
+            arg = node.args[0]
+            if (
+                isinstance(arg, ast.Attribute)
+                and isinstance(arg.value, ast.Name)
+                and arg.value.id == "self"
+            ):
+                slot = arg.attr
+                if self.class_methods_stack and slot not in self.class_methods_stack[-1]:
+                    self._report_issue(
+                        "POTENTIAL_MISSING_SLOT",
+                        node.lineno,
+                        f"Connected slot 'self.{slot}' not found in class definitions.",
+                    )
+
+    def _check_unsafe_subprocess(self, node: ast.Call) -> None:
+        """Checks for unsafe subprocess usage.
+
+        Args:
+            node: The call AST node.
+        """
+        is_subprocess = False
+        if isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Name):
+            if node.func.value.id == "subprocess" and node.func.attr in {
+                "run",
+                "call",
+                "Popen",
+                "check_call",
+                "check_output",
+            }:
+                is_subprocess = True
+
+        if not is_subprocess:
+            return
+
+        shell_true = False
+        for kw in node.keywords:
+            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
+                shell_true = True
+                break
+
+        if shell_true:
+            self._report_issue(
+                "UNSAFE_SUBPROCESS",
+                node.lineno,
+                "Subprocess called with 'shell=True'.",
+                ast.unparse(node),
+            )
+            return
+
+        if node.args:
+            cmd_arg = node.args[0]
+            if isinstance(cmd_arg, (ast.JoinedStr, ast.BinOp)):
+                self._report_issue(
+                    "UNSAFE_SUBPROCESS",
+                    node.lineno,
+                    "Possible unquoted variable injection.",
+                    ast.unparse(node),
+                )
+
+    def _check_blocking_network(self, node: ast.Call) -> None:
+        """Checks for blocking network calls in UI files.
+
+        Args:
+            node: The call AST node.
+        """
+        is_network = False
+        if isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Name):
+            if node.func.value.id == "requests" and node.func.attr in {
+                "get",
+                "post",
+                "put",
+                "delete",
+                "patch",
+            }:
+                is_network = True
+
+        if not is_network:
+            # Heuristic for urlopen
+            attr_chain = []
+            curr = node.func
+            while isinstance(curr, ast.Attribute):
+                attr_chain.append(curr.attr)
+                curr = curr.value
+            if isinstance(curr, ast.Name):
+                attr_chain.append(curr.id)
+            if attr_chain == ["urlopen", "request", "urllib"]:
+                is_network = True
+
+        if is_network:
+            is_ui_file = any(
+                kw in self.rel_path.lower() for kw in ["gui", "ui", "dialog", "widget"]
+            )
+            if is_ui_file:
+                self._report_issue(
+                    "BLOCKING_NETWORK_CALL",
+                    node.lineno,
+                    "Synchronous network call detected in UI file.",
+                    ast.unparse(node),
+                )

{qgis_plugin_analyzer-1.5.0.dist-info → qgis_plugin_analyzer-1.6.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qgis-plugin-analyzer
-Version: 1.5.0
+Version: 1.6.0
 Summary: A professional static analysis tool for QGIS (PyQGIS) plugins
 Author-email: geociencio <juanbernales@gmail.com>
 License: GPL-3.0-or-later
@@ -62,20 +62,21 @@ The **QGIS Plugin Analyzer** is a static analysis tool designed specifically for
 
 | Feature | **QGIS Plugin Analyzer** | flake8-qgis | Ruff (Standard) | Official Repo Bot |
 | :--- | :---: | :---: | :---: | :---: |
+| **Run Locally / Offline**| ✅ (Your Machine) | ✅ | ✅ | ❌ (Upload Only) |
 | **Static Linting** | ✅ (Ruff + Custom) | ✅ (flake8) | ✅ (General) | ✅ (Limited) |
 | **QGIS-Specific Rules**| ✅ (Precise AST) | ✅ (Regex/AST) | ❌ | ✅ |
 | **Interactive Auto-Fix**| ✅ | ❌ | ❌ | ❌ |
 | **Semantic Analysis**  | ✅ | ❌ | ❌ | ❌ |
-| **Security Audit**     | ✅ (Bandit-style) | ❌ | ❌ | ❌ |
-| **Secret Scanning**    | ✅ (Entropy) | ❌ | ❌ | ❌ |
+| **Security Audit**     | ✅ (Bandit-style) | ❌ | ❌ | ✅ (Server-side) |
+| **Secret Scanning**    | ✅ (Entropy) | ❌ | ❌ | ✅ (Server-side) |
 | **HTML/MD Reports**    | ✅ | ❌ | ❌ | ❌ |
 | **AI Context Gen**      | ✅ (Project Brain) | ❌ | ❌ | ❌ |
 
 ### Key Differentiators
 
-1.  **High-Performance Hybrid Engine**: Combines multi-core AST processing with deep understanding of cross-file relationships and Qt-specific patterns.
-2.  **Safety-First Auto-Fixing**: AST-based transformations with Git status verification and interactive diff previews.
-3.  **Repository Compliance**: Local pre-checks to ensure your plugin passes the Official QGIS Repository policies.
+1.  **Shift Left (Run Locally)**: The biggest advantage is being able to run the **same high-standard checks** as the Official Repository *before* you upload your plugin. No more "reject-fix-upload" loops.
+2.  **High-Performance Hybrid Engine**: Combines multi-core AST processing with deep understanding of cross-file relationships and Qt-specific patterns.
+3.  **Safety-First Auto-Fixing**: AST-based transformations with Git status verification and interactive diff previews.
 4.  **Zero Runtime Stack**: Minimal footprint, ultra-fast execution, and easy CI integration.
 5.  **AI-Centric Design**: Built to help developers and AI agents understand complex QGIS plugins instantly.
 
@@ -131,7 +132,7 @@ You can run `qgis-plugin-analyzer` automatically before every commit to ensure q
 
 ```yaml
   - repo: https://github.com/geociencio/qgis-plugin-analyzer
-    rev: v1.5.0  # Use the latest tag
+    rev: main  # Use 'main' for latest features or a specific tag like v1.5.0
     hooks:
       - id: qgis-plugin-analyzer
 ```
@@ -190,6 +191,7 @@ Audits an existing QGIS plugin repository.
 | :--- | :--- | :--- |
 | `project_path` | **(Required)** Path to the plugin directory to analyze. | N/A |
 | `-o`, `--output` | Directory where HTML/Markdown reports will be saved. | `./analysis_results` |
+| `-r`, `--report` | Explicitly generate detailed HTML/Markdown reports. | `False` |
 | `-p`, `--profile`| Configuration profile from `pyproject.toml` (`default`, `release`). | `default` |
 
 ### `qgis-analyzer fix`
@@ -218,6 +220,7 @@ Performs a focused security scan on a file or directory.
 | Argument | Description | Default |
 | :--- | :--- | :--- |
 | `path` | **(Required)** Path to the file or directory to scan. | N/A |
+| `--deep` | Run more intensive (but slower) security checks. | `False` |
 | `-p`, `--profile`| Configuration profile. | `default` |
 
 ### `qgis-analyzer version`
@@ -258,6 +261,7 @@ The development of this analyzer is based on official QGIS community guidelines,
 - **[QGIS Plugin Repository Requirements](https://plugins.qgis.org/publish/)**: Mandatory criteria for plugin approval in the official repository.
 - **[QGIS Coding Standards](https://docs.qgis.org/latest/en/docs/developer_guide/codingstandards.html)**: Core style and organization guidelines for the QGIS project.
 - **[QGIS HIG (Human Interface Guidelines)](https://docs.qgis.org/latest/en/docs/developer_guide/hig.html)**: Standards for consistent and accessible user interface design.
+- **[QGIS Security Scanning Documentation](https://plugins.qgis.org/docs/security-scanning)**: Official guide on automated security analysis (Bandit, detect-secrets) for plugins.
 
 ### Industry & Community Standards
 - **[flake8-qgis Rules](https://github.com/qgis/flake8-qgis)**: Community-driven linting rules for PyQGIS (QGS101-106).
@@ -267,6 +271,11 @@ The development of this analyzer is based on official QGIS community guidelines,
 - **[Conventional Commits](https://www.conventionalcommits.org/)**: Standard for clear, machine-readable commit history.
 - **[Keep a Changelog](https://keepachangelog.com/)**: Best practices for maintainable version history.
 
+### Security Standards
+- **[Bandit (PyCQA)](https://bandit.readthedocs.io/)**: The security rules implemented (B1xx - B6xx) are directly derived from the Bandit project's rule set for identifying common security issues in Python code.
+- **[CWE (Common Weakness Enumeration)](https://cwe.mitre.org/)**: Security findings are mapped to standard CWE IDs (e.g., CWE-78 Command Injection, CWE-89 SQL Injection) for industry-standard classification.
+- **[OWASP Top 10](https://owasp.org/www-project-top-ten/)**: The "Hardcoded Secret" and "Injection" checks align with critical OWASP vulnerabilities.
+
 ### Internal Resources
 - **[Detailed Rules Catalog](RULES.md)**: Full documentation of all audit rules implemented in this analyzer.
 - **[Standardized Scoring Metrics](docs/SCORING_STANDARDS.md)**: Mathematical logic and thresholds for project evaluation.

qgis_plugin_analyzer-1.6.0.dist-info/RECORD

@@ -0,0 +1,52 @@
+__init__.py,sha256=m27nXDOFpStOzfg3Qqeaw7yj1wNmpnOH7xk5svlCprA,1185
+analyzer/__init__.py,sha256=4cVdHyVkLCwrgmcijSYhVDiKxMJJFTeK4SOJXNXWJwc,1129
+analyzer/cli.py,sha256=OKsc-fSI7mc7Grfirkt40G2WWYBmy5W6WZytVa6fZ_Q,1389
+analyzer/commands.py,sha256=-qFxiEsBW0nhQ01C4uvpejoSlKMtvg8NOUBxuMKrJ88,5256
+analyzer/engine.py,sha256=Hq3J7ivf4w3_VV2f1hi_YpkibfncGaddnrN582K_goQ,31108
+analyzer/fixer.py,sha256=fnU5nLEfrk2sd5aNftxNWySef2bPLthkz844Znc1mDk,12751
+analyzer/scanner.py,sha256=AzPWJnTAHFrnolqzV5kw56LYqWBKR4vIMXXoiiEUdog,10339
+analyzer/secrets.py,sha256=Ml-hRSFgLlAsi6KeD2V53OuQ1E8qWE_65yzDm_RD3AE,2899
+analyzer/security_checker.py,sha256=YXQeIvtrtwvqHm5xGW8zXNrPycdsLyavCnxFOltf8Rs,2839
+analyzer/security_rules.py,sha256=x95EweqgTOFNcM6In2aA37qOeqsv1PBYkCsRmwhpwGw,5182
+analyzer/semantic.py,sha256=cVmSiTmI-b4DFZ5Q6kZUdqd6ZPH92pJmNAE60MIiZRI,8192
+analyzer/transformers.py,sha256=8uAoYrzB1BeVCTGL4OjGd4RnKje4vxDJkgeVMKWlihA,7673
+analyzer/validators.py,sha256=f8eVnCEACSMCTaLNyRNHpQK1TJIgRHESyhRc_SaJE_c,9423
+analyzer/cli/__init__.py,sha256=_twmhOZ7hqLMGDyXmGYig03ajTxk7yCK6Efe4wEaUP8,238
+analyzer/cli/app.py,sha256=BEuoWN90IjiBJXq01kSuHol9v-lzoUwm_iB1ME0NPHA,4413
+analyzer/cli/base.py,sha256=tFo_MhaO1i3HN2uODHaRVW_AC3mRGDSIxL9o_cEJGeA,2604
+analyzer/cli/commands/__init__.py,sha256=AxhWDUrUdHtvRGC0tgLB5kUOSEKbXsBeFlIVgA7Zca0,439
+analyzer/cli/commands/analyze.py,sha256=6T9HubkqD76OeM5PLtU6-sjn3N7fuDKk74Koe4zIHWc,1218
+analyzer/cli/commands/fix.py,sha256=XM4s7H-CW_EzG-96pDqGKbgYG16i88FGExc1RBhjsXg,1644
+analyzer/cli/commands/init.py,sha256=6zU9iy8xlFlo8yVh-LM5T6H4B5AYOjTgBpwZ5b7M-oE,978
+analyzer/cli/commands/list_rules.py,sha256=UtaWpEsgelw_nSqRwVOmx_hwkeVhpZqFvH24qRDt4LI,997
+analyzer/cli/commands/security.py,sha256=B2RMUZuu-QBjen1Jc6uDwY-007qdPFCsPJUBrS8cDT0,1202
+analyzer/cli/commands/summary.py,sha256=UuQuAl39z898u_OHc75q8IvgORX_rPGXF8bmyH3msJE,1383
+analyzer/cli/commands/version.py,sha256=Ghn9TnEwnDvzqT25qxZihUa3UXvvo8RqAtKF_lLXDnk,997
+analyzer/models/__init__.py,sha256=NlDgdV1i9CoWJBgiENoJQuHnYCOzO6U_ui3wHOeT7xI,160
+analyzer/models/analysis_models.py,sha256=WXsYgbjD4ngBoyaY-YkwMMl2Jpbn96hue6zuSERZRb0,2362
+analyzer/reporters/__init__.py,sha256=fVsu2gCuBdDd_STD97Jku8otcO3j7NZrxxd_pGzf6Sw,280
+analyzer/reporters/html_reporter.py,sha256=j64KkjiRwwRBzIPZE7bBJGsbJEYIoSnZeho63tI4c5A,14919
+analyzer/reporters/markdown_reporter.py,sha256=GNklqb8vJcUCA79EICD4RR8idSLv_pAInQf7KYVnmGQ,10407
+analyzer/reporters/summary_reporter.py,sha256=RwmrQ6b8DOIFe9QUj2G2xx1CdZJsjjWlTgLPepICvU0,12270
+analyzer/rules/__init__.py,sha256=UNZoY89SFQoUKYGj_rjwvv8md6vXSSM2pGPV6MqC2Fg,261
+analyzer/rules/modernization_rules.py,sha256=IJw8c6v7Q_5z3xF9Dh0eBrproRFZFtIOyWcArAsSv18,1071
+analyzer/rules/qgis_rules.py,sha256=vpFkdC3RnlkcSHqJB_Ec1wYLn8qV8xMjXZCgitslRSc,2578
+analyzer/utils/__init__.py,sha256=_7xpeayVXOKp92a_ennR2HF1tKBNgbyQb7M5eyY2O_c,1064
+analyzer/utils/ast_utils.py,sha256=LZ9NLrbJlhFGM7LsX6YNexOi_avJ0Sxzf8GdZHvoXK4,3831
+analyzer/utils/config_utils.py,sha256=reNyUonmik8Tpwx0RbaslsiienIqPDeiXBfh4Pv23_E,4690
+analyzer/utils/logging_utils.py,sha256=V0z7XeF46tj2oI247j2fRRafClbtMDVscVmg2JFYHV4,1257
+analyzer/utils/path_utils.py,sha256=OfX0IwBnMk9fSO6GIU-iyxxPCCalIcEjxPiCh36SphY,5817
+analyzer/utils/performance_utils.py,sha256=M3mfMVrOvyfgQiCQB0R5IkkBnAx-L9er4fGR9UL5E-0,4253
+analyzer/visitors/__init__.py,sha256=icwHq0hFSFYOXYiQV0AE2ev9HE8y8nTs0cGJ5nax20M,527
+analyzer/visitors/base.py,sha256=sDa6C3-1Y4gZ5XT9Svq8-eZhiEXZB3InZvPIHwDd3gI,2513
+analyzer/visitors/composite_visitor.py,sha256=eA9kdG-8-59rRZwLgrUo8uB2yq6yhr3LIas7zHSyDtQ,2694
+analyzer/visitors/imports_visitor.py,sha256=jpthTiycxg7aMuXy-g2zO-sB82GXMfNYNj2pdM0gEbE,2883
+analyzer/visitors/metrics_visitor.py,sha256=xd9SMZjpATkwRcwqbNMBXwXwJNdSap9dUIRPytkDKDg,5439
+analyzer/visitors/security_visitor.py,sha256=ontmVz3Qxto-sk6oNnDKf1IzjBvDVIPm6jn4mI34KQI,1675
+analyzer/visitors/standards_visitor.py,sha256=RGmOMnS-yX_mEm2WTDFDsWY7cnk_agZhTBEk1gERUYE,9789
+qgis_plugin_analyzer-1.6.0.dist-info/licenses/LICENSE,sha256=bMxViCXCE9h3bzmw6oUvy4R_CvzOrV3aYhIvjBPx20A,35091
+qgis_plugin_analyzer-1.6.0.dist-info/METADATA,sha256=nWCMyJycFbXLEKz6Q7tuW5UGVx9LXIl7YRSW7WqrdOo,14757
+qgis_plugin_analyzer-1.6.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+qgis_plugin_analyzer-1.6.0.dist-info/entry_points.txt,sha256=1dwiqkZC4hGYExrOgyhZkxv7CbClSZqJkVk42nlw1IY,52
+qgis_plugin_analyzer-1.6.0.dist-info/top_level.txt,sha256=i9U1DboCuTuaYpS-5GcgUeKIlSI00PoxYtnrfQWD8wo,18
+qgis_plugin_analyzer-1.6.0.dist-info/RECORD,,