Have a look at more Python static analysis tools

[leandro-lucarella-frequenz]

• Lint: We are currently using pylint, but there is also the very popular flake8. We should see if it makes sense to switch or even use both. Some comparison.

  Recently @shsms discovered ruff too. Ruff seems to be mainly a replacement for flake8, not so much for pylint now. There seems to be able to replace or at least take on some docs checks from darglint, which is currently archived (abandoned).

  • pylint checks present in ruff: Implement Pylint astral-sh/ruff#970 (not that many)
  • Google-style docstrings: https://beta.ruff.rs/docs/faq/#does-ruff-support-numpy-or-google-style-docstrings

• Automatic upgrading:

  • Incorporate pyupgrade to upgrade to newer python syntax #30

• Add more security checks:

  • Dependency scanning:

    We are currently using dependabot in some repos, but something that can be run in the console as a regular tool might be nice too, like pip-audit.

    • pip-audit audits Python environments and dependency trees for known vulnerabilities.
    • Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. It seems to be a paid service with only free tiers for non-commercial project.
    • Configure dependabot #7
    • Snyk is a 3rd party service that can check for dependencies health, security and updates and the code for issues and vulnerabilities.

  • Static analysis (Add vulnerabilities/security scanning #29):

    • bandit is a Python specific tool to find common security issues in Python code.
    • CodeQL is a more general GitHub specific solution that supports many languages.

  • License checks:

    • Add license checking via FOSSA #26
    • Snyk also offers licensing scanning but only in paid plans

[llucax]

A nice summary of many linters and checking tools (including code complexity): https://inventwithpython.com/blog/2022/11/19/python-linter-comparison-2022-pylint-vs-pyflakes-vs-flake8-vs-autopep8-vs-bandit-vs-prospector-vs-pylama-vs-pyroma-vs-black-vs-mypy-vs-radon-vs-mccabe/