From 526d46cfc2e0032783422e5717f012fec773efe5 Mon Sep 17 00:00:00 2001 From: joke1196 Date: Tue, 17 Jun 2025 13:35:16 +0000 Subject: [PATCH 1/9] Create rule S7609 --- rules/S7609/metadata.json | 2 ++ rules/S7609/python/metadata.json | 25 ++++++++++++++++++ rules/S7609/python/rule.adoc | 44 ++++++++++++++++++++++++++++++++ 3 files changed, 71 insertions(+) create mode 100644 rules/S7609/metadata.json create mode 100644 rules/S7609/python/metadata.json create mode 100644 rules/S7609/python/rule.adoc diff --git a/rules/S7609/metadata.json b/rules/S7609/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7609/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7609/python/metadata.json b/rules/S7609/python/metadata.json new file mode 100644 index 00000000000..4c75dcf8d84 --- /dev/null +++ b/rules/S7609/python/metadata.json @@ -0,0 +1,25 @@ +{ + "title": "FIXME", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-7609", + "sqKey": "S7609", + "scope": "All", + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "unknown", + "code": { + "impacts": { + "MAINTAINABILITY": "HIGH", + "RELIABILITY": "MEDIUM", + "SECURITY": "LOW" + }, + "attribute": "CONVENTIONAL" + } +} diff --git a/rules/S7609/python/rule.adoc b/rules/S7609/python/rule.adoc new file mode 100644 index 00000000000..caae0d69054 --- /dev/null +++ b/rules/S7609/python/rule.adoc 
@@ -0,0 +1,44 @@ +FIXME: add a description + +// If you want to factorize the description uncomment the following line and create the file. +//include::../description.adoc[] + +== Why is this an issue? + +FIXME: remove the unused optional headers (that are commented out) + +//=== What is the potential impact? + +== How to fix it +//== How to fix it in FRAMEWORK NAME + +=== Code examples + +==== Noncompliant code example + +[source,python,diff-id=1,diff-type=noncompliant] +---- +FIXME +---- + +==== Compliant solution + +[source,python,diff-id=1,diff-type=compliant] +---- +FIXME +---- + +//=== How does this work? + +//=== Pitfalls + +//=== Going the extra mile + + +//== Resources +//=== Documentation +//=== Articles & blog posts +//=== Conference presentations +//=== Standards +//=== External coding guidelines +//=== Benchmarks From 79ce01cd5d53cf1a4a2ab1a2f7db6a79aa6f13cc Mon Sep 17 00:00:00 2001 From: David Kunzmann Date: Mon, 23 Jun 2025 15:55:34 +0200 Subject: [PATCH 2/9] Create rule S7609 --- rules/S7609/python/rule.adoc | 117 ++++++++++++++++++++++++++++------- 1 file changed, 95 insertions(+), 22 deletions(-) diff --git a/rules/S7609/python/rule.adoc b/rules/S7609/python/rule.adoc index caae0d69054..9ff453e2812 100644 --- a/rules/S7609/python/rule.adoc +++ b/rules/S7609/python/rule.adoc 
@@ -1,44 +1,117 @@ -FIXME: add a description - -// If you want to factorize the description uncomment the following line and create the file. -//include::../description.adoc[] +AWS service namespaces should not be used with CloudWatch put_metric_data == Why is this an issue? -FIXME: remove the unused optional headers (that are commented out) +AWS CloudWatch has reserved namespaces that begin with 'AWS/' for its own internal services and metrics. These namespaces are used by AWS to publish official service metrics such as EC2 instance metrics, Lambda function metrics, S3 bucket metrics, and others. When you attempt to publish custom metrics using a namespace that begins with 'AWS/', you are essentially trying to use a reserved namespace that conflicts with AWS's own metric publishing system. + +=== What is the potential impact? -//=== What is the potential impact? +Using AWS service namespaces can lead to metric publishing failures, data corruption, or unexpected behavior in CloudWatch dashboards. It may also cause confusion between your custom metrics and official AWS service metrics, making monitoring and troubleshooting more difficult. Additionally, AWS may reject such metric publications or they may interfere with existing service metrics. == How to fix it -//== How to fix it in FRAMEWORK NAME -=== Code examples +=== How to fix it in boto3 -==== Noncompliant code example +Use a custom namespace that does not begin with 'AWS/' when publishing metrics with CloudWatch. Choose a meaningful namespace that reflects your application or service name, such as 'MyApp/', 'CustomService/', or your organization name. 
+==== Noncompliant code example [source,python,diff-id=1,diff-type=noncompliant] ---- -FIXME +import boto3 + +cloudwatch = boto3.client('cloudwatch') + +# Publishing to AWS reserved namespace +cloudwatch.put_metric_data( + Namespace='AWS/MyCustomService', # Noncompliant + MetricData=[ + { + 'MetricName': 'CustomMetric', + 'Value': 123.0 + } + ] +) ---- ==== Compliant solution - [source,python,diff-id=1,diff-type=compliant] ---- -FIXME +import boto3 + +cloudwatch = boto3.client('cloudwatch') + +# Publishing to custom namespace +cloudwatch.put_metric_data( + Namespace='MyApp/CustomService', # Compliant + MetricData=[ + { + 'MetricName': 'CustomMetric', + 'Value': 123.0 + } + ] +) +---- + +=== How to fix it in aiobotocore + +When using aiobotocore for asynchronous CloudWatch operations, ensure you use a custom namespace that does not start with 'AWS/' to avoid conflicts with AWS reserved namespaces. + +==== Noncompliant code example +[source,python,diff-id=2,diff-type=noncompliant] +---- +import aiobotocore.session + +async def publish_metrics(): + session = aiobotocore.session.get_session() + async with session.create_client('cloudwatch') as client: + await client.put_metric_data( + Namespace='AWS/Lambda/Custom', # Noncompliant + MetricData=[ + { + 'MetricName': 'ProcessingTime', + 'Value': 45.2 + } + ] + ) ---- -//=== How does this work? 
+==== Compliant solution +[source,python,diff-id=2,diff-type=compliant] +---- +import aiobotocore.session + +async def publish_metrics(): + session = aiobotocore.session.get_session() + async with session.create_client('cloudwatch') as client: + await client.put_metric_data( + Namespace='MyLambda/Custom', # Compliant + MetricData=[ + { + 'MetricName': 'ProcessingTime', + 'Value': 45.2 + } + ] + ) +---- + +== Resources + +=== Documentation +* https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html[AWS CloudWatch PutMetricData API Reference] +* https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace[CloudWatch Concepts - Namespaces] + + +ifdef::env-github,rspecator-view[] + +== Implementation Specification +(visible only on this page) + +=== Message -//=== Pitfalls +Do not use AWS reserved namespace that begins with 'AWS/' for custom metrics. -//=== Going the extra mile +=== Highlighting +* Primary location: the 'Namespace' parameter value in the put_metric_data call -//== Resources -//=== Documentation -//=== Articles & blog posts -//=== Conference presentations -//=== Standards -//=== External coding guidelines -//=== Benchmarks +endif::env-github,rspecator-view[] \ No newline at end of file From ba1fbde9c1ce2a080ea128264fb8e1dcc7c88608 Mon Sep 17 00:00:00 2001 From: David Kunzmann Date: Mon, 23 Jun 2025 16:18:06 +0200 Subject: [PATCH 3/9] Create rule S7609 --- rules/S7609/python/rule.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/S7609/python/rule.adoc b/rules/S7609/python/rule.adoc index 9ff453e2812..b9247bafe1f 100644 --- a/rules/S7609/python/rule.adoc +++ b/rules/S7609/python/rule.adoc 
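Review bot: The "What is the potential impact?" paragraph names data corruption and interference with existing service metrics as outcomes, and nothing else in the rule text supports either; as far as I can tell, the PutMetricData reference linked under Resources only tells callers not to specify a namespace that begins with `AWS/`. Someone triaging this finding needs the realistic failure mode, which is most likely that CloudWatch refuses the datapoint and any alarm or dashboard built on the custom metric silently receives nothing. I would narrow the paragraph to what can be cited, for example `Metrics published to a namespace that begins with 'AWS/' may be rejected by CloudWatch, so the datapoints are never recorded and alarms that depend on them do not fire.`, and drop the corruption claim unless a source is added. The Message line in the same hunk would also read better as `Do not use a namespace that begins with 'AWS/' for custom metrics.`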
@@ -15,6 +15,7 @@ Using AWS service namespaces can lead to metric publishing failures, data corrup Use a custom namespace that does not begin with 'AWS/' when publishing metrics with CloudWatch. Choose a meaningful namespace that reflects your application or service name, such as 'MyApp/', 'CustomService/', or your organization name. ==== Noncompliant code example + [source,python,diff-id=1,diff-type=noncompliant] ---- import boto3 @@ -34,6 +35,7 @@ cloudwatch.put_metric_data( ---- ==== Compliant solution + [source,python,diff-id=1,diff-type=compliant] ---- import boto3 @@ -57,6 +59,7 @@ cloudwatch.put_metric_data( When using aiobotocore for asynchronous CloudWatch operations, ensure you use a custom namespace that does not start with 'AWS/' to avoid conflicts with AWS reserved namespaces. ==== Noncompliant code example + [source,python,diff-id=2,diff-type=noncompliant] ---- import aiobotocore.session @@ -76,6 +79,7 @@ async def publish_metrics(): ---- ==== Compliant solution + [source,python,diff-id=2,diff-type=compliant] ---- import aiobotocore.session @@ -97,6 +101,7 @@ async def publish_metrics(): == Resources === Documentation + * https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html[AWS CloudWatch PutMetricData API Reference] * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace[CloudWatch Concepts - Namespaces] From 1d3baeec3d9698ebf60b6d2e505070875651ff4a Mon Sep 17 00:00:00 2001 From: David Kunzmann Date: Mon, 23 Jun 2025 16:28:16 +0200 Subject: [PATCH 4/9] Filled rule metadata --- rules/S7609/python/metadata.json | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/rules/S7609/python/metadata.json b/rules/S7609/python/metadata.json index 4c75dcf8d84..872fa91925d 100644 --- a/rules/S7609/python/metadata.json +++ b/rules/S7609/python/metadata.json 
@@ -1,5 +1,5 @@ { - "title": "FIXME", + "title": "AWS CloudWatch metrics namespace should not begin with `AWS/`", "type": "CODE_SMELL", "status": "ready", "remediation": { @@ -16,9 +16,7 @@ "quickfix": "unknown", "code": { "impacts": { - "MAINTAINABILITY": "HIGH", - "RELIABILITY": "MEDIUM", - "SECURITY": "LOW" + "RELIABILITY": "MEDIUM" }, "attribute": "CONVENTIONAL" } From 3474a24f8bb96fc8dd77130f4a5c84d7be9b76c4 Mon Sep 17 00:00:00 2001 From: David Kunzmann Date: Mon, 23 Jun 2025 16:35:03 +0200 Subject: [PATCH 5/9] Fix main description --- rules/S7609/python/rule.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/S7609/python/rule.adoc b/rules/S7609/python/rule.adoc index b9247bafe1f..243284c5ea7 100644 --- a/rules/S7609/python/rule.adoc +++ b/rules/S7609/python/rule.adoc @@ -1,4 +1,4 @@ -AWS service namespaces should not be used with CloudWatch put_metric_data +This rule raises and issue when AWS CloudWatch `put_metric_data` namespace begins with `AWS/`. == Why is this an issue? @@ -119,4 +119,4 @@ Do not use AWS reserved namespace that begins with 'AWS/' for custom metrics. * Primary location: the 'Namespace' parameter value in the put_metric_data call -endif::env-github,rspecator-view[] \ No newline at end of file +endif::env-github,rspecator-view[] From 00b13c5c26f6511e950144ae31c6f48d611225db Mon Sep 17 00:00:00 2001 From: Ghislain Piot Date: Tue, 24 Jun 2025 09:17:32 +0200 Subject: [PATCH 6/9] Create rule S7609 --- rules/S7609/python/rule.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/S7609/python/rule.adoc b/rules/S7609/python/rule.adoc index 243284c5ea7..b9247bafe1f 100644 --- a/rules/S7609/python/rule.adoc +++ b/rules/S7609/python/rule.adoc @@ -1,4 +1,4 @@ -This rule raises and issue when AWS CloudWatch `put_metric_data` namespace begins with `AWS/`. +AWS service namespaces should not be used with CloudWatch put_metric_data == Why is this an issue? 
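Review bot: After the second hunk the only remaining impact is `"RELIABILITY": "MEDIUM"`, while the context line in the first hunk still declares `"type": "CODE_SMELL"`. A reliability-only rule is normally typed as a bug, so the two fields look inconsistent, and any consumer that still reads the legacy type would presumably file the rule under maintainability. Either change the type to `"type": "BUG",` or keep a `MAINTAINABILITY` entry in `impacts`, whichever matches the intent; this is inferred from the usual type-to-quality mapping and should be checked against the repository's metadata validation. The new title also embeds backticks in a JSON string, so it is worth confirming that titles are rendered as markup rather than shown literally.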
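Review bot: The new first line of rule.adoc reads "raises and issue", which should be `raises an issue`. Patch 6 removes the sentence and patch 7 adds it back with the typo intact and the closing period dropped, so the misspelling survives to the end of the series. The sentence is also vague about what is inspected: per the Highlighting section, it is the `Namespace` argument of the call that must not start with `AWS/`. Suggested wording, described rather than quoted because of the nested backticks: "This rule raises an issue when the Namespace argument passed to put_metric_data begins with AWS/.", with the identifiers in code formatting.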
@@ -119,4 +119,4 @@ Do not use AWS reserved namespace that begins with 'AWS/' for custom metrics. * Primary location: the 'Namespace' parameter value in the put_metric_data call -endif::env-github,rspecator-view[] +endif::env-github,rspecator-view[] \ No newline at end of file From d0aded031a390cb91ff3c1e15e61cb7202a365f9 Mon Sep 17 00:00:00 2001 From: David Kunzmann Date: Tue, 24 Jun 2025 09:26:41 +0200 Subject: [PATCH 7/9] Fix main description --- rules/S7609/python/rule.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/S7609/python/rule.adoc b/rules/S7609/python/rule.adoc index b9247bafe1f..c825daecc1e 100644 --- a/rules/S7609/python/rule.adoc +++ b/rules/S7609/python/rule.adoc @@ -1,4 +1,4 @@ -AWS service namespaces should not be used with CloudWatch put_metric_data +This rule raises and issue when AWS CloudWatch `put_metric_data` namespace begins with `AWS/` == Why is this an issue? @@ -119,4 +119,4 @@ Do not use AWS reserved namespace that begins with 'AWS/' for custom metrics. * Primary location: the 'Namespace' parameter value in the put_metric_data call -endif::env-github,rspecator-view[] \ No newline at end of file +endif::env-github,rspecator-view[] From 2f63864dcafb284719ede1440e34d9200d4ca49c Mon Sep 17 00:00:00 2001 From: David Kunzmann Date: Tue, 24 Jun 2025 10:27:38 +0200 Subject: [PATCH 8/9] Fixed formatting --- rules/S7609/python/rule.adoc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/S7609/python/rule.adoc b/rules/S7609/python/rule.adoc index c825daecc1e..d61ed9dc92a 100644 --- a/rules/S7609/python/rule.adoc +++ b/rules/S7609/python/rule.adoc 
@@ -8,12 +8,13 @@ AWS CloudWatch has reserved namespaces that begin with 'AWS/' for its own intern Using AWS service namespaces can lead to metric publishing failures, data corruption, or unexpected behavior in CloudWatch dashboards. It may also cause confusion between your custom metrics and official AWS service metrics, making monitoring and troubleshooting more difficult. Additionally, AWS may reject such metric publications or they may interfere with existing service metrics. -== How to fix it -=== How to fix it in boto3 +== How to fix it in boto3 Use a custom namespace that does not begin with 'AWS/' when publishing metrics with CloudWatch. Choose a meaningful namespace that reflects your application or service name, such as 'MyApp/', 'CustomService/', or your organization name. +=== Code examples + ==== Noncompliant code example [source,python,diff-id=1,diff-type=noncompliant] @@ -54,10 +55,12 @@ cloudwatch.put_metric_data( ) ---- -=== How to fix it in aiobotocore +== How to fix it in aiobotocore When using aiobotocore for asynchronous CloudWatch operations, ensure you use a custom namespace that does not start with 'AWS/' to avoid conflicts with AWS reserved namespaces. +=== Code examples + ==== Noncompliant code example [source,python,diff-id=2,diff-type=noncompliant] From 523d37b328fc02ab19449502d6b2140b2ba871ca Mon Sep 17 00:00:00 2001 From: David Kunzmann Date: Tue, 24 Jun 2025 10:27:52 +0200 Subject: [PATCH 9/9] Corrected allowed_framework_names --- docs/header_names/allowed_framework_names.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc index d91acac3d7a..2309b398ecc 100644 --- a/docs/header_names/allowed_framework_names.adoc +++ b/docs/header_names/allowed_framework_names.adoc @@ -101,11 +101,13 @@ * Mcrypt // Python * aiohttp +* aiobotocore * Amazon DynamoDB * Argon2-cffi * AnyIO * Asyncio * Bcrypt +* boto3 * Cryptodome * databases * Django