What Python/Django code checkers do you recommend?...


Fred Stluka

Apr 8, 2016, 12:01:27 PM
to django-users -- mailing list
Python/Django programmers,

What code review tools do you use?  Do you run them automatically
when checking in new code?  Do you recommend them?

Details:

I'm working on a large Python/Django Web app (1,000 files, 200,000
lines of code, 3.5 years) and spend a good chunk of my time reviewing
code written by other team members.  I'd like to automate many of the
checks that I currently do manually:

- Coding standards violations
  -- Lack of logging
  -- Missing docstrings
  -- Hardcoded literals instead of named constants or utility functions
  -- Standard columns in all DB tables (create_user, create_date,
       update_user, update_date, status, etc.)
  -- etc.

- Architecture violations
  -- Doing things in the UI layer vs the business logic layer
  -- Respect the MVC boundaries
  -- etc.

- Logic errors

- Defensive coding
  -- Unchecked assumptions
  -- Missing else clauses on if statements
  -- Missing exception handlers
  -- Exception handlers that suppress errors
  -- etc.

- Security and data validation
  -- Vulnerability to injection attacks (SQL, JS, etc.)
  -- Data validation and security enforcement in browser vs. server
  -- etc.

- Massive inefficiencies
  -- Cursor loop vs more specific DB SELECT
  -- Caching opportunities
  -- etc.

- Reuse opportunities

- Lack of test cases

- DB migration issues
  -- Non-idempotent migrations
  -- Edited migrations
  -- Migrations that call non-migration code that might change

- User experience
  -- Show clear error messages in all cases of user error

- etc.

What tools do you recommend to automate such checks?  I'm currently
most interested in Python/Django, as well as JavaScript/CSS/HTML.

Some automation tools I've found include:
- Gerrit
  https://www.gerritcodereview.com/
- BitBucket Server (was Stash)
  https://www.atlassian.com/software/bitbucket/server/

Such automation tools support a workflow of human interactions for
manual code reviews (comments, replies, todos, etc.).  They also call
code review tools like the following to scan the code automatically:
- Sonar (multiple languages via plugins)
   http://www.sonarqube.org/
- JSHint (JavaScript)
   http://jshint.com/
- JSLint (JavaScript)
   http://www.jslint.com/
- TSLint (TypeScript)
   https://palantir.github.io/tslint/
- PMD (mostly Java/JS, some Python)
   https://pmd.github.io/
- Checkstyle (Java, not Python)
   http://checkstyle.sourceforge.net/
- FindBugs (Java, not Python)
   http://findbugs.sourceforge.net/
- CodeNarc (Groovy and Java, not Python)
   http://codenarc.sourceforge.net/

I've also done a quick Google for Python/Django-specific tools:
- http://google.com/search?q=python+code+checkers
- http://google.com/search?q=django+code+checkers

and found:
- code-checker
   https://pypi.python.org/pypi/code-checker/
- PyChecker
   https://pypi.python.org/pypi/PyChecker
- Pyflakes
   https://pypi.python.org/pypi/pyflakes
- PyLint
   https://pypi.python.org/pypi/pylint
- pep8
   https://pypi.python.org/pypi/pep8
- Flake8 (wraps Pyflakes, pep8 and others)
   https://pypi.python.org/pypi/flake8
- Django Lint
   https://chris-lamb.co.uk/projects/django-lint
- QuantifiedCode
   https://www.quantifiedcode.com/

My IDE is PyCharm, which has the ability to check some things, but
I haven't yet investigated or configured it much.

What do you recommend?  Any good or bad experiences to share?

Thanks!
--Fred
Fred Stluka -- mailto:fr...@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.

Avraham Serour

Apr 10, 2016, 9:21:56 AM
to django-users
I use all, especially because they are free for open source



Christian Ledermann

Apr 11, 2016, 3:51:45 AM
to django...@googlegroups.com
A good start is running flake8 with various plugins on the CI, and/or
pre-commit.
As you have a large codebase do not try to fix everything at once,
you'd just get overwhelmed with all the violations reported.



--
Best Regards,

Christian Ledermann

Newark-on-Trent - UK
Mobile : +44 7474997517

https://uk.linkedin.com/in/christianledermann
https://github.com/cleder/


<*)))>{

If you save the living environment, the biodiversity that we have left,
you will also automatically save the physical environment, too. But If
you only save the physical environment, you will ultimately lose both.

1) Don’t drive species to extinction

2) Don’t destroy a habitat that species rely on.

3) Don’t change the climate in ways that will result in the above.

}<(((*>
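Two of the manual checks from the original question (exception handlers that suppress errors, and SQL built by string formatting before it reaches `execute()`/`raw()`/`extra()`) written as a stand-alone `ast`-based checker of the kind a flake8 plugin would carry; this is an added illustration, not code from the thread or from flake8, and the finding codes, the `check_source` name and the sample input are my own constructions.

```python
import ast

# Hypothetical finding codes for this example, not codes from any real flake8 plugin.
SUPPRESSED_EXC = "X001"
FORMATTED_SQL = "X002"

def _is_formatted_string(expr):
    """True when the string is assembled at runtime: f-string, % formatting or .format()."""
    if isinstance(expr, ast.JoinedStr):
        return True
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Mod):
        return True
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")

class ReviewChecker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (lineno, code, message)

    def visit_ExceptHandler(self, node):
        # A handler whose body is only `pass` silently swallows the error.
        if all(isinstance(s, ast.Pass) for s in node.body):
            self.findings.append((node.lineno, SUPPRESSED_EXC, "exception handler suppresses errors"))
        self.generic_visit(node)

    def visit_Call(self, node):
        # SQL given to execute()/raw()/extra() should use bound parameters, not string building.
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name in ("execute", "raw", "extra") and node.args and _is_formatted_string(node.args[0]):
            self.findings.append((node.lineno, FORMATTED_SQL, "SQL built by string formatting; pass parameters instead"))
        self.generic_visit(node)

def check_source(source):
    """Parse Python source text and return findings sorted by line number."""
    checker = ReviewChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)

# Constructed sample: one injectable query, one swallowed exception, one parameterised query.
SAMPLE = '''
def lookup(cursor, user_id):
    try:
        cursor.execute("SELECT * FROM app_user WHERE id = %s" % user_id)
    except Exception:
        pass
    cursor.execute("SELECT * FROM app_user WHERE id = %s", [user_id])
'''
```

To run it under flake8 as Christian suggests, the same visitor goes into a plugin class that takes the parsed `tree` in `__init__` and whose `run()` yields `(lineno, col, message, type)` tuples, registered through a `flake8.extension` entry point.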