SCANPY-248 Auto detect test code

[guillaume-dequenne]

No description provided.

[hashicorp-vault-sonar-prod]

SCANPY-248

[sonar-review-alpha]

Summary

Adds automatic detection of test file paths from Python tooling configuration.

When sonar.tests is not explicitly set, the scanner now infers test directories from common sources: pyproject.toml (pytest config), pytest.ini, tox.ini, setup.cfg, or filesystem conventions (directories named "tests", "test", "testing"). This reduces reliance on sonar-python's heuristic that silences issues on test-like files.

New CLI flag --sonar-python-test-file-heuristic-disabled lets users disable this heuristic to treat all files as main code regardless of their path. If tooling declares testpaths but all paths are invalid (don't exist), the heuristic is automatically disabled since user intent was expressed.

What reviewers should know

Core Logic: Start with test_paths_loader.py — this is the new auto-detection module. It tries loaders in order (pyproject.toml → pytest.ini → tox.ini → setup.cfg → filesystem). The return value signals both what tests were found AND whether to disable the heuristic if declared paths were invalid.

Integration Point: configuration_loader.py now calls test_paths_loader.load() when sonar.tests is absent and the heuristic isn't disabled. The heuristic-disabling logic checks for an explicit CLI/env/config value before auto-detecting.

Tests: Extensive unit tests in test_test_paths_loader.py (923 lines) use pyfakefs to test all config formats and edge cases. test_auto_detect_tests.py is an integration test against real project structures.

Config Chain: New property SONAR_PYTHON_TEST_FILE_HEURISTIC_DISABLED was added to properties.py and wired through CLI args. Check the property's cli_getter to see how it handles both --sonar-python-test-file-heuristic-disabled and -Dsonar.python.testFileHeuristic.disabled variants.

Watch For: The distinction between "found nothing" (return False, fall through) and "declared but all invalid" (return True, set disable flag). Also check Windows path handling in _existing_paths() — it handles both absolute paths and drive-relative paths.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[Seppli11]

Overall, the cahnge looks good. It's really cool to see that we're finally parsing settings from the pyproject.toml file and co. (Hopefully the python version is next 🤞 )

One thing I'm not sure about is if it makes sense to also have a heuristic based on the folders in the scanner. It seems to create quite a few strange places where, IMO, the outcome isn't that straight forward.

The other, more nitpicky thing, python_project_loader doesn't seem like an appropriate name for this module, given how it is used and how closely tight it usage is to the present of the test property.

Let me know if you want to discuss anything

[Seppli11]

In a more holistic view, applying the properties from the python_project_loader only if sonar.tests is not set doesn't really make sense to me. If we for example extend the python_project_loader to also detect the python version, things become weird.

Maybe it could make sense renaming the module to python_project_test_source_loader or similar (maybe you find a catchier name 😅 )

[Seppli11]

Does it make sense to add this heuristic here as well, given that sonar-python itself has a more extensive set of heuristics.

[guillaume-dequenne]

I think the heuristic from sonar-python is a bit of a crutch in the sense that it will only disable rules and still report metrics based on the FileType, because we can't contradict the scanner for the file type classification.
This will reduce noise but ultimately still produce an "inconsistent" analysis.

Having it here makes the analysis more consistent because the rule execution is in sync with the metrics reporting. It's an argument to use pysonar instead of the generic sonar-scanner-cli because here, the manual setup of sonar.tests is truly optional (assuming what is inferred matches the user expectations).

[Seppli11]

That is a good point. Maybe it would make sense to only fall back to the heuristic if the user hasn't set anything, rather than we haven't found a valid test folder

[guillaume-dequenne]

In a way I'm wondering if analysis coming from pysonar shouldn't simply disable the heuristic by default?

[Seppli11]

Maybe that would make the most sense. It would certainly simplify the flow chart of how the heuristics apply.
And, even in the case where they don't specify anything in their respective configuration files, the file based heuristic should still pick up most cases.

[Seppli11]

This method does a lot of automatic checks and fallbacks. Is this really necessary for a test?

[Seppli11]

this seems to be never called. Same applies to search_projects and get_project_measures

[Seppli11]

If we keep the heuristic, this could lead to a weird behavior where the pyrpoject.tol loader returned an empty set, while the file heuristic loader found a folder. This would now override what the user set

[Seppli11]

A similar issue could appear here, where for whatever reason, all the user specified tests are not valid paths. If the heuristic picks them up, we're overriding what the user explicitly told us.

[guillaume-dequenne]

I made changes so that if we detect a legitimate attempt to set the test, even if invalid, we disable the test detection heuristic downstream.

[Seppli11]

nitpick: multiline strings would be nicer

[Seppli11]

Looks good. I think like this, it makes a lot of sense and seems IMO intuitive. Thanks for implementing this 😁

One thing, it would probably make sense to add the new parameter as a cli option, as well as running the generate_cli_documentation.py tool to regenerate the documentation.

[Seppli11]

This option should also be added to the configuration.cli module as an option, potentially as a switch

[sonarqube-next]

Quality Gate passed for 'Python Scanner'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
98.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[sonar-review-alpha]

The or-based CLI getter bug for SONAR_PYTHON_TEST_FILE_HEURISTIC_DISABLED (previously flagged) is still present — False from --no-sonar-python-test-file-heuristic-disabled is silently discarded. That needs fixing before merge.

🗣️ Give feedback