Fix some bug risks and code quality issues

[sanketsaurav]

Changes:

• In hammer/library/aws/s3.py, use in operator to check if variable is equal to either of two values.
• In hammer/tools/ddb_inject_credentials.py, use is to compare with None.
• In hammer/reporting-remediation/bot/commands.py, remove unnecessary else used after raise.
• In hammer/library/aws/s3.py and hammer/library/ddb_issues.py, fix indentation not multiple of four.

---

This PR also adds .deepsource.toml configuration file to run Continuous Quality analysis on the repo with DeepSource. Upon enabling DeepSource, quality and security analysis will be run on every PR to detect 500+ types of problems in the changes — including bug risks, anti-patterns, security vulnerabilities, etc.

DeepSource is a free to use for open-source projects, and is used by teams at NASA, Uber, Slack among many others.

To enable DeepSource analysis after merging this PR, please follow these steps:

1. Sign up on DeepSource with your GitHub account and grant access to this repo.
2. Activate analysis on this repo here.

You can also look at the docs for more details. Do let me know if I can be of any help!

Cheers,

Sanket
Founder, DeepSource

[sanketsaurav]

You can look at all the existing issues on my fork of this repo here: https://deepsource.io/gh/sanketsaurav/hammer/issues/

[pranav1688]

Thanks @sanketsaurav ! How would Deepsource compare against the likes of Semmle? I reviewed the issues pointed out here: https://deepsource.io/gh/sanketsaurav/hammer/issues/ , Would it be possible to get actionable solutions which can help resolve the issues.

Example: Invalid escape sequence found| FLK-W605
MAJOR BUG RISK
As of Python 3.6, a backslash-character pair that is not a valid escape sequence now generates a DeprecationWarning. Although this will eventually become a SyntaxError, that will not be for several Python releases.

hammer/identification/lambdas/api/authorizer.py
invalid escape sequence ‘*‘

 62    # The policy version used for the evaluation. This should always be '2012-10-17'
 63    version = '2012-10-17'
 64    # The regular expression used to validate resource paths for the policy
 65    pathRegex = '^[/.a-zA-Z0-9-\*]+$'

[sanketsaurav]

Hey @pranav1688 — thanks for looking into this. Here are the differences, among many more, from other tools out there:

• The results are optimized for fewer false-positives. DeepSource filters out noise intelligently by looking at the context. e.g. if you've defined your test_patterns, you won't see issues that don't make sense in test files.
• It is easy to ignore issues for specific file patterns, test files, or the entire repo directly from the UI.
• On pull requests, the issues detected are granular and only shown for the changed lines (rather than all lines in the files touched, like other tools).
• You can track metrics like test coverage, documentation coverage, etc. all at one place with almost zero config.

About more actionable results: we currently have helpful descriptions for each issue raised. The ability to auto-fix issues is coming soon — so a lot of these trivial issues can be resolved with just a click. I'll keep you posted when we release it.

Would be happy to show you a demo and onboard the repo on DeepSource. Do let me know!

[pranav1688]

Thanks for the information @sanketsaurav , I will be keen to know the auto-remediation when its ready.

[sanketsaurav]

Sure @pranav1688! I'll keep you posted. You can start using DeepSource right away, though. I've added the configuration file for this repository in the PR. Do let me know if there's anything else that I can do to get you started. :)

[sanketsaurav]

Hey @pranav1688 — just wanted to check if we can get this merged. Would love to see the project use DeepSource. Please let me know! :)

[mohi7solanki]

Hey @pranav1688 Mohit from DeepSource here, We have autofix / auto-remediation in production now.