Description
We started writing this up but would like to move the gathered content here to allow contributors to work on it.
We never got around to compressing the gathered info into something short and useful, so what follows is quite random.
related CWE: https://cwe.mitre.org/data/definitions/477.html
SEI CERT: [MET02-J. Do not use deprecated or obsolete classes or methods](https://wiki.sei.cmu.edu/confluence/display/java/MET02-J.+Do+not+use+deprecated+or+obsolete+classes+or+methods)
There is a relation between deprecated functions and unsafe functions. During an investigation we ended up adding deprecated functions as a sub-set of unsafe functions, as they typically match the NCSC definition of 'unsafe functions'; see #646.
Python libraries and frameworks evolve over time, and certain modules, classes, or functions may become deprecated or obsolete. Deprecated features are still available but are slated for removal in the future, while obsolete features are no longer supported and should not be used. Always check the official documentation for the version of Python you are using and avoid using deprecated or obsolete features. Each Python release gets a Release Schedule PEP which includes information about the planned lifespan.
Use the latest version of Python:
It is generally advisable to use the latest stable version of Python, as it includes bug fixes, performance improvements, and new features. Additionally, older versions of Python may have deprecated or obsolete features that are no longer recommended for use.
Be cautious with third-party libraries:
When using third-party libraries in Python, make sure to check their documentation and the release notes to ensure that you are using the latest version and to be aware of any deprecated or obsolete features. Keep your dependencies up to date to avoid potential vulnerabilities and compatibility issues.
Follow best practices and coding conventions:
Adhere to established Python best practices and coding conventions, such as those outlined in the official Python Style Guide (PEP 8). This will make your code more readable, maintainable, and less prone to errors. Avoid using outdated coding patterns or practices that have been deprecated in favor of more modern and preferred alternatives.
Utilize static analysis tools:
Python provides various static analysis tools that can help you identify deprecated or obsolete code in your projects. Tools like pylint, flake8, and pyflakes can detect and flag issues such as using deprecated modules or functions. Integrating these tools into your development workflow can help ensure that you catch and address such problems early on.
Stay informed about Python developments:
Keep yourself updated with the latest Python news, releases, and announcements. This will help you stay aware of any deprecated or obsolete features and enable you to make informed decisions when writing code.
Remember, these recommendations are general guidelines, and the specific needs of your project and the libraries you are using may vary. Always refer to the official documentation and resources for the versions of Python and its libraries that you are working with to ensure you are following the recommended practices.
The Python programming language follows a defined lifecycle (Python Software Foundation 2019) for its versions, support, deprecation, and backward compatibility policies. Here's a summary of the key aspects:
Python Versioning: Python releases are identified by version numbers in the format MAJOR.MINOR.MICRO. The MAJOR version indicates significant changes that may introduce backward incompatibilities, the MINOR version signifies new features and improvements, and the MICRO version includes bug fixes and maintenance updates.
Support Timeline: Python follows a support timeline for its versions, consisting of two phases:
Active: This phase includes regular bug fixes, security updates, and new feature releases. The duration of active support varies depending on the version but generally lasts for a few years.
Maintenance: After the active support phase ends, the version enters the maintenance phase, during which only critical bug fixes and security updates are provided. Maintenance support typically continues for a few more years.
Deprecation Policy: When a feature or functionality is deemed problematic or outdated, Python introduces a deprecation process to phase it out gradually. Deprecation involves marking the feature as obsolete and providing guidance on migrating to alternative solutions. Deprecated features typically remain available for one or more major releases before being removed.
Backward Compatibility: Python maintains a strong commitment to backward compatibility, striving to ensure that code written for older versions of Python continues to work in newer versions. Backward compatibility means that most well-written Python code should run without modifications on newer Python versions. However, certain rare cases may require adjustments due to backward-incompatible changes introduced in major version upgrades.
It's important to consult the official Python documentation and release notes for detailed information on specific versions, their support status, deprecation notices, and backward compatibility considerations. This will help you make informed decisions about Python versions and ensure the smooth transition and maintenance of your codebase.
https://peps.python.org/pep-0004/
See: "Item 89: Consider warnings to Refactor and Migrate Usage" [Slatkin 2020, p. 418]
Pylint can be used to detect deprecated usage; the relevant messages are:
https://vald-phoenix.github.io/pylint-errors/plerr/errors/imports/W0402.html
W4903 https://pylint.pycqa.org/en/latest/user_guide/messages/warning/deprecated-argument.html
https://pylint.pycqa.org/en/latest/user_guide/messages/warning/deprecated-class.html
https://pylint.pycqa.org/en/latest/user_guide/messages/warning/deprecated-decorator.html
https://pylint.pycqa.org/en/latest/user_guide/messages/warning/deprecated-method.html
https://pylint.pycqa.org/en/latest/user_guide/messages/warning/deprecated-module.html
https://pylint.pycqa.org/en/latest/user_guide/messages/warning/deprecated-typing-alias.html
https://pylint.pycqa.org/en/latest/user_guide/messages/information/deprecated-pragma.html
Problematic code:

```python
import urllib2  # Python 2 only; this module does not exist in Python 3
```

Correct code:

```python
import urllib  # in Python 3, urllib2's functionality lives in urllib.request and urllib.error
```
Example from
https://gerrit.ericsson.se/#/c/13101469/26/cbrs-domain-proxy-shell-cli-frontend/cbrs_cli/command_executor.py
```python
from subprocess import PIPE, run

completed_process = run(
    ["/usr/bin/bash", "-c", script_cmd],
    universal_newlines=True,  # pre-3.7 spelling of text=True
    shell=False,  # nosec B603
    check=False,
    stdout=PIPE,  # stdout=PIPE plus stderr=PIPE is what capture_output=True replaces
    stderr=PIPE,
)
```
Changed in version 3.7: Added the text parameter, as a more understandable alias of universal_newlines. Added the capture_output parameter.
https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module
```python
from subprocess import run

completed_process = run(
    ["/usr/bin/bash", "-c", script_cmd],
    capture_output=True,  # replaces stdout=PIPE, stderr=PIPE (Python 3.7+)
    text=True,  # replaces universal_newlines=True (Python 3.7+)
    shell=False,  # nosec B603
    check=False,
)
```
https://vald-phoenix.github.io/pylint-errors/
https://pylint.pycqa.org/en/latest/user_guide/messages/warning/deprecated-method.html
https://pypi.org/project/flake8-warnings/
In Python 3.12:
https://peps.python.org/pep-0702/
The deprecation library https://pypi.org/project/deprecation/ provides a deprecated decorator and a fail_if_not_removed decorator for your tests. Together, the two enable the automation of several things:
Tools for user code (this snippet uses the Deprecated package, https://pypi.org/project/Deprecated/):

```python
from deprecated import deprecated

@deprecated(version='1.2.1', reason="You should use another function")
def some_old_function(x, y):
    return x + y
```
See also:
https://pypi.org/project/Deprecated/
https://pypi.org/project/flake8-warnings/
Python linter that warns you about using deprecated modules, classes, and functions. It provides a CLI as well as flake8 and pylint plugins.
It analyzes all imported modules, classes, and functions and detects the following:
- warnings.warn function calls.
- Deprecation decorators like deprecated or deprecation.
- Deprecation messages in docstrings.
- Stdlib modules deprecated by PEP 594.
https://learning.oreilly.com/library/view/python-in-a/9781098113544/ch17.html#the_warnings_module
https://docs.python.org/3/library/warnings.html
Item 89: Consider warnings to Refactor and Migrate Usage
https://learning.oreilly.com/library/view/effective-python-90/9780134854717/ch10.xhtml#item89
"While exceptions are primarily for automated error handling by machines ...warnings are all about communication between humans about what to expect in their collaboration with each other."
The warnings module can be used to notify callers of your API about deprecated usage. Warning messages encourage such callers to fix their code before later changes break their programs.
✦ Raise warnings as errors by using the -W error command-line argument to the Python interpreter. This is especially useful in automated tests to catch potential regressions of dependencies.
✦ In production, you can replicate warnings into the logging module to ensure that your existing error reporting systems will capture warnings at runtime.
✦ It’s useful to write tests for the warnings that your code generates to make sure that they’ll be triggered at the right time in any of your downstream dependencies.
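An added example (not from the original page or from Slatkin's book) that covers the three bullets with the standard library alone: a `deprecated` decorator built on `warnings.warn`, a test that records the warning, a scoped equivalent of `-W error`, and `logging.captureWarnings` for production. `run_legacy`, `run_command` and the version string are constructed names.

```python
import logging.handlers
import warnings
from functools import wraps

def deprecated(reason, since):
    """Emit a DeprecationWarning on each call; stacklevel=2 blames the caller, not the wrapper."""
    def decorator(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            warnings.warn(f"{func.__name__}() is deprecated since {since}: {reason}",
                          DeprecationWarning, stacklevel=2)
            return func(*args, **kwargs)
        return wrapper
    return decorator

@deprecated(reason="use run_command() instead", since="1.2.1")
def run_legacy(cmd):  # constructed stand-in for an old API
    return " ".join(cmd)

def call_and_record():
    """Unit-test style: capture the warning and return its text for assertions."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", DeprecationWarning)
        result = run_legacy(["echo", "hi"])
    return result, [str(w.message) for w in caught if issubclass(w.category, DeprecationWarning)]

def call_with_warnings_as_errors():
    """Scoped equivalent of `python -W error`: the deprecated call now raises."""
    with warnings.catch_warnings():
        warnings.simplefilter("error", DeprecationWarning)
        try:
            run_legacy(["echo", "hi"])
        except DeprecationWarning as exc:
            return str(exc)

def call_with_logging_capture():
    """Production approach: route warnings into the 'py.warnings' logger."""
    handler = logging.handlers.BufferingHandler(capacity=10)  # keeps LogRecords in handler.buffer
    logger = logging.getLogger("py.warnings")
    logger.addHandler(handler)
    logging.captureWarnings(True)
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("always", DeprecationWarning)
            run_legacy(["echo", "hi"])
    finally:
        logging.captureWarnings(False)
        logger.removeHandler(handler)
    return [r.getMessage() for r in handler.buffer]
```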
https://docs.python.org/3/library/devmode.html
https://github.com/withakay/pylint-deprecated-decorator
A pylint checker to detect @deprecated decorators on classes and functions. It warns when classes and functions are called that are decorated with @deprecated. Intended to be used in conjunction with a library like https://pypi.org/project/deprecation/.