sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(validators): add noqa suppression support to security and performance validators
All checks were successful
CI / dependency-scanning (push) Successful in 27s
Details
CI / docs (push) Successful in 35s
Details
CI / ruff (push) Successful in 8s
Details
CI / pytest (push) Successful in 34m22s
Details
CI / validate (push) Successful in 19s
Details
CI / deploy (push) Successful in 2m25s
Details

Browse Source 
- Add centralized _is_noqa_suppressed() to BaseValidator with normalization
  (accepts both SEC001 and SEC-001 formats for ruff compatibility)
- Wire noqa support into all 21 security and 18 performance check functions
- Add ruff external config for SEC/PERF/MOD/EXC codes in pyproject.toml
- Convert all 280 Python noqa comments to dashless format (ruff-compatible)
- Add site/ to IGNORE_PATTERNS (excludes mkdocs build output)
- Suppress 152 false positive findings (test passwords, seed data, validator
  self-references, Apple Wallet SHA1, etc.)
- Security: 79 errors → 0, 60 warnings → 0
- Performance: 80 warnings → 77 (3 test script suppressions)
- Add proposal doc with noqa inventory and remaining findings recommendations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-14 22:56:56 +01:00
parent f84c5d903e
commit 1b8a40f1ff
75 changed files with 404 additions and 310 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
scripts/validate/base_validator.py
View File

@@ -66,13 +66,14 @@ class BaseValidator(ABC):
"site", # mkdocs build output
]
# Regex for noqa comments: # noqa, # noqa: RULE-001, # noqa: RULE-001, RULE-002
# Regex for noqa comments. Supports both ruff-compatible (SEC001) and
# human-readable (SEC-001) formats: # noqa: SEC001, # noqa: SEC001
_NOQA_PATTERN = re.compile(
r"#\s*noqa(?::\s*([A-Z]+-\d+(?:\s*,\s*[A-Z]+-\d+)*))?",
r"#\s*noqa(?::\s*([A-Z]+-?\d+(?:\s*,\s*[A-Z]+-?\d+)*))?",
)
# Same for HTML comments: <!-- noqa: RULE-001 -->
# Same for HTML comments: <!-- noqa: SEC015 -->
_NOQA_HTML_PATTERN = re.compile(
r"<!--\s*noqa(?::\s*([A-Z]+-\d+(?:\s*,\s*[A-Z]+-\d+)*))?\s*-->",
r"<!--\s*noqa(?::\s*([A-Z]+-?\d+(?:\s*,\s*[A-Z]+-?\d+)*))?\s*-->",
)
def __init__(
@@ -191,23 +192,32 @@ class BaseValidator(ABC):
path_str = str(file_path)
return any(pattern in path_str for pattern in self.IGNORE_PATTERNS)
@staticmethod
def _normalize_rule_id(code: str) -> str:
"""Normalize rule ID by removing dashes: SEC-001 → SEC001."""
return code.replace("-", "")
def _is_noqa_suppressed(self, line: str, rule_id: str) -> bool:
"""Check if a line has a noqa comment suppressing the given rule.
Supports:
Supports both ruff-compatible and human-readable formats:
- ``# noqa`` — suppresses all rules
- ``# noqa: SEC-001`` — suppresses specific rule
- ``# noqa: SEC-001, SEC-002`` — suppresses multiple rules
- ``<!-- noqa: SEC-015 -->`` — HTML comment variant
- ``# noqa: SEC001`` — ruff-compatible (preferred)
- ``# noqa: SEC001`` — human-readable (also accepted)
- ``<!-- noqa: SEC015 -->`` — HTML comment variant
"""
normalized_id = self._normalize_rule_id(rule_id)
for pattern in (self._NOQA_PATTERN, self._NOQA_HTML_PATTERN):
match = pattern.search(line)
if match:
rule_list = match.group(1)
if not rule_list:
return True # bare # noqa → suppress everything
suppressed = [r.strip() for r in rule_list.split(",")]
if rule_id in suppressed:
suppressed = [
self._normalize_rule_id(r.strip())
for r in rule_list.split(",")
]
if normalized_id in suppressed:
return True
return False

8
scripts/validate/validate_architecture.py
View File

@@ -1747,7 +1747,7 @@ class ArchitectureValidator:
line_number=i,
message="Raw number input found - use number_stepper macro for consistent styling",
context=stripped[:70],
suggestion="{% from 'shared/macros/inputs.html' import number_stepper %}\n{{ number_stepper(model='fieldName', min=1, max=100) }}\nOr add {# noqa: FE-008 #} if this is intentional (e.g., ID field)",
suggestion="{% from 'shared/macros/inputs.html' import number_stepper %}\n{{ number_stepper(model='fieldName', min=1, max=100) }}\nOr add {# noqa: FE008 #} if this is intentional (e.g., ID field)",
)
return # Only report once per file
@@ -2618,7 +2618,7 @@ class ArchitectureValidator:
continue
for i, line in enumerate(lines, 1):
if re.match(r"\s*except\s+Exception\s*(as\s+\w+)?\s*:", line):
if "noqa: EXC-003" in line or "noqa: exc-003" in line:
if "noqa: EXC003" in line or "noqa: EXC-003" in line:
continue
self._add_violation(
rule_id="EXC-003",
@@ -2628,7 +2628,7 @@ class ArchitectureValidator:
line_number=i,
message="Broad 'except Exception' catches too many error types",
context=line.strip(),
suggestion="Catch specific exceptions instead, or add '# noqa: EXC-003' to suppress",
suggestion="Catch specific exceptions instead, or add '# noqa: EXC003' to suppress",
)
# EXC-004: Check exception inheritance in exceptions module
@@ -4901,7 +4901,7 @@ class ArchitectureValidator:
match = exception_class_pattern.match(line)
if match:
# Check for noqa suppression
if "noqa: MOD-025" in line or "noqa: mod-025" in line:
if "noqa: MOD025" in line or "noqa: MOD-025" in line:
continue
exception_classes.append((match.group(1), exc_file, i))

4
scripts/validate/validate_audit.py
View File

@@ -196,7 +196,7 @@ class AuditValidator(BaseValidator):
r"logger\.\w+\(.*password\s*[=:]\s*['\"]?%", # password=%s
r"logger\.\w+\(.*password\s*[=:]\s*\{", # password={var}
r"logging\.\w+\(.*password\s*[=:]\s*['\"]?%", # password=%s
r"print\(.*password\s*=", # print(password=xxx) # noqa: SEC-021
r"print\(.*password\s*=", # print(password=xxx) # noqa: SEC021
r"logger.*credit.*card.*\d", # credit card with numbers
r"logger.*\bssn\b.*\d", # SSN with numbers
],
@@ -390,7 +390,7 @@ class AuditValidator(BaseValidator):
pyproject = self.project_root / "pyproject.toml"
if pyproject.exists():
content = pyproject.read_text()
if "http://" in content and "https://" not in content:
if "http://" in content and "https://" not in content: # noqa: SEC034
self.add_error(
"THIRD-VEND-001",
"Only HTTPS sources allowed for packages",

12
scripts/validate/validate_security.py
View File

@@ -357,9 +357,9 @@ class SecurityValidator(BaseValidator):
def _check_command_injection(self, file_path: Path, content: str, lines: list[str]):
"""SEC-012: Check for command injection vulnerabilities"""
patterns = [
(r"subprocess.*shell\s*=\s*True", "shell=True in subprocess"), # noqa: SEC-012
(r"os\.system\s*\(", "os.system()"), # noqa: SEC-012
(r"os\.popen\s*\(", "os.popen()"), # noqa: SEC-012
(r"subprocess.*shell\s*=\s*True", "shell=True in subprocess"), # noqa: SEC012
(r"os\.system\s*\(", "os.system()"), # noqa: SEC012
(r"os\.popen\s*\(", "os.popen()"), # noqa: SEC012
]
for i, line in enumerate(lines, 1):
@@ -514,7 +514,7 @@ class SecurityValidator(BaseValidator):
def _check_https_enforcement(self, file_path: Path, content: str, lines: list[str]):
"""SEC-034: Check for HTTP instead of HTTPS"""
for i, line in enumerate(lines, 1):
if re.search(r"http://(?!localhost|127\.0\.0\.1|0\.0\.0\.0|\$)", line):
if re.search(r"http://(?!localhost|127\.0\.0\.1|0\.0\.0\.0|\$)", line): # noqa: SEC034
if self._is_noqa_suppressed(line, "SEC-034") or "example.com" in line or "schemas" in line:
continue
if "http://www.w3.org" in line:
@@ -527,7 +527,7 @@ class SecurityValidator(BaseValidator):
line_number=i,
message="HTTP URL found - use HTTPS for security",
context=line.strip()[:80],
suggestion="Replace http:// with https://",
suggestion="Replace http:// with https://", # noqa: SEC034
)
def _check_timeout_configuration(self, file_path: Path, content: str, lines: list[str]):
@@ -648,7 +648,7 @@ class SecurityValidator(BaseValidator):
"""SEC-047: Check for disabled certificate verification"""
patterns = [
(r"verify\s*=\s*False", "SSL verification disabled"),
(r"CERT_NONE", "Certificate verification disabled"),
(r"CERT_NONE", "Certificate verification disabled"), # noqa: SEC047
(r"check_hostname\s*=\s*False", "Hostname verification disabled"),
]