docs: update validator noqa proposal with current results
Reflect resolved architecture warnings, performance warnings, and current info-only findings (3127) from validate_all output. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,7 +1,8 @@
|
||||
# Validator Noqa Suppressions & Remaining Findings
|
||||
|
||||
**Date:** 2026-02-14
|
||||
**Status:** Implemented (noqa mechanism + initial suppressions)
|
||||
**Updated:** 2026-02-16
|
||||
**Status:** Implemented — noqa mechanism complete, errors and warnings resolved, info findings remain
|
||||
|
||||
## What Was Done
|
||||
|
||||
@@ -12,15 +13,27 @@
|
||||
3. **Consistent noqa wiring** — all check functions in `validate_security.py` (21 locations) and `validate_performance.py` (18 locations) now respect noqa
|
||||
4. **`site/` added to `IGNORE_PATTERNS`** — excludes mkdocs build output from scanning
|
||||
|
||||
### Validator Results After Suppressions
|
||||
### Follow-up Fixes (Since Initial Implementation)
|
||||
|
||||
| Validator | Errors | Warnings | Info |
|
||||
|-----------|--------|----------|------|
|
||||
| Architecture | 0 | 4 | 0 |
|
||||
| Security | 0 | 0 | 1600 |
|
||||
| Performance | 0 | 77 | 1530 |
|
||||
| Audit | 0 | 0 | 0 |
|
||||
| Ruff | 0 | 0 | — |
|
||||
5. **4 architecture warnings resolved** (`3ec58c1`) — fixed catalog→inventory cross-module imports
|
||||
6. **77 performance warnings resolved** (`1cb659e`) — addressed all PERF-006 `db.add()` in loop warnings
|
||||
7. **SEC-015 proposal written** (`0b701fb`) — see `fix-1600-sec015-xhtml-findings.md` for plan to tune Alpine.js `x-html` false positives
|
||||
|
||||
### Current Validator Results
|
||||
|
||||
| Validator | Files | Errors | Warnings | Info |
|
||||
|-----------|-------|--------|----------|------|
|
||||
| Architecture | 607 | 0 | 0 | 0 |
|
||||
| Security | 1323 | 0 | 0 | 1600 |
|
||||
| Performance | 1195 | 0 | 0 | 1527 |
|
||||
| Audit | 0 | 0 | 2 | 0 |
|
||||
|
||||
**Total: 0 errors, 2 warnings, 3127 info**
|
||||
|
||||
The 2 audit warnings are configuration recommendations (not code issues):
|
||||
|
||||
- `COMP-POL-001` — Pull request template recommended (`.github/PULL_REQUEST_TEMPLATE.md`)
|
||||
- `THIRD-VULN-002` — Dependency scanning recommended (`.github/dependabot.yml`)
|
||||
|
||||
---
|
||||
|
||||
@@ -49,33 +62,31 @@
|
||||
|
||||
---
|
||||
|
||||
## Remaining Findings & Recommendations
|
||||
## Remaining Info Findings (3127)
|
||||
|
||||
### Performance Warnings (77 PERF-006)
|
||||
All errors and warnings (except 2 audit config recommendations) are resolved. What remains are **info-level** findings only.
|
||||
|
||||
These flag `db.add()` inside loops and suggest `db.add_all()`.
|
||||
### Security Info (1600 SEC-015)
|
||||
|
||||
- **~50 in tests/fixtures/seeds** — Leave alone. Performance is irrelevant in test setup.
|
||||
- **~25 in production services** — Most have conditional logic inside the loop preventing simple `add_all()`. Useful as a backlog for anyone optimizing a specific service.
|
||||
| Rule | Count | What | Status | Effort |
|
||||
|------|-------|------|--------|--------|
|
||||
| **SEC-015** | 1600 | `x-html` in Alpine.js templates | **Proposal written** — see `fix-1600-sec015-xhtml-findings.md` | Medium |
|
||||
|
||||
**Recommendation: Leave as warnings. They serve as a useful improvement backlog.**
|
||||
|
||||
### Info Findings (1600 SEC-015 + 1530 PERF)
|
||||
### Performance Info (1527)
|
||||
|
||||
| Rule | Count | What | Recommendation | Effort |
|
||||
|------|-------|------|----------------|--------|
|
||||
| **SEC-015** | 1600 | `x-html` in Alpine.js templates | **Tune the rule** — add exception for Alpine.js `x-html` with server-rendered content | Medium |
|
||||
| **PERF-048** | 633 | "Consider chunked processing" | Leave as info | — |
|
||||
| **PERF-009** | 583 | Loop updates | Leave as info | — |
|
||||
| **PERF-048** | 630 | "Consider chunked processing" | Leave as info | — |
|
||||
| **PERF-009** | 580 | Loop updates | Leave as info | — |
|
||||
| **PERF-067** | 145 | `<script>` without `defer`/`async` | **Add `defer` to script tags** — actual UX improvement | Low |
|
||||
| **PERF-046** | 55 | "Use generators" | Leave as info | — |
|
||||
| **PERF-046** | 56 | "Use generators" | Leave as info | — |
|
||||
| **PERF-051** | 47 | String concatenation | Leave as info | — |
|
||||
| **PERF-003** | 46 | Query limiting | Leave as info (most have pagination) | — |
|
||||
| **PERF-003** | 47 | Query limiting | Leave as info (most have pagination) | — |
|
||||
| **PERF-058** | 22 | Images without `loading="lazy"` | **Add `loading="lazy"`** — actual UX improvement | Low |
|
||||
|
||||
### Priority Order
|
||||
|
||||
1. **Do nothing more now** — validators are clean where it matters (0 errors, 0 security warnings)
|
||||
2. **Quick wins when convenient**: add `defer` to scripts (PERF-067) and `loading="lazy"` to images (PERF-058)
|
||||
3. **Tune SEC-015** to recognize Alpine.js patterns — eliminates 1600 noise findings at the source
|
||||
4. **Fix the 6 fixable noqa** — minor cleanup, do whenever touching those files
|
||||
1. **Tune SEC-015** to recognize Alpine.js patterns — eliminates 1600 noise findings at the source (proposal ready)
|
||||
2. **Quick wins**: add `defer` to scripts (PERF-067, 145 findings) and `loading="lazy"` to images (PERF-058, 22 findings)
|
||||
3. **Fix the 6 fixable noqa** — minor cleanup, do whenever touching those files
|
||||
4. **Audit config**: add PR template and dependabot config to eliminate 2 remaining warnings
|
||||
|
||||
Reference in New Issue
Block a user