sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
orion/docs/proposals/validator-noqa-suppressions-and-remaining-findings.md
Samir Boulahtit eaab47f2f8 fix: eliminate all 1600 SEC-015 security info findings 
Add safe-pattern exceptions to the x-html check in validate_security.py
for $icon(), $store methods, and window.icons lookups. Suppress remaining
8 legitimate x-html uses (admin-authored content, app-controlled JS) with
noqa comments. Security validator now reports 0 errors, 0 warnings, 0 info.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 18:02:59 +01:00

4.9 KiB
Raw Permalink Blame History

Validator Noqa Suppressions & Remaining Findings

Date: 2026-02-14 Updated: 2026-02-16 Status: Implemented — noqa mechanism complete, all security findings resolved, performance info remains

What Was Done

Noqa Infrastructure

  1. Centralized _is_noqa_suppressed() in BaseValidator — supports both ruff-compatible (# noqa: SEC001) and human-readable (# noqa: SEC-001) formats via normalization
  2. Ruff external configexternal = ["SEC", "PERF", "MOD", "EXC"] in pyproject.toml prevents ruff from stripping our custom noqa comments
  3. Consistent noqa wiring — all check functions in validate_security.py (21 locations) and validate_performance.py (18 locations) now respect noqa
  4. site/ added to IGNORE_PATTERNS — excludes mkdocs build output from scanning

Follow-up Fixes (Since Initial Implementation)

  1. 4 architecture warnings resolved (3ec58c1) — fixed catalog→inventory cross-module imports
  2. 77 performance warnings resolved (1cb659e) — addressed all PERF-006 db.add() in loop warnings
  3. SEC-015 proposal written (0b701fb) — see fix-1600-sec015-xhtml-findings.md for plan to tune Alpine.js x-html false positives

Current Validator Results

Validator Files Errors Warnings Info
Architecture 607 0 0 0
Security 1323 0 0 0
Performance 1195 0 0 1527
Audit 0 0 2 0

Total: 0 errors, 2 warnings, 1527 info

The 2 audit warnings are configuration recommendations (not code issues):

  • COMP-POL-001 — Pull request template recommended (.github/PULL_REQUEST_TEMPLATE.md)
  • THIRD-VULN-002 — Dependency scanning recommended (.github/dependabot.yml)

Noqa Inventory: 152 Suppressions in Python Files

Rule Count Where Verdict
SEC001 81 Test passwords/keys in test files, fixtures, seeds Permanent — test data will always have fake credentials
SEC034 26 HTTP URLs in test assertions, schema validators, seed scripts Permanenthttp:// strings in tests/validation logic are not security issues
SEC042 24 random.randint() in dummy order script (22) + store code collision handler (2) 22 permanent (dummy script), 2 fixablestore_sync_service.py could use secrets.token_hex()
SEC021 12 PII logging in seed scripts (8), password reset log messages (2), validator patterns (2) 10 permanent (scripts/validators), 2 reviewable — customer service log messages could be less specific
SEC012 3 Security validator flagging its own regex patterns Permanent — meta-false-positive
SEC011 2 TRUNCATE TABLE in conftest, DELETE FROM in test fixture Permanent — test cleanup SQL
SEC040 2 requests.get() without timeout in test script Fixable — add timeout=30
SEC047 1 Validator flagging its own CERT_NONE pattern Permanent — meta-false-positive
SEC041 1 SHA1 in Apple Wallet service Permanent — required by Apple Wallet spec
PERF040 2 Same test script HTTP requests Same as SEC040

~145 are permanent/correct suppressions, ~6 could be properly fixed.

The 6 Fixable Suppressions (Low Priority)

  1. app/modules/marketplace/services/letzshop/store_sync_service.py (2x SEC042) — replace random.randint() with secrets module
  2. app/modules/customers/services/customer_service.py + routes/api/storefront.py (2x SEC021) — make log messages less specific about "password"
  3. scripts/test_auth_complete.py (2x SEC040/PERF040) — add timeout=30 to requests calls

Remaining Info Findings (1527)

All errors resolved. All security findings resolved (SEC-015 fix implemented — see fix-1600-sec015-xhtml-findings.md). What remains are performance info and 2 audit config warnings.

Performance Info (1527)

Rule Count What Recommendation Effort
PERF-048 630 "Consider chunked processing" Leave as info
PERF-009 580 Loop updates Leave as info
PERF-067 145 <script> without defer/async Add defer to script tags — actual UX improvement Low
PERF-046 56 "Use generators" Leave as info
PERF-051 47 String concatenation Leave as info
PERF-003 47 Query limiting Leave as info (most have pagination)
PERF-058 22 Images without loading="lazy" Add loading="lazy" — actual UX improvement Low

Priority Order

  1. Quick wins: add defer to scripts (PERF-067, 145 findings) and loading="lazy" to images (PERF-058, 22 findings)
  2. Fix the 6 fixable noqa — minor cleanup, do whenever touching those files
  3. Audit config: add PR template and dependabot config to eliminate 2 remaining warnings
Reference in New Issue View Git Blame Copy Permalink