sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
orion/docs/proposals/validator-noqa-suppressions-and-remaining-findings.md
Samir Boulahtit eaab47f2f8 fix: eliminate all 1600 SEC-015 security info findings 
Add safe-pattern exceptions to the x-html check in validate_security.py
for $icon(), $store methods, and window.icons lookups. Suppress remaining
8 legitimate x-html uses (admin-authored content, app-controlled JS) with
noqa comments. Security validator now reports 0 errors, 0 warnings, 0 info.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 18:02:59 +01:00

86 lines
4.9 KiB
Markdown
Raw Permalink Blame History

# Validator Noqa Suppressions & Remaining Findings
**Date:** 2026-02-14
**Updated:** 2026-02-16
**Status:** Implemented — noqa mechanism complete, all security findings resolved, performance info remains
## What Was Done
### Noqa Infrastructure
1. **Centralized `_is_noqa_suppressed()` in `BaseValidator`** — supports both ruff-compatible (`# noqa: SEC001`) and human-readable (`# noqa: SEC-001`) formats via normalization
2. **Ruff `external` config**`external = ["SEC", "PERF", "MOD", "EXC"]` in `pyproject.toml` prevents ruff from stripping our custom noqa comments
3. **Consistent noqa wiring** — all check functions in `validate_security.py` (21 locations) and `validate_performance.py` (18 locations) now respect noqa
4. **`site/` added to `IGNORE_PATTERNS`** — excludes mkdocs build output from scanning
### Follow-up Fixes (Since Initial Implementation)
5. **4 architecture warnings resolved** (`3ec58c1`) — fixed catalog→inventory cross-module imports
6. **77 performance warnings resolved** (`1cb659e`) — addressed all PERF-006 `db.add()` in loop warnings
7. **SEC-015 proposal written** (`0b701fb`) — see `fix-1600-sec015-xhtml-findings.md` for plan to tune Alpine.js `x-html` false positives
### Current Validator Results
| Validator | Files | Errors | Warnings | Info |
|-----------|-------|--------|----------|------|
| Architecture | 607 | 0 | 0 | 0 |
| Security | 1323 | 0 | 0 | 0 |
| Performance | 1195 | 0 | 0 | 1527 |
| Audit | 0 | 0 | 2 | 0 |
**Total: 0 errors, 2 warnings, 1527 info**
The 2 audit warnings are configuration recommendations (not code issues):
- `COMP-POL-001` — Pull request template recommended (`.github/PULL_REQUEST_TEMPLATE.md`)
- `THIRD-VULN-002` — Dependency scanning recommended (`.github/dependabot.yml`)
---
## Noqa Inventory: 152 Suppressions in Python Files
| Rule | Count | Where | Verdict |
|------|-------|-------|---------|
| **SEC001** | 81 | Test passwords/keys in test files, fixtures, seeds | **Permanent** — test data will always have fake credentials |
| **SEC034** | 26 | HTTP URLs in test assertions, schema validators, seed scripts | **Permanent**`http://` strings in tests/validation logic are not security issues |
| **SEC042** | 24 | `random.randint()` in dummy order script (22) + store code collision handler (2) | **22 permanent** (dummy script), **2 fixable**`store_sync_service.py` could use `secrets.token_hex()` |
| **SEC021** | 12 | PII logging in seed scripts (8), password reset log messages (2), validator patterns (2) | **10 permanent** (scripts/validators), **2 reviewable** — customer service log messages could be less specific |
| **SEC012** | 3 | Security validator flagging its own regex patterns | **Permanent** — meta-false-positive |
| **SEC011** | 2 | `TRUNCATE TABLE` in conftest, `DELETE FROM` in test fixture | **Permanent** — test cleanup SQL |
| **SEC040** | 2 | `requests.get()` without timeout in test script | **Fixable** — add `timeout=30` |
| **SEC047** | 1 | Validator flagging its own `CERT_NONE` pattern | **Permanent** — meta-false-positive |
| **SEC041** | 1 | SHA1 in Apple Wallet service | **Permanent** — required by Apple Wallet spec |
| **PERF040** | 2 | Same test script HTTP requests | Same as SEC040 |
**~145 are permanent/correct suppressions, ~6 could be properly fixed.**
### The 6 Fixable Suppressions (Low Priority)
1. `app/modules/marketplace/services/letzshop/store_sync_service.py` (2x SEC042) — replace `random.randint()` with `secrets` module
2. `app/modules/customers/services/customer_service.py` + `routes/api/storefront.py` (2x SEC021) — make log messages less specific about "password"
3. `scripts/test_auth_complete.py` (2x SEC040/PERF040) — add `timeout=30` to requests calls
---
## Remaining Info Findings (1527)
All errors resolved. All security findings resolved (SEC-015 fix implemented — see `fix-1600-sec015-xhtml-findings.md`). What remains are **performance info** and 2 audit config warnings.
### Performance Info (1527)
| Rule | Count | What | Recommendation | Effort |
|------|-------|------|----------------|--------|
| **PERF-048** | 630 | "Consider chunked processing" | Leave as info | — |
| **PERF-009** | 580 | Loop updates | Leave as info | — |
| **PERF-067** | 145 | `<script>` without `defer`/`async` | **Add `defer` to script tags** — actual UX improvement | Low |
| **PERF-046** | 56 | "Use generators" | Leave as info | — |
| **PERF-051** | 47 | String concatenation | Leave as info | — |
| **PERF-003** | 47 | Query limiting | Leave as info (most have pagination) | — |
| **PERF-058** | 22 | Images without `loading="lazy"` | **Add `loading="lazy"`** — actual UX improvement | Low |
### Priority Order
1. **Quick wins**: add `defer` to scripts (PERF-067, 145 findings) and `loading="lazy"` to images (PERF-058, 22 findings)
2. **Fix the 6 fixable noqa** — minor cleanup, do whenever touching those files
3. **Audit config**: add PR template and dependabot config to eliminate 2 remaining warnings
Reference in New Issue View Git Blame Copy Permalink