sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6458ab13d74b82f05fea70360f2beecb60eaeb5e
orion/docs/proposals/validator-noqa-suppressions-and-remaining-findings.md
Samir Boulahtit 6458ab13d7 docs: update validator noqa proposal with current results 
Reflect resolved architecture warnings, performance warnings, and
current info-only findings (3127) from validate_all output.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 14:25:45 +01:00

5.2 KiB
Raw Blame History

Validator Noqa Suppressions & Remaining Findings

Date: 2026-02-14 Updated: 2026-02-16 Status: Implemented — noqa mechanism complete, errors and warnings resolved, info findings remain

What Was Done

Noqa Infrastructure

  1. Centralized _is_noqa_suppressed() in BaseValidator — supports both ruff-compatible (# noqa: SEC001) and human-readable (# noqa: SEC-001) formats via normalization
  2. Ruff external configexternal = ["SEC", "PERF", "MOD", "EXC"] in pyproject.toml prevents ruff from stripping our custom noqa comments
  3. Consistent noqa wiring — all check functions in validate_security.py (21 locations) and validate_performance.py (18 locations) now respect noqa
  4. site/ added to IGNORE_PATTERNS — excludes mkdocs build output from scanning

Follow-up Fixes (Since Initial Implementation)

  1. 4 architecture warnings resolved (3ec58c1) — fixed catalog→inventory cross-module imports
  2. 77 performance warnings resolved (1cb659e) — addressed all PERF-006 db.add() in loop warnings
  3. SEC-015 proposal written (0b701fb) — see fix-1600-sec015-xhtml-findings.md for plan to tune Alpine.js x-html false positives

Current Validator Results

Validator Files Errors Warnings Info
Architecture 607 0 0 0
Security 1323 0 0 1600
Performance 1195 0 0 1527
Audit 0 0 2 0

Total: 0 errors, 2 warnings, 3127 info

The 2 audit warnings are configuration recommendations (not code issues):

  • COMP-POL-001 — Pull request template recommended (.github/PULL_REQUEST_TEMPLATE.md)
  • THIRD-VULN-002 — Dependency scanning recommended (.github/dependabot.yml)

Noqa Inventory: 152 Suppressions in Python Files

Rule Count Where Verdict
SEC001 81 Test passwords/keys in test files, fixtures, seeds Permanent — test data will always have fake credentials
SEC034 26 HTTP URLs in test assertions, schema validators, seed scripts Permanenthttp:// strings in tests/validation logic are not security issues
SEC042 24 random.randint() in dummy order script (22) + store code collision handler (2) 22 permanent (dummy script), 2 fixablestore_sync_service.py could use secrets.token_hex()
SEC021 12 PII logging in seed scripts (8), password reset log messages (2), validator patterns (2) 10 permanent (scripts/validators), 2 reviewable — customer service log messages could be less specific
SEC012 3 Security validator flagging its own regex patterns Permanent — meta-false-positive
SEC011 2 TRUNCATE TABLE in conftest, DELETE FROM in test fixture Permanent — test cleanup SQL
SEC040 2 requests.get() without timeout in test script Fixable — add timeout=30
SEC047 1 Validator flagging its own CERT_NONE pattern Permanent — meta-false-positive
SEC041 1 SHA1 in Apple Wallet service Permanent — required by Apple Wallet spec
PERF040 2 Same test script HTTP requests Same as SEC040

~145 are permanent/correct suppressions, ~6 could be properly fixed.

The 6 Fixable Suppressions (Low Priority)

  1. app/modules/marketplace/services/letzshop/store_sync_service.py (2x SEC042) — replace random.randint() with secrets module
  2. app/modules/customers/services/customer_service.py + routes/api/storefront.py (2x SEC021) — make log messages less specific about "password"
  3. scripts/test_auth_complete.py (2x SEC040/PERF040) — add timeout=30 to requests calls

Remaining Info Findings (3127)

All errors and warnings (except 2 audit config recommendations) are resolved. What remains are info-level findings only.

Security Info (1600 SEC-015)

Rule Count What Status Effort
SEC-015 1600 x-html in Alpine.js templates Proposal written — see fix-1600-sec015-xhtml-findings.md Medium

Performance Info (1527)

Rule Count What Recommendation Effort
PERF-048 630 "Consider chunked processing" Leave as info
PERF-009 580 Loop updates Leave as info
PERF-067 145 <script> without defer/async Add defer to script tags — actual UX improvement Low
PERF-046 56 "Use generators" Leave as info
PERF-051 47 String concatenation Leave as info
PERF-003 47 Query limiting Leave as info (most have pagination)
PERF-058 22 Images without loading="lazy" Add loading="lazy" — actual UX improvement Low

Priority Order

  1. Tune SEC-015 to recognize Alpine.js patterns — eliminates 1600 noise findings at the source (proposal ready)
  2. Quick wins: add defer to scripts (PERF-067, 145 findings) and loading="lazy" to images (PERF-058, 22 findings)
  3. Fix the 6 fixable noqa — minor cleanup, do whenever touching those files
  4. Audit config: add PR template and dependabot config to eliminate 2 remaining warnings
Reference in New Issue View Git Blame Copy Permalink