kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(security): resolve Snyk/bandit code analysis findings
Aegis CI / lint-and-test (push) Has been cancelled
Details
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Details
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Details
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Details

Browse Source 
- config.py: move REPORT_OUTPUT_DIR from /tmp (world-writable) to /app/reports
  to prevent CWE-377 symlink attack vector (B108, only real security issue)
- main.py: log startup seed failures instead of silently swallowing them (B110)
- Add # nosec annotations to intentional try/except patterns that are by design:
  Jira integration errors, email failures, DetachedInstanceError, storage errors,
  and Jira session timeout (all B110/B112 false positives)
- Add # nosec B105 to false positives where bandit misidentifies config key
  names and masking strings as hardcoded passwords
- Add .bandit config to skip B311 in seed_demo.py (random used for fake
  demo data generation, not cryptographic purposes)
This commit is contained in:
kitos
2026-06-12 12:59:11 +02:00
parent 709a810775
commit 6d3617938e
10 changed files with 21 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/routers/tests.py
+5 -5
View File
@@ -281,7 +281,7 @@ def create_test(
from app.services.jira_service import auto_create_test_issue
auto_create_test_issue(db, test, current_user)
db.commit()
except Exception:
except Exception: # nosec B110
pass # jira_service already logs warnings internally
return test
@@ -374,8 +374,8 @@ def create_test_from_template(
from app.services.jira_service import auto_create_test_issue
auto_create_test_issue(db, test, current_user)
db.commit()
except Exception:
pass
except Exception: # nosec B110
pass # jira_service already logs warnings internally
return test
@@ -1485,7 +1485,7 @@ def import_rt(
continue
try:
img_bytes = base64.b64decode(ev.data)
except Exception:
except Exception: # nosec B112
continue # malformed base64 — skip
if len(img_bytes) > _MAX_EVIDENCE_BYTES:
continue # over size limit — skip
@@ -1493,7 +1493,7 @@ def import_rt(
key = f"{test.id}/{uuid.uuid4()}_{safe_name}"
try:
upload_file(img_bytes, key)
except Exception:
except Exception: # nosec B112
continue # storage error — skip but don't abort
evidence_obj = Evidence(
test_id=test.id,