[Security] Fix audit report capture and duplicate-scan noise #243

Closed
opened 2026-07-11 12:51:12 +02:00 by zemion · 1 comment
Owner

The first full audit showed two tooling issues: Xenon wrote threshold failures to stderr while xenon.txt captured only stdout, and jscpd spent most of its report on .git, lockfiles, generated translations, and label JSON.

Classification: immediate local fix.

Report evidence:

  • scripts/check-security-audit.sh Xenon capture.
  • scripts/check-security-audit.sh jscpd ignore list.
  • Attached Xenon output listed D/E/F-ranked functions while xenon.txt was empty.

Suggested next steps:

  • Capture Xenon stderr into xenon.txt.
  • Ignore .git, lockfiles, generated translations, generated label JSON, build output, and audit reports in jscpd.
  • Re-run full audit to produce cleaner complexity/duplication reports.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

<!-- codex-audit-full-2026-07-11:core-audit-toolchain-reporting --> The first full audit showed two tooling issues: Xenon wrote threshold failures to stderr while `xenon.txt` captured only stdout, and jscpd spent most of its report on `.git`, lockfiles, generated translations, and label JSON. Classification: **immediate local fix**. Report evidence: - `scripts/check-security-audit.sh` Xenon capture. - `scripts/check-security-audit.sh` jscpd ignore list. - Attached Xenon output listed D/E/F-ranked functions while `xenon.txt` was empty. Suggested next steps: - Capture Xenon stderr into `xenon.txt`. - Ignore `.git`, lockfiles, generated translations, generated label JSON, build output, and audit reports in jscpd. - Re-run full audit to produce cleaner complexity/duplication reports. Baseline report directory: `audit-reports/govoplan-full-20260711-1238`
zemion added the
type
bug
priority
p2
status
ready
module/core
codex/ready
labels 2026-07-11 12:51:12 +02:00
Author
Owner

Codex state update: Implemented locally: Xenon output is now captured with stderr, and jscpd ignores VCS/generated/build/report artifacts. Verified with bash -n scripts/check-security-audit.sh tools/security-audit/run.sh.

Codex state update: Implemented locally: Xenon output is now captured with stderr, and jscpd ignores VCS/generated/build/report artifacts. Verified with `bash -n scripts/check-security-audit.sh tools/security-audit/run.sh`.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#243
No description provided.