[Audit] Burndown: 2026-07-11 full GovOPlaN security and quality report #4

Closed
opened 2026-07-11 16:14:03 +02:00 by zemion · 4 comments
Owner

Full audit baseline from /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1529.

Scanner Summary

  • Gitleaks: clean across scanned repositories.
  • OSV-Scanner: clean for govoplan, govoplan-core, and addideas-govoplan-website manifests scanned in this run.
  • npm audit: clean for govoplan-core WebUI release lockfile.
  • Bandit: 224 total findings; 12 high/medium non-test findings remain.
  • Ruff security rules: 143 findings, mostly overlapping with Bandit/test fixture noise.
  • Semgrep: 54 findings before the local fixes in this burndown batch.
  • Trivy: 1 Dockerfile misconfiguration before the local website fix.
  • Xenon: 53 complexity threshold findings.
  • jscpd: 377 duplicate blocks, 5,046 duplicated lines, 2.709% duplicated lines.

Fixed / Closed In This Batch

Open Child Issues

Next Reduction Order

  1. Re-run the audit after the local meta and website fixes are pushed/available to the audit container.
  2. Fix high-signal security issues: shell boundaries, URL policy, SQL/text helpers, dynamic imports.
  3. Narrow or document false positives in tests only after production findings are handled.
  4. Split duplication triage into child issues only where the duplicate code crosses ownership boundaries or causes real maintenance risk.
  5. Use SECURITY_AUDIT_FAIL_ON_FINDINGS=1 only after the baseline is intentionally clean or explicitly waived.
Full audit baseline from `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1529`. ## Scanner Summary - Gitleaks: clean across scanned repositories. - OSV-Scanner: clean for `govoplan`, `govoplan-core`, and `addideas-govoplan-website` manifests scanned in this run. - npm audit: clean for `govoplan-core` WebUI release lockfile. - Bandit: 224 total findings; 12 high/medium non-test findings remain. - Ruff security rules: 143 findings, mostly overlapping with Bandit/test fixture noise. - Semgrep: 54 findings before the local fixes in this burndown batch. - Trivy: 1 Dockerfile misconfiguration before the local website fix. - Xenon: 53 complexity threshold findings. - jscpd: 377 duplicate blocks, 5,046 duplicated lines, 2.709% duplicated lines. ## Fixed / Closed In This Batch - add-ideas/govoplan#2: workflow action references pinned to immutable SHAs. - add-ideas/addideas-govoplan-website#7: website nginx container/header findings fixed locally. - add-ideas/govoplan-core#244: OSV audit-toolbox dependency finding is clean in the new report. - add-ideas/govoplan-core#241 and #238: closed as superseded by meta-owned issues after the script move. ## Open Child Issues - add-ideas/govoplan#1: meta release/Gitea command and URL trust boundaries. - add-ideas/govoplan#3: jscpd duplicate-code baseline triage. - add-ideas/govoplan-core#232: module installer shell hook trust boundary. - add-ideas/govoplan-core#239: core outbound URL policy. - add-ideas/govoplan-core#240: dynamic SQL/text safe identifier review. - add-ideas/govoplan-core#242: dynamic module import trust boundary. - add-ideas/govoplan-core#245: core complexity refactor. - add-ideas/govoplan-calendar#8 and #13: calendar URL policy and complexity. - add-ideas/govoplan-files#27 and #28: SMB connector container/root and files complexity. - add-ideas/govoplan-mail#11 and #12: mail SQL/regex and mail complexity. - add-ideas/govoplan-campaign#53 and #54: campaign WebUI security patterns and complexity. - add-ideas/govoplan-access#13, govoplan-admin#5, govoplan-audit#6, govoplan-docs#18, govoplan-idm#4, govoplan-policy#7, govoplan-tenancy#4: complexity issues from Xenon. ## Next Reduction Order 1. Re-run the audit after the local meta and website fixes are pushed/available to the audit container. 2. Fix high-signal security issues: shell boundaries, URL policy, SQL/text helpers, dynamic imports. 3. Narrow or document false positives in tests only after production findings are handled. 4. Split duplication triage into child issues only where the duplicate code crosses ownership boundaries or causes real maintenance risk. 5. Use `SECURITY_AUDIT_FAIL_ON_FINDINGS=1` only after the baseline is intentionally clean or explicitly waived.
Author
Owner

Codex State: progress

Summary

Security burn-down batch completed locally:

  • Closed govoplan#1: meta release/Gitea tooling shell and URL trust boundaries fixed.
  • Closed govoplan-core#232: module installer shell hook execution replaced with argv execution and shell syntax rejection.
  • Closed govoplan-core#239: core outbound URL policy hardened.
  • Closed govoplan-core#240: dynamic SQL identifier paths guarded and narrowly documented.
  • Closed govoplan-calendar#8: calendar/CalDAV outbound URL policy hardened.
  • Closed govoplan-mail#11: mail dynamic SQL and wildcard regex findings fixed.
  • Closed govoplan-campaign#53: campaign dynamic regex/prototype-pollution findings fixed.
  • Left govoplan-files#27 open: SMB dev container needs a deliberate non-root testbed redesign or narrow documented exception.

Verification

  • Python compile checks passed for touched meta/core/calendar/mail files.
  • npm run test:mail-ui passed.
  • npm run test:import-utils passed.
  • npm run test:template-preview passed.
  • Full Python unit tests were attempted but blocked in this shell by missing cryptography / defusedxml dependencies.

Remaining Security Work

  • govoplan-core#242: dynamic module import trust boundary remains open.
  • govoplan-files#27: SMB dev container root behavior remains open.
  • Complexity/duplication issues remain separate from this security burn-down.
## Codex State: progress ### Summary Security burn-down batch completed locally: - Closed `govoplan#1`: meta release/Gitea tooling shell and URL trust boundaries fixed. - Closed `govoplan-core#232`: module installer shell hook execution replaced with argv execution and shell syntax rejection. - Closed `govoplan-core#239`: core outbound URL policy hardened. - Closed `govoplan-core#240`: dynamic SQL identifier paths guarded and narrowly documented. - Closed `govoplan-calendar#8`: calendar/CalDAV outbound URL policy hardened. - Closed `govoplan-mail#11`: mail dynamic SQL and wildcard regex findings fixed. - Closed `govoplan-campaign#53`: campaign dynamic regex/prototype-pollution findings fixed. - Left `govoplan-files#27` open: SMB dev container needs a deliberate non-root testbed redesign or narrow documented exception. ### Verification - Python compile checks passed for touched meta/core/calendar/mail files. - `npm run test:mail-ui` passed. - `npm run test:import-utils` passed. - `npm run test:template-preview` passed. - Full Python unit tests were attempted but blocked in this shell by missing `cryptography` / `defusedxml` dependencies. ### Remaining Security Work - `govoplan-core#242`: dynamic module import trust boundary remains open. - `govoplan-files#27`: SMB dev container root behavior remains open. - Complexity/duplication issues remain separate from this security burn-down.
Author
Owner

Security burn-down update: govoplan-core#242 is implemented and closed locally/Gitea pending push. govoplan-files#27 has a non-root SMB dev-container attempt implemented locally, but remains open until Docker runtime validation confirms Samba works under the non-root image.

Security burn-down update: `govoplan-core#242` is implemented and closed locally/Gitea pending push. `govoplan-files#27` has a non-root SMB dev-container attempt implemented locally, but remains open until Docker runtime validation confirms Samba works under the non-root image.
Author
Owner

Security burn-down update: govoplan-files#27 runtime validation passed on the Docker host and the issue is now closed pending push. The SMB dev container runs as non-root and the signed authenticated SMB connector smoke passed.

Security burn-down update: `govoplan-files#27` runtime validation passed on the Docker host and the issue is now closed pending push. The SMB dev container runs as non-root and the signed authenticated SMB connector smoke passed.
Author
Owner

Closing after the first security burn-down batch was implemented, validated, and pushed.

Pushed fixes:

  • govoplan audit tooling / release helper hardening
  • govoplan-calendar CalDAV sync hardening
  • govoplan-campaign import/path handling hardening
  • govoplan-core module install/import trust-boundary hardening
  • govoplan-files non-root SMB dev connector
  • govoplan-mail mail profile validation hardening

Validation:

  • Latest full report: audit-reports/govoplan-full-20260711-1857
  • mode=full, scope=govoplan, repositories scanned: 63
  • Unsuppressed Semgrep findings: 0
  • Gitleaks findings: 0
  • Trivy findings: 0
  • npm audit vulnerabilities: 0
  • OSV vulnerabilities: 0

Remaining Bandit/Ruff/Xenon/jscpd baseline quality findings are better tracked as follow-up issue groups rather than keeping this initial burn-down tracker open.

Closing after the first security burn-down batch was implemented, validated, and pushed. Pushed fixes: - `govoplan` audit tooling / release helper hardening - `govoplan-calendar` CalDAV sync hardening - `govoplan-campaign` import/path handling hardening - `govoplan-core` module install/import trust-boundary hardening - `govoplan-files` non-root SMB dev connector - `govoplan-mail` mail profile validation hardening Validation: - Latest full report: `audit-reports/govoplan-full-20260711-1857` - `mode=full`, `scope=govoplan`, repositories scanned: `63` - Unsuppressed Semgrep findings: `0` - Gitleaks findings: `0` - Trivy findings: `0` - npm audit vulnerabilities: `0` - OSV vulnerabilities: `0` Remaining Bandit/Ruff/Xenon/jscpd baseline quality findings are better tracked as follow-up issue groups rather than keeping this initial burn-down tracker open.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan#4
No description provided.