fix: resolve 47 code scanning alerts #102

Merged
imran-siddique merged 1 commit into main from fix/code-scanning-v1.1
Mar 8, 2026

@imran-siddique
Member

Summary

Addresses all actionable code scanning alerts from CodeQL and OpenSSF Scorecard.

CodeQL Fixes (12 alerts)

  • py/incomplete-url-substring-sanitization (2 alerts): Use urlparse for proper domain validation instead of substring check
  • py/clear-text-logging-sensitive-data (10 alerts): Rewrote _redact() in 4 example files to use SHA-256 hash-based identifiers, breaking the taint chain

OpenSSF Scorecard Fixes (35+ alerts)

  • CI workflows (8 alerts): Pinned pip packages to version ranges in ci.yml, publish.yml, policy-validation.yml
  • Dockerfiles (20+ alerts): Added upper-bound version constraints to all requirements.txt files consumed by Dockerfiles
  • Shell scripts (4 alerts): Pinned package versions in quickstart.sh, build_and_publish.sh, gh-agent-os, run-demo.sh

Not Fixable via Code (6 alerts)

  • BranchProtectionID, CIIBestPracticesID, CodeReviewID, FuzzingID, MaintainedID, SASTID - repo-level settings requiring admin configuration

Testing

  • All 28 integrity/verify tests pass
  • Full suite: 2,762 passed, 43 skipped, 1 pre-existing failure (unrelated test_layer4_intelligence.py)

32 files changed across packages.
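
The difference between a substring check and a `urlparse`-based host check, the change named in the first CodeQL bullet above, as an added example. This is not code from the PR; the allow-list, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example; not taken from the PR.
ALLOWED_DOMAINS = ("example.com",)


def substring_check(url: str) -> bool:
    """The flagged pattern: passes if the domain text appears anywhere in the URL."""
    return any(domain in url for domain in ALLOWED_DOMAINS)


def host_check(url: str) -> bool:
    """Parse first, then compare the host itself against the allow-list."""
    try:
        parsed = urlparse(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").rstrip(".")
    # Exact match, or a true subdomain (note the leading dot).
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


# Constructed sample URLs on reserved example/test domains.
SAMPLES = [
    "https://example.com/docs",
    "https://api.example.com/v1",
    "https://example.com.other.test/docs",
    "https://other.test/?ref=example.com",
    "https://example.community.test/",
]


def compare(urls=SAMPLES):
    """Return (url, substring_result, host_result) for each sample."""
    return [(u, substring_check(u), host_check(u)) for u in urls]


if __name__ == "__main__":
    for url, loose, strict in compare():
        print(f"{url:40} substring={loose!s:5} urlparse={strict}")
```

The substring check accepts all five samples; the host check accepts only the first two.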

…ing, dependency pinning

- Fix py/incomplete-url-substring-sanitization (2 alerts): Use urlparse for
  proper domain validation instead of substring check in test assertions
- Fix py/clear-text-logging-sensitive-data (10 alerts): Replace _redact()
  with hash-based redaction using SHA-256 digests to break taint chain while
  preserving correlation capability across 4 example files
- Fix PinnedDependenciesID in CI workflows (8 alerts): Pin ruff, pytest,
  pytest-asyncio, safety, build, pyyaml to version ranges in ci.yml,
  publish.yml, and policy-validation.yml
- Fix PinnedDependenciesID in Dockerfiles (20+ alerts): Add upper-bound
  version constraints to all requirements.txt files used by Dockerfiles
- Fix PinnedDependenciesID in shell scripts (4 alerts): Pin package versions
  in quickstart.sh, build_and_publish.sh, gh-agent-os, run-demo.sh

32 files changed, 47 alerts addressed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
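
Hash-based redaction that keeps log lines correlatable, as described in the commit message above, shown as an added example. It is not the project's `_redact()`; the function names, logger name and sample token are hypothetical. The keyed variant goes beyond what the page states and is included because a plain SHA-256 of a short or guessable value can be recovered by hashing candidate values.

```python
import hashlib
import hmac
import logging


def redact(value: str, length: int = 12) -> str:
    """Stable identifier derived from SHA-256; the raw value never reaches the log."""
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()
    return f"sha256:{digest[:length]}"


def redact_keyed(value: str, key: bytes, length: int = 12) -> str:
    """Assumed hardening: HMAC-SHA256 with a secret key resists offline guessing."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"hmac-sha256:{mac[:length]}"


class ListHandler(logging.Handler):
    """Collects formatted messages in memory so the output can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def demo_log_lines():
    """Log two events for one constructed token; return the token and the lines."""
    log = logging.getLogger("redaction-demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = ListHandler()
    log.addHandler(handler)
    token = "tok_constructed_0123456789"  # constructed sample secret
    log.info("session opened for token %s", redact(token))
    log.info("session closed for token %s", redact(token))
    log.removeHandler(handler)
    return token, handler.lines


if __name__ == "__main__":
    for line in demo_log_lines()[1]:
        print(line)
```
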
@imran-siddique imran-siddique merged commit fb230bb into main Mar 8, 2026
22 of 25 checks passed
@imran-siddique imran-siddique deleted the fix/code-scanning-v1.1 branch March 8, 2026 18:21
@github-actions github-actions bot added the dependencies (Pull requests that update a dependency file), tests, agent-mesh (agent-mesh package), agent-hypervisor (agent-hypervisor package), agent-sre (agent-sre package) and ci/cd (CI/CD and workflows) labels Mar 8, 2026
@github-actions

github-actions bot commented Mar 8, 2026

Dependency Review

The following issues were found:
  • ❌ 2 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 43 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

packages/agent-os/modules/caas/requirements.txt

| Name | Version | Vulnerability | Severity |
|---|---|---|---|
| pypdf | >= 4.0.0,< 5.0.0 | PyPDF's Manipulated FlateDecode streams can exhaust RAM | moderate |
| | | pypdf possibly loops infinitely when reading DCT inline images without EOF marker | moderate |
| | | pypdf can exhaust RAM via manipulated LZWDecode streams | moderate |
| | | pypdf's LZWDecode streams be manipulated to exhaust RAM | moderate |
| | | pypdf has possible Infinite Loop when processing outlines/bookmarks | moderate |
| | | pypdf has a possible infinite loop when processing TreeObject | moderate |
| | | pypdf has possible long runtimes/large memory usage for large /ToUnicode streams | moderate |
| | | pypdf possibly has long runtimes for malformed FlateDecode streams | moderate |
| | | pypdf: Manipulated FlateDecode XFA streams can exhaust RAM | moderate |
| | | pypdf: Manipulated RunLengthDecode streams can exhaust RAM | moderate |
| | | pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams | moderate |

packages/agent-os/services/cloud-board/requirements.txt

| Name | Version | Vulnerability | Severity |
|---|---|---|---|
| pypdf | >= 4.0.0,< 5.0.0 | PyPDF's Manipulated FlateDecode streams can exhaust RAM | moderate |
| | | pypdf possibly loops infinitely when reading DCT inline images without EOF marker | moderate |
| | | pypdf can exhaust RAM via manipulated LZWDecode streams | moderate |
| | | pypdf's LZWDecode streams be manipulated to exhaust RAM | moderate |
| | | pypdf has possible Infinite Loop when processing outlines/bookmarks | moderate |
| | | pypdf has a possible infinite loop when processing TreeObject | moderate |
| | | pypdf has possible long runtimes/large memory usage for large /ToUnicode streams | moderate |
| | | pypdf possibly has long runtimes for malformed FlateDecode streams | moderate |
| | | pypdf: Manipulated FlateDecode XFA streams can exhaust RAM | moderate |
| | | pypdf: Manipulated RunLengthDecode streams can exhaust RAM | moderate |
| | | pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams | moderate |
| cryptography | >= 42.0.0,< 45.0.0 | cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves | high |

Only included vulnerabilities with severity moderate or higher.

License Issues

packages/agent-os/modules/caas/requirements.txt

| Package | Version | License | Issue Type |
|---|---|---|---|
| pypdf | >= 4.0.0,< 5.0.0 | Null | Unknown License |
| aiofiles | >= 23.2.1,< 24.0.0 | Null | Unknown License |
| beautifulsoup4 | >= 4.12.2,< 5.0.0 | Null | Unknown License |
| fastapi | >= 0.115.0,< 1.0.0 | Null | Unknown License |
| lxml | >= 4.9.3,< 6.0.0 | Null | Unknown License |
| numpy | >= 1.26.2,< 2.0.0 | Null | Unknown License |
| pydantic | >= 2.5.0,< 3.0.0 | Null | Unknown License |
| python-multipart | >= 0.0.22,< 1.0.0 | Null | Unknown License |
| scikit-learn | >= 1.6.1,< 2.0.0 | Null | Unknown License |
| tiktoken | >= 0.5.1,< 1.0.0 | Null | Unknown License |
| uvicorn | >= 0.27.0,< 1.0.0 | Null | Unknown License |

packages/agent-os/modules/cmvk/requirements.txt

| Package | Version | License | Issue Type |
|---|---|---|---|
| numpy | >= 1.24.0,< 2.0.0 | Null | Unknown License |
| scipy | >= 1.11.0,< 2.0.0 | Null | Unknown License |

packages/agent-os/modules/iatp/requirements.txt

| Package | Version | License | Issue Type |
|---|---|---|---|
| agent-primitives | >= 0.1.0,< 1.0.0 | Null | Unknown License |
| fastapi | >= 0.109.1,< 1.0.0 | Null | Unknown License |

packages/agent-os/modules/scak/requirements.txt

| Package | Version | License | Issue Type |
|---|---|---|---|
| langchain-core | >= 0.1.0,< 1.0.0 | Null | Unknown License |
| agent-primitives | >= 0.1.0,< 1.0.0 | Null | Unknown License |
| anthropic | >= 0.7.0,< 1.0.0 | Null | Unknown License |
| jupyter | >= 1.0.0,< 2.0.0 | Null | Unknown License |
| langchain | >= 0.1.0,< 1.0.0 | Null | Unknown License |
| openai | >= 1.0.0,< 2.0.0 | Null | Unknown License |
| pydantic | >= 2.0.0,< 3.0.0 | Null | Unknown License |
| pytest | >= 7.4.0,< 9.0.0 | Null | Unknown License |
| pytest-asyncio | >= 0.21.0,< 1.0.0 | Null | Unknown License |
| pyyaml | >= 6.0,< 7.0.0 | Null | Unknown License |
| streamlit | >= 1.37.0,< 2.0.0 | Null | Unknown License |

packages/agent-os/services/cloud-board/requirements.txt

| Package | Version | License | Issue Type |
|---|---|---|---|
| cryptography | >= 42.0.0,< 45.0.0 | Null | Unknown License |
| aiohttp | >= 3.13.3,< 4.0.0 | Null | Unknown License |
| black | >= 24.3.0,< 25.0.0 | Null | Unknown License |
| fastapi | >= 0.109.0,< 1.0.0 | Null | Unknown License |
| httpx | >= 0.26.0,< 1.0.0 | Null | Unknown License |
| mypy | >= 1.8.0,< 2.0.0 | Null | Unknown License |
| opentelemetry-api | >= 1.22.0,< 2.0.0 | Null | Unknown License |
| opentelemetry-instrumentation-fastapi | >= 0.43b0,< 1.0 | Null | Unknown License |
| opentelemetry-sdk | >= 1.22.0,< 2.0.0 | Null | Unknown License |
| pydantic | >= 2.5.0,< 3.0.0 | Null | Unknown License |
| pynacl | >= 1.5.0,< 2.0.0 | Null | Unknown License |
| pytest | >= 7.4.0,< 9.0.0 | Null | Unknown License |
| pytest-asyncio | >= 0.23.0,< 1.0.0 | Null | Unknown License |
| pytest-cov | >= 4.1.0,< 6.0.0 | Null | Unknown License |
| ruff | >= 0.1.0,< 1.0.0 | Null | Unknown License |
| structlog | >= 24.1.0,< 25.0.0 | Null | Unknown License |
| uvicorn | >= 0.27.0,< 1.0.0 | Null | Unknown License |

Allowed Licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, PSF-2.0, Python-2.0, 0BSD, Unlicense, CC0-1.0, CC-BY-4.0, Zlib, BSL-1.0, MPL-2.0

OpenSSF Scorecard

Scorecard details
| Package | Version | Score | Details |
|---|---|---|---|
| pip/pypdf | >= 4.0.0,< 5.0.0 | Unknown | Unknown |
| pip/aiofiles | >= 23.2.1,< 24.0.0 | Unknown | Unknown |
| pip/beautifulsoup4 | >= 4.12.2,< 5.0.0 | Unknown | Unknown |
| pip/fastapi | >= 0.115.0,< 1.0.0 | Unknown | Unknown |
| pip/lxml | >= 4.9.3,< 6.0.0 | Unknown | Unknown |
| pip/numpy | >= 1.26.2,< 2.0.0 | Unknown | Unknown |
| pip/pydantic | >= 2.5.0,< 3.0.0 | Unknown | Unknown |
| pip/python-multipart | >= 0.0.22,< 1.0.0 | Unknown | Unknown |
| pip/scikit-learn | >= 1.6.1,< 2.0.0 | Unknown | Unknown |
| pip/tiktoken | >= 0.5.1,< 1.0.0 | Unknown | Unknown |
| pip/uvicorn | >= 0.27.0,< 1.0.0 | Unknown | Unknown |
| pip/numpy | >= 1.24.0,< 2.0.0 | Unknown | Unknown |
| pip/scipy | >= 1.11.0,< 2.0.0 | Unknown | Unknown |
| pip/agent-primitives | >= 0.1.0,< 1.0.0 | Unknown | Unknown |
| pip/fastapi | >= 0.109.1,< 1.0.0 | Unknown | Unknown |
| pip/langchain-core | >= 0.1.0,< 1.0.0 | Unknown | Unknown |
| pip/agent-primitives | >= 0.1.0,< 1.0.0 | Unknown | Unknown |
| pip/anthropic | >= 0.7.0,< 1.0.0 | Unknown | Unknown |
| pip/jupyter | >= 1.0.0,< 2.0.0 | Unknown | Unknown |
| pip/langchain | >= 0.1.0,< 1.0.0 | Unknown | Unknown |
| pip/openai | >= 1.0.0,< 2.0.0 | Unknown | Unknown |
| pip/pydantic | >= 2.0.0,< 3.0.0 | Unknown | Unknown |
| pip/pytest | >= 7.4.0,< 9.0.0 | Unknown | Unknown |
| pip/pytest-asyncio | >= 0.21.0,< 1.0.0 | Unknown | Unknown |
| pip/pyyaml | >= 6.0,< 7.0.0 | Unknown | Unknown |
| pip/streamlit | >= 1.37.0,< 2.0.0 | Unknown | Unknown |
| pip/cryptography | >= 42.0.0,< 45.0.0 | Unknown | Unknown |
| pip/aiohttp | >= 3.13.3,< 4.0.0 | Unknown | Unknown |
| pip/black | >= 24.3.0,< 25.0.0 | Unknown | Unknown |
| pip/fastapi | >= 0.109.0,< 1.0.0 | Unknown | Unknown |
| pip/httpx | >= 0.26.0,< 1.0.0 | Unknown | Unknown |
| pip/mypy | >= 1.8.0,< 2.0.0 | Unknown | Unknown |
| pip/opentelemetry-api | >= 1.22.0,< 2.0.0 | Unknown | Unknown |
| pip/opentelemetry-instrumentation-fastapi | >= 0.43b0,< 1.0 | Unknown | Unknown |
| pip/opentelemetry-sdk | >= 1.22.0,< 2.0.0 | Unknown | Unknown |
| pip/pydantic | >= 2.5.0,< 3.0.0 | Unknown | Unknown |
| pip/pynacl | >= 1.5.0,< 2.0.0 | Unknown | Unknown |
| pip/pytest | >= 7.4.0,< 9.0.0 | Unknown | Unknown |
| pip/pytest-asyncio | >= 0.23.0,< 1.0.0 | Unknown | Unknown |
| pip/pytest-cov | >= 4.1.0,< 6.0.0 | Unknown | Unknown |
| pip/ruff | >= 0.1.0,< 1.0.0 | Unknown | Unknown |
| pip/structlog | >= 24.1.0,< 25.0.0 | Unknown | Unknown |
| pip/uvicorn | >= 0.27.0,< 1.0.0 | Unknown | Unknown |

Scanned Files

  • packages/agent-os/modules/caas/requirements.txt
  • packages/agent-os/modules/cmvk/requirements.txt
  • packages/agent-os/modules/iatp/requirements.txt
  • packages/agent-os/modules/scak/requirements.txt
  • packages/agent-os/services/cloud-board/requirements.txt

@github-actions github-actions bot added the size/M (Medium PR, < 200 lines) label Mar 8, 2026