fix: аудит — 19 фиксов безопасности, надёжности, UI и 16 новых тестов

- S4: bump jinja2>=3.1.4, python-multipart>=0.0.18, httpx>=0.28.0 - S5: _detect_ecosystem — DEFAULT_ECOSYSTEM для неизвестных форматов - S6: harvester — log.exception() вместо log.error() - S8: _scan_component — urlencode параметров - P1: scanner — proc.kill() при таймауте - P3: api_packages — selectinload(Scan.findings), убран N+1 - P4+P5: утечка _url_locks и _llm_locks при early return - P6: DB reaper — сброс {'status':'analyzing'} при старте - UI: htmx-пагинация, фильтры не теряют flagged, 404 с layout - UI: мобильные таблицы overflow-x, полная стата на дашборде - UI: i18n статусов в _status_badge, urlencode package_name - 16 новых тестов: analyze endpoint (6), scanner errors (4), webhook signature (2), llm client (4)
2026-05-10 10:45:44 +03:00
parent d483a8b21d
commit 1341404568
31 changed files with 575 additions and 152 deletions
--- a/guarddog_nexus/core/harvester.py
+++ b/guarddog_nexus/core/harvester.py
@@ -60,6 +60,8 @@ async def harvest(
    lock = _url_locks[download_url]
    if lock.locked():
        log.info("URL already being processed, skipping: %s", download_url)
+        async with _url_lock:
+            _url_locks.pop(download_url, None)
        return None

    async with lock:
@@ -191,7 +193,7 @@ async def harvest(
        return scan

    except Exception as e:
-        log.error("Scan failed for %s==%s: %s", package_name, package_version, e)
+        log.exception("Scan failed for %s==%s", package_name, package_version)
        scan.status = ScanStatus.FAILED.value
        scan.error_message = str(e)[:ERROR_MESSAGE_MAX_LENGTH]
        scan.finished_at = datetime.datetime.now(datetime.timezone.utc)
--- a/guarddog_nexus/core/llm.py
+++ b/guarddog_nexus/core/llm.py
@@ -23,11 +23,7 @@ def _build_user_message(finding: dict) -> str:
    location = finding.get("location", "")
    code = finding.get("code", "")

-    prompt = (
-        f"Rule: {rule}\n"
-        f"Severity: {severity}\n"
-        f"Message: {message}\n"
-    )
+    prompt = f"Rule: {rule}\nSeverity: {severity}\nMessage: {message}\n"
    if location:
        prompt += f"Location: {location}\n"
    if code:
@@ -66,9 +62,7 @@ async def analyze_finding(finding_data: dict) -> dict | None:

    try:
        async with _llm_semaphore:
-            async with httpx.AsyncClient(
-                timeout=config.llm_timeout, headers=headers
-            ) as client:
+            async with httpx.AsyncClient(timeout=config.llm_timeout, headers=headers) as client:
                resp = await client.post(url, json=payload)
                resp.raise_for_status()
                body = resp.json()
--- a/guarddog_nexus/core/nexus.py
+++ b/guarddog_nexus/core/nexus.py
@@ -116,9 +116,7 @@ def _write_file(path: str, content: bytes) -> None:
 async def nexus_get(path: str) -> httpx.Response:
    """Make an authenticated GET request to Nexus REST API."""
    auth = httpx.BasicAuth(config.nexus_username, config.nexus_password)
-    async with httpx.AsyncClient(
-        auth=auth, timeout=config.nexus_api_timeout
-    ) as client:
+    async with httpx.AsyncClient(auth=auth, timeout=config.nexus_api_timeout) as client:
        return await client.get(f"{config.nexus_url.rstrip('/')}{path}")


--- a/guarddog_nexus/core/scanner.py
+++ b/guarddog_nexus/core/scanner.py
@@ -34,6 +34,11 @@ async def scan_package(filepath: str, ecosystem: str = DEFAULT_ECOSYSTEM) -> dic
        )
    except asyncio.TimeoutError:
        log.error("GuardDog scan timed out for %s", filepath)
+        try:
+            proc.kill()
+            await proc.wait()
+        except (ProcessLookupError, Exception):
+            pass
        return {"findings": [], "errors": [SCAN_ERROR_TIMEOUT]}
    except FileNotFoundError:
        log.error("GuardDog binary not found at %s", guarddog_bin)