fix: race conditions in lock pop, CSV formula injection, serialize_finding None leak, consolidate plans, update docs

This commit is contained in:
Marker689
2026-05-11 22:31:41 +03:00
parent 3f44de1d98
commit 56786c7aef
11 changed files with 251 additions and 488 deletions


@@ -4,12 +4,13 @@ Integration of [GuardDog](https://github.com/DataDog/guarddog) (package vulnerab
## Features
- **Automatic scanning** via Nexus webhooks on package cache updates
- **Multi-ecosystem support** — PyPI, Go, npm (any format via proxy repositories)
- **Automatic scanning** via Nexus webhooks on package updates (`UPDATED` only)
- **Multi-ecosystem support** — PyPI, Go, npm (including scoped packages `@scope/name`); unknown ecosystems explicitly rejected
- **REST API** for scan results, findings, statistics, and CSV export
- **Web dashboard** with scan tables, filtering, and LLM-powered analysis
- **LLM analysis** — automated security analysis of each finding via OpenAI-compatible APIs (optional, configurable)
- **LLM analysis** — automated security analysis of each finding via OpenAI-compatible APIs (optional, configurable); parallel analysis via `asyncio.gather`
- **Deduplication** by URL and SHA256 — identical content scanned only once
- **SSRF protection** — download URL validation via `NEXUS_ALLOWED_HOSTS`
- **Structured JSON logging** with optional syslog output
- **Docker Compose** — full stack deployment with Nexus in one command
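Review bot: the rewritten "Automatic scanning" bullet says webhooks are handled on `UPDATED` only, but nothing in this README hunk says what happens to other event types (silently acknowledged, logged and dropped, or rejected with an error); one clause here would save operators a trip to the handler code. The same goes for "unknown ecosystems explicitly rejected": state the response the webhook caller sees. Finally, "parallel analysis via `asyncio.gather`" is an implementation detail in a feature list; if it stays, say whether the fan-out is bounded, since an unbounded gather over every finding will hit LLM provider rate limits on large scans, and if it is not bounded, note that as a known limitation.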
@@ -155,8 +156,18 @@ curl -X POST http://localhost:8080/webhooks/nexus \
| Method | Path | Description |
|--------|------|-------------|
| GET | `/health` | Health check |
| GET | `/health/dependencies` | DB and Nexus API connectivity check |
| GET | `/metrics` | Prometheus-compatible metrics |
## Security
- Webhooks support HMAC-SHA256 signature validation via `WEBHOOK_SECRET`
- Nexus client uses anonymous access (no BasicAuth) — ensure Nexus allows anonymous read access
- SSRF protection: download URLs validated against `NEXUS_ALLOWED_HOSTS`
- Security headers on all responses: `X-Content-Type-Options`, `X-Frame-Options`, `X-XSS-Protection`, `Referrer-Policy`, `Permissions-Policy`
- Scan results stored in local SQLite database
- Temporary package files deleted after scanning
## LLM Analysis
GuardDog Nexus can analyze findings through an LLM. When enabled (`LLM_ENABLED=1`), flagged findings receive an AI breakdown: threat assessment, code analysis, and recommendations.
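Review bot: the new `/health/dependencies` and `/metrics` rows should say whether those endpoints are reachable without authentication; dependency status and Prometheus metrics reveal internal hostnames, queue depths and error rates, so the README should tell deployers to restrict them (network ACL or reverse-proxy auth) if the app itself does not. In the Security section, the commit title says CSV formula injection was fixed, yet the list has no bullet for it; add one line stating that exported CSV cells are sanitised against formula injection, so the guarantee is documented alongside the other controls. Also, `X-XSS-Protection` is deprecated and ignored by current browsers, so listing it alongside real controls overstates the protection; consider noting that and listing whether a `Content-Security-Policy` is set for the dashboard.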
@@ -226,7 +237,7 @@ guarddog-nexus/
│ ├── i18n.py # RU/EN translations
│ ├── logging_setup.py # JSON structured logging
│ └── main.py # FastAPI app entry point
├── tests/ # pytest tests (85 tests)
├── tests/ # pytest tests (137 tests: 101 unit + 36 e2e)
├── scripts/ # Setup scripts
├── docker-compose.yml
├── Dockerfile
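Review bot: the hard-coded test count in the `tests/` line (`137 tests: 101 unit + 36 e2e`) was already stale once (it replaced `85 tests`) and will drift again with the next test added; either drop the number or describe the layout instead (unit vs e2e subdirectories and how each is run), which is the information a contributor actually needs from a project tree.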