fix: race conditions in lock pop, CSV formula injection, serialize_finding None leak, consolidate plans, update docs

2026-05-11 22:31:41 +03:00
parent 3f44de1d98
commit 56786c7aef
11 changed files with 251 additions and 488 deletions
--- a/guarddog_nexus/core/harvester.py
+++ b/guarddog_nexus/core/harvester.py
@@ -76,21 +76,24 @@ async def harvest(
            _url_locks.pop(download_url, None)
        return None

+    active_found = False
    async with lock:
-        try:
-            # Re-check DB in case another task already created and finished a scan
-            active = await session.scalar(
-                select(Scan.id).where(
-                    Scan.nexus_asset_url == download_url,
-                    Scan.status.in_([ScanStatus.PENDING.value, ScanStatus.SCANNING.value]),
-                )
+        # Re-check DB in case another task already created and finished a scan
+        active = await session.scalar(
+            select(Scan.id).where(
+                Scan.nexus_asset_url == download_url,
+                Scan.status.in_([ScanStatus.PENDING.value, ScanStatus.SCANNING.value]),
            )
-            if active:
-                log.info("Already scanning this URL, skipping")
-                return None
-        finally:
-            async with _url_lock:
-                _url_locks.pop(download_url, None)
+        )
+        if active:
+            log.info("Already scanning this URL, skipping")
+            active_found = True
+
+    async with _url_lock:
+        _url_locks.pop(download_url, None)
+
+    if active_found:
+        return None

    scan = Scan(
        package_name=package_name,