refactor: вынос хардкода + LLM-анализ finding'ов

## Часть A: Вынос хардкода - Новый модуль constants.py — все magic strings, лимиты, severity, ключи (104 хардкод-значения централизованы) - Новый модуль queries.py — общие SQL-запросы (build_scan_list_query, build_package_list_query, get_dashboard_stats) Убрана дупликация между api/*.py и web/routes.py (~90%) - config.py: добавлены NLP_ENABLED, nexus_timeout, guarddog_binary, log_syslog_facility, LLM-переменные - nexus_client.py: таймауты из конфига, SHA256_CHUNK_SIZE из constants - scanner.py: error-ключи из constants, GUARDDOG_OUTPUT_FORMAT из constants - webhooks.py: RELEVANT_WEBHOOK_ACTIONS, METADATA_PATTERNS, ignore-строки из constants - logging_setup.py: конфигурируемый syslog facility, APP_PACKAGE из constants - main.py: APP_NAME, APP_DESCRIPTION, APP_PACKAGE из constants - models.py: поле report: JSON | None в Finding для LLM-отчётов - harvester.py: авто-очистка tmpdir через finally; ERROR_MESSAGE_MAX_LENGTH из constants; PACKAGE_EXTENSIONS вместо SUPPORTED_EXTENSIONS (с .gem) - api/*.py + web/routes.py: используют build_*_query из queries.py, константы для лимитов и сортировок - tests/conftest.py: SEVERITY_WARNING, DEFAULT_ECOSYSTEM из constants ## Часть B: LLM-анализ finding'ов - llm.py: клиент для OpenAI-совместимых API с промптом security-аналитика - harvester.py: авто-триггер после flagged scan, сохранение report в БД - api/findings.py: POST /{id}/analyze — ручной триггер - web/routes.py: POST /api/v1/findings/{id}/analyze — HTMX-фрагмент - _llm_report_fragment.html: шаблон фрагмента с вердиктом - scan_detail.html, package_detail.html: кнопка Analyze with LLM (htmx-post, spinner, inline-замена на LLM-отчёт) - style.css: стили для .llm-report .verdict-safe/suspicious/malicious ## Часть C: Тесты - 50 тестов, все зелёные - Линтер чистый - Тесты используют constants где нужно
2026-05-10 04:37:07 +03:00
parent c43e7c4c9b
commit 834138368a
21 changed files with 1094 additions and 476 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -17,44 +17,12 @@ os.environ["NEXUS_PASSWORD"] = "admin123"
 os.environ["LOG_SYSLOG_HOST"] = ""
 os.environ["TEMP_DIR"] = "/tmp/guarddog-nexus-test"

+from guarddog_nexus.constants import DEFAULT_ECOSYSTEM, SEVERITY_WARNING  # noqa: E402
 from guarddog_nexus.database import Base, get_session  # noqa: E402
 from guarddog_nexus.main import app  # noqa: E402
 from guarddog_nexus.models import Finding, Scan, ScanStatus  # noqa: E402


-@pytest_asyncio.fixture
-async def sample_flagged_scan(db_session):
-    scan = Scan(
-        package_name="test-pkg",
-        package_version="1.0",
-        ecosystem="pypi",
-        repository="pypi-proxy",
-        nexus_asset_url="http://nexus:8081/repository/pypi-proxy/packages/test-pkg/1.0/test-pkg-1.0.tar.gz",
-        sha256="abc123",
-        status=ScanStatus.COMPLETED.value,
-        total_findings=1,
-        flagged=True,
-    )
-    db_session.add(scan)
-    await db_session.commit()
-    await db_session.refresh(scan)
-
-    finding = Finding(
-        scan_id=scan.id,
-        data={
-            "rule": "test_rule",
-            "severity": "WARNING",
-            "message": "Test finding",
-            "location": "test.py:1",
-            "code": "print('test')",
-        },
-    )
-    db_session.add(finding)
-    await db_session.commit()
-    await db_session.refresh(scan)
-    return scan
-
-
@pytest_asyncio.fixture
 async def db_engine():
    engine = create_async_engine(
@@ -92,6 +60,39 @@ async def client(db_engine):
    app.dependency_overrides.clear()


+@pytest_asyncio.fixture
+async def sample_flagged_scan(db_session):
+    scan = Scan(
+        package_name="test-pkg",
+        package_version="1.0",
+        ecosystem=DEFAULT_ECOSYSTEM,
+        repository="pypi-proxy",
+        nexus_asset_url="http://nexus:8081/repository/pypi-proxy/packages/test-pkg/1.0/test-pkg-1.0.tar.gz",
+        sha256="abc123",
+        status=ScanStatus.COMPLETED.value,
+        total_findings=1,
+        flagged=True,
+    )
+    db_session.add(scan)
+    await db_session.commit()
+    await db_session.refresh(scan)
+
+    finding = Finding(
+        scan_id=scan.id,
+        data={
+            "rule": "test_rule",
+            "severity": SEVERITY_WARNING,
+            "message": "Test finding",
+            "location": "test.py:1",
+            "code": "print('test')",
+        },
+    )
+    db_session.add(finding)
+    await db_session.commit()
+    await db_session.refresh(scan)
+    return scan
+
+
@pytest.fixture
 def sample_nexus_webhook():
    return {
@@ -178,21 +179,21 @@ def guarddog_normalized_flagged():
        "findings": [
            {
                "rule": "shady-links",
-                "severity": "WARNING",
+                "severity": SEVERITY_WARNING,
                "message": "Package contains URL to suspicious domain",
                "location": "setup.py:15",
                "code": "url = 'http://evil.com'",
            },
            {
                "rule": "exec-base64",
-                "severity": "WARNING",
+                "severity": SEVERITY_WARNING,
                "message": "Base64-encoded code execution detected",
                "location": "core.py:42",
                "code": "exec(base64.b64decode(...))",
            },
            {
                "rule": "empty_information",
-                "severity": "WARNING",
+                "severity": SEVERITY_WARNING,
                "message": "Package description is empty",
                "location": "",
                "code": "",