834138368a
## Часть A: Вынос хардкода
- Новый модуль constants.py — все magic strings, лимиты, severity, ключи
(104 хардкод-значения централизованы)
- Новый модуль queries.py — общие SQL-запросы (build_scan_list_query,
build_package_list_query, get_dashboard_stats)
Убрана дупликация между api/*.py и web/routes.py (~90%)
- config.py: добавлены NLP_ENABLED, nexus_timeout, guarddog_binary,
log_syslog_facility, LLM-переменные
- nexus_client.py: таймауты из конфига, SHA256_CHUNK_SIZE из constants
- scanner.py: error-ключи из constants, GUARDDOG_OUTPUT_FORMAT из constants
- webhooks.py: RELEVANT_WEBHOOK_ACTIONS, METADATA_PATTERNS, ignore-строки
из constants
- logging_setup.py: конфигурируемый syslog facility, APP_PACKAGE из constants
- main.py: APP_NAME, APP_DESCRIPTION, APP_PACKAGE из constants
- models.py: поле report: JSON | None в Finding для LLM-отчётов
- harvester.py: авто-очистка tmpdir через finally; ERROR_MESSAGE_MAX_LENGTH
из constants; PACKAGE_EXTENSIONS вместо SUPPORTED_EXTENSIONS (с .gem)
- api/*.py + web/routes.py: используют build_*_query из queries.py,
константы для лимитов и сортировок
- tests/conftest.py: SEVERITY_WARNING, DEFAULT_ECOSYSTEM из constants
## Часть B: LLM-анализ finding'ов
- llm.py: клиент для OpenAI-совместимых API с промптом security-аналитика
- harvester.py: авто-триггер после flagged scan, сохранение report в БД
- api/findings.py: POST /{id}/analyze — ручной триггер
- web/routes.py: POST /api/v1/findings/{id}/analyze — HTMX-фрагмент
- _llm_report_fragment.html: шаблон фрагмента с вердиктом
- scan_detail.html, package_detail.html: кнопка Analyze with LLM
(htmx-post, spinner, inline-замена на LLM-отчёт)
- style.css: стили для .llm-report .verdict-safe/suspicious/malicious
## Часть C: Тесты
- 50 тестов, все зелёные
- Линтер чистый
- Тесты используют constants где нужно
87 lines
2.4 KiB
Python
87 lines
2.4 KiB
Python
"""REST API for findings (across all scans)."""
|
|
|
|
from fastapi import APIRouter, Depends, Query
|
|
from sqlalchemy import func, select
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
|
|
|
from guarddog_nexus.config import config
|
|
from guarddog_nexus.constants import (
|
|
DEFAULT_OFFSET,
|
|
DEFAULT_PAGE_SIZE,
|
|
JSON_PATH_RULE,
|
|
JSON_PATH_SEVERITY,
|
|
MAX_PAGE_SIZE,
|
|
)
|
|
from guarddog_nexus.database import get_session
|
|
from guarddog_nexus.models import Finding
|
|
|
|
router = APIRouter(prefix="/api/v1/findings", tags=["findings"])
|
|
|
|
|
|
@router.get("")
|
|
async def list_findings(
|
|
limit: int = Query(DEFAULT_PAGE_SIZE, le=MAX_PAGE_SIZE),
|
|
offset: int = Query(DEFAULT_OFFSET, ge=0),
|
|
rule: str | None = Query(None),
|
|
severity: str | None = Query(None),
|
|
scan_id: int | None = Query(None),
|
|
session: AsyncSession = Depends(get_session),
|
|
):
|
|
q = select(Finding)
|
|
if rule:
|
|
q = q.where(func.json_extract(Finding.data, JSON_PATH_RULE) == rule)
|
|
if severity:
|
|
q = q.where(func.json_extract(Finding.data, JSON_PATH_SEVERITY) == severity)
|
|
if scan_id:
|
|
q = q.where(Finding.scan_id == scan_id)
|
|
|
|
total = await session.scalar(select(func.count()).select_from(q.subquery()))
|
|
findings = (await session.execute(q.offset(offset).limit(limit))).scalars().all()
|
|
|
|
return {
|
|
"total": total,
|
|
"limit": limit,
|
|
"offset": offset,
|
|
"findings": [
|
|
{
|
|
"id": f.id,
|
|
"scan_id": f.scan_id,
|
|
**f.data,
|
|
"report": f.report,
|
|
"created_at": f.created_at.isoformat() if f.created_at else None,
|
|
}
|
|
for f in findings
|
|
],
|
|
}
|
|
|
|
|
|
@router.post("/{finding_id}/analyze")
|
|
async def analyze_finding_endpoint(
|
|
finding_id: int,
|
|
session: AsyncSession = Depends(get_session),
|
|
):
|
|
"""Manually trigger LLM analysis for a single finding."""
|
|
if not config.llm_enabled:
|
|
return {"detail": "LLM analysis is disabled"}
|
|
|
|
finding = await session.scalar(
|
|
select(Finding).where(Finding.id == finding_id)
|
|
)
|
|
if not finding:
|
|
return {"detail": "Not found"}
|
|
|
|
from guarddog_nexus.llm import analyze_finding
|
|
|
|
report = await analyze_finding(finding.data)
|
|
if report is None:
|
|
return {"detail": "LLM analysis failed"}
|
|
|
|
finding.report = report
|
|
await session.commit()
|
|
|
|
return {
|
|
"id": finding.id,
|
|
**finding.data,
|
|
"report": report,
|
|
}
|