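# Bambuddy Python Security & Quality Suite
#
# Extends the standard python-security-and-quality suite, excluding
# accepted-risk findings documented below.
#
# All excluded findings have been reviewed and either:
# - Fixed in code (validation added) but CodeQL still traces taint
# - Confirmed false positive after code inspection
# - Accepted risk for a local-network admin tool
#
# NOTE(review): every `exclude` entry below is suite-wide. It silences
# the query for the whole codebase, including any future regression in
# new code, not just the findings that were reviewed. Re-check this list
# whenever the underlying fix, deployment model or threat model changes.

- description: "Bambuddy Python security and quality"

- import: codeql-suites/python-security-and-quality.qls
  from: codeql/python-queries

# ── Accepted Risk ─────────────────────────────────────────────

# Log injection (131): All logging uses %s parameterized style.
# Remaining findings are CodeQL taint-tracking printer/device data
# to parameterized log args. Accepted risk for local network tool.
- exclude:
    id: py/log-injection

# Cyclic imports (70+2): SQLAlchemy ORM pattern — models import
# database base class, database imports models for migrations.
- exclude:
    id: py/cyclic-import
- exclude:
    id: py/unsafe-cyclic-import

# Unused local variables (11): Python _ prefix convention for
# intentional discards (tuple unpacking, test fixture side effects).
- exclude:
    id: py/unused-local-variable

# Path injection (11): All paths validated — extension whitelists,
# traversal checks (rejects .. / \), UUID-based naming, or
# constructed from integer IDs in controlled base directories.
# NOTE(review): this exclusion also covers any new file-handling code
# added later; new path-building code does not get the query's coverage.
- exclude:
    id: py/path-injection

# Stack trace exposure (5): str(e) replaced with generic messages
# in HTTP responses. Remaining findings are CodeQL tracing through
# _update_status dict returns, not actual new exposures.
- exclude:
    id: py/stack-trace-exposure

# Socket bind to 0.0.0.0 (4): Virtual printer SSDP/discovery
# services must bind all interfaces for LAN discoverability.
- exclude:
    id: py/bind-socket-all-network-interfaces

# SSRF (3+1): URLs come from admin-configured settings (external
# cameras, Home Assistant, Tasmota). Validation added for scheme,
# hostname, and metadata-service blocking. CodeQL still traces
# taint through the validated URLs.
- exclude:
    id: py/partial-ssrf
- exclude:
    id: py/full-ssrf

# Unused global variables (2): False positives — module-level
# cache variables written via `global` in one function, read in
# another. CodeQL doesn't track cross-function global reads.
- exclude:
    id: py/unused-global-variable

# Clear-text logging sensitive data (2): False positive —
# `api_key` in firmware_check.py is a printer model identifier
# string ("x1", "p1", "a1-mini"), not a secret.
- exclude:
    id: py/clear-text-logging-sensitive-data

# Clear-text storage sensitive data (1): JWT secret stored in
# SQLite config with 0600 file permissions. Standard approach
# for single-host deployment.
- exclude:
    id: py/clear-text-storage-sensitive-data

# Weak hashing on sensitive data (1): MD5 in bambu_mqtt.py used
# with usedforsecurity=False for AMS tray fingerprinting, not
# for security purposes.
- exclude:
    id: py/weak-sensitive-data-hashing

# Catch base exception (1): In frontend/node_modules third-party
# code (flatted/python/flatted.py), outside our control.
# NOTE(review): the finding is in vendored code, so a path filter
# (`paths-ignore` in the code-scanning config) would suppress it
# without disabling the query for first-party Python.
- exclude:
    id: py/catch-base-exception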