yunoadmin
/
bambuddy
mirror of https://github.com/maziggy/bambuddy


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889
							# Bambuddy Python Security & Quality Suite
#
# Extends the standard python-security-and-quality suite, excluding
# accepted-risk findings documented below.
#
# All excluded findings have been reviewed and either:
#   - Fixed in code (validation added) but CodeQL still traces taint
#   - Confirmed false positive after code inspection
#   - Accepted risk for a local-network admin tool

- description: "Bambuddy Python security and quality"

- import: codeql-suites/python-security-and-quality.qls
  from: codeql/python-queries

# ── Accepted Risk ─────────────────────────────────────────────

# Log injection (131): All logging uses %s parameterized style.
# Remaining findings are CodeQL taint-tracking printer/device data
# to parameterized log args. Accepted risk for local network tool.
- exclude:
    id: py/log-injection

# Cyclic imports (70+2): SQLAlchemy ORM pattern — models import
# database base class, database imports models for migrations.
- exclude:
    id: py/cyclic-import
- exclude:
    id: py/unsafe-cyclic-import

# Unused local variables (11): Python _ prefix convention for
# intentional discards (tuple unpacking, test fixture side effects).
- exclude:
    id: py/unused-local-variable

# Path injection (11): All paths validated — extension whitelists,
# traversal checks (rejects .. / \), UUID-based naming, or
# constructed from integer IDs in controlled base directories.
- exclude:
    id: py/path-injection

# Stack trace exposure (5): str(e) replaced with generic messages
# in HTTP responses. Remaining findings are CodeQL tracing through
# _update_status dict returns, not actual new exposures.
- exclude:
    id: py/stack-trace-exposure

# Socket bind to 0.0.0.0 (4): Virtual printer SSDP/discovery
# services must bind all interfaces for LAN discoverability.
- exclude:
    id: py/bind-socket-all-network-interfaces

# SSRF (3+1): URLs come from admin-configured settings (external
# cameras, Home Assistant, Tasmota). Validation added for scheme,
# hostname, and metadata-service blocking. CodeQL still traces
# taint through the validated URLs.
- exclude:
    id: py/partial-ssrf
- exclude:
    id: py/full-ssrf

# Unused global variables (2): False positives — module-level
# cache variables written via `global` in one function, read in
# another. CodeQL doesn't track cross-function global reads.
- exclude:
    id: py/unused-global-variable

# Clear-text logging sensitive data (2): False positive —
# `api_key` in firmware_check.py is a printer model identifier
# string ("x1", "p1", "a1-mini"), not a secret.
- exclude:
    id: py/clear-text-logging-sensitive-data

# Clear-text storage sensitive data (1): JWT secret stored in
# SQLite config with 0600 file permissions. Standard approach
# for single-host deployment.
- exclude:
    id: py/clear-text-storage-sensitive-data

# Weak hashing on sensitive data (1): MD5 in bambu_mqtt.py used
# with usedforsecurity=False for AMS tray fingerprinting, not
# for security purposes.
- exclude:
    id: py/weak-sensitive-data-hashing

# Catch base exception (1): In frontend/node_modules third-party
# code (flatted/python/flatted.py), outside our control.
- exclude:
    id: py/catch-base-exception