apme: L047 no_log fixes + post-sweep review doc #5
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "apme/l047-l098-fp"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Follow-up to PR #4 after re-scanning main with APME (scan 230db6093e86… on commit
ef35440).L047 fixes (2 high-severity):
roles/satellite_lookup/tasks/main.yml:no_log: false→no_log: trueroles/satellite_lookup/tasks/paginate.yml: addedno_log: trueBoth tasks pass
password: {{ satellite_password }}touri:and were leaking the auth header into job stdout.Documentation:
docs/APME_REVIEW.mdnow has the post-sweep scan analysis with the proper severity-based triage (vs raw count). Real engineering work is ~76 findings of error+high+medium-security severity; the other 1559 are style/info noise.msg: |content parsed as YAML, Jinja{% set %}lines read as YAML mapping entries).M005 (59 high — 2.19 untrusted-template) deferred for a separate PR that tests the trust-marker patterns against an ansible-core 2.19 EE.
L047 high-severity fixes (2 instances, both real and actionable): * roles/satellite_lookup/tasks/main.yml: `no_log: false` (worse than missing — explicit "log everything") flipped to `no_log: true` on the `uri:` task that passes `password: "{{ satellite_password }}"`. * roles/satellite_lookup/tasks/paginate.yml: added `no_log: true` to the paginating uri: call (same password param). Downside is GET response (package data) is also masked; operator can flip flag and re-run with -vvv on failure. docs/APME_REVIEW.md: updated with the 2026-05-22 post-sweep scan (230db6093e86…) findings. Highlights: - Total dropped 1871 → 1635 (-236) — matches PR #4's predicted sweep exactly (L067 -67, L025 -86, L070 -64, L057 -19). - Severity breakdown is the right lens: 13 error + 61 high + 167 medium + 1179 low + 215 info. The 1394 low/info are noise; real engineering work is the ~76 error+high+medium-security findings. - All 13 L098 "errors" are FALSE POSITIVES from APME's YAML parser (same-named keys under different parents flagged as duplicates; block-literal `msg: |` content parsed as YAML; Jinja `{% set %}` /`{# comment #}` parsed as mapping entries). Filed in the doc. - M005 (59 high) deferred to a separate PR after we test the trust- marker patterns against an ansible-core 2.19 EE. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>