apme: L047 no_log fixes + post-sweep review doc #5

Merged
anaeem merged 1 commit from apme/l047-l098-fp into main 2026-05-22 20:07:14 +00:00
Owner

Follow-up to PR #4 after re-scanning main with APME (scan 230db6093e86… on commit ef35440).

L047 fixes (2 high-severity):

  • roles/satellite_lookup/tasks/main.yml: no_log: falseno_log: true
  • roles/satellite_lookup/tasks/paginate.yml: added no_log: true

Both tasks pass password: {{ satellite_password }} to uri: and were leaking the auth header into job stdout.

Documentation:

  • docs/APME_REVIEW.md now has the post-sweep scan analysis with the proper severity-based triage (vs raw count). Real engineering work is ~76 findings of error+high+medium-security severity; the other 1559 are style/info noise.
  • All 13 L098 "errors" are documented as false positives from APME parser bugs (same-named keys at same indent under different parents, block-literal msg: | content parsed as YAML, Jinja {% set %} lines read as YAML mapping entries).

M005 (59 high — 2.19 untrusted-template) deferred for a separate PR that tests the trust-marker patterns against an ansible-core 2.19 EE.

Follow-up to PR #4 after re-scanning main with APME (scan 230db6093e86… on commit ef35440). **L047 fixes (2 high-severity):** - `roles/satellite_lookup/tasks/main.yml`: `no_log: false` → `no_log: true` - `roles/satellite_lookup/tasks/paginate.yml`: added `no_log: true` Both tasks pass `password: {{ satellite_password }}` to `uri:` and were leaking the auth header into job stdout. **Documentation:** - `docs/APME_REVIEW.md` now has the post-sweep scan analysis with the proper severity-based triage (vs raw count). Real engineering work is ~76 findings of error+high+medium-security severity; the other 1559 are style/info noise. - All 13 L098 "errors" are documented as false positives from APME parser bugs (same-named keys at same indent under different parents, block-literal `msg: |` content parsed as YAML, Jinja `{% set %}` lines read as YAML mapping entries). M005 (59 high — 2.19 untrusted-template) deferred for a separate PR that tests the trust-marker patterns against an ansible-core 2.19 EE.
apme L047 fix + post-sweep review
Some checks failed
APME static analysis / apme-check (pull_request) Has been cancelled
cc6cb5b200
L047 high-severity fixes (2 instances, both real and actionable):

* roles/satellite_lookup/tasks/main.yml: `no_log: false` (worse than
  missing — explicit "log everything") flipped to `no_log: true` on the
  `uri:` task that passes `password: "{{ satellite_password }}"`.
* roles/satellite_lookup/tasks/paginate.yml: added `no_log: true` to
  the paginating uri: call (same password param). Downside is GET
  response (package data) is also masked; operator can flip flag and
  re-run with -vvv on failure.

docs/APME_REVIEW.md: updated with the 2026-05-22 post-sweep scan
(230db6093e86…) findings. Highlights:

- Total dropped 1871 → 1635 (-236) — matches PR #4's predicted sweep
  exactly (L067 -67, L025 -86, L070 -64, L057 -19).
- Severity breakdown is the right lens: 13 error + 61 high + 167
  medium + 1179 low + 215 info. The 1394 low/info are noise; real
  engineering work is the ~76 error+high+medium-security findings.
- All 13 L098 "errors" are FALSE POSITIVES from APME's YAML parser
  (same-named keys under different parents flagged as duplicates;
  block-literal `msg: |` content parsed as YAML; Jinja `{% set %}`
  /`{# comment #}` parsed as mapping entries). Filed in the doc.
- M005 (59 high) deferred to a separate PR after we test the trust-
  marker patterns against an ansible-core 2.19 EE.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
anaeem merged commit eb46b491fc into main 2026-05-22 20:07:14 +00:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
anaeem/ansible-collection-discovery!5
No description provided.