dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

docs(code-review): resolve InboundAPI-026/027/028/029 + record InboundAPI-030

Browse Source 
Records the remediation in commit b3c90143: Database helper authorized + secured
(parameterized, writes allowed, async/deadline-bound), WaitForAttribute bound by the
wait timeout, and the newly-surfaced compile-surface-mirror gap (030) fixed. InboundAPI
drops to 0 open findings; aggregate README regenerated (0 pending / 568 total).
This commit is contained in:
Joseph Doherty
2026-06-23 22:03:47 -04:00
parent b3c9014379
commit 1f9de8a2b5
2 changed files with 128 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
code-reviews/README.md
+11 -18
View File
@@ -40,10 +40,10 @@ module file and counted in **Total**.
| Severity | Open findings |
|----------|---------------|
| Critical | 0 |
| High | 1 |
| Medium | 1 |
| Low | 2 |
| **Total** | **4** |
| High | 0 |
| Medium | 0 |
| Low | 0 |
| **Total** | **0** |
## Module Status
@@ -61,7 +61,7 @@ module file and counted in **Total**.
| [ExternalSystemGateway](ExternalSystemGateway/findings.md) | 2026-06-20 | `4307c381` | 0/0/0/0 | 0 | 26 |
| [HealthMonitoring](HealthMonitoring/findings.md) | 2026-06-20 | `4307c381` | 0/0/0/0 | 0 | 25 |
| [Host](Host/findings.md) | 2026-06-20 | `4307c381` | 0/0/0/0 | 0 | 26 |
| [InboundAPI](InboundAPI/findings.md) | 2026-06-20 | `4307c381` | 0/1/1/2 | 4 | 29 |
| [InboundAPI](InboundAPI/findings.md) | 2026-06-20 | `4307c381` | 0/0/0/0 | 0 | 30 |
| [KpiHistory](KpiHistory/findings.md) | 2026-06-20 | `4307c381` | 0/0/0/0 | 0 | 6 |
| [ManagementService](ManagementService/findings.md) | 2026-06-19 | `d6ead8ae` | 0/0/0/0 | 0 | 26 |
| [NotificationOutbox](NotificationOutbox/findings.md) | 2026-06-19 | `d6ead8ae` | 0/0/0/0 | 0 | 13 |
@@ -86,21 +86,14 @@ description, location, recommendation — lives in the module's `findings.md`.
_None open._
### High (1)
### High (0)
| ID | Module | Title |
|----|--------|-------|
| InboundAPI-026 | [InboundAPI](InboundAPI/findings.md) | `InboundDatabaseHelper` gives inbound scripts arbitrary raw SQL (not read-only); contradicts the design doc's "No direct database access" decision and regresses InboundAPI-007 |
_None open._
### Medium (1)
### Medium (0)
| ID | Module | Title |
|----|--------|-------|
| InboundAPI-027 | [InboundAPI](InboundAPI/findings.md) | `InboundDatabaseHelper` is sync-over-async and ignores the method-deadline token — thread-pool starvation and an unbounded slow query |
_None open._
### Low (2)
### Low (0)
| ID | Module | Title |
|----|--------|-------|
| InboundAPI-028 | [InboundAPI](InboundAPI/findings.md) | `InboundDatabaseHelper` has no negative-path tests; `Database`/`WaitForAttribute` are not exercised end-to-end through the endpoint |
| InboundAPI-029 | [InboundAPI](InboundAPI/findings.md) | Routed `WaitForAttribute` is cancelled by the method-level deadline, contradicting spec §6 (wait bounded by the wait timeout, not the method timeout) |
_None open._