fix: clean up sonar cube medium high and critical security

src/aiperf/common/models/sequence_distribution.py

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 """
 Sequence length distribution models for AIPerf benchmarking.
@@ -266,11 +266,14 @@ class DistributionParser:
     """Parser for various sequence length distribution string formats."""
 
     # Regex patterns for different formats (allow whitespace and optional stddev)
+    # Use unambiguous numeric pattern to avoid ReDoS: (?:\d+(?:\.\d+)?|\.\d+)
+    # This matches: integers (123), decimals (123.45), or leading-dot decimals (.45)
+    _NUM = r"(?:\d+(?:\.\d+)?|\.\d+)"
     SEMICOLON_PATTERN = re.compile(
-        r"(\d+)(?:\|([0-9]*\.?[0-9]+))?\s*,\s*(\d+)(?:\|([0-9]*\.?[0-9]+))?\s*:\s*([0-9]*\.?[0-9]+)"
+        rf"(\d+)(?:\|({_NUM}))?\s*,\s*(\d+)(?:\|({_NUM}))?\s*:\s*({_NUM})"
     )
     BRACKET_PATTERN = re.compile(
-        r"\(\s*(\d+)(?:\|([0-9]*\.?[0-9]+))?\s*,\s*(\d+)(?:\|([0-9]*\.?[0-9]+))?\s*\)\s*:\s*([0-9]*\.?[0-9]+)"
+        rf"\(\s*(\d+)(?:\|({_NUM}))?\s*,\s*(\d+)(?:\|({_NUM}))?\s*\)\s*:\s*({_NUM})"
     )
 
     @classmethod

src/aiperf/gpu_telemetry/metrics_config.py

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 """GPU telemetry metrics configuration utilities."""
@@ -136,7 +136,9 @@ def _infer_unit_from_help(self, help_msg: str) -> MetricUnitT:
             GenericMetricUnit.PERCENT
         """
         # Extract unit from "(in UNIT)" pattern
-        match = re.search(r"\(in\s+([^)]+)\)", help_msg, re.IGNORECASE)
+        # Use [^\s)]+ instead of [^)]+ to avoid ReDoS from overlapping quantifiers
+        # (whitespace matches both \s+ and [^)]+, causing O(n²) backtracking)
+        match = re.search(r"\(in\s+([^\s)]+)\)", help_msg, re.IGNORECASE)
         if not match:
             return GenericMetricUnit.COUNT
 

src/aiperf/server_metrics/units.py

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 """Detect units from prometheus metric descriptions and names"""
 
@@ -267,7 +267,8 @@ def _parse_unit_from_metric_name(metric_name: str) -> BaseMetricUnit | None:
 
 # Regex to match "(in <unit>)" pattern and capture the unit.
 # Examples: "(in MiB)", "(in W)", "(in mJ)", "(in C)"
-_PARENTHETICAL_IN_UNIT_PATTERN = re.compile(r"\(in\s+([^)]+)\)")
+# Use [^\s)]+ instead of [^)]+ to avoid ReDoS from overlapping quantifiers
+_PARENTHETICAL_IN_UNIT_PATTERN = re.compile(r"\(in\s+([^\s)]+)\)")
 
 
 def _parse_parenthetical_unit(description: str | None) -> BaseMetricUnit | None:

tests/ci/test_docs_end_to_end/parser.py

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 """
 Markdown parser for extracting server setup and AIPerf run commands.
@@ -55,7 +55,9 @@ def _parse_file(self, file_path: str):
 
             # Look for HTML comment tags
             if line.startswith("<!--") and line.endswith("-->"):
-                tag_match = re.match(r"<!--\s*([^-\s]+.*?)\s*-->", line)
+                # Use [^-\s]\S* instead of [^-\s]+.*? to avoid ReDoS
+                # (both quantifiers can match the same chars, causing O(n²) backtracking)
+                tag_match = re.match(r"<!--\s*([^-\s]\S*)\s*-->", line)
                 if tag_match:
                     tag_name = tag_match.group(1).strip()