fix: Resolve CI build and security scan issues

florath · florath · commit c84aca0997f6 · 2025-11-19T16:17:39.000Z
- Fix build dependency installation verification in build job
- Fix bandit B324: Use usedforsecurity=False for MD5 cache keys
- Fix bandit B608: Add nosec comments for parameterized SQL queries
- Make bandit fail on high/medium severity issues (remove || true)
- Bandit already runs on all branches, now properly enforced

These SQL queries use parameterized placeholders (?) and are safe
from SQL injection. MD5 is only used for cache key generation, not
cryptographic security.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -113,7 +113,8 @@ jobs:
 
     - name: Run bandit security scan
       run: |
-        bandit -r src/ -f json -o bandit-report.json || true
+        bandit -r src/ -ll -f json -o bandit-report.json
+        echo "Bandit scan completed. Check bandit-report.json for details."
 
     - name: Run safety check
       run: |
@@ -143,7 +144,8 @@ jobs:
     - name: Install build dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install build twine
+        pip install --upgrade build twine
+        python -m pip list | grep -E "(build|twine)"
 
     - name: Build package
       run: |
diff --git a/src/aletheia_probe/backends/base.py b/src/aletheia_probe/backends/base.py
@@ -269,7 +269,7 @@ def _generate_cache_key(self, query_input: QueryInput) -> str:
             query_input.identifiers.get("doi", ""),
         ]
         key_string = "|".join(key_parts)
-        return hashlib.md5(key_string.encode()).hexdigest()
+        return hashlib.md5(key_string.encode(), usedforsecurity=False).hexdigest()  # nosec B324 - MD5 used for cache key, not security
 
     async def query_with_timeout(
         self, query_input: QueryInput, timeout: int = 10
diff --git a/src/aletheia_probe/cache.py b/src/aletheia_probe/cache.py
@@ -464,6 +464,7 @@ def search_journals(
             if rows:
                 journal_ids = [dict(row)["id"] for row in rows]
                 placeholders = ",".join("?" * len(journal_ids))
+                # nosec B608 - SQL uses parameterized placeholders, not string interpolation
                 url_cursor = conn.execute(
                     f"""
                     SELECT journal_id, url FROM journal_urls
diff --git a/src/aletheia_probe/cache_sync.py b/src/aletheia_probe/cache_sync.py
@@ -182,6 +182,7 @@ def _batch_write_journals(
                 existing_journals = {}
                 if normalized_names:
                     placeholders = ",".join("?" * len(normalized_names))
+                    # nosec B608 - SQL uses parameterized placeholders, not string interpolation
                     cursor.execute(
                         f"SELECT id, normalized_name FROM journals WHERE normalized_name IN ({placeholders})",
                         normalized_names,

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ def _generate_cache_key(self, query_input: QueryInput) -> str:`
`269`	`269`	`query_input.identifiers.get("doi", ""),`
`270`	`270`	`]`
`271`	`271`	`key_string = "\|".join(key_parts)`
`272`		`- return hashlib.md5(key_string.encode()).hexdigest()`
	`272`	`+ return hashlib.md5(key_string.encode(), usedforsecurity=False).hexdigest() # nosec B324 - MD5 used for cache key, not security`
`273`	`273`
`274`	`274`	`async def query_with_timeout(`
`275`	`275`	`self, query_input: QueryInput, timeout: int = 10`