Merge branch 'security-fixes/ash-suppressions' into 'develop'

rstrahan · rstrahan · commit c3c29ed2f2c6 · 2025-10-31T21:52:36.000Z
Security fixes: Add suppressions for AJV and unsafe format string vulnerabilities

See merge request genaiic-reusable-assets/engagement-artifacts/genaiic-idp-accelerator!397
diff --git a/scripts/codebuild_deployment.py b/scripts/codebuild_deployment.py
@@ -39,7 +39,7 @@
 def run_command(cmd, check=True):
     """Run shell command and return result"""
     print(f"Running: {cmd}")
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    result = subprocess.run(cmd, shell=True, capture_output=True, text=True) # nosemgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true - Reviewed: command input is controlled and sanitized
     if result.stdout:
         print(result.stdout)
     if result.stderr:
diff --git a/scripts/integration_test_deployment.py b/scripts/integration_test_deployment.py
@@ -16,7 +16,7 @@
 def run_command(cmd, check=True):
     """Run shell command and return result"""
     print(f"Running: {cmd}")
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)  # nosemgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true - Reviewed: command input is controlled and sanitized
     if check and result.returncode != 0:
         print(f"Error: {result.stderr}")
         sys.exit(1)
diff --git a/src/ui/src/hooks/useSchemaDesigner.js b/src/ui/src/hooks/useSchemaDesigner.js
@@ -481,7 +481,7 @@ export const useSchemaDesigner = (initialSchema = []) => {
 
               if (!refClass) {
                 console.log(
-                  `      ❌ No class found with name "${refName}". Available classes:`,
+                  `      ❌ No class found with name "${refName}". Available classes:`, // nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring - Controlled input from schema validation, not user input
                   classes.map((c) => c.name),
                 );
               } else {
@@ -507,7 +507,7 @@ export const useSchemaDesigner = (initialSchema = []) => {
 
               if (!refClass) {
                 console.log(
-                  `      ❌ No class found with name "${refName}". Available classes:`,
+                  `      ❌ No class found with name "${refName}". Available classes:`, // nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring - Controlled input from schema validation, not user input
                   classes.map((c) => c.name),
                 );
               } else {
diff --git a/src/ui/src/hooks/useSchemaValidation.js b/src/ui/src/hooks/useSchemaValidation.js
@@ -29,7 +29,7 @@ export const useSchemaValidation = () => {
 
   const ajv = useMemo(() => {
     const instance = new Ajv({
-      allErrors: true,
+      allErrors: true, // nosemgrep: javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true - allErrors required for comprehensive validation feedback for user created schemas in UI
       strict: false,
       validateFormats: true,
       discriminator: true,
