Skip to content

v3.1.0: Security hardening, robustness fixes, BSON chunking, and OPA compatibility#741

Merged
farchide merged 2 commits intomasterfrom
release/v3.1.0
Mar 2, 2026
Merged

v3.1.0: Security hardening, robustness fixes, BSON chunking, and OPA compatibility#741
farchide merged 2 commits intomasterfrom
release/v3.1.0

Conversation

@farchide
Copy link
Collaborator

@farchide farchide commented Feb 28, 2026
edited
Loading

Summary

  • Security: Fixed 16 critical vulnerabilities — replaced eval()/exec() with safe alternatives, eliminated command injection via os.system() and shell=True, replaced unsafe yaml.load(), removed hardcoded credentials from config/logs, added Kubernetes SSL verification, replaced random with secrets for ID generation
  • Robustness: Added HTTP request timeouts (30s) across all connectors, fixed 59 bare except: clauses with proper exception handling and logging, replaced deprecated datetime.utcnow() with datetime.now(timezone.utc), fixed mutable default arguments, fixed file handle leaks, added thread-safe MongoDB connections with query sanitization
  • BSON fix: Resolved crash when master snapshot documents exceed MongoDB's 16MB BSON limit (e.g., 100+ IAM policies). Large documents are now automatically split into chunks on write and merged back on read
  • OPA v1.x compatibility: Added --v0-compatible flag to OPA eval subprocess calls so Rego v0 syntax compliance rules work correctly with OPA 1.8+
  • Filesystem mode fix: Guarded update_crawler_run_status from MongoDB calls when running with database=NONE
  • Tests: Added 988+ unit tests preserving contracts for JSON schemas, snapshot structures, validation pipelines, template detection, and round-trip chunk split/merge
  • Version: Bumped from 3.0.28 → 3.1.0

Files Changed

64 files changed across source code (52 files), tests (11 new + 1 updated), and audit documentation (1 new).

See CRITICAL_ISSUES_AUDIT.md for the full issue inventory and remediation details.

Test plan

  • Build succeeds (python setup.py sdist bdist_wheel)
  • 988 unit tests pass, 0 regressions (2 pre-existing terraform failures unchanged)
  • Round-trip tests verify snapshot split/merge preserves all nodes
  • Full end-to-end AWS compliance run validated: crawler snapshots 91 nodes across 34 regions, 2444 OPA/Rego tests executed (2165 passed, 279 compliance findings)
  • No BSON size limit crashes in filesystem mode
  • OPA v1.8.0 with --v0-compatible flag correctly evaluates all Rego v0 rules

🤖 Generated with Claude Code

farchide and others added 2 commits February 28, 2026 15:59
@claude
v3.1.0: Security hardening, robustness fixes, and BSON chunking
7b7a499 
- Fix 38 critical/high severity issues across 50+ source files
- Replace eval/exec/yaml.load with safe alternatives (ast.literal_eval, importlib, yaml.safe_load)
- Eliminate command injection via os.system and shell=True Popen
- Add HTTP request timeouts, fix bare excepts, replace deprecated datetime.utcnow
- Add thread-safe MongoDB connections with query sanitization
- Fix MongoDB BSON 16MB limit crash by splitting/merging large snapshot documents
- Replace hardcoded /tmp paths with tempfile, remove credentials from config/logs
- Add 988+ unit tests preserving contracts for JSON schemas, snapshots, and validation
- Bump version to 3.1.0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix OPA compatibility
e88de92
@farchide farchide changed the title v3.1.0: Security hardening, robustness fixes, and BSON chunking v3.1.0: Security hardening, robustness fixes, BSON chunking, and OPA compatibility Mar 2, 2026
@farchide farchide merged commit 08718cf into master Mar 2, 2026
1 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@farchide