
Commit 6f5d958

dreamiurg and claude authored
fix: suppress CodeQL false positives in formatters.py (#57)
* ci: pin GitHub Actions to commit SHAs for security

Pin all GitHub Actions dependencies to specific commit SHAs instead of version tags to prevent supply chain attacks. This follows OpenSSF Scorecard best practices for dependency pinning.

Pinned actions:
- actions/checkout@v5
- actions/create-github-app-token@v2
- actions/setup-python@v6
- actions/upload-artifact@v4
- amannn/action-semantic-pull-request@v6
- astral-sh/setup-uv@v7
- codecov/codecov-action@v5
- github/codeql-action/*@V3
- github/codeql-action/*@v4
- ossf/scorecard-action@v2.4.3
- pypa/gh-action-pypi-publish@release/v1

All SHAs include comments showing the original version tag for maintainability.

Expected impact: Pinned-Dependencies score 0 → 10

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: suppress CodeQL false positives with explanatory comments

Suppress two categories of CodeQL alerts that are false positives:

1. Clear-text logging (alert #31): The flagged print() statement outputs public peak data to stdout for CLI users, not logging. No sensitive data is handled by this tool.
2. Overly permissive regex (alerts #32-35): The emoji removal regex uses overlapping Unicode ranges intentionally for comprehensive coverage. Used only for display formatting, not security validation.

Both suppressions include detailed comments explaining why the alerts are false positives in this context.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
1 parent b0a908a commit 6f5d958
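The first part of the commit message describes pinning every third-party action to a full commit SHA and recording the original tag in a trailing comment. As an added example (not code from the peakbagger project or from this commit), here is a small checker that reads a workflow file's text and reports which `uses:` references are still a tag, a branch or a short SHA, and which full-SHA pins lack the tag comment. The workflow text and the SHAs in it are constructed for illustration, and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass


# A full 40-hex-digit commit SHA is the only ref the action's maintainers
# cannot move after the fact; tags (v5), branches (release/v1) and short
# SHAs (abcdef01) all can, so only a full SHA counts as pinned here.
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Matches a `uses:` step that references a GitHub-hosted action, with an
# optional trailing `# v6`-style comment recording the tag the SHA came from.
# Local actions (./path) and docker:// references carry no `@ref` and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.\-]+/[\w.\-/]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    line: int
    action: str
    ref: str
    status: str  # "pinned", "pinned-without-tag-comment" or "unpinned"


def check_workflow(text: str) -> list[Finding]:
    """Classify every action reference found in a workflow file's text."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if FULL_SHA_RE.fullmatch(ref):
            # Pinned; flag it if the human-readable tag comment is missing,
            # since that is what keeps the pin maintainable.
            status = "pinned" if comment else "pinned-without-tag-comment"
        else:
            status = "unpinned"
        findings.append(Finding(lineno, action, ref, status))
    return findings


def unpinned_actions(text: str) -> list[str]:
    """Return `action@ref` for every step that is not pinned to a full SHA."""
    return [f"{f.action}@{f.ref}" for f in check_workflow(text) if f.status == "unpinned"]


# Constructed sample workflow for this example; the SHAs are made up, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v6
      - uses: astral-sh/setup-uv@89abcdef0123456789abcdef0123456789abcdef
      - uses: github/codeql-action/init@abcdef01  # v4
"""


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} -> {f.status}")
```

Running it over a real `.github/workflows/*.yml` is a one-line change (read the file instead of `SAMPLE_WORKFLOW`); a non-empty `unpinned_actions()` result is what the OpenSSF Scorecard Pinned-Dependencies check would also penalise, and the short SHA on the last sample line shows why the check insists on all 40 hex digits rather than "looks like a SHA".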

File tree

1 file changed

+7
-0
lines changed

peakbagger/formatters.py

Lines changed: 7 additions & 0 deletions
@@ -94,6 +94,9 @@ def _print_json(self, data: dict[str, Any] | list[dict[str, Any]]) -> None:
9494
Uses plain print() instead of console.print() to avoid Rich processing
9595
escape sequences in the JSON, which would make it invalid.
9696
"""
97+
# lgtm[py/clear-text-logging-sensitive-data]
98+
# This is intentional CLI output, not logging. The tool only handles public
99+
# peak data from PeakBagger.com - no credentials or sensitive information.
97100
print(json.dumps(data, indent=2, ensure_ascii=False))
98101

99102
def _print_search_table(self, results: list[SearchResult]) -> None:
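Review bot: the `# lgtm[py/clear-text-logging-sensitive-data]` marker is on its own line three lines above `print(json.dumps(data, indent=2, ensure_ascii=False))`, but lgtm suppression comments apply to the line they are written on, so as placed it is unlikely to close alert #31. Keep the explanatory comment where it is and move the marker to a trailing comment on the flagged statement, e.g. `print(json.dumps(data, indent=2, ensure_ascii=False))  # lgtm[py/clear-text-logging-sensitive-data]`, then confirm on the next CodeQL run that the alert actually disappears rather than assuming the comment took effect.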
@@ -346,6 +349,10 @@ def strip_emojis(text: str) -> str:
346349
import re
347350

348351
# Pattern matches emoji ranges
352+
# lgtm[py/overly-large-range]
353+
# This regex is for display formatting only (removing emojis from scraped
354+
# text). Overlapping ranges are intentional for comprehensive emoji coverage.
355+
# Not used for security validation or input sanitization.
349356
emoji_pattern = re.compile(
350357
"["
351358
"\U0001f600-\U0001f64f" # emoticons
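Review bot: same placement problem here, plus a mismatch in the justification. The `# lgtm[py/overly-large-range]` marker sits four lines above `emoji_pattern = re.compile(`, while the four alerts (#32-35 per the commit message) are raised on the individual range literals inside the character class, such as `"\U0001f600-\U0001f64f"  # emoticons`; one line-scoped marker above the compile call covers none of them. Put the marker as a trailing comment on each flagged range line, next to the existing `# emoticons`-style labels. Also, the new comment says "Overlapping ranges are intentional", but py/overly-large-range is about a range spanning more characters than intended, not about ranges overlapping each other; state which ranges are deliberately broad and why stripping extra characters is harmless for display-only output, so the written rationale matches what the query flags.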

0 commit comments
