Skip to content

fix(ci): annotate test CSRF disables for SonarCloud S4502#58

Merged
AlexanderWagnerDev merged 1 commit into
mainfrom
cursor/ci-autofix-automation-5e8f
Jul 15, 2026
Merged

fix(ci): annotate test CSRF disables for SonarCloud S4502#58
AlexanderWagnerDev merged 1 commit into
mainfrom
cursor/ci-autofix-automation-5e8f

Conversation

@cursor

@cursor cursor Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

SonarCloud failed on main after commit b15de15 because new pytest coverage set WTF_CSRF_ENABLED = False without # NOSONAR annotations. SonarCloud rule python:S4502 treats those as new security vulnerabilities and fails the new_security_rating quality gate.

Changes

Verification

  • python3 -m pytest -m "not integration" — 81 passed locally.
Open in Web View Automation 

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

Commit b15de15 added pytest coverage that sets WTF_CSRF_ENABLED=False
without NOSONAR comments, which SonarCloud flags as new security
vulnerabilities and fails the new_security_rating quality gate on main.

Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
@sonarqubecloud

Copy link
Copy Markdown

@AlexanderWagnerDev AlexanderWagnerDev marked this pull request as ready for review July 15, 2026 13:44
@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Annotate test-only CSRF disables to satisfy SonarCloud S4502

🐞 Bug fix 🧪 Tests 🕐 Less than 5 minutes

Grey Divider

AI Description

• Add NOSONAR annotations to test-only CSRF disables flagged by SonarCloud S4502.
• Prevent SonarCloud quality gate failures on new_security_rating for recent pytest additions.
Diagram

graph TD
  Dev["Test config disables CSRF"] --> Pytest["pytest run"] --> Sonar{{"SonarCloud"}} --> Gate{"Quality gate (S4502)"} --> Merge["Main green"]
  Gate --> Block["CI fails"]
  subgraph Legend
    direction LR
    _p["Process"] ~~~ _e{{"External"}} ~~~ _d{"Decision"}
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Keep CSRF enabled and post with valid CSRF tokens in tests
  • ➕ Avoids suppressing a security rule
  • ➕ Exercises realistic request/CSRF behavior
  • ➖ More test setup complexity (token extraction, session handling)
  • ➖ May add boilerplate across many tests
2. Centralize the CSRF disable + suppression in a shared fixture
  • ➕ Removes repeated per-test config lines/comments
  • ➕ Makes intent explicit and consistent across the suite
  • ➖ Requires refactoring test setup patterns
  • ➖ Fixture scope mistakes could unintentionally affect tests that should keep CSRF on

Recommendation: The current approach (inline NOSONAR with an explicit test-only rationale) is a pragmatic CI unblocking fix with minimal behavioral risk. If CSRF disables continue to spread, consider a shared fixture to reduce repetition and keep the suppression localized.

Files changed (2) +6 / -6

Tests (2) +6 / -6
test_app.pyAdd NOSONAR rationale to test-only CSRF disables +5/-5

Add NOSONAR rationale to test-only CSRF disables

• Annotates multiple instances of 'application.config["WTF_CSRF_ENABLED"] = False' with a NOSONAR comment explaining test client form posts without tokens. This prevents SonarCloud python:S4502 from being counted as new security issues.

tests/test_app.py

test_login_routes.pySuppress SonarCloud S4502 for CSRF disable in login route test +1/-1

Suppress SonarCloud S4502 for CSRF disable in login route test

• Adds a NOSONAR comment to the test configuration disabling CSRF. This keeps SonarCloud from failing the quality gate on a test-only security rule violation.

tests/test_login_routes.py

@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Grey Divider

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

Grey Divider

Qodo Logo

@AlexanderWagnerDev AlexanderWagnerDev merged commit f2cbe8e into main Jul 15, 2026
10 checks passed
@AlexanderWagnerDev AlexanderWagnerDev deleted the cursor/ci-autofix-automation-5e8f branch July 15, 2026 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants