carverauto/serviceradar

Fork 0

linting srql #2661

Merged

mfreeman451 merged 2 commits from refs/pull/2661/head into staging

2026-01-14 03:56:27 +00:00

mfreeman451 commented

2026-01-14 03:41:26 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #2281
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2281
Original created: 2026-01-14T03:41:26Z
Original updated: 2026-01-14T03:56:29Z
Original head: carverauto/serviceradar:update/linter_fix
Original base: staging
Original merged: 2026-01-14T03:56:27Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement

Description

Refactored SRQL translation execution for improved code clarity
Extracted parameter decoding and schema handling into separate functions
Introduced helper functions for SQL execution and response building
Simplified control flow using pipe operators and case expressions

Diagram Walkthrough

flowchart LR
  A["execute_translation"] -->|"decode params"| B["execute_translation_with_params"]
  B -->|"check schema"| C["run_sql or run_sql_in_schema"]
  C -->|"build response"| D["build_translation_response"]
  D -->|"return result"| E["final response"]

File Walkthrough

Relevant files

Enhancement

srql.ex

Extract and refactor SRQL translation execution logic

web-ng/lib/serviceradar_web_ng/srql.ex

Refactored execute_translation/2 to use pipe operators and extracted
parameter handling
Created new execute_translation_with_params/4 function to handle
schema-based query execution
Added run_sql/2 helper function for direct SQL queries without schema
Added run_sql_in_schema/3 helper function for transactional
schema-based queries
Added build_translation_response/2 helper function to standardize
response building

+44/-22

Imported from GitHub pull request. Original GitHub pull request: #2281 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/2281 Original created: 2026-01-14T03:41:26Z Original updated: 2026-01-14T03:56:29Z Original head: carverauto/serviceradar:update/linter_fix Original base: staging Original merged: 2026-01-14T03:56:27Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement ___ ### **Description** - Refactored SRQL translation execution for improved code clarity - Extracted parameter decoding and schema handling into separate functions - Introduced helper functions for SQL execution and response building - Simplified control flow using pipe operators and case expressions ___ ### Diagram Walkthrough ```mermaid flowchart LR A["execute_translation"] -->|"decode params"| B["execute_translation_with_params"] B -->|"check schema"| C["run_sql or run_sql_in_schema"] C -->|"build response"| D["build_translation_response"] D -->|"return result"| E["final response"] ``` <details><summary><h3>File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Enhancement</td><td><table> <tr> <td> <details> <summary>srql.ex<dd><code>Extract and refactor SRQL translation execution logic</code>        </dd></summary> <hr> web-ng/lib/serviceradar_web_ng/srql.ex <ul><li>Refactored <code>execute_translation/2</code> to use pipe operators and extracted parameter handling <li> Created new <code>execute_translation_with_params/4</code> function to handle schema-based query execution <li> Added <code>run_sql/2</code> helper function for direct SQL queries without schema <li> Added <code>run_sql_in_schema/3</code> helper function for transactional schema-based queries <li> Added <code>build_translation_response/2</code> helper function to standardize response building</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2281/files#diff-dffa2e7586a9d96fb5dcadde453dae7f3b09624e84b0878da10f57706781aba1">+44/-22</a>  </td> </tr> </table></td></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2026-01-14 03:41:58 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2281#issuecomment-3747546888
Original created: 2026-01-14T03:41:58Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: No audit logging: The refactored SQL execution path adds no audit log entries for query execution, so it is unclear whether critical actions are captured with user/tenant context elsewhere. Referred Code defp execute_translation(%{"sql" => sql} = translation, scope) when is_binary(sql) do translation \|> Map.get("params", []) \|> decode_params() \|> case do {:ok, params} -> execute_translation_with_params(sql, params, translation, scope) {:error, reason} -> {:error, reason} end end defp execute_translation(_translation, _scope) do {:error, :invalid_srql_translation} end defp execute_translation_with_params(sql, params, translation, scope) do scope \|> tenant_schema_for_scope() \|> case do ... (clipped 9 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Error context unclear: Database and transaction errors are returned directly (`{:error, reason}`) without additional context or logging, and it is unclear whether upstream handling adds actionable context and monitoring. Referred Code defp run_sql(sql, params) do Ecto.Adapters.SQL.query(Repo, sql, params) end defp run_sql_in_schema(sql, params, schema) do Repo.transaction(fn -> run_query_in_schema(sql, params, schema) end) \|> case do {:ok, {:ok, result}} -> {:ok, result} {:ok, {:error, reason}} -> {:error, reason} {:error, reason} -> {:error, reason} end end defp build_translation_response({:ok, result}, translation) do {:ok, build_response(translation, result)} end defp build_translation_response({:error, reason}, _translation) do {:error, reason} end Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: DB errors surfaced: The new helpers propagate raw adapter/transaction error reasons (`{:error, reason}`) which may expose internal database details to callers depending on how these errors are presented to end users. Referred Code defp run_sql(sql, params) do Ecto.Adapters.SQL.query(Repo, sql, params) end defp run_sql_in_schema(sql, params, schema) do Repo.transaction(fn -> run_query_in_schema(sql, params, schema) end) \|> case do {:ok, {:ok, result}} -> {:ok, result} {:ok, {:error, reason}} -> {:error, reason} {:error, reason} -> {:error, reason} end end defp build_translation_response({:ok, result}, translation) do {:ok, build_response(translation, result)} end defp build_translation_response({:error, reason}, _translation) do {:error, reason} end Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Raw SQL execution: The refactor continues to execute `sql` received from `translation` via `Ecto.Adapters.SQL.query/3`, so compliance depends on whether `translation["sql"]` is guaranteed to be generated server-side and not user-controlled. Referred Code defp execute_translation(%{"sql" => sql} = translation, scope) when is_binary(sql) do translation \|> Map.get("params", []) \|> decode_params() \|> case do {:ok, params} -> execute_translation_with_params(sql, params, translation, scope) {:error, reason} -> {:error, reason} end end defp execute_translation(_translation, _scope) do {:error, :invalid_srql_translation} end defp execute_translation_with_params(sql, params, translation, scope) do scope \|> tenant_schema_for_scope() \|> case do ... (clipped 8 lines) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2281#issuecomment-3747546888 Original created: 2026-01-14T03:41:58Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td>🟢</td><td><details><summary>No security concerns identified</summary> No security vulnerabilities detected by AI analysis. Human verification advised for critical code. </details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=2>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=4>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2281/files#diff-dffa2e7586a9d96fb5dcadde453dae7f3b09624e84b0878da10f57706781aba1R264-R293'>No audit logging</a>: The refactored SQL execution path adds no audit log entries for query execution, so it is unclear whether critical actions are captured with user/tenant context elsewhere. <details open><summary>Referred Code</summary> ```elixir defp execute_translation(%{"sql" => sql} = translation, scope) when is_binary(sql) do translation |> Map.get("params", []) |> decode_params() |> case do {:ok, params} -> execute_translation_with_params(sql, params, translation, scope) {:error, reason} -> {:error, reason} end end defp execute_translation(_translation, _scope) do {:error, :invalid_srql_translation} end defp execute_translation_with_params(sql, params, translation, scope) do scope |> tenant_schema_for_scope() |> case do ... (clipped 9 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2281/files#diff-dffa2e7586a9d96fb5dcadde453dae7f3b09624e84b0878da10f57706781aba1R337-R356'>Error context unclear</a>: Database and transaction errors are returned directly (<code>{:error, reason}</code>) without additional context or logging, and it is unclear whether upstream handling adds actionable context and monitoring. <details open><summary>Referred Code</summary> ```elixir defp run_sql(sql, params) do Ecto.Adapters.SQL.query(Repo, sql, params) end defp run_sql_in_schema(sql, params, schema) do Repo.transaction(fn -> run_query_in_schema(sql, params, schema) end) |> case do {:ok, {:ok, result}} -> {:ok, result} {:ok, {:error, reason}} -> {:error, reason} {:error, reason} -> {:error, reason} end end defp build_translation_response({:ok, result}, translation) do {:ok, build_response(translation, result)} end defp build_translation_response({:error, reason}, _translation) do {:error, reason} end ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2281/files#diff-dffa2e7586a9d96fb5dcadde453dae7f3b09624e84b0878da10f57706781aba1R337-R356'>DB errors surfaced</a>: The new helpers propagate raw adapter/transaction error reasons (<code>{:error, reason}</code>) which may expose internal database details to callers depending on how these errors are presented to end users. <details open><summary>Referred Code</summary> ```elixir defp run_sql(sql, params) do Ecto.Adapters.SQL.query(Repo, sql, params) end defp run_sql_in_schema(sql, params, schema) do Repo.transaction(fn -> run_query_in_schema(sql, params, schema) end) |> case do {:ok, {:ok, result}} -> {:ok, result} {:ok, {:error, reason}} -> {:error, reason} {:error, reason} -> {:error, reason} end end defp build_translation_response({:ok, result}, translation) do {:ok, build_response(translation, result)} end defp build_translation_response({:error, reason}, _translation) do {:error, reason} end ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2281/files#diff-dffa2e7586a9d96fb5dcadde453dae7f3b09624e84b0878da10f57706781aba1R264-R292'>Raw SQL execution</a>: The refactor continues to execute <code>sql</code> received from <code>translation</code> via <code>Ecto.Adapters.SQL.query/3</code>, so compliance depends on whether <code>translation["sql"]</code> is guaranteed to be generated server-side and not user-controlled. <details open><summary>Referred Code</summary> ```elixir defp execute_translation(%{"sql" => sql} = translation, scope) when is_binary(sql) do translation |> Map.get("params", []) |> decode_params() |> case do {:ok, params} -> execute_translation_with_params(sql, params, translation, scope) {:error, reason} -> {:error, reason} end end defp execute_translation(_translation, _scope) do {:error, :invalid_srql_translation} end defp execute_translation_with_params(sql, params, translation, scope) do scope |> tenant_schema_for_scope() |> case do ... (clipped 8 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2026-01-14 03:42:49 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2281#issuecomment-3747549351
Original created: 2026-01-14T03:42:49Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Fix SQL injection in search_path Fix a SQL injection vulnerability by using a parameterized query instead of string interpolation when setting the `search_path`. web-ng/lib/serviceradar_web_ng/srql.ex [331-334] `-case Ecto.Adapters.SQL.query(Repo, "SET LOCAL search_path = #{search_path}", []) do +case Ecto.Adapters.SQL.query(Repo, "SET LOCAL search_path = $1, ag_catalog, pg_catalog, \"$user\", public", [schema]) do {:ok, _} -> Ecto.Adapters.SQL.query(Repo, sql, params) {:error, reason} -> {:error, {:search_path_failed, reason}} end` `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 10 __ Why: The suggestion correctly identifies a critical SQL injection vulnerability in setting the `search_path` and provides an appropriate fix using parameterized queries.	High
Possible issue	Handle SQL call exceptions Improve error handling in `run_sql/2` by wrapping the `Ecto.Adapters.SQL.query/3` call in a `try/rescue` block to catch and return any unexpected exceptions as an error tuple. web-ng/lib/serviceradar_web_ng/srql.ex [337-339] `defp run_sql(sql, params) do - Ecto.Adapters.SQL.query(Repo, sql, params) + try do + Ecto.Adapters.SQL.query(Repo, sql, params) + rescue + exception -> {:error, exception} + end end` Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion improves robustness by catching potential exceptions from the database adapter, but `Ecto` functions typically return error tuples rather than raising, so the impact is moderate.	Low
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2281#issuecomment-3747549351 Original created: 2026-01-14T03:42:49Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>Security</td> <td> <details><summary>Fix SQL injection in search_path</summary> ___ **Fix a SQL injection vulnerability by using a parameterized query instead of string interpolation when setting the <code>search_path</code>.** [web-ng/lib/serviceradar_web_ng/srql.ex [331-334]](https://github.com/carverauto/serviceradar/pull/2281/files#diff-dffa2e7586a9d96fb5dcadde453dae7f3b09624e84b0878da10f57706781aba1R331-R334) ```diff -case Ecto.Adapters.SQL.query(Repo, "SET LOCAL search_path = #{search_path}", []) do +case Ecto.Adapters.SQL.query(Repo, "SET LOCAL search_path = $1, ag_catalog, pg_catalog, \"$user\", public", [schema]) do {:ok, _} -> Ecto.Adapters.SQL.query(Repo, sql, params) {:error, reason} -> {:error, {:search_path_failed, reason}} end ``` `[To ensure code accuracy, apply this suggestion manually]` <details><summary>Suggestion importance[1-10]: 10</summary> __ Why: The suggestion correctly identifies a critical SQL injection vulnerability in setting the `search_path` and provides an appropriate fix using parameterized queries. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Handle SQL call exceptions</summary> ___ **Improve error handling in <code>run_sql/2</code> by wrapping the <code>Ecto.Adapters.SQL.query/3</code> call in a <code>try/rescue</code> block to catch and return any unexpected exceptions as an error tuple.** [web-ng/lib/serviceradar_web_ng/srql.ex [337-339]](https://github.com/carverauto/serviceradar/pull/2281/files#diff-dffa2e7586a9d96fb5dcadde453dae7f3b09624e84b0878da10f57706781aba1R337-R339) ```diff defp run_sql(sql, params) do - Ecto.Adapters.SQL.query(Repo, sql, params) + try do + Ecto.Adapters.SQL.query(Repo, sql, params) + rescue + exception -> {:error, exception} + end end ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 5</summary> __ Why: The suggestion improves robustness by catching potential exceptions from the database adapter, but `Ecto` functions typically return error tuples rather than raising, so the impact is moderate. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>