Background
While setting up the bandit/vulture pre-commit hooks (see the recent audit commit on main), an initial pass of LLM-driven code readers found a batch of real semantic bugs in the lib that the deterministic static analyzers (ruff F/B, bandit low/low, vulture confidence 80) do not catch: they are correctness issues that depend on understanding intent.
They should be triaged and either fixed or explicitly marked as "works as intended" with a short comment. Until then they remain latent bugs.
Findings
- cache.py:91 - the expiration check is result['timestamp'] != 0 and result['timestamp'] <= now. An entry whose timestamp equals the current second (timestamp == now) is immediately considered expired and deleted. Off-by-one; the comparison should probably be < instead of <=. Before flipping it, confirm what timestamp holds (the expiry instant, or the write time), since that decides whether the boundary should be inclusive; the one-second window is exactly what the smoke test should pin down.
- human.py:160 - _to_human() uses if n >= threshold to pick the unit. Negative values never satisfy n >= positive_threshold, so -1048576 returns -1048576.0B instead of -1.0 MiB. Sizes and deltas can legitimately be negative (counter resets, reclaim metrics). Picking the unit on the magnitude and re-applying the sign afterwards fixes it.
- shell.py:185 - the pipeline path creates a chain of subprocess.Popen processes and hands p.stdout to the next stage via stdin=p.stdout if p else subprocess.PIPE, but never closes the previous p.stdout in the parent after the next process has inherited it. The parent therefore keeps one pipe read end open per pipeline stage until the garbage collector collects the Popen objects. The missing close has a second effect: while the parent still holds a read end, an upstream stage cannot receive SIGPIPE when the downstream stage exits early, which is why the subprocess documentation closes p.stdout in the parent right after starting the next stage.
- url.py:158 - timeout=timeout if digest_auth_user else timeout is a dead ternary; both branches evaluate to the same value. Either the digest-auth branch was supposed to use a different timeout and that edit was lost, or the ternary can simply become timeout=timeout. The ternary on the next line for context should be reviewed for the same issue.
Acceptance criteria
Each item is either fixed with a short smoke test, or closed with a comment explaining why the code reader was wrong. When a behavior change touches a public helper (human.bytes2human, shell.shell_exec, cache.get), the change should be called out in the lib CHANGELOG so plugins that depend on the old behavior can be checked.
Context
The monitoring-plugins-side semantic audit backlog is tracked separately on Linuxfabrik/monitoring-plugins.
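The acceptance criteria ask for a short smoke test per item. The following is an added example written for this page, not code from Linuxfabrik/lib: it covers the two findings that can be reproduced stand-alone, the sign handling from human.py and the pipeline file-descriptor handling from shell.py. to_human(), to_human_buggy(), run_pipeline() and open_fd_count() are hypothetical re-implementations, not human.bytes2human or shell.shell_exec; the output format, the use of DEVNULL for the first stage's stdin, and the fd count read from /proc/self/fd are assumptions of the example.

```python
"""Added example, not code from Linuxfabrik/lib: stand-alone smoke tests for the
human.py and shell.py findings. to_human() and run_pipeline() are hypothetical
re-implementations; they are not human.bytes2human or shell.shell_exec."""
import os
import subprocess

# IEC units, largest first; a unit picker compares the value against these.
_UNITS = [
    (1024 ** 4, 'TiB'),
    (1024 ** 3, 'GiB'),
    (1024 ** 2, 'MiB'),
    (1024, 'KiB'),
    (1, 'B'),
]


def to_human_buggy(n):
    """Shape of the reported bug: the signed value is compared with positive
    thresholds, so a negative n never matches and falls through unscaled."""
    for threshold, unit in _UNITS:
        if n >= threshold:
            return '{:.1f}{}'.format(n / threshold, unit)
    return '{:.1f}B'.format(n)


def to_human(n):
    """Fixed picker: select the unit on the magnitude, then restore the sign."""
    sign = '-' if n < 0 else ''
    magnitude = abs(n)
    for threshold, unit in _UNITS:
        if magnitude >= threshold:
            return '{}{:.1f}{}'.format(sign, magnitude / threshold, unit)
    return '{}{:.1f}B'.format(sign, magnitude)


def open_fd_count():
    """Number of file descriptors open in this process (Linux only, else None)."""
    try:
        return len(os.listdir('/proc/self/fd'))
    except OSError:
        return None


def run_pipeline(stages):
    """Run a list of argv lists as a shell-style pipeline and return
    (stdout of the last stage, [return code per stage]).

    After stage N+1 has inherited stage N's stdout, the parent closes its own
    copy of that read end. Without that close the parent keeps one fd per
    stage alive, and stage N cannot receive SIGPIPE when stage N+1 exits early,
    because the parent is still a reader of the pipe.
    """
    procs = []
    prev = None
    for argv in stages:
        proc = subprocess.Popen(
            argv,
            # assumption of the example: the first stage reads from /dev/null
            stdin=prev.stdout if prev is not None else subprocess.DEVNULL,
            stdout=subprocess.PIPE,
        )
        if prev is not None:
            prev.stdout.close()  # the child owns the read end now
        procs.append(proc)
        prev = proc
    out, _ = procs[-1].communicate()  # closes the last read end as well
    for proc in procs[:-1]:
        proc.wait()
    return out.decode(), [proc.returncode for proc in procs]


if __name__ == '__main__':
    print(to_human_buggy(-1048576), to_human(-1048576))
    before = open_fd_count()
    print(run_pipeline([['printf', 'b\\na\\nc\\n'], ['sort'], ['head', '-n', '1']]))
    print('fds before/after:', before, open_fd_count())
```

The fd count is taken before and after the pipeline so the check fails if any stage's read end is left open in the parent; on platforms without /proc the count is None and that part of the check is skipped.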