fix: CodeQL alert -- clear-text storage of sensitive information in plugin_parser.py

[sergio-sisternes-epam]

Context

Surfaced by CodeQL during #999 (code quality guardrails PR). The alert is pre-existing -- not introduced by #999 (which only reformatted the file).

Alert

• Rule: py/clear-text-storage-sensitive-data
• File: src/apm_cli/deps/plugin_parser.py:534
• Details: https://github.com/microsoft/apm/security/code-scanning/81

CodeQL flags an expression that stores sensitive data (a secret/token) as clear text.

Action needed

1. Review the flagged line to determine if the sensitive data handling is intentional (e.g., passing a token to a subprocess) or if it should be masked/redacted
2. If intentional, suppress with an inline comment explaining why
3. If a genuine issue, refactor to avoid storing the credential in a plain variable longer than necessary

References

• Discovered during: feat: add Ruff code quality guardrails (replaces black + isort) #999
• CodeQL alert: https://github.com/microsoft/apm/security/code-scanning/81

[github-actions]

Triage decision

accept

Proposed labels

theme/security
area/content-security
type/bug
status/accepted
priority/high

Milestone

null -- open milestones could not be verified via API at triage time. A maintainer should assign the current patch milestone directly; this is a security bug that warrants a prompt patch release.

Suggested next action

Review src/apm_cli/deps/plugin_parser.py:534 against the CodeQL alert detail (https://github.com/microsoft/apm/security/code-scanning/81), and either refactor the credential handling to minimize the variable's lifetime (preferred) or add an inline suppression comment with a documented justification if the handling is intentionally safe.

Suggested issue comment

Thanks for surfacing this, @sergio-sisternes-epam -- and for the clear write-up linking the alert, the file, and the originating PR.

CodeQL rule `py/clear-text-storage-sensitive-data` (CWE-312) is a legitimate signal: if a token or credential is stored in a plain Python variable inside the plugin parser, it can surface in debug logs, tracebacks, or exception messages longer than necessary, which conflicts with APM's security model (https://github.com/microsoft/apm/blob/main/docs/src/content/docs/enterprise/security.md).

APM's canonical auth flow (AuthResolver in `src/apm_cli/core/auth.py`) is the sanctioned credential source; no app code should hold a raw token in a local variable outside that boundary.

**Recommended path forward:**

1. Open `src/apm_cli/deps/plugin_parser.py:534` and check whether the flagged expression reads a credential into a plain local variable.
2. If the value is only used to pass to a subprocess via env var and is never logged or stored, add an inline `# nosec` comment with a one-line rationale (e.g., `# nosec: token passed as env var to subprocess, never logged or persisted`).
3. If the credential could end up in a log call, an exception message, or a data structure that outlives the call, refactor to shorten the variable's lifetime -- or route through `AuthResolver` if that path is not already used.

Path 3 / refactor is preferred from a defense-in-depth standpoint and keeps the codebase consistent with the security model. A PR with either path would be welcome; the implementing PR should reference this issue and the CodeQL alert link above.

Per-lens notes (collapsed)

DevX UX Expert -- User-Need Reviewer

No user-facing CLI surface is involved. This is a maintainer-level security task triggered by CodeQL static analysis. The issue body is exemplary -- it cites the rule name, the exact file and line, the CodeQL alert URL, the originating PR, and three concrete resolution paths. No command, flag, error message, or output format is affected. The only relevant taxonomy mapping is area/content-security (credential handling within the plugin parser). No UX concerns to surface.

Supply Chain Security Expert -- Risk-Surface Reviewer

This directly hits threat model item 6 (credential exfiltration). py/clear-text-storage-sensitive-data (CWE-312, CWE-315, CWE-359) in plugin_parser.py -- the file responsible for parsing plugin and package dependency metadata -- means a token or credential string may be stored in a plain Python variable during dependency resolution. Consequences: exposure via debug logs, unhandled exception messages, or tracebacks that propagate to CI output. The alert is pre-existing (not introduced by #999), meaning it has been in production across all installs since the file was written. APM's security model (enterprise/security.md) and AuthResolver pattern (src/apm_cli/core/auth.py) prohibit raw os.getenv("...TOKEN...") calls in app code outside the auth boundary; if plugin_parser.py is handling a raw credential, that is a boundary violation. Primary theme: theme/security. Area: area/content-security. Priority: priority/high -- credential exposure bugs should land in the next patch release. All three action paths in the issue body are valid; path 3 (refactor) is recommended over inline suppression for long-term hygiene.

OSS Growth Hacker -- Contributor-Tone Reviewer

Not activated -- author is a COLLABORATOR with an established project relationship; standard technical tone is appropriate and no onboarding warmth or first-contribution pointer-set is needed.

Python Architect -- Architecture Reviewer

Not activated -- the fix is scoped to a single expression in plugin_parser.py:534; no cross-cutting design decision, new interface, schema change, or module boundary is required before code can land safely.

Doc Writer -- Documentation Reviewer

Not activated -- this is an internal security code fix with no user-facing documentation surface; no new pages in docs/src/content/docs/ are implied, and the security model doc (enterprise/security.md) does not need updating for a suppression or local refactor.

APM CEO -- Triage Arbiter

Unanimous panel: accept as a security bug. The CodeQL alert is legitimate, the issue is well-scoped, and the fix is clear enough to land without a design doc. theme/security + area/content-security + type/bug + priority/high is the correct label set. Milestone: null at triage time (open milestones not accessible via API); a maintainer should stamp the current patch milestone since security bugs deserve prompt patch releases. Reply tone: direct and technical -- collaborator author who already understands the codebase.

{
  "decision": "accept",
  "decision_detail": "",
  "theme": "theme/security",
  "areas": ["area/content-security"],
  "type": "type/bug",
  "status": "status/accepted",
  "priority": "priority/high",
  "preserved_labels": [],
  "milestone": null,
  "next_action": "Review plugin_parser.py:534 against CodeQL alert 81; refactor to minimize credential lifetime or add a nosec comment with documented justification.",
  "comment_markdown": "Thanks for surfacing this, @sergio-sisternes-epam -- and for the clear write-up linking the alert, the file, and the originating PR.\n\nCodeQL rule `py/clear-text-storage-sensitive-data` (CWE-312) is a legitimate signal: if a token or credential is stored in a plain Python variable inside the plugin parser, it can surface in debug logs, tracebacks, or exception messages longer than necessary, which conflicts with APM's security model (https://github.com/microsoft/apm/blob/main/docs/src/content/docs/enterprise/security.md).\n\nAPM's canonical auth flow (AuthResolver in `src/apm_cli/core/auth.py`) is the sanctioned credential source; no app code should hold a raw token in a local variable outside that boundary.\n\n**Recommended path forward:**\n\n1. Open `src/apm_cli/deps/plugin_parser.py:534` and check whether the flagged expression reads a credential into a plain local variable.\n2. If the value is only used to pass to a subprocess via env var and is never logged or stored, add an inline `# nosec` comment with a one-line rationale.\n3. If the credential could end up in a log call, an exception message, or a data structure that outlives the call, refactor to shorten the variable's lifetime -- or route through `AuthResolver` if that path is not already used.\n\nPath 3 / refactor is preferred from a defense-in-depth standpoint. A PR with either path would be welcome; the implementing PR should reference this issue and the CodeQL alert link."
}

---

Triage status: agentic proposal pending human ratification.
Silence is approval. Maintainers can:

• Override any label or milestone above by editing it directly --
  human edits are authoritative and will not be reverted on
  subsequent runs.
• Re-trigger triage by applying the status/needs-triage label, or
  by removing status/triaged to enroll the issue in the next
  daily sweep.

Posted by the Triage Panel workflow. See .apm/skills/apm-triage-panel for the panel skill.

Generated by Triage Panel for issue #1001 · ● 1.3M · ◷