From 05c10278f5d31b9aa19ce7e12f24f7c132f3a412 Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Thu, 4 Dec 2025 16:24:40 -0500
Subject: [PATCH] Improve QA script accuracy - fix false positives
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

QA SCRIPT IMPROVEMENTS:

1. CHECK 12 (Dangerous rm) - Skip echo/comment lines
   - Added filter to skip lines starting with 'echo' or '#'
   - Prevents false positives on documentation/examples
   - Example: "echo 'run: rm -rf \$DIR'" is now correctly ignored

2. CHECK 18 (Parameter validation) - Accept variable name patterns
   - Old pattern: Only detected [ -z "$1" ] or [ -n "$1" ]
   - New pattern: Also accepts [ -z "$var_name" ] after assignment
   - Regex: \[\s*-[nz]\s*"\$([1-9]|[a-zA-Z_][a-zA-Z0-9_]*)"\s*\]
   - This recognizes both direct ($1) and indirect ($db_name) validation

BENEFITS:
- Reduces false positives in rm command detection
- More flexible parameter validation detection
- Better matches real-world bash coding patterns
- Accepts both defensive coding styles

TESTING:
✓ No change in issue count (99 issues - still accurate)
✓ CRITICAL: 0 (validated - no false positives)
✓ HIGH: 10 (same functions, better detection logic)
---
 tools/toolkit-qa-check.sh | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tools/toolkit-qa-check.sh b/tools/toolkit-qa-check.sh
index 91f5aef..4744796 100755
--- a/tools/toolkit-qa-check.sh
+++ b/tools/toolkit-qa-check.sh
@@ -318,6 +318,11 @@ echo "Issue: rm -rf with potentially empty variables = catastrophic data loss"
 echo ""
 
 while IFS=: read -r file line_num line_content; do
+    # Skip if it's in an echo/comment (documentation, not execution)
+    if echo "$line_content" | grep -qE '^\s*(echo|#)'; then
+        continue
+    fi
+
     # Check for rm -rf $var patterns where var might be empty
     if echo "$line_content" | grep -qE 'rm\s+-[a-z]*r[a-z]*f.*\$[A-Z_]+[^/]|rm\s+-[a-z]*r[a-z]*f\s+/?\$'; then
         # Skip if it has proper validation ([ -n "$var" ] && rm ...)
@@ -468,8 +473,11 @@ while read -r file; do
 
         # Check if function uses parameters
         if grep -A 20 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -q '\$[1-9]'; then
-            # Check if it validates them
-            if ! grep -A 5 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -qE '\[\s*-[nz]\s*"\$[1-9]"|\[\s*\$#\s*-'; then
+            # Check if it validates them (accepts both $1 and variable name patterns)
+            # Pattern 1: [ -z "$1" ] or [ -n "$1" ]
+            # Pattern 2: [ -z "$var_name" ] where var_name was assigned from $1
+            # Pattern 3: [ $# -lt 1 ] or similar
+            if ! grep -A 5 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -qE '\[\s*-[nz]\s*"\$([1-9]|[a-zA-Z_][a-zA-Z0-9_]*)"\s*\]|\[\s*\$#\s*-'; then
                 echo "HIGH|$file|$line_num|Function '$func_name' uses parameters without validation"
                 count_issue "HIGH"
                 ((count++))