0c25f15c89
Reduced false positives from 104 to 71 HIGH issues by improving detection logic:

1. SOURCE Detection (CHECK 44):
   - Skip lines with error handling (|| or 2>/dev/null)
   - Better extraction: handle quotes, skip special chars
   - Skip empty/variable/absolute paths
   - More precise grep pattern (only ^\s*source lines)
   - Validates existence checks more accurately

2. IFS Detection (CHECK 68):
   - Skip safe pattern: 'IFS= read' (only affects read command)
   - Skip IFS in while/for conditions (locally scoped)
   - Only flag standalone IFS assignments without reset
   - Changed grep to only match ^\s*IFS= (not inline usage)

3. WORDSPLIT Detection (CHECK 51):
   - Downgraded from HIGH to MEDIUM severity
   - Skip intentional patterns: $disks, $ips, $users, $dbs, etc.
   - Skip variables ending in _list, _array, _items
   - Added guidance: suppress if intentional, quote if bug
   - Recognizes common bash idiom for space-separated lists

Results:
- Before: 104 HIGH, 223 MEDIUM, 390 TOTAL
- After: 71 HIGH (-33), 231 MEDIUM (+8), 365 TOTAL (-25)
- Eliminated: 10 IFS false positives, ~15 SOURCE, ~8 WORDSPLIT
- Accuracy improvement: ~32% reduction in false HIGH issues

Impact: QA scan now focuses on real issues, not common bash patterns.
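The IFS rules listed under CHECK 68, sketched as an added example that is not part of this commit or the scanner's own code. The function names, the sample script, and the definition of "reset" (`unset IFS` or assignment from a saved variable) are assumptions, and the command-prefix rule is generalized from `IFS= read` to any `IFS=value command`.

```sh
#!/bin/sh
# Added example (hypothetical names). Reads a script on stdin and prints the
# line numbers of standalone IFS assignments that are never reset afterwards.
ifs_findings() {
  awk -v q="'" '
    # Assumption: "unset IFS" counts as a reset of every earlier assignment.
    /^[ \t]*unset[ \t]+IFS[ \t;]*$/ { n = 0; next }

    # Anchored match: "while IFS= read -r line" and other inline uses never get here.
    /^[ \t]*IFS=/ {
      rest = $0
      sub(/^[ \t]*IFS=/, "", rest)
      val = rest

      # Strip the assigned value: single-quoted (incl. $-quoted), double-quoted, or bare.
      if (rest ~ ("^[$]?" q))  sub("^[$]?" q "[^" q "]*" q, "", rest)
      else if (rest ~ /^"/)    sub(/^"[^"]*"/, "", rest)
      else                     sub(/^[^ \t;]*/, "", rest)
      sub(/^[ \t]+/, "", rest)

      # A command word after the value ("IFS= read ...") scopes it to that command.
      if (rest != "" && rest !~ /^[;#&|]/) next

      # Assumption: assigning from a variable (IFS=$old_ifs) is a restore.
      if (val ~ /^"?[$][A-Za-z_{]/) { n = 0; next }

      pending[++n] = NR
    }
    END { for (i = 1; i <= n; i++) print pending[i] }
  '
}

# Constructed sample input, one case per rule.
sample_script() {
  cat <<'EOF'
#!/bin/bash
while IFS= read -r line; do echo "$line"; done < hosts.txt
IFS=',' read -r user shell <<< "root,/bin/sh"
old_ifs=$IFS
IFS=:
for dir in $PATH; do echo "$dir"; done
IFS=$old_ifs
IFS=$'\n'   # never restored
for f in $(ls); do echo "$f"; done
EOF
}

sample_script | ifs_findings   # prints 8
```

Only line 8 of the sample is reported: lines 2 and 3 are command-scoped, and the assignment on line 5 is restored on line 7.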