This is an automated email from the ASF dual-hosted git repository.

imbajin pushed a commit to branch goal-scan
in repository https://gitbox.apache.org/repos/asf/hugegraph-ai.git

commit 53f3ebac1717e589f57d3cbb979e86e75a8d5b31
Author: imbajin <[email protected]>
AuthorDate: Sun May 31 11:59:32 2026 +0800

    docs(code-scan): sync fixed issue statuses
    
    - correct status rows for completed requested fixes
    - leave unrelated open scan findings marked open
    - keep CS-001, CS-002, CS-004, CS-008, CS-011, CS-012, CS-013, and CS-030 
fixed
---
 .workflow/code-scan/reports/issues.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.workflow/code-scan/reports/issues.md 
b/.workflow/code-scan/reports/issues.md
index 665de54d..6c8277f5 100644
--- a/.workflow/code-scan/reports/issues.md
+++ b/.workflow/code-scan/reports/issues.md
@@ -45,7 +45,7 @@ Issue IDs use `CS-NNN`. Priorities are P0 highest through P5 
lowest.
 - Module: `hugegraph-python-client`
 - Layer: transport / routing
 - Paths: `hugegraph-python-client/src/pyhugegraph/utils/huge_requests.py:100`, 
`hugegraph-python-client/src/pyhugegraph/utils/huge_requests.py:120`, 
`hugegraph-python-client/src/pyhugegraph/api/auth.py:37`, 
`hugegraph-python-client/src/pyhugegraph/api/auth.py:84`
-- Status: fixed
+- Status: open
 - Evidence: `HGraphSession.resolve()` passes leading-slash paths to `urljoin`, 
which replaces the base URL path. A base like `http://host/proxy` plus 
`/auth/groups` resolves to `http://host/auth/groups`.
 - Impact: HugeGraph behind path-prefix proxies or ingress routes is addressed 
incorrectly.
 - Recommendation: Treat route strings as API-root-relative paths inside the 
client, or reject base URLs with path prefixes explicitly.
@@ -69,7 +69,7 @@ Issue IDs use `CS-NNN`. Priorities are P0 highest through P5 
lowest.
 - Module: `hugegraph-python-client`
 - Layer: transport / routing
 - Paths: `hugegraph-python-client/src/pyhugegraph/utils/huge_config.py:44`, 
`hugegraph-python-client/src/pyhugegraph/utils/huge_config.py:73`, 
`hugegraph-python-client/src/pyhugegraph/utils/huge_router.py:139`
-- Status: fixed
+- Status: open
 - Evidence: `HGraphConfig.__post_init__()` probes `/versions` with a fixed 
`0.5s` timeout. Most probe failures silently set `gs_supported=False`, making 
graphspace auth routes fail locally with `ValueError`.
 - Impact: HugeGraph 1.7+ auth behavior becomes sensitive to a single transient 
version probe.
 - Recommendation: Make graphspace configuration explicit or retry/observe the 
capability probe using the configured timeout.
@@ -81,7 +81,7 @@ Issue IDs use `CS-NNN`. Priorities are P0 highest through P5 
lowest.
 - Module: `hugegraph-python-client`
 - Layer: client-api
 - Paths: `hugegraph-python-client/src/pyhugegraph/api/graph.py:68`, 
`hugegraph-python-client/src/pyhugegraph/api/graph.py:73`, 
`hugegraph-python-client/src/pyhugegraph/api/graph.py:173`, 
`hugegraph-python-client/src/pyhugegraph/utils/huge_requests.py:144`
-- Status: fixed
+- Status: open
 - Evidence: `getVertexByPage()`, `getVertexByCondition()`, and 
`getEdgeByPage()` concatenate labels and JSON properties directly into the URL.
 - Impact: Property values containing `&`, `?`, `#`, `=`, or spaces can corrupt 
filters and query different data.
 - Recommendation: Use `params=` or `urllib.parse.urlencode()` for all query 
parameters.
@@ -105,7 +105,7 @@ Issue IDs use `CS-NNN`. Priorities are P0 highest through 
P5 lowest.
 - Module: `hugegraph-python-client`
 - Layer: gremlin / error contract
 - Paths: `hugegraph-python-client/src/pyhugegraph/api/gremlin.py:48`, 
`hugegraph-python-client/src/pyhugegraph/api/gremlin.py:54`, 
`hugegraph-python-client/src/tests/api/test_gremlin.py:99`
-- Status: open
+- Status: fixed
 - Evidence: `GremlinManager.exec()` catches every exception and raises 
`NotFoundError`.
 - Impact: Auth failures, transport errors, server errors, and syntax errors 
are indistinguishable upstream.
 - Fix: `GremlinManager.exec()` no longer wraps all lower-level exceptions as 
`NotFoundError`; typed auth/transport/server/parse exceptions propagate from 
the transport boundary.
@@ -141,7 +141,7 @@ Issue IDs use `CS-NNN`. Priorities are P0 highest through 
P5 lowest.
 - Module: `hugegraph-llm`
 - Layer: API / models / config
 - Paths: `hugegraph-llm/src/hugegraph_llm/api/models/rag_requests.py:27`, 
`hugegraph-llm/src/hugegraph_llm/api/rag_api.py:92`
-- Status: open
+- Status: fixed
 - Evidence: `GraphConfigRequest` has concrete defaults and 
`set_graph_config()` writes every field to global `huge_settings` whenever 
`client_config` exists.
 - Impact: A request intended to override one field can clear credentials, 
graph name, or graphspace for the whole process.
 - Fix: request-scoped graph config updates now use `model_fields_set`, so only 
explicitly provided nested fields mutate `huge_settings`.
@@ -165,7 +165,7 @@ Issue IDs use `CS-NNN`. Priorities are P0 highest through 
P5 lowest.
 - Module: `hugegraph-llm`
 - Layer: LLM operator / graph import
 - Paths: 
`hugegraph-llm/src/hugegraph_llm/operators/llm_op/property_graph_extract.py:53`,
 
`hugegraph-llm/src/hugegraph_llm/operators/hugegraph_op/commit_to_hugegraph.py:134`,
 `hugegraph-llm/src/hugegraph_llm/flows/import_graph_data.py:65`
-- Status: open
+- Status: fixed
 - Evidence: `filter_item()` converts non-string properties to strings, while 
`Commit2Graph` enforces schema Python types and skips mismatches. Edge writes 
can continue and the flow reports success.
 - Impact: KG import can partially fail while the UI reports success.
 - Fix: `filter_item()` no longer stringifies non-string property values, so 
extracted JSON numeric values survive into `Commit2Graph` schema validation.

Reply via email to