codeant-ai-for-open-source[bot] commented on PR #36678: URL: https://github.com/apache/superset/pull/36678#issuecomment-3661584166
## Nitpicks 🔍

<table>
<tr><td>🔒 <strong>No security issues identified</strong></td></tr>
<tr><td>⚡ <strong>Recommended areas for review</strong><br><br>
- [ ] <a href='https://github.com/apache/superset/pull/36678/files#diff-7ba4e6bc48eb9430226633219d4cb3c608327479c8257daa1c6cf2ff1699941cR120-R123'><strong>Sensitive information exposure</strong></a><br>The API returns the stringified exception to the client for schema-not-found and validation errors. Those messages may contain internal details (DB error messages, stack traces, or other sensitive details) and can leak implementation or infrastructure information to callers.<br>
- [ ] <a href='https://github.com/apache/superset/pull/36678/files#diff-7ba4e6bc48eb9430226633219d4cb3c608327479c8257daa1c6cf2ff1699941cR109-R115'><strong>No background task enqueued</strong></a><br>The endpoint initiates an analysis and returns a run_id, but the code path does not enqueue or start any background job (the command.run() currently only generates a uuid). This can mislead clients into believing work is scheduled when it is not.<br>
- [ ] <a href='https://github.com/apache/superset/pull/36678/files#diff-eac7c9af6d229b2af933f4d663f5a02a2d972c2b852cf2f356c258c5ad7766f6R36-R40'><strong>Unused route parameter</strong></a><br>The `loading` route accepts a `run_id` path parameter but does not pass it to the frontend/bootstrap context. The frontend will not receive the run identifier and cannot correlate the loading screen with the backend run without additional plumbing.<br>
- [ ] <a href='https://github.com/apache/superset/pull/36678/files#diff-f49542c54593d81021532273420dd1dbbddcb70a9564d699ed782b07f9c0fb55R98-R107'><strong>Swallowed Specific Error</strong></a><br>The code raises DatasourceAnalyzerSchemaNotFoundError inside a try block that catches all Exceptions. As a result, SchemaNotFoundError is appended to a generic exceptions list and re-raised as DatasourceAnalyzerInvalidError, changing the observable error type and making callers unable to distinguish "schema not found" from other introspection failures.<br>
- [ ] <a href='https://github.com/apache/superset/pull/36678/files#diff-f49542c54593d81021532273420dd1dbbddcb70a9564d699ed782b07f9c0fb55R98-R106'><strong>Over-broad exception handling</strong></a><br>The code catches every Exception from schema fetching (including programmer errors and specific command exceptions). This hides the root cause and may convert recoverable or specific errors into a generic invalid error. Catching narrower exceptions or re-raising known command exceptions would be safer.<br>
</td></tr>
</table>

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
