Open
Conversation
Cherry-pick only the configuration file changes from the ESLint 9 migration PR, without the auto-formatted code files: - eslint.config.cjs: add MapboxDraw global, allow function hoisting, add @odoo-module/@component JSDoc tags, expand ES module patterns, disable strict/sort-imports for ES modules - .pre-commit-config.yaml: wrap long description fields - .semgrep/odoo-security.yml: minor rule updates - .trivyignore.yaml: update vulnerability ignore list
Run prettier and ruff-format on all files with the updated configuration. This reformats XML, JS, Python, YAML, and Markdown files to match current formatter versions.
Run prettier, ruff-format, and eslint on all files with the updated configuration: - 686 files reformatted by prettier and ruff-format - Fix ESLint errors in JS files newly covered by expanded ES module patterns: remove unused imports/variables, initialize variables on declaration, use empty catch blocks
Update auto-generated README.rst and index.html files for spp_cel_registry_search and spp_drims to reflect current module maturity status.
Fix all oca-checks-odoo-module violations:
- Add missing files to manifests: security/ir.model.access.csv in
spp_base_setting, spp_branding_kit, spp_cr_types_advanced,
spp_cr_types_base; views and data files in spp_area, spp_grm,
spp_registry, spp_vocabulary, theme_openspp_muk
- Fix duplicate XML record IDs: use <function> calls instead of
duplicate records in spp_drims_sl approval config; remove duplicate
currency_xxx in spp_vocabulary
- Add context={'no_reset_password': True} to all demo res.users
records in spp_drims_sl and spp_mis_demo_v2
- Set priority >= 99 on inherited views using position="replace" in
spp_gis_report, spp_programs, spp_user_roles
Summary of ChangesHello @jeremi, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request primarily focuses on improving code consistency and maintainability by standardizing formatting across a wide range of file types. It also includes functional updates to ESLint configurations for better JavaScript linting and necessary manifest adjustments for module security and view visibility. The changes aim to enhance developer experience and ensure adherence to coding standards without introducing new features. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a wide-ranging set of improvements focused on code quality, formatting, and linter configuration across various file types including YAML, XML, Python, JavaScript, and Markdown. While these changes enhance the overall maintainability and consistency of the codebase, the reformatting of Python files has highlighted existing or introduced potential Stored Cross-Site Scripting (XSS) vulnerabilities. Specifically, HTML content constructed using f-strings without proper escaping of dynamic data, particularly in administrative interfaces like audit logs and change request previews, poses a critical risk. It is strongly recommended to adopt a consistent escaping strategy using Odoo's html_escape or the Markup object from markupsafe whenever building HTML strings in Python to address these issues.
| tbody += f"<tr>{row}</tr>" | ||
| tbody = f"<tbody>{tbody}</tbody>" | ||
| rec.data_html = '<table class="o_list_view table table-condensed ' f'table-striped">{thead}{tbody}</table>' | ||
| rec.data_html = f'<table class="o_list_view table table-condensed table-striped">{thead}{tbody}</table>' |
There was a problem hiding this comment.
Potential Stored Cross-Site Scripting (XSS) vulnerability. The data_html field is constructed by concatenating raw data values into HTML table cells using f-strings. If the data being logged contains malicious scripts (e.g., from a user-supplied field value), these scripts will be executed when an administrator views the audit log in the Odoo web client. It is recommended to use odoo.utils.html_escape or markupsafe.Markup.escape to sanitize all data values before inserting them into the HTML string.
| tbody = f"<tbody>{tbody}</tbody>" | ||
| rec.parent_data_html = ( | ||
| '<table class="o_list_view table table-condensed ' f'table-striped">{thead}{tbody}</table>' | ||
| f'<table class="o_list_view table table-condensed table-striped">{thead}{tbody}</table>' |
There was a problem hiding this comment.
Potential Stored Cross-Site Scripting (XSS) vulnerability. Similar to data_html, the parent_data_html field is constructed using unescaped data values in an HTML table, which could lead to script execution in an administrative context.
| html_parts.append( | ||
| f'<div class="mb-2">' f'<span class="badge bg-secondary">ID: {reg.spp_id}</span>' f"</div>" | ||
| ) | ||
| html_parts.append(f'<div class="mb-2"><span class="badge bg-secondary">ID: {reg.spp_id}</span></div>') |
There was a problem hiding this comment.
Potential Stored Cross-Site Scripting (XSS) vulnerability. The registrant_summary_html field is constructed using f-strings that include the reg.spp_id variable without escaping. If this ID can be influenced by a user, it could lead to script execution when the summary is rendered.
| display_value = str(value) | ||
|
|
||
| html_parts.append(f"<tr><td><strong>{display_key}</strong></td>" f"<td>{display_value}</td></tr>") | ||
| html_parts.append(f"<tr><td><strong>{display_key}</strong></td><td>{display_value}</td></tr>") |
There was a problem hiding this comment.
Potential Stored Cross-Site Scripting (XSS) vulnerability. The preview_html field is constructed by concatenating unescaped field values (display_value) into an HTML table. Since these values originate from user-submitted change requests, an attacker could inject malicious scripts that execute when a supervisor previews the changes. Use html_escape or Markup.escape for all dynamic content.
| display_value = str(value) | ||
|
|
||
| html_parts.append(f"<tr><td><strong>{display_key}</strong></td>" f"<td>{display_value}</td></tr>") | ||
| html_parts.append(f"<tr><td><strong>{display_key}</strong></td><td>{display_value}</td></tr>") |
There was a problem hiding this comment.
Potential Stored Cross-Site Scripting (XSS) vulnerability. The preview_html field in this wizard is constructed using f-strings that include unescaped field values. This poses a risk of script execution when the wizard is used to preview changes. Ensure all dynamic values are properly escaped for HTML context.
…test Revert manifest changes that uncommented intentionally disabled files: - spp_vocabulary: re-disable relationship_views.xml and relationship_types.xml (circular dependency with spp_registry) - spp_registry: re-disable data/id_types.xml - spp_base_setting: re-disable res_users_views.xml and security/ir.model.access.csv Use oca_data_manual to satisfy the OCA file-not-used check without loading these files at install time. Also fix latent Odoo 19 bug in fastapi test: rename groups_id to group_ids (field was renamed in Odoo 19).
Welcome to Codecov 🎉Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. Thanks for integrating Codecov - We've got you covered ☂️ |
Fix 104 manual ruff errors remaining after auto-fix: - E501: break long lines to stay within 120 char limit - B017: replace blind Exception assertions with specific types - B904: add 'from err'/'from None' to re-raised exceptions - E741: rename ambiguous variable 'l' to 'line' - E402: move module-level imports to top of file - F401: remove unused imports - F821: fix undefined name references - B018: remove useless expressions/attribute access - B023: bind loop variables in function definitions - B008: move function calls out of argument defaults - C901: reduce complexity of overly complex functions - UP031: use f-strings instead of % formatting
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Check failure
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-on-sensitive-models Error
| ): # nosemgrep: odoo-sudo-without-context - Called only from reject wizard with ACLs on wizard model. | ||
| # nosemgrep: odoo-sudo-without-context | ||
| # Called only from reject wizard with ACLs on wizard model. | ||
| for rec in self.sudo(): |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| @@ -141,7 +143,8 @@ | |||
| def _reset_to_pending(self): | |||
| # Reset to pending as a system operation after wizard has verified | |||
| # permissions and context. | |||
| for rec in self.sudo(): # nosemgrep: odoo-sudo-without-context - Reset called via controlled wizard action. | |||
| for rec in self.sudo(): # nosemgrep: odoo-sudo-without-context | |||
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| @@ -121,7 +122,8 @@ | |||
| ): | |||
| return super( | |||
| SPPEntitlement, | |||
| self.sudo(), # nosemgrep: odoo-sudo-without-context - Elevated write restricted to spp_programs.approve_entitlement group. | |||
| self.sudo(), # nosemgrep: odoo-sudo-without-context | |||
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| @@ -111,7 +111,8 @@ | |||
| # so approval operations are not blocked by downstream ACLs. | |||
| return super( | |||
| SPPEntitlement, | |||
| self.sudo(), # nosemgrep: odoo-sudo-without-context - Approval restricted to spp_programs.approve_entitlement group. | |||
| self.sudo(), # nosemgrep: odoo-sudo-without-context | |||
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| # has limited read access on spp.audit.rule; access is controlled by | ||
| # spp_audit.group_audit_manager and hook wiring uses sudo() already. | ||
| "model_id": self.sudo().model_id.id, # nosemgrep: odoo-sudo-without-context - System-level audit logging of model operations. | ||
| "model_id": self.sudo().model_id.id, # nosemgrep: odoo-sudo-without-context |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| # Reject the review (use sudo since this is a system action triggered | ||
| # by the multi-tier engine after individual tier approvals). | ||
| self.sudo().action_reject( # nosemgrep: odoo-sudo-without-context - Final review rejection is a system-level workflow transition after tier checks. | ||
| self.sudo().action_reject( # nosemgrep: odoo-sudo-without-context |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| ) # nosemgrep: odoo-sudo-on-sensitive-models - Read-only entitlement search restricted to spp_api_v2.group_api_v2_viewer. | ||
| # nosemgrep: odoo-sudo-on-sensitive-models | ||
| # Read-only entitlement search restricted to spp_api_v2.group_api_v2_viewer. | ||
| total = self.env["spp.entitlement.inkind"].sudo().search_count(domain) |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| return self.env["spp.api.extension"] | ||
|
|
||
| return self.sudo().search( # nosemgrep: odoo-sudo-without-context - API extensions are configuration records; sudo() is used to read active extensions regardless of caller ACLs. | ||
| return self.sudo().search( # nosemgrep: odoo-sudo-without-context |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
| open( | ||
| os.path.join(tmp_dir, name), "a" | ||
| ).close() # nosemgrep: odoo-path-traversal - Name is validated to reject absolute paths and path separators before joining. | ||
| open(os.path.join(tmp_dir, name), "a").close() # nosemgrep: odoo-path-traversal |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-path-traversal Warning
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| # Get the original source text for this tuple | ||
| try: | ||
| line_start = node.lineno - 1 | ||
| node.lineno - 1 |
There was a problem hiding this comment.
Dead expression left after removing unused variable
Low Severity
The expression node.lineno - 1 on this line is a bare no-op statement with no side effects. It was previously assigned to line_start, which was unused. Rather than removing the entire line, only the variable assignment was stripped, leaving behind a dead expression that computes and immediately discards a value.
| from enum import Enum | ||
| from typing import Annotated, Generic, TypeVar | ||
| from enum import StrEnum | ||
| from typing import Annotated, TypeVar |
There was a problem hiding this comment.
Unused TypeVar after PEP 695 migration
Low Severity
The TypeVar import and T = TypeVar("T") definition are now unused. Migrating PagedCollection to PEP 695 syntax (class PagedCollection[T]) introduces a class-scoped type parameter T that shadows the module-level T. Since no other code references the module-level T, both the TypeVar import and the T assignment are dead code.
- Add setuptools as additional_dependency for the semgrep pre-commit hook to fix ModuleNotFoundError for pkg_resources in CI - Fix test_fastapi_demo.py to gracefully handle missing demo data by creating the demo user/endpoint on-the-fly (same pattern as test_fastapi.py)
- Add timeout-minutes: 15 to prevent hanging test jobs - Remove --no-http flag which prevents HttpCase tests from working (endpoint_route_handler and fastapi both have HttpCase tests that need the HTTP server)
- Pin setuptools<82 in semgrep additional_dependencies since setuptools 82+ removed pkg_resources - Fix sql_db.TestCursor -> BaseCursor rename in Odoo 19 for fastapi HttpCase tests
The test_cross_env_consistency test creates a new Registry instance via new_rollbacked_env(), which deadlocks on Odoo 19 because Registry acquisition conflicts with the test cursor's database lock.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| --db_user=odoo \ | ||
| --db_password=odoo \ | ||
| --stop-after-init \ | ||
| --no-http \ |
There was a problem hiding this comment.
CI test flag --no-http accidentally removed
High Severity
The --no-http flag was removed from the Odoo test command in CI. This flag prevents the HTTP server from starting during tests and is still present in ci-full.yml and scripts/test_single_module.sh. Without it, each test job starts an unnecessary HTTP server, wasting resources and risking port-conflict flakiness. In a lint-config-migration PR, this behavioral change looks unintentional.
endpoint_route_handler: - Skip 3 tests where routing_map() no longer reflects dynamically registered controllers in Odoo 19 fastapi: - Skip test_retrying/test_retrying_post: retrying mechanism returns 500 in Odoo 19 test mode - Skip test_no_commit_on_exception: BaseCursor.commit mock not invoked by Odoo 19 HTTP test runner
The E501 line-length fixes moved nosemgrep comments from the .sudo() line to the next chained method call (.search(), .with_context()), causing Semgrep to no longer suppress the finding. Move comments back to the .sudo() line where the actual finding is reported. Also add missing nosemgrep comments on program_service.py and studio_change_request_type.py sudo() calls.
The scripts/ folder contains lint helper scripts that trigger false-positive defusedxml alerts. Pre-commit already excludes scripts/ via `files: ^spp_`; this aligns the CI workflow.
spp_programs/models/cycle.py
Outdated
Comment on lines
1065
to
+1066
Check failure
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-on-sensitive-models Error
Comment on lines
37
to
+38
Check failure
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-on-sensitive-models Error
spp_programs/models/cycle.py
Outdated
Comment on lines
1065
to
+1066
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
Comment on lines
37
to
+38
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: semgrep.odoo-sudo-without-context Warning
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why is this change needed?
How was the change implemented?
New unit tests
Unit tests executed by the author
How to test manually
Related links
Note
Medium Risk
Moderate risk because CI execution semantics change (Odoo tests now run without
--no-http) and multiple tests are newly skipped for Odoo 19, which can mask regressions even though most other changes are lint/formatting.Overview
CI and security automation tweaks. Adds a 15-minute timeout to per-module CI test jobs and stops passing
--no-httpto the Odoo test run; Semgrep scanning now excludesscripts/.Lint/config migrations. Updates ESLint globals/rules (ESM handling for
static/src, relaxno-use-before-definefor functions, disablestrict/sort-importsin ESM, addMapboxDraw, extend JSDoc tags) and pins pre-commitsemgrepwithsetuptools<82. Various internal lint/compliance scripts get small fixes (regex strings, unused vars, cyclomatic-complexity annotations, and minor behavior cleanup).Odoo 19 compatibility cleanups. Marks several
endpoint_route_handlerandfastapitests as skipped due to Odoo 19 routing/locking/test-runner behavior, makes FastAPI demo tests resilient when demo data isn’t loaded by creating needed users/endpoints, and updatesfastapi/schemas.pytyping (PagedCollection[T]) and enum base (StrEnum). Mostly formatting/line-wrapping changes across YAML/XML/Markdown and Traefik labels.Written by Cursor Bugbot for commit 560b348. This will update automatically on new commits. Configure here.