fix(plugins): argparse choices, date math, fall-through (#1070)

Three real issues and a handful of false positives closing out the
semantic audit backlog (#1070):

- sap-open-concur-com: `choices=services.append('All')` evaluated to
  `choices=None` because `list.append()` returns `None`, so the
  `--service` argument accepted any value without validation. Use
  `choices=services + ['All']` to build a proper choices list.
- nextcloud-security-scan: compute scan age as
  `(today - scan_date).days` instead of `abs(scan_date - today).days`,
  so a scan with a clock-skewed future timestamp no longer triggers a
  rescan. Only past scans older than `--trigger` days trigger a rescan.
- fortios-network-io: make the "no warnings vs warnings present"
  branches structurally exclusive via an explicit `else:`. Same
  readability fix as the chunk-3 plugins.

False positives from the same audit, not touched:
- grafana-version: the agent claimed `shell_exec()` return-type
  confusion, but the code correctly unpacks the outer `(success,
  result)` tuple and then indexes the inner `(stdout, stderr, retc)`
  on success.
- icinga-topflap-services: the agent claimed the `SELECT ... FROM
  perfdata` target didn't match a CREATE. In fact `lib.db_sqlite`
  defaults the table name to `perfdata`, so the whole plugin works
  on the implicit default table.
- infomaniak-events: the `ended_at - started_at` subtraction is
  guarded by `if event.get('ended_at') is not None`, so the None
  subtraction the agent flagged never runs.

Author: markuslf

CHANGELOG.md

@@ -14,12 +14,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * axenita-stats: fix the version-number extraction slice `[8 : 8 + find('-') - 1]` that only worked for exactly 6-character versions like `14.0.8` and silently truncated any longer patch number. Use `split('-')[1]` instead, which handles `14.0.12`, `1.2.3`, and 2-digit majors correctly ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * deb-updates: add missing `lib.txt` import so the "N update(s) available" summary no longer crashes with `AttributeError` at runtime
 * Fix `--require-hashes` pip install in pre-commit autoupdate workflow by using pinned version instead
+* fortios-network-io: make the "no warnings vs warnings present" branches structurally exclusive via an explicit `else:`. The old code relied on `lib.base.oao()` exiting to skip the follow-up call, which works but is fragile to read ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * hin-status: when incidents are found, set `cnt_incidents = len(incidents)` instead of the hardcoded `1`, so the perfdata counter matches the actual number of incidents listed in the message ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * keycloak-version: replace the fragile regex `r'n (.*)'` (which relied on the "n " in the word "Version" of `/opt/keycloak/version.txt`) with an explicit `r'[Vv]ersion\s+(\d+(?:\.\d+)*)'` pattern. Also fall through to the API fallback when the file is present but the regex does not match, instead of aborting with "Keycloak not found" ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * mysql-memory: fix `get_other_process_memory()` fallback path for psutil older than 5.3.0 (referenced an undefined `cmdline` variable and the wrong attribute on the process dict) and drop an unreachable `break` after `return` in `get_pfs_memory()`
 * mysql-storage-engines: drop a dead `SELECT ... FROM information_schema.engines` query whose result was never used
 * mysql-table-locks: the "X immediate / Y locks" message denominator used `Table_locks_immediate` twice instead of `Table_locks_immediate + Table_locks_waited` as the total, so the output lied about the total lock count. The ratio displayed as a percentage was already correct ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * network-connections: the final `lib.base.oao()` call passed a hardcoded `STATE_OK` instead of the accumulated `state`, discarding all WARN/CRIT decisions from the loop. The plugin now exits with the correct accumulated state ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
+* nextcloud-security-scan: compute scan age as `(today - scan_date).days` instead of `abs(scan_date - today).days`, so a scan with a clock-skewed future timestamp no longer triggers a rescan. Only past scans older than `--trigger` days trigger a rescan ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * ntp-ntpd: collapse four sequential `if`-then-`oao()` early-exit guards into a single `if/elif` chain so the intent (try each failure mode in turn and exit on the first one that matches) is explicit ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * ntp-w32tm: when the "Time since Last Good Sync Time" check yields a non-OK state, the appended state label is now the actual `local_state` (WARN or CRIT) instead of a hardcoded `STATE_WARN`, so a CRIT state no longer shows up as "WARNING" in the message ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * openstack-swift-stat: the "bytes used" block gated on `'x-account-meta-quota-bytes' in headers` (a quota header) when it should have gated on `'x-account-bytes-used' in headers`. The "used" line now shows up for any account with non-zero bytes, regardless of whether a quota is set ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
@@ -29,6 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * qts-temperatures: the `systemp` and `cputemp` perfdata entries had their `warn` / `crit` thresholds swapped (system perfdata used the CPU threshold fields and vice versa). The message text was already correct ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * redis-status, valkey-status: the `key_count` perfdata value used the loop variable `keys` (the last database's per-DB key count) instead of the accumulated `key_count` (total across all databases). The "with X keys" message text was already using `key_count` ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * rocketchat-stats: add missing `lib.txt` import so the user-count pluralization no longer crashes with `AttributeError` at runtime
+* sap-open-concur-com: `choices=services.append('All')` was effectively `choices=None` because `list.append()` returns `None`. The `--service` argument therefore accepted any value without validation. Use `choices=services + ['All']` to build a proper choices list ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * starface-java-memory-usage: the heap and non-heap state checks used `state += lib.base.get_worst(used_state, state)` which adds state integers together and corrupts the accumulated state (e.g. WARN+WARN=2 reads as CRIT, WARN+CRIT=3 is outside the valid range). Replaced with `state = lib.base.get_worst(state, used_state)` so the accumulated state remains a valid STATE_OK / STATE_WARN / STATE_CRIT value ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * tools/run-unit-tests: skip the `example` plugin in default runs. Its unit test is a template meant to be copy-pasted into new plugins and does not correspond to a real check. Explicit `python tools/run-unit-tests example` still runs it
 * tox.ini: disable the sdist build (`no_package = true`) so `tox` no longer trips over the flat top-level layout with "Multiple top-level packages discovered". The repo is a collection of plugin scripts, not a Python package

check-plugins/fortios-network-io/fortios-network-io

@@ -390,7 +390,8 @@ def main():
     if not msg_link and not msg_saturation:
         # no warnings, so print the interface with the highest load
         lib.base.oao(msg_header + '\n\n' + table, state, perfdata)
-    lib.base.oao(msg_link + msg_saturation + '\n' + table, state, perfdata)
+    else:
+        lib.base.oao(msg_link + msg_saturation + '\n' + table, state, perfdata)
 
 
 if __name__ == '__main__':

check-plugins/nextcloud-security-scan/nextcloud-security-scan

@@ -22,7 +22,7 @@ import lib.url
 from lib.globals import STATE_CRIT, STATE_OK, STATE_UNKNOWN, STATE_WARN
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2026040801'
+__version__ = '2026041201'
 
 DESCRIPTION = """Checks the security of a private Nextcloud server using the Nextcloud security scanner.
 Reports the assigned security rating and alerts on known vulnerabilities in the
@@ -191,11 +191,14 @@ def main():
     elif result['rating'] == 2 or result['rating'] == 3:
         state = STATE_WARN
 
-    # warn if last check is more than 30 days ago, and trigger a rescan
+    # warn if last check is more than TRIGGER days ago, and trigger a rescan.
+    # `today - scan_date` yields a positive .days for scans in the past; a scan
+    # dated in the future (clock skew) should not trigger a rescan, so drop the
+    # abs() that the old code relied on.
     scan_date = datetime.datetime.strptime(result['scannedAt']['date'][:10], '%Y-%m-%d')
     today = lib.time.now(as_type='datetime')
-    delta = scan_date - today
-    if abs(delta.days) > args.TRIGGER:
+    age_days = (today - scan_date).days
+    if age_days > args.TRIGGER:
         lib.base.coe(trigger_rescan_nextcloud_com(args.URL, args))
 
 

check-plugins/sap-open-concur-com/sap-open-concur-com

@@ -23,7 +23,7 @@ from lib.globals import STATE_CRIT, STATE_OK, STATE_UNKNOWN, STATE_WARN
 
 __author__ = """Linuxfabrik GmbH, Zurich/Switzerland;
                 originally written by Dominik Riva, Universitätsspital Basel/Switzerland"""
-__version__ = '2026040801'
+__version__ = '2026041201'
 
 
 DESCRIPTION = """Monitors the SAP Concur Open status page (open.concur.com) for active service
@@ -108,7 +108,7 @@ def parse_args():
         'Default: %(default)s',
         dest='SERVICE',
         default=DEFAULT_SERVICE,
-        choices=services.append('All'),
+        choices=services + ['All'],
     )
 
     parser.add_argument(