fix: Address 5 bugs from Cursor Bugbot code review (#33)

devatsecure · claude · devatsecure · commit 5197f3b51f37 · 2026-02-08T17:04:01.000+05:00
- epss_scorer.py: Reorder HTTPError before URLError (subclass ordering)
- config_loader.py: Remove duplicate dast_auth_config_path/dast_enable_totp keys
- compliance_mapper.py: Compute mappings once in generate_all_reports (6x perf)
- error_classifier.py: Run pattern matching before isinstance fallback so
  FileNotFoundError/PermissionError are classified correctly, not as transient
- dast_orchestrator.py: Catch all exceptions from YAML config loading

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/scripts/compliance_mapper.py b/scripts/compliance_mapper.py
@@ -474,7 +474,12 @@ def generate_report(
             )
 
         all_mappings = self.map_findings(findings)
+        return self._build_report(framework, all_mappings)
 
+    def _build_report(
+        self, framework: str, all_mappings: list[ComplianceMapping]
+    ) -> ComplianceReport:
+        """Build a report for *framework* from pre-computed mappings."""
         # Filter mappings for the requested framework.
         framework_mappings = [
             m for m in all_mappings if m.framework == framework
@@ -507,16 +512,19 @@ def generate_all_reports(
     ) -> list[ComplianceReport]:
         """Generate compliance reports for every configured framework.
 
+        Computes mappings once and reuses across all frameworks.
+
         Args:
             findings: list of finding dictionaries.
 
         Returns:
             A list of :class:`ComplianceReport` instances, one per framework.
         """
-        reports = []
-        for framework in self.frameworks:
-            report = self.generate_report(findings, framework)
-            reports.append(report)
+        all_mappings = self.map_findings(findings)
+        reports = [
+            self._build_report(framework, all_mappings)
+            for framework in self.frameworks
+        ]
         logger.info("Generated %d compliance reports", len(reports))
         return reports
 
diff --git a/scripts/config_loader.py b/scripts/config_loader.py
@@ -142,10 +142,6 @@ def get_default_config() -> Dict[str, Any]:
         "temporal_namespace": "argus",
         "temporal_retry_mode": "production",
 
-        # -- DAST auth --
-        "dast_auth_config_path": "",      # path to YAML auth config
-        "dast_enable_totp": True,
-
         # -- Vulnerability enrichment & compliance --
         "enable_license_risk_scoring": True,
         "enable_epss_scoring": True,
diff --git a/scripts/dast_orchestrator.py b/scripts/dast_orchestrator.py
@@ -105,7 +105,7 @@ def __init__(self, config: Optional[OrchestratorConfig] = None):
                     self.dast_auth.login_type,
                     self.dast_auth.login_url or "(none)",
                 )
-            except (FileNotFoundError, ValueError) as exc:
+            except Exception as exc:
                 logger.warning("DAST auth config load failed: %s", exc)
 
         # Initialize agents
diff --git a/scripts/epss_scorer.py b/scripts/epss_scorer.py
@@ -361,10 +361,10 @@ def _fetch_batch(self, cve_ids: list[str]) -> dict[str, EPSSScore]:
                 len(cve_ids),
             )
 
-        except urllib.error.URLError as e:
-            logger.warning("EPSS API network error: %s", e)
         except urllib.error.HTTPError as e:
             logger.warning("EPSS API HTTP error %d: %s", e.code, e.reason)
+        except urllib.error.URLError as e:
+            logger.warning("EPSS API network error: %s", e)
         except json.JSONDecodeError as e:
             logger.warning("EPSS API returned invalid JSON: %s", e)
         except (OSError, ValueError, TypeError) as e:
diff --git a/scripts/error_classifier.py b/scripts/error_classifier.py
@@ -217,26 +217,9 @@ def classify_llm_error(
     if status_code is not None:
         context["status_code"] = status_code
 
-    # Also check for common exception types directly
-    if isinstance(error, (ConnectionError, OSError)):
-        return ClassifiedError(
-            error_type=ERROR_TYPE_TRANSIENT,
-            retryable=True,
-            original=error,
-            context=context,
-            provider=provider,
-        )
-
-    if isinstance(error, TimeoutError):
-        return ClassifiedError(
-            error_type=ERROR_TYPE_TRANSIENT,
-            retryable=True,
-            original=error,
-            context=context,
-            provider=provider,
-        )
-
-    # Pattern matching against known error types
+    # Pattern matching against known error types (checked first so that
+    # specific patterns like "permission denied" or "no such file" are
+    # classified correctly before the broad isinstance fallback).
     for error_type, patterns, retryable in _PATTERN_REGISTRY:
         for pattern in patterns:
             if pattern in combined:
@@ -248,6 +231,16 @@ def classify_llm_error(
                     provider=provider,
                 )
 
+    # Fallback: network-level connection errors are transient
+    if isinstance(error, ConnectionError):
+        return ClassifiedError(
+            error_type=ERROR_TYPE_TRANSIENT,
+            retryable=True,
+            original=error,
+            context=context,
+            provider=provider,
+        )
+
     # Fail-safe: unknown errors are classified as permanent (not retryable)
     return ClassifiedError(
         error_type=ERROR_TYPE_PERMANENT,

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ def __init__(self, config: Optional[OrchestratorConfig] = None):`
`105`	`105`	`self.dast_auth.login_type,`
`106`	`106`	`self.dast_auth.login_url or "(none)",`
`107`	`107`	`)`
`108`		`- except (FileNotFoundError, ValueError) as exc:`
	`108`	`+ except Exception as exc:`
`109`	`109`	`logger.warning("DAST auth config load failed: %s", exc)`
`110`	`110`
`111`	`111`	`# Initialize agents`