[CHORE][SONAR]: Fix all must-fix SonarQube findings - type safety, async tasks, dead code #2981
Description
Summary
Address all verified must-fix SonarQube findings.
Findings
1. Fire-and-forget asyncio tasks - silent task loss (S7502, 6 instances)
asyncio.create_task() called without storing the reference. Python's event loop holds only a weak reference - the task can be garbage collected mid-execution.
| File | Line | Task |
|---|---|---|
services/token_catalog_service.py |
846, 889 | auth_cache.invalidate_revocation() |
services/email_auth_service.py |
1727-1729 | auth_cache.invalidate_user/teams/membership() |
cache/resource_cache.py |
139 | self._cleanup_loop() - also missing from shutdown() |
Fix: Store task references in a set with add_done_callback for auto-discard. Add cleanup task cancellation to resource_cache.shutdown().
2. SSO type mismatch - SimpleNamespace passed as SSOProvider (S5655, 6 instances)
provider_ctx created as SimpleNamespace(id=..., provider_metadata=...) but passed to methods typed as SSOProvider.
| File | Lines |
|---|---|
services/sso_service.py |
859, 891, 892, 951, 978, 980 |
Fix: Replace SimpleNamespace with a proper SSOProviderContext dataclass. Update method signatures accordingly.
3. Return type lies - functions return None where hint promises a value (S5886, 2 instances)
| File | Declared Return | Actual |
|---|---|---|
services/gateway_service.py |
-> GatewayRead |
Returns None when gateway is inactive |
utils/services_auth.py |
-> str |
Returns None when auth_value is falsy |
Fix: Change return types to Optional[GatewayRead] and Optional[str].
4. Type hint missing Optional for None defaults (S5890, 2 instances)
| File | Current | Fix |
|---|---|---|
plugins/external/cedar/.../schema.py |
policy: Union[list, str] = None |
Optional[Union[list, str]] = None |
plugins/external/opa/.../schema.py |
mode: str = None |
Optional[str] = None |
5. Dead conditionals - both branches identical (S3923, 2 instances)
| File | Details |
|---|---|
plugins/unified_pdp/cache.py |
if/else both append - remove dead branch |
mcpgateway/translate.py |
if/else both call await original_app(...) - remove dead branch |
Closes #2376
6. Logger format bug - extra argument silently dropped (S3457, 1 instance)
validate_signature.py:319: logger.info("Signature valid:", ...) - uses comma instead of %s. The boolean result is silently dropped.
7. Duplicate branches (S1871, 2 real instances)
| File | Fix |
|---|---|
toon.py:805-808 |
Merge if " " / elif "\n" into single if in (" ", "\n") |
schemas.py:1150-1152 |
Simplify redundant if/elif to single if path_template |
8. Jinja2 auto-escaping disabled - XSS hotspots (S5247, 18 instances) - false positive
Remove all {% autoescape false %} wrappers from templates (16 blocks) and replace 2 |safe patterns with CSS-based word wrapping. This is currently a false positive (as XSS happens outside the block), but correcting it here for future Sonar scans.
| Location | Count |
|---|---|
admin.html |
5 autoescape blocks + 2 |safe patterns |
11 *_partial.html templates |
11 autoescape blocks |
Files Changed
mcpgateway/cache/resource_cache.pymcpgateway/services/token_catalog_service.pymcpgateway/services/email_auth_service.pymcpgateway/services/sso_service.pymcpgateway/services/gateway_service.pymcpgateway/utils/services_auth.pymcpgateway/utils/validate_signature.pymcpgateway/translate.pymcpgateway/schemas.pymcpgateway/templates/admin.htmlmcpgateway/templates/*_partial.html(11 files)mcpgateway/templates/tools_with_pagination.htmlplugins/unified_pdp/cache.pyplugins/toon_encoder/toon.pyplugins/external/cedar/cedarpolicyplugin/schema.pyplugins/external/opa/opapluginfilter/schema.py