update code

Author: luoluoyuyu

.codacy.yml

@@ -8,6 +8,9 @@ exclude_paths:
   - "examples/**"
   - "README.md"
   - "cli/README.md"
+  # Build scripts use subprocess with controlled build-time inputs only
+  - "python/functionstream-runtime/build.py"
+  - "python/functionstream-api/build_package.py"
 
 # Exclude some code quality checks (during refactoring phase)
 exclude_patterns:

Dockerfile

@@ -1,10 +1,10 @@
 FROM rust:1-bookworm AS builder
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    cmake \
+    cmake=3.25.1-1 \
     make \
-    clang \
-    libclang-dev \
+    clang=1:14.0-55.7~deb12u1 \
+    libclang-dev=1:14.0-55.7~deb12u1 \
     python3 \
     python3-venv \
     python3-pip \
@@ -40,8 +40,8 @@ RUN make build-full
 FROM debian:bookworm-slim
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates \
-    libssl3 \
+    ca-certificates=20230311+deb12u1 \
+    libssl3=3.0.18-1~deb12u2 \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app

python/functionstream-client/src/fs_client/client.py

@@ -90,6 +90,47 @@ def _is_under_site_or_stdlib(origin: Path) -> bool:
         return True
 
 
+def _get_module_origin(
+    module_name: str,
+    result: Dict[str, Path],
+) -> Optional[Path]:
+    """Resolve module origin path from spec or existing result."""
+    if module_name == "__main__" and module_name in result:
+        return result[module_name]
+    try:
+        spec = importlib.util.find_spec(module_name)
+    except (ImportError, ValueError, ModuleNotFoundError):
+        return None
+    if spec is None or spec.origin is None or spec.origin == "built-in":
+        return None
+    return Path(spec.origin)
+
+
+def _process_module_deps(
+    module_name: str,
+    origin: Path,
+    package: str,
+    dep_graph: Dict[str, Set[str]],
+    seen: Set[str],
+    queue: List[str],
+) -> None:
+    """Parse module and add its imports to dep_graph and queue."""
+    try:
+        tree = ast.parse(origin.read_text(encoding="utf-8"))
+    except (OSError, SyntaxError):
+        return
+    for module_part, level in _get_imported_names(tree):
+        abs_name = (
+            module_part
+            if level == 0
+            else _resolve_relative(module_part, level, package)
+        )
+        if abs_name:
+            dep_graph[module_name].add(abs_name)
+            if abs_name not in seen:
+                queue.append(abs_name)
+
+
 def _collect_local_deps(
     driver_class: Type,
     driver_file: Path,
@@ -100,6 +141,7 @@ def _collect_local_deps(
     dep_graph: Dict[str, Set[str]] = {}
     queue: List[str] = [driver_module_name]
     seen: Set[str] = set()
+
     if driver_module_name == "__main__":
         result[driver_module_name] = driver_file.resolve()
         dep_graph[driver_module_name] = set()
@@ -110,42 +152,22 @@ def _collect_local_deps(
             continue
         seen.add(module_name)
         package = module_name.rpartition(".")[0]
-        if module_name == "__main__" and module_name in result:
-            origin = result[module_name]
-        else:
-            try:
-                spec = importlib.util.find_spec(module_name)
-            except (ImportError, ValueError, ModuleNotFoundError):
-                continue
-            if (
-                spec is None
-                or spec.origin is None
-                or spec.origin == "built-in"
-            ):
-                continue
-            origin = Path(spec.origin)
+
+        origin = _get_module_origin(module_name, result)
+        if origin is None:
+            continue
         if _is_under_site_or_stdlib(origin):
             continue
         try:
             origin.resolve().relative_to(driver_root)
         except ValueError:
             continue
+
         result[module_name] = origin
         dep_graph[module_name] = set()
-        try:
-            tree = ast.parse(origin.read_text(encoding="utf-8"))
-        except (OSError, SyntaxError):
-            pass
-        else:
-            for module_part, level in _get_imported_names(tree):
-                if level == 0:
-                    abs_name = module_part
-                else:
-                    abs_name = _resolve_relative(module_part, level, package)
-                if abs_name:
-                    dep_graph[module_name].add(abs_name)
-                    if abs_name not in seen:
-                        queue.append(abs_name)
+        _process_module_deps(
+            module_name, origin, package, dep_graph, seen, queue
+        )
 
     return result, dep_graph
 

python/functionstream-client/src/fs_client/exceptions.py

@@ -71,17 +71,14 @@ class FunctionStreamTimeoutError(ServerError):
 
 class BadRequestError(ServerError):
     """Raised when the arguments are invalid (INVALID_ARGUMENT)."""
-    pass
 
 
 class AuthenticationError(ServerError):
     """Raised when the client is not authenticated (UNAUTHENTICATED)."""
-    pass
 
 
 class PermissionDeniedError(ServerError):
     """Raised when the client does not have permission (PERMISSION_DENIED)."""
-    pass
 
 
 class NotFoundError(ServerError):

python/functionstream-runtime/src/fs_runtime/runner.py

@@ -11,11 +11,14 @@
 # limitations under the License.
 
 import importlib.util
+import logging
 import sys
 from typing import List, Optional, Tuple
 
 from fs_api.driver import FSProcessorDriver
 
+logger = logging.getLogger(__name__)
+
 from .store.fs_context import WitContext, convert_config_to_dict
 
 
@@ -46,11 +49,13 @@ def fs_exec(class_name: str, modules: List[Tuple[str, bytes]]) -> None:
             # Create the module
             module = importlib.util.module_from_spec(spec)
 
-            # Execute the module source code
-            # Note: exec is required here for dynamic module loading
-            # This is a controlled execution environment for user-provided code
+            # Execute the module source code.
+            # exec is required: importlib.util.module_from_spec does not execute
+            # code; Python's import system uses exec internally. This runtime
+            # is designed to execute trusted user-provided processor code in
+            # an isolated WASM sandbox. Only deploy code from trusted sources.
             code = compile(module_source, f"<{module_name}>", "exec")
-            exec(code, module.__dict__)  # noqa: S102
+            exec(code, module.__dict__)  # noqa: S102  # nosec B102
 
             # Add the module to sys.modules
             sys.modules[module_name] = module
@@ -105,47 +110,44 @@ def fs_init(self, config: List[Tuple[str, str]]) -> None:
         if _DRIVER:
             try:
                 _DRIVER.init(_CONTEXT, _CONTEXT._CONFIG)
-            except Exception:
-                # Silently ignore initialization errors to allow graceful degradation
-                pass  # noqa: S110
+            except Exception as e:
+                logger.debug("Driver init failed (graceful degradation): %s", e)
 
     def fs_process(self, source_id: int, data: bytes) -> None:
         if not _DRIVER or not _CONTEXT:
             return
 
         try:
             _DRIVER.process(_CONTEXT, source_id, data)
-        except Exception:
-            # Silently ignore processing errors to allow graceful degradation
-            pass  # noqa: S110
+        except Exception as e:
+            logger.debug("Process error (graceful degradation): %s", e)
 
     def fs_process_watermark(self, source_id: int, watermark: int) -> None:
         if not _DRIVER or not _CONTEXT:
             return
 
         try:
             _DRIVER.process_watermark(_CONTEXT, source_id, watermark)
-        except Exception:
-            # Silently ignore watermark processing errors to allow graceful degradation
-            pass  # noqa: S110
+        except Exception as e:
+            logger.debug("Watermark process error (graceful degradation): %s", e)
 
     def fs_take_checkpoint(self, checkpoint_id: int) -> None:
         if not _DRIVER or not _CONTEXT:
             return
 
         try:
             _DRIVER.take_checkpoint(_CONTEXT, checkpoint_id)
-        except Exception:
-            # Silently ignore checkpoint errors to allow graceful degradation
-            pass  # noqa: S110
+        except Exception as e:
+            logger.debug("Checkpoint error (graceful degradation): %s", e)
 
     def fs_check_heartbeat(self) -> bool:
         if not _DRIVER or not _CONTEXT:
             return False
 
         try:
             return _DRIVER.check_heartbeat(_CONTEXT)
-        except Exception:
+        except Exception as e:
+            logger.debug("Heartbeat check failed (graceful degradation): %s", e)
             return False
 
     def fs_close(self) -> None:
@@ -154,9 +156,8 @@ def fs_close(self) -> None:
         if _DRIVER and _CONTEXT:
             try:
                 _DRIVER.close(_CONTEXT)
-            except Exception:
-                # Silently ignore close errors to ensure cleanup completes
-                pass  # noqa: S110
+            except Exception as e:
+                logger.debug("Driver close error (cleanup continues): %s", e)
 
         _DRIVER = None
         _CONTEXT = None

python/functionstream-runtime/src/fs_runtime/store/fs_collector.py

@@ -10,8 +10,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import logging
 from typing import TYPE_CHECKING
 
+logger = logging.getLogger(__name__)
+
 if TYPE_CHECKING:
     from wit_world.imports.collector import (
         emit as wit_emit,
@@ -34,9 +37,8 @@ def emit(data: bytes, channel: int = 0) -> None:
 
     try:
         wit_emit(channel, data)
-    except Exception:
-        # Silently ignore emit errors to allow graceful degradation
-        pass  # noqa: S110
+    except Exception as e:
+        logger.debug("Emit error (graceful degradation): %s", e)
 
 
 def emit_watermark(watermark: int, channel: int = 0) -> None:
@@ -45,9 +47,10 @@ def emit_watermark(watermark: int, channel: int = 0) -> None:
 
     try:
         wit_emit_watermark(channel, watermark)
-    except Exception:
-        # Silently ignore watermark emit errors to allow graceful degradation
-        pass  # noqa: S110
+    except Exception as e:
+        logger.debug(
+            "Watermark emit error (graceful degradation): %s", e
+        )
 
 
 __all__ = ['emit', 'emit_watermark']