# BUGS / Repair Plan

## Scope
This plan starts with defects found in [sysinfo_client](sysinfo_client) and then requires end-to-end analysis of all runtime components:
- modules in [modules/](modules/)
- transports/helpers in [scripts/](scripts/)
- shared libraries in [library.pm](library.pm), [DataTransport.pm](DataTransport.pm), [sysinfoconf.pm](sysinfoconf.pm), and installer/runtime glue used by execution flow

## Priority 0: Correctness/Safety Defects In sysinfo_client

### 1) Fix transport iteration bug
- File: [sysinfo_client](sysinfo_client#L313)
- Problem: Iteration currently uses flattened hash values instead of transport keys.
- Action:
  - Replace transport loop with key iteration over `%$transports` only.
  - Keep numeric priority ordering.
- Acceptance:
  - Multiple transports execute in deterministic numeric order.
  - No warnings/errors from invalid transport key usage.

### 2) Fix bad dereference in missing-script error path
- File: [sysinfo_client](sysinfo_client#L342)
- Problem: Uses array-style dereference on hashref in logging path.
- Action:
  - Replace with correct hashref access for `sendScript`.
- Acceptance:
  - Missing transport script logs correctly and falls through to next transport.

### 3) Remove shell command injection risk in serial fallback
- File: [sysinfo_client](sysinfo_client#L779)
- Problem: Serial fallback builds shell command from config-derived values.
- Action:
  - Replace shell pipeline with pure-Perl hash generation (no shell invocation).
  - Use deterministic hash output compatible with current format expectations.
- Acceptance:
  - Serial fallback works with special characters in hostname/clientName.
  - No shell execution in fallback path.
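
An added sketch of a shell-free fallback, not code from `sysinfo_client`. The helper name `fallback_serial`, the SHA-256 digest and the NUL-joined input layout are assumptions; the real fix has to reproduce whatever digest and layout the current pipeline emits.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use Encode qw(encode);

# Hypothetical helper (not the project's code): derive a fallback serial
# from config-derived values without spawning a shell.
sub fallback_serial {
    my ($hostname, $client_name) = @_;
    # Join with NUL so that ("ab", "c") and ("a", "bc") hash differently.
    my $material = join "\0", map { $_ // '' } $hostname, $client_name;
    # Digest::SHA croaks on wide characters, so hash the UTF-8 bytes.
    return sha256_hex(encode('UTF-8', $material));
}

# Constructed inputs: shell metacharacters and a non-ASCII client name.
# Every character is hashed as data; nothing is interpreted.
for my $pair (
    [ 'web01.example.com', 'Acme' ],
    [ 'host;$(uname)`x`',  q(O'Brien & "Sons") ],
    [ 'srv',               "Caf\x{e9} \x{263a}" ],
) {
    printf "%s  %s\n", fallback_serial(@$pair),
        join ' / ', map { encode('UTF-8', $_) } @$pair;
}
```

If the existing pipeline pipes `echo` output into a digest tool, the trailing newline is part of the hashed input, so compare the new output against serials already stored before switching.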

### 4) Remove eval-based hash assignment in tab parser
- File: [sysinfo_client](sysinfo_client#L436-L442)
- Problem: Parser constructs Perl code and evals module output.
- Action:
  - Replace eval string execution with iterative hash descent and direct assignment.
  - Preserve current tab-delimited behavior.
- Acceptance:
  - Existing module output still maps to identical nested structure.
  - Malformed keys/values cannot execute code.
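
An added sketch of the iterative descent, written as a small regression test; it is not the project's parser. The helper name `assign_tabbed` and the record layout (every field but the last is a key, the last is the value) are assumptions, and the sample lines are constructed.

```perl
use strict;
use warnings;
use Test::More;

# Hypothetical helper (not the project's code): store one tab-delimited
# record in a nested hash. Assumed format: key1 \t key2 \t ... \t value.
sub assign_tabbed {
    my ($report, $line) = @_;
    $line =~ s/\r?\n\z//;
    my @fields = split /\t/, $line, -1;     # -1 keeps empty trailing fields
    return 0 if @fields < 2;                # need at least one key and a value
    my $value = pop @fields;
    return 0 if grep { $_ eq '' } @fields;  # reject empty key segments

    my $leaf = pop @fields;
    my $node = $report;
    for my $key (@fields) {
        # Refuse to descend through a scalar stored by an earlier record.
        return 0 if exists $node->{$key} && ref($node->{$key}) ne 'HASH';
        $node = $node->{$key} //= {};
    }
    return 0 if ref $node->{$leaf};         # do not clobber a subtree
    $node->{$leaf} = $value;                # plain data, never compiled
    return 1;
}

# Constructed module output, including a value that looks like Perl code.
my @lines = (
    "network\teth0\tmac\t00:11:22:33:44:55\n",
    "network\teth0\tmtu\t1500\n",
    "os\tname\t'}; system('id'); \$x{'\n",
    "os\tname\tversion\t5\n",    # would descend through scalar os.name
    "lonely\n",                  # no value field
    "a\t\tb\tc\n",               # empty key segment
);
my %report;
my @ok = map { assign_tabbed(\%report, $_) } @lines;

is_deeply(\@ok, [1, 1, 1, 0, 0, 0], 'malformed records rejected');
is($report{network}{eth0}{mtu}, '1500', 'nested assignment');
is($report{os}{name}, q('}; system('id'); $x{'), 'payload kept as a string');
done_testing();
```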

### 5) Fix transport return-code handling precedence
- File: [sysinfo_client](sysinfo_client#L853)
- Problem: Boolean result stored instead of transport return code.
- Action:
  - Capture raw return value from `sendResults` before comparison.
  - Log true return code on failure.
- Acceptance:
  - Logs show actual transport return value.
  - Success/failure behavior matches return contract.
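
An added sketch of the transport loop that items 1, 2 and 5 describe, not code from `sysinfo_client`. The config shape (numeric priority mapped to a hashref with `sendScript`), the `%installed` stand-ins for scripts on disk, the transport names and the "1 means success" contract are all assumptions.

```perl
use strict;
use warnings;

# Constructed config: numeric priority => transport settings (assumed shape).
my $transports = {
    10 => { sendScript => 'sendEmail' },   # not installed
    2  => { sendScript => 'sendHTTP' },    # installed, fails with code 7
    1  => { sendScript => 'missing' },     # not installed
    30 => { sendScript => 'save' },        # installed, succeeds
};
# Stand-ins for scripts on disk; assumed contract: 1 means success.
my %installed = (
    sendHTTP => sub { 7 },
    save     => sub { 1 },
);

sub send_report {
    my ($transports, $log) = @_;
    # Keys only, compared as numbers: a string sort would run 10 before 2,
    # and sorting %$transports itself would mix the value hashrefs in.
    for my $prio (sort { $a <=> $b } keys %$transports) {
        my $script = $transports->{$prio}{sendScript};   # hashref access
        my $send   = $installed{$script};
        if (!$send) {
            push @$log, "priority $prio: $script not found, trying next";
            next;
        }
        # Capture first, compare second: `my $rc = $send->() == 1`
        # would store the comparison result instead of the return code.
        my $rc = $send->();
        return $prio if $rc == 1;
        push @$log, "priority $prio: $script failed with return code $rc";
    }
    return;   # every transport was missing or failed
}

my @log;
my $used = send_report($transports, \@log);
print "$_\n" for @log;
print defined $used ? "sent via priority $used\n" : "all transports failed\n";
```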

### 6) Fix error prefix detection offset
- File: [sysinfo_client](sysinfo_client#L513)
- Problem: `error:` detection starts at index 1, missing index 0.
- Action:
  - Detect error prefix from start of string.
- Acceptance:
  - Outputs beginning with `error:` are always classified as errors.

## Priority 1: Add Focused Regression Tests For sysinfo_client
- Add test cases for:
  - transport priority ordering and fallback behavior
  - missing transport script path
  - serial fallback with special characters
  - tab-delimited parser nested key assignment and malformed input
  - module output `error:` classification
  - sendResults return-code propagation
- Suggested location:
  - new test file(s) in the project root, following the existing test naming convention, e.g. [test_DataTransport.pl](test_DataTransport.pl)
- Acceptance:
  - Tests fail on current buggy behavior and pass after fixes.

## Priority 2: End-to-End Analysis Across Modules, Scripts, Libraries

### Required full review coverage
- Modules:
  - all executable collectors in [modules/](modules/)
- Scripts/transports:
  - all send/output scripts in [scripts/](scripts/)
- Libraries/core:
  - [library.pm](library.pm)
  - [DataTransport.pm](DataTransport.pm)
  - [sysinfoconf.pm](sysinfoconf.pm)
  - any runtime utility included by module/script execution

### Analysis goals
- Validate interface contracts end-to-end:
  - module output format -> parser -> report structure
  - report serialization type handling (yaml/json/datatransport)
  - transport invocation and return-code semantics
- Identify security risks:
  - shell invocation with unsanitized input
  - dynamic require/eval surfaces
  - file/path trust boundaries
- Identify reliability risks:
  - permission assumptions
  - missing dependency behavior
  - malformed output/config handling

### Deliverables
- A reviewed component matrix (module/script/lib, status, findings, severity)
- Reproducible defect list with file/line references
- Patch set grouped by severity
- Regression test plan and executed test evidence

## Execution Order
1. Implement Priority 0 fixes in [sysinfo_client](sysinfo_client)
2. Add/execute Priority 1 tests
3. Perform Priority 2 end-to-end analysis and produce findings report
4. Apply cross-component fixes from end-to-end findings
5. Re-run full validation (unit + integration + install smoke)

## Smoke Validation Checklist After Fixes
- `perl -c` passes for touched files
- `sysinfo_client --test` produces expected report without warnings
- At least one module failure and one transport failure path validated
- Report successfully emitted via configured transport fallback path
- Installer smoke test still passes on the Devuan path
