From dcf250d36f30e9875b98dd1ee43096c50078ca64 Mon Sep 17 00:00:00 2001
From: Adam Outler
Date: Sun, 19 Oct 2025 15:12:27 +0000
Subject: [PATCH] Coderabbit nitpicks.
---
 .devcontainer/scripts/setup.sh | 2 +-
 .github/copilot-instructions.md | 4 +-
 .../services/config/nginx/README.md | 2 +-
 .../scripts/check-first-run-config.sh | 10 ++++-
 .../services/scripts/check-ramdisk.sh | 6 +--
 .../services/scripts/cron_script.sh | 5 ++-
 .../services/scripts/update_vendors.sh | 37 +++++++++++++++----
 7 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/.devcontainer/scripts/setup.sh b/.devcontainer/scripts/setup.sh
index 61150001..928b9342 100755
--- a/.devcontainer/scripts/setup.sh
+++ b/.devcontainer/scripts/setup.sh
@@ -98,7 +98,7 @@ configure_source() {
     sudo chown -R netalertx:www-data ${INSTALL_DIR}
-    while `ps ax | grep -v grep | grep python3 > /dev/null`; do
+    while ps ax | grep -v grep | grep python3 > /dev/null; do
         killall python3 &>/dev/null
         sleep 0.2
     done
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index 9dae9fa0..82ca4350 100755
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
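Review bot: The rewritten loop condition still relies on `ps ax | grep -v grep | grep python3`, which matches any process whose command line merely contains `python3` and forks three processes every 200 ms; `pgrep` does the same test in one call without the self-match workaround: `while pgrep -x python3 >/dev/null; do`. The `${INSTALL_DIR}` on the chown context line just above is still unquoted, so the quoting clean-up applied elsewhere in this commit stops short here. configure_source starts and ends outside the hunk.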
@@ -1,7 +1,7 @@
 # NetAlertX AI Assistant Instructions
-This is NetAlertX — network monitoring & alerting. NetAlertX provides Network inventory, awareness, insight, categorization, intruder and presence detection. This is a heavily community driven project, welcoming of all contributions.
+This is NetAlertX — network monitoring & alerting. NetAlertX provides Network inventory, awareness, insight, categorization, intruder and presence detection. This is a heavily community-driven project, welcoming of all contributions.
-You are to expected to be concise, opinionated, and biased toward security and simplicity.
+You are expected to be concise, opinionated, and biased toward security and simplicity.
 ## Architecture (what runs where)
 - Backend (Python): main loop + GraphQL/REST endpoints orchestrate scans, plugins, workflows, notifications, and JSON export.
diff --git a/install/production-filesystem/services/config/nginx/README.md b/install/production-filesystem/services/config/nginx/README.md
index f1e3b020..64ff5b61 100644
--- a/install/production-filesystem/services/config/nginx/README.md
+++ b/install/production-filesystem/services/config/nginx/README.md
@@ -1,6 +1,6 @@
 Nginx's conf is in /services/config/nginx/conf.active. This is the default configuration when run as a read-only container without a mount.
-With a tmpfs mount on /services/config/nginx.conf.active, the nginx template will be rewritten to allow ENV customization of listen address and port.
+With a tmpfs mount on /services/config/nginx/conf.active, the nginx template will be rewritten to allow ENV customization of listen address and port.
 The act of running /services/start-nginx.sh writes a new nginx.conf file, using envsubst, then starts nginx based on the parameters in that file.
diff --git a/install/production-filesystem/services/scripts/check-first-run-config.sh b/install/production-filesystem/services/scripts/check-first-run-config.sh
index f7efd78c..354c9c53 100644
--- a/install/production-filesystem/services/scripts/check-first-run-config.sh
+++ b/install/production-filesystem/services/scripts/check-first-run-config.sh
@@ -3,8 +3,14 @@
 # Check for app.conf and deploy if required
 if [ ! -f ${NETALERTX_CONFIG}/app.conf ]; then
-    mkdir -p ${NETALERTX_CONFIG}
-    cp /app/back/app.conf ${NETALERTX_CONFIG}/app.conf
+    mkdir -p "${NETALERTX_CONFIG}" || {
+        >&2 echo "ERROR: Failed to create config directory ${NETALERTX_CONFIG}"
+        exit 1
+    }
+    cp /app/back/app.conf "${NETALERTX_CONFIG}/app.conf" || {
+        >&2 echo "ERROR: Failed to copy default config to ${NETALERTX_CONFIG}/app.conf"
+        exit 1
+    }
     CYAN='\033[1;36m'
     RESET='\033[0m'
     >&2 printf "%s" "${CYAN}"
diff --git a/install/production-filesystem/services/scripts/check-ramdisk.sh b/install/production-filesystem/services/scripts/check-ramdisk.sh
index 44c1e6ee..a8b771d5 100644
--- a/install/production-filesystem/services/scripts/check-ramdisk.sh
+++ b/install/production-filesystem/services/scripts/check-ramdisk.sh
@@ -33,7 +33,7 @@ EOF
 # If NETALERTX_DEBUG=1 then we will exit
-if [ "${NETALERTX_DEBUG}" -eq 1 ]; then
+if [ "${NETALERTX_DEBUG}" = "1" ]; then
     exit 0
 fi
@@ -45,6 +45,6 @@ if [ "${failures}" -ne 0 ]; then
     exit 1
 fi
-if [ ! -f "${SYSTEM_NGINIX_CONFIG}/conf.active" ]; then
-    echo "Note: Using default listen address ${LISTEN_ADDR}:${PORT} (no ${SYSTEM_NGINIX_CONFIG}/conf.active override)."
+if [ ! -f "${SYSTEM_NGINX_CONFIG}/conf.active" ]; then
+    echo "Note: Using default listen address ${LISTEN_ADDR}:${PORT} (no ${SYSTEM_NGINX_CONFIG}/conf.active override)."
 fi
diff --git a/install/production-filesystem/services/scripts/cron_script.sh b/install/production-filesystem/services/scripts/cron_script.sh
index 2cde46a3..347f1a20 100755
--- a/install/production-filesystem/services/scripts/cron_script.sh
+++ b/install/production-filesystem/services/scripts/cron_script.sh
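Review bot: The new `mkdir -p "${NETALERTX_CONFIG}" || { … }` and `cp … || { … }` guards only report after the command has already run with whatever `NETALERTX_CONFIG` holds; when the variable is unset or empty, the `if [ ! -f ${NETALERTX_CONFIG}/app.conf ]` test on the context line (still unquoted) checks `/app.conf`, and `mkdir -p ""` fails with a message that ends in an empty path. A guard before the `if`, `: "${NETALERTX_CONFIG:?NETALERTX_CONFIG must be set}"`, together with quoting the test, `if [ ! -f "${NETALERTX_CONFIG}/app.conf" ]; then`, closes that gap. The diagnostics would also read more conventionally as `printf '%s\n' "ERROR: …" >&2`, matching the `>&2 printf` already used a few lines below.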
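Review bot: The second hunk renames both uses of `SYSTEM_NGINIX_CONFIG` to `SYSTEM_NGINX_CONFIG`, but the variable's assignment is outside both hunks; if it is still set under the old spelling, the corrected test now evaluates `[ ! -f "/conf.active" ]` and the note is always printed with an empty path, or the reference aborts the script if it runs under `set -u`. Please confirm the assignment (or the exported environment name) matches the new spelling. The first hunk's switch to `= "1"` is a sound change, since it also tolerates an unset `NETALERTX_DEBUG`, which the `-eq` comparison rejected with an error.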
@@ -5,11 +5,12 @@ export INSTALL_DIR=/app
 # Check if there are any entries with cron_restart_backend
 if grep -q "cron_restart_backend" "${LOG_EXECUTION_QUEUE}"; then
-    # Restart python application using s6
     killall python3
     sleep 2
     /services/start-backend.sh &
     # Remove all lines containing cron_restart_backend from the log file
-    sed -i '/cron_restart_backend/d' "${LOG_EXECUTION_QUEUE}"
+    # Atomic replacement with temp file
+    grep -v "cron_restart_backend" "${LOG_EXECUTION_QUEUE}" > "${LOG_EXECUTION_QUEUE}.tmp" && \
+    mv "${LOG_EXECUTION_QUEUE}.tmp" "${LOG_EXECUTION_QUEUE}"
 fi
diff --git a/install/production-filesystem/services/scripts/update_vendors.sh b/install/production-filesystem/services/scripts/update_vendors.sh
index 23ca1bd0..3f780d5a 100755
--- a/install/production-filesystem/services/scripts/update_vendors.sh
+++ b/install/production-filesystem/services/scripts/update_vendors.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -euo pipefail
 # ------------------------------------------------------------------------------
 # NetAlertX
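Review bot: `grep -v "cron_restart_backend" … > "${LOG_EXECUTION_QUEUE}.tmp" && mv …` never reaches the `mv` when the queue holds only restart entries, because `grep -v` exits 1 when it selects no lines; the enclosing `if grep -q` guarantees at least one matching line, so for a queue containing just the marker the marker survives, the `.tmp` file is left behind, and every later cron run repeats `killall python3` and the restart. Treat status 1 as success and clean up on real failure: `{ grep -v "cron_restart_backend" "${LOG_EXECUTION_QUEUE}" > "${LOG_EXECUTION_QUEUE}.tmp" || [ $? -eq 1 ]; } && \` followed by the unchanged `mv` line, with `rm -f "${LOG_EXECUTION_QUEUE}.tmp"` in an `||` branch. The rename also gives the queue file the cron user's ownership and mode, and any entry the backend appends between the `grep` and the `mv` is lost; the removed `sed -i` had the same window, so this is not a regression, but the "Atomic replacement" comment should say that the atomicity is only for readers, not for concurrent writers.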
@@ -14,13 +15,35 @@
 # /usr/share/arp-scan
 # ----------------------------------------------------------------------
+#!/usr/bin/env bash
+set -euo pipefail
+
+TEMP_FILE="/services/run/tmp/ieee-oui.txt.tmp"
+OUTPUT_FILE="/services/run/tmp/ieee-oui.txt"
+
 # Download the file using wget to stdout and process it
-wget -q "https://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
-  sed -E 's/ *\(base 16\)//' | \
-  awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' | \
-  sort | \
-  awk '{$1=$1; print}' | \
-  sort -u | \
-  awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' \
+if ! wget --timeout=30 --tries=3 "https://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
+  sed -E 's/ *\(base 16\)//' | \
+  awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' | \
+  sort | \
+  awk '{$1=$1; print}' | \
+  sort -u | \
+  awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' \
+  > "${TEMP_FILE}"; then
+  echo "ERROR: Failed to download or process OUI data" >&2
+  rm -f "${TEMP_FILE}"
+  exit 1
+fi
+
+# Validate we got actual content (should have hundreds of thousands of lines)
+if [ ! -s "${TEMP_FILE}" ] || [ "$(wc -l < "${TEMP_FILE}")" -lt 1000 ]; then
+  echo "ERROR: OUI data appears invalid or incomplete" >&2
+  rm -f "${TEMP_FILE}"
+  exit 1
+fi
+
+# Atomic replacement
+mv "${TEMP_FILE}" "${OUTPUT_FILE}"
+echo "Successfully updated IEEE OUI database ($(wc -l < "${OUTPUT_FILE}") entries)"
   > /services/run/tmp/ieee-oui.txt
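Review bot: The hunk's line counts (`-14,13 +15,35`) require the trailing `> /services/run/tmp/ieee-oui.txt` to be the surviving context line of the old pipeline (the removed `awk … \` needed a following redirect line that is not among the `-` lines), so in the new file it sits on its own right after the `echo "Successfully updated …"` line; a bare redirection is a valid command that truncates its target, which empties the freshly moved `OUTPUT_FILE` immediately after the "atomic replacement" (and if the redirect were instead attached to the echo, the database would be replaced by that one-line message). Delete that line so the hunk ends with `echo "Successfully updated IEEE OUI database ($(wc -l < "${OUTPUT_FILE}") entries)"` and nothing after it. The `#!/usr/bin/env bash` and `set -euo pipefail` added mid-file duplicate the ones the first hunk puts at the top; a shebang past line 1 is only a comment and the second `set` is a no-op, so both lines can go. `wget` lost its `-q`, so under cron its progress output now lands on stderr every run; `-q` (or `--no-verbose`) keeps the log quiet while `if !` still catches failures. `TEMP_FILE` is a fixed name in a shared directory and is only removed on the two explicit error paths; `mktemp` in the same directory plus a `trap 'rm -f "${TEMP_FILE}"' EXIT` would avoid leaving a partial file when the script is killed mid-pipeline.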