fix: integrate shared third-party excludes + fix stale line-number bugs

- Source lib/third-party-excludes.sh in 17 fix scripts, replacing
  per-script SKIP_DIRS with the shared FIND_THIRD_PARTY_EXCLUDES array
- Fix stale line-number bug in 5 scripts (innerhtml, secret-to-env,
  unchecked-error, resource-leak, sql-parameterize) by processing
  grep -n results in reverse order (sort -rn) so sed insertions
  don't shift subsequent line numbers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Jonathan D.A. Jewell

scripts/fix-atom-exhaustion.sh

@@ -15,6 +15,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -26,13 +29,8 @@ echo "  Repo:    $REPO_PATH"
 echo "  Pattern: $PATTERN_ID"
 echo ""
 
-# Directories to skip
-SKIP_DIRS=( "_build" "deps" ".git" )
-
-FIND_EXCLUDES=()
-for dir in "${SKIP_DIRS[@]}"; do
-    FIND_EXCLUDES+=( -not -path "*/${dir}/*" )
-done
+# Use shared third-party exclusions
+FIND_EXCLUDES=(-not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}")
 
 # Find all Elixir source files
 EX_FILES=()

scripts/fix-believe-me.sh

@@ -10,6 +10,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -36,7 +39,7 @@ while IFS= read -r -d '' file; do
 
         ((FIXED_COUNT++)) || true
     fi
-done < <(find "$REPO_PATH" -type f -name "*.idr" -not -path "*/\.git/*" -not -path "*/.pack/*" -print0 2>/dev/null)
+done < <(find "$REPO_PATH" -type f -name "*.idr" -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" -not -path "*/.pack/*" -print0 2>/dev/null)
 
 echo ""
 if [[ "$FIXED_COUNT" -gt 0 ]]; then

scripts/fix-command-injection.sh

@@ -20,6 +20,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -31,14 +34,8 @@ echo "  Repo:    $REPO_PATH"
 echo "  Pattern: $PATTERN_ID"
 echo ""
 
-# Directories to skip
-SKIP_DIRS=(".git" "target" "node_modules" "_build" ".lake")
-
-# Build the -not -path clauses for find
-FIND_EXCLUDES=()
-for d in "${SKIP_DIRS[@]}"; do
-    FIND_EXCLUDES+=(-not -path "*/${d}/*")
-done
+# Use shared third-party exclusions
+FIND_EXCLUDES=(-not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}")
 
 FIXED_COUNT=0
 

scripts/fix-dynamic-code-exec.sh

@@ -13,6 +13,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -24,14 +27,8 @@ echo "  Repo:    $REPO_PATH"
 echo "  Pattern: $PATTERN_ID"
 echo ""
 
-# Directories to skip
-SKIP_DIRS=( ".git" "node_modules" "target" "_build" "vendor" ".lake" )
-
-# Build the -not -path predicates for find
-FIND_EXCLUDES=()
-for dir in "${SKIP_DIRS[@]}"; do
-    FIND_EXCLUDES+=( -not -path "*/${dir}/*" )
-done
+# Use shared third-party exclusions
+FIND_EXCLUDES=(-not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}")
 
 FIXED_COUNT=0
 

scripts/fix-eval-to-safe.sh

@@ -14,6 +14,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -22,13 +25,8 @@ echo "  Repo: $REPO_PATH"
 
 FIXED_COUNT=0
 
-# Directories to skip
-SKIP_DIRS=( ".git" "node_modules" "target" "_build" "vendor" )
-
-FIND_EXCLUDES=()
-for dir in "${SKIP_DIRS[@]}"; do
-    FIND_EXCLUDES+=( -not -path "*/${dir}/*" )
-done
+# Use shared third-party exclusions
+FIND_EXCLUDES=(-not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}")
 
 # --- Shell files (.sh, .bash) ---
 while IFS= read -r -d '' file; do

scripts/fix-hardcoded-secrets.sh

@@ -17,6 +17,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -28,13 +31,8 @@ echo "  Repo:    $REPO_PATH"
 echo "  Pattern: $PATTERN_ID"
 echo ""
 
-# Directories to skip
-SKIP_DIRS=(".git" "target" "node_modules" "_build" ".lake")
-
-FIND_EXCLUDES=()
-for d in "${SKIP_DIRS[@]}"; do
-    FIND_EXCLUDES+=(-not -path "*/${d}/*")
-done
+# Use shared third-party exclusions
+FIND_EXCLUDES=(-not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}")
 
 FIXED_COUNT=0
 

scripts/fix-innerhtml.sh

@@ -10,6 +10,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -48,7 +51,7 @@ while IFS= read -r -d '' file; do
                 sed -i "${line_num}s/\.innerHTML\s*=/.textContent =/" "$file" 2>/dev/null || true
                 changed=true
             fi
-        done < <(grep -nP '\.innerHTML\s*=' "$file" 2>/dev/null | cut -d: -f1)
+        done < <(grep -nP '\.innerHTML\s*=' "$file" 2>/dev/null | cut -d: -f1 | sort -rn)
     fi
 
     # Pattern 2: .innerHTML used in concatenation (.innerHTML += ...)
@@ -80,8 +83,8 @@ while IFS= read -r -d '' file; do
         ((FIXED_COUNT++)) || true
     fi
 done < <(find "$REPO_PATH" -type f \( -name "*.js" -o -name "*.mjs" -o -name "*.jsx" -o -name "*.res" \) \
-    -not -path "*/node_modules/*" -not -path "*/\.git/*" -not -path "*/target/*" \
-    -not -path "*/_build/*" -not -name "*.min.js" -print0 2>/dev/null)
+    -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" \
+    -not -name "*.min.js" -print0 2>/dev/null)
 
 echo ""
 if [[ "$FIXED_COUNT" -gt 0 ]]; then

scripts/fix-resource-leak.sh

@@ -10,6 +10,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -36,15 +39,15 @@ while IFS= read -r -d '' file; do
                 sed -i "${line_num}i\\    // TODO: ensure file handle is dropped/closed (use ? or explicit drop)" "$file" 2>/dev/null || true
                 changed=true
             fi
-        done < <(grep -nP 'File::open\(' "$file" 2>/dev/null | cut -d: -f1)
+        done < <(grep -nP 'File::open\(' "$file" 2>/dev/null | cut -d: -f1 | sort -rn)
     fi
 
     if [[ "$changed" == "true" ]]; then
         echo "  FIXED $rel_path"
         ((FIXED_COUNT++)) || true
     fi
 done < <(find "$REPO_PATH" -type f -name "*.rs" \
-    -not -path "*/\.git/*" -not -path "*/target/*" -print0 2>/dev/null)
+    -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" -print0 2>/dev/null)
 
 # --- Python: open() without with statement ---
 while IFS= read -r -d '' file; do
@@ -65,15 +68,15 @@ while IFS= read -r -d '' file; do
                 sed -i "${line_num}i\\    # TODO: use 'with open(...)' context manager to prevent resource leak" "$file" 2>/dev/null || true
                 changed=true
             fi
-        done < <(grep -nP '^\s+\w+\s*=\s*open\(' "$file" 2>/dev/null | cut -d: -f1)
+        done < <(grep -nP '^\s+\w+\s*=\s*open\(' "$file" 2>/dev/null | cut -d: -f1 | sort -rn)
     fi
 
     if [[ "$changed" == "true" ]]; then
         echo "  FIXED $rel_path"
         ((FIXED_COUNT++)) || true
     fi
 done < <(find "$REPO_PATH" -type f -name "*.py" \
-    -not -path "*/\.git/*" -not -path "*/venv/*" -not -path "*/__pycache__/*" -print0 2>/dev/null)
+    -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" -not -path "*/venv/*" -print0 2>/dev/null)
 
 echo ""
 if [[ "$FIXED_COUNT" -gt 0 ]]; then

scripts/fix-secret-to-env.sh

@@ -10,6 +10,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -67,7 +70,7 @@ while IFS= read -r -d '' file; do
         ((FIXED_COUNT++)) || true
     fi
 done < <(find "$REPO_PATH" -type f \( -name "*.sh" -o -name "*.bash" -o -name "*.env.example" \) \
-    -not -path "*/\.git/*" -not -path "*/node_modules/*" -print0 2>/dev/null)
+    -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" -print0 2>/dev/null)
 
 # --- YAML/config files ---
 while IFS= read -r -d '' file; do
@@ -97,14 +100,14 @@ while IFS= read -r -d '' file; do
 
         sed -i "${line_num}i\\  # SECURITY: replace hardcoded secret with environment variable" "$file" 2>/dev/null || true
         changed=true
-    done < <(grep -niP "^\\s*${SECRET_KEYS}:\\s*[\"'].+[\"']" "$file" 2>/dev/null || true)
+    done < <(grep -niP "^\\s*${SECRET_KEYS}:\\s*[\"'].+[\"']" "$file" 2>/dev/null | sort -t: -k1,1 -rn || true)
 
     if [[ "$changed" == "true" ]]; then
         echo "  FIXED $rel_path — added secret warnings"
         ((FIXED_COUNT++)) || true
     fi
 done < <(find "$REPO_PATH" -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.toml" \) \
-    -not -path "*/\.git/*" -not -path "*/node_modules/*" \
+    -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" \
     -not -path "*/.github/workflows/*" -print0 2>/dev/null)
 
 # --- Elixir config files ---
@@ -128,7 +131,7 @@ while IFS= read -r -d '' file; do
                     sed -i "${line_num}i\\      # SECURITY: replace hardcoded secret with System.get_env/1" "$file" 2>/dev/null || true
                     changed=true
                 fi
-            done < <(grep -nP "${SECRET_KEYS}:\\s*\"[^\"]{8,}\"" "$file" 2>/dev/null | cut -d: -f1)
+            done < <(grep -nP "${SECRET_KEYS}:\\s*\"[^\"]{8,}\"" "$file" 2>/dev/null | cut -d: -f1 | sort -rn)
         fi
     fi
 
@@ -137,7 +140,7 @@ while IFS= read -r -d '' file; do
         ((FIXED_COUNT++)) || true
     fi
 done < <(find "$REPO_PATH" -type f \( -name "*.ex" -o -name "*.exs" \) \
-    -not -path "*/_build/*" -not -path "*/deps/*" -not -path "*/\.git/*" -print0 2>/dev/null)
+    -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" -print0 2>/dev/null)
 
 echo ""
 if [[ "$FIXED_COUNT" -gt 0 ]]; then

scripts/fix-shell-quoting.sh

@@ -10,6 +10,9 @@
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/third-party-excludes.sh" 2>/dev/null || true
+
 REPO_PATH="${1:?Usage: $0 <repo-path> <finding-json>}"
 FINDING_JSON="${2:?Missing finding JSON file}"
 
@@ -26,7 +29,7 @@ echo ""
 SHELL_FILES=()
 while IFS= read -r -d '' f; do
     SHELL_FILES+=("$f")
-done < <(find "$REPO_PATH" -type f \( -name "*.sh" -o -name "*.bash" \) -not -path "*/\.git/*" -not -path "*/node_modules/*" -not -path "*/target/*" -print0 2>/dev/null)
+done < <(find "$REPO_PATH" -type f \( -name "*.sh" -o -name "*.bash" \) -not -path "*/.git/*" "${FIND_THIRD_PARTY_EXCLUDES[@]}" -print0 2>/dev/null)
 
 # Also check .yml/.yaml files for shell: sections
 while IFS= read -r -d '' f; do