Revert "Remove comments indicating FP or TP"

This reverts commit 42cdf985ca.

src/security_demo/database.py

@@ -1,4 +1,10 @@
-"""Database module - streamlined version."""
+"""Database module - streamlined version.
+
+FINDING CLASSIFICATIONS:
+- TRUE POSITIVE (TP): Actual security vulnerability
+- FALSE POSITIVE (FP): Flagged but not a real issue in context
+- UNCERTAIN: Could be either depending on deployment context
+"""
 
 import hashlib
 import hmac
@@ -21,21 +27,21 @@ class DatabaseManager:
     # =========================================================================
 
     def find_by_username_unsafe(self, username: str) -> Optional[dict]:
-        """SQL injection via string formatting."""
+        """TP: SQL injection via string formatting."""
         session = self.Session()
         query = f"SELECT * FROM users WHERE username = '{username}'"
         result = session.execute(text(query))
         return result.fetchone()
 
     def search_users_unsafe(self, search_term: str) -> List[dict]:
-        """SQL injection in LIKE clause."""
+        """TP: SQL injection in LIKE clause."""
         session = self.Session()
         query = f"SELECT * FROM users WHERE username LIKE '%{search_term}%'"
         result = session.execute(text(query))
         return result.fetchall()
 
     def find_by_id_safe(self, user_id: int) -> Optional[dict]:
-        """Parameterized query is safe."""
+        """FP: Parameterized query is safe."""
         session = self.Session()
         result = session.execute(
             text("SELECT * FROM users WHERE id = :id"), {"id": user_id}
@@ -43,7 +49,7 @@ class DatabaseManager:
         return result.fetchone()
 
     def dynamic_column_sort(self, column: str, order: str = "ASC") -> List[dict]:
-        """Column name from allowlist but still uses f-string."""
+        """UNCERTAIN: Column name from allowlist but still uses f-string."""
         allowed_columns = ["username", "email", "created_at"]
         if column not in allowed_columns:
             raise ValueError("Invalid column")
@@ -57,15 +63,15 @@ class PasswordManager:
     """Password hashing patterns."""
 
     def hash_password_md5(self, password: str) -> str:
-        """MD5 is cryptographically broken for passwords."""
+        """TP: MD5 is cryptographically broken for passwords."""
         return hashlib.md5(password.encode()).hexdigest()
 
     def hash_password_sha1(self, password: str) -> str:
-        """SHA1 is weak for password hashing."""
+        """TP: SHA1 is weak for password hashing."""
         return hashlib.sha1(password.encode()).hexdigest()
 
     def compute_file_checksum_md5(self, filepath: str) -> str:
-        """MD5 acceptable for file integrity (non-security)."""
+        """FP: MD5 acceptable for file integrity (non-security)."""
         hasher = hashlib.md5(usedforsecurity=False)
         with open(filepath, "rb") as f:
             for chunk in iter(lambda: f.read(4096), b""):
@@ -75,12 +81,12 @@ class PasswordManager:
     def verify_signature_sha256(
         self, message: bytes, signature: str, key: bytes
     ) -> bool:
-        """HMAC-SHA256 for signatures is secure."""
+        """FP: HMAC-SHA256 for signatures is secure."""
         expected = hmac.new(key, message, hashlib.sha256).hexdigest()
         return hmac.compare_digest(expected, signature)
 
     def hash_password_pbkdf2(self, password: str) -> tuple:
-        """PBKDF2 is a proper password hash."""
+        """FP: PBKDF2 is a proper password hash."""
         salt = secrets.token_bytes(32)
         key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600000)
         return key.hex(), salt.hex()