Skip to content

fix(review): add post-LLM filter for hardcoded secret false positives#325

Merged
ajianaz merged 3 commits into
developfrom
fix/secret-fp-post-llm-filter
Jun 27, 2026
Merged

fix(review): add post-LLM filter for hardcoded secret false positives#325
ajianaz merged 3 commits into
developfrom
fix/secret-fp-post-llm-filter

Conversation

@ajianaz

@ajianaz ajianaz commented Jun 27, 2026

Copy link
Copy Markdown
Collaborator

Problem

Cora LLM sometimes flags struct field declarations like api_key: String or api_key: extract_api_key.clone() as "Hardcoded password or secret in variable" — even though no literal value is present.

The .cora.yaml rules field is only LLM context (non-deterministic), so instructions to ignore these are unreliable.

Solution

1. Post-LLM false positive filter

Add apply_llm_secret_fp_filter — a deterministic post-LLM filter that:

  1. Identifies LLM findings with issue_type: security and titles matching hardcoded secret keywords
  2. Looks up the actual added line at the reported file:line in the parsed diff
  3. Cross-validates against the sec-hardcoded-secret regex (key = "literal")
  4. Removes findings where the line is just a struct field declaration (no literal assignment)
  5. Keeps findings for unknown/unresolvable lines (safe default — better safe than sorry)

Pipeline position:

LLM findings
  → valid file path filter (existing)
  → apply_llm_secret_fp_filter (NEW)
  → apply_ignore_rules (existing)
  → min_severity block check (existing)

2. Dependency security fixes

  • Bump git2 0.20 → 0.21 (resolves RUSTSEC-2026-0183, RUSTSEC-2026-0184)
  • Bump quinn-proto 0.11.14 → 0.11.15 (resolves RUSTSEC-2026-0185)

Testing

4 unit tests for the FP filter:

  • ✅ Struct field declarations → removed (FP)
  • ✅ Actual hardcoded secret → kept (real finding)
  • ✅ Non-security findings → pass through
  • ✅ Unknown lines → kept (safe default)

All 596 tests pass. Clippy clean. Fmt clean.

ajianaz added 3 commits June 27, 2026 12:31
Cora LLM sometimes flags struct field declarations (e.g. api_key: String)
as 'Hardcoded password or secret in variable' even when no literal value
is present. The built-in sec-hardcoded-secret regex only matches actual
assignments like api_key = "sk-...", but the LLM can hallucinate these
findings regardless of .cora.yaml rules.

Add apply_llm_secret_fp_filter that cross-validates LLM security findings
against actual diff lines. If a finding about hardcoded secrets points to
a line that doesn't match the sec-hardcoded-secret regex, it's removed
as a false positive. Unknown/unresolvable lines are kept (safe default).

4 unit tests cover: FP removal, real secret retention, non-security
pass-through, and unknown-line preservation.
- git2 0.21.0 fixes RUSTSEC-2026-0183 (null ptr in Remote::list)
  and RUSTSEC-2026-0184 (null ptr in Blame::blame_buffer Signature)
- Remote::url() API changed from Option<&str> to Result<&str, Error>
- Adapted get_repo_info() to use .url().ok() chain
Resolves remote memory exhaustion DoS vulnerability in quinn-proto
unbounded out-of-order stream reassembly.
@ajianaz ajianaz merged commit 0e36412 into develop Jun 27, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant