fix(meta-analyzer): keep LLM-confirmed findings when model returns end_line #70
Open
JiayingHuang wants to merge 1 commit into
Conversation
…d_line

apply_filter dropped LLM-confirmed findings whose static end_line is None when the model populated end_line (e.g. end_line == start_line, as DeepSeek does): the granular, start_only and coarse lookups all missed and the finding was silently filtered out. This turned a CRITICAL skill (live OSV CVEs) into SAFE once LLM analysis was enabled.

Add an end_line-agnostic fallback keyed by (file, rule_id, start_line), gated on the static finding having end_line is None so findings deliberately distinguished by end_line keep exact matching. Add regression tests.

Fixes NVIDIA#67

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Jiaying Huang <hjyxka@gmail.com>
Problem

`LLMMetaAnalyzer.apply_filter` silently drops LLM-confirmed findings whose static `end_line` is `None` when the model populates `end_line` (e.g. `end_line == start_line`, as DeepSeek does). The `exact_key`, `start_only_key` and `coarse_key` lookups all miss, so the finding is filtered out via `continue`. Because the meta-analyzer is a drop-by-default whitelist filter, the effect is a security false negative: a skill with live OSV CVEs scored `100 / CRITICAL` in static-only mode but `0 / SAFE` once LLM analysis was enabled — even though the model confirmed the findings with `is_vulnerability=True`, confidence ≈ 1.0. Root cause and a no-API-key reproduction are in #67.

Fix

Add an `end_line`-agnostic fallback index keyed by `(file, rule_id, start_line)`, gated on the static finding having `end_line is None`. Findings deliberately distinguished by `end_line` (same `file` + `rule_id` + `start_line`, different `end_line`) keep using exact matching, so existing behaviour (`test_end_line_used_when_provided`) is preserved. The `is_vulnerability` / `confidence >= 0.6` gating is unchanged, so the fallback cannot resurrect findings the LLM rejected.

Tests

`tests/nodes/test_meta_analyzer.py`: regression test fails on `main`, passes with the fix; plus rejected-finding and exact-match guards. `tests/nodes` + `tests/unit` stay green (572 passed, 11 skipped).
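An added, simplified model of the matching behaviour described in this PR. It is example code written for this page, not the project's `LLMMetaAnalyzer`: the `Finding` and `LLMVerdict` dataclasses, the index layout, the `score` helper and the `end_line_fallback` switch are assumptions, and the `coarse_key` lookup is omitted because the page does not describe it. The sample findings and verdicts are constructed. It shows why a static finding with `end_line is None` is dropped when the model echoes `end_line == start_line`, why the `(file, rule_id, start_line)` fallback recovers it, and why the fallback can neither resurrect a rejected finding nor blur two findings that differ only in `end_line`.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed shape of a static-analysis finding (not the project's class).
@dataclass(frozen=True)
class Finding:
    file: str
    rule_id: str
    start_line: int
    end_line: Optional[int]
    severity: str

# Assumed shape of the model's per-finding verdict (not the project's class).
@dataclass(frozen=True)
class LLMVerdict:
    file: str
    rule_id: str
    start_line: int
    end_line: Optional[int]
    is_vulnerability: bool
    confidence: float

CONFIDENCE_THRESHOLD = 0.6  # the PR states this gate is unchanged

def _index_verdicts(verdicts: List[LLMVerdict]):
    """Index only confirmed verdicts; rejected ones are never indexed, so no
    lookup (fallback included) can bring them back."""
    exact: Dict[tuple, LLMVerdict] = {}
    start_only: Dict[tuple, LLMVerdict] = {}    # model left end_line empty
    end_agnostic: Dict[tuple, LLMVerdict] = {}  # the fallback added by the PR
    for v in verdicts:
        if not v.is_vulnerability or v.confidence < CONFIDENCE_THRESHOLD:
            continue
        loc = (v.file, v.rule_id, v.start_line)
        exact[loc + (v.end_line,)] = v
        if v.end_line is None:
            start_only[loc] = v
        end_agnostic.setdefault(loc, v)
    return exact, start_only, end_agnostic

def apply_filter(static_findings: List[Finding], verdicts: List[LLMVerdict],
                 *, end_line_fallback: bool = True) -> List[Finding]:
    """Drop-by-default whitelist: a static finding survives only if some
    confirmed verdict matches it. end_line_fallback=False reproduces the bug."""
    exact, start_only, end_agnostic = _index_verdicts(verdicts)
    kept = []
    for f in static_findings:
        loc = (f.file, f.rule_id, f.start_line)
        hit = exact.get(loc + (f.end_line,)) or start_only.get(loc)
        # Fallback is gated on the *static* end_line being None, so findings
        # that are deliberately distinguished by end_line keep exact matching.
        if hit is None and end_line_fallback and f.end_line is None:
            hit = end_agnostic.get(loc)
        if hit is None:
            continue  # silently dropped: this is the false-negative path
        kept.append(f)
    return kept

def score(kept: List[Finding]) -> Tuple[int, str]:
    """Assumed scoring: any surviving CRITICAL finding makes the skill CRITICAL."""
    return (100, "CRITICAL") if any(f.severity == "CRITICAL" for f in kept) else (0, "SAFE")

# Constructed sample data.
STATIC = [Finding("skills/demo/SKILL.md", "osv-cve", 12, None, "CRITICAL")]
CONFIRMED = [LLMVerdict("skills/demo/SKILL.md", "osv-cve", 12, 12, True, 0.99)]  # end_line == start_line
REJECTED = [LLMVerdict("skills/demo/SKILL.md", "osv-cve", 12, 12, False, 0.99)]
RANGED = [Finding("a.py", "cmd-injection", 7, 9, "HIGH"),
          Finding("a.py", "cmd-injection", 7, 30, "HIGH")]       # differ only in end_line
RANGED_VERDICTS = [LLMVerdict("a.py", "cmd-injection", 7, 30, True, 0.9)]

def demo() -> dict:
    return {
        "before_fix": score(apply_filter(STATIC, CONFIRMED, end_line_fallback=False)),
        "after_fix": score(apply_filter(STATIC, CONFIRMED)),
        "rejected_stays_dropped": score(apply_filter(STATIC, REJECTED)),
        "exact_match_kept": [f.end_line for f in apply_filter(RANGED, RANGED_VERDICTS)],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fallback index is populated with `setdefault`, so when a model returns several verdicts for one `(file, rule_id, start_line)` the first confirmed one wins; that only matters for the fallback path, since static findings with a real `end_line` never reach it.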