da4084ee78
Some checks failed
CI / Check (pull_request) Successful in 10m8s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been cancelled
CI / Deploy Dashboard (pull_request) Has been cancelled
CI / Deploy Docs (pull_request) Has been cancelled
CI / Deploy MCP (pull_request) Has been cancelled
Code review prompts (review_prompts.rs): - Add explicit "Do NOT report" sections listing common false positive patterns - Add language-specific guidance (Rust short-circuit, shadowing, clone patterns) - Cap findings per pass (3 for conventions, 2 for complexity) to reduce noise - Raise complexity thresholds (80 lines, 5+ nesting) to pragmatic levels - Require concrete bug scenarios, not theoretical concerns - Separate severity guides per pass with clear definitions Triage prompt (triage.rs): - Add explicit dismiss criteria for language idioms, non-security hash usage, operational logging, and duplicate findings - Add confirm-only-when criteria requiring concrete exploit scenarios - Refined confidence scoring guide with clear thresholds Finding descriptions (descriptions.rs): - Rewrite to be developer-facing: lead with what/where, skip filler - Fix suggestions should show corrected code, not vulnerable code - Remove generic "could lead to" phrasing in favor of specific scenarios Code fix suggestions (fixes.rs): - Require drop-in replacement code preserving original style - Handle false positives by returning original code with explanation - Limit inline comments to the changed line only Pentest orchestrator (prompt_builder.rs): - Add "Finding Quality Rules" section preventing duplicate findings - Instruct grouping related findings (e.g. missing headers = one finding) - Cap missing header severity at medium unless exploit demonstrated - Mark console.log in vendored/minified JS as informational only RAG chat (chat.rs): - Add concise rules for referencing files/lines and security context Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
76 lines
2.6 KiB
Rust
76 lines
2.6 KiB
Rust
use std::sync::Arc;
|
|
|
|
use compliance_core::models::Finding;
|
|
|
|
use crate::error::AgentError;
|
|
use crate::llm::LlmClient;
|
|
|
|
const DESCRIPTION_SYSTEM_PROMPT: &str = r#"You are a security engineer writing a bug tracker issue for a developer to fix. Be direct and actionable — developers skim issue descriptions, so lead with what matters.
|
|
|
|
Format in Markdown:
|
|
|
|
1. **What**: 1 sentence — what's wrong and where (file:line)
|
|
2. **Why it matters**: 1-2 sentences — concrete impact if not fixed. Avoid generic "could lead to" phrasing; describe the specific attack or failure scenario.
|
|
3. **Fix**: The specific code change needed. Use a code block with the corrected code if possible. If the fix is configuration-based, show the exact config change.
|
|
4. **References**: CWE/CVE link if applicable (one line, not a section)
|
|
|
|
Rules:
|
|
- No filler paragraphs or background explanations
|
|
- No restating the finding title in the body
|
|
- Code blocks should show the FIX, not the vulnerable code (the developer can see that in the diff)
|
|
- If the remediation is a one-liner, just say it — don't wrap it in a section header"#;
|
|
|
|
pub async fn generate_issue_description(
|
|
llm: &Arc<LlmClient>,
|
|
finding: &Finding,
|
|
) -> Result<(String, String), AgentError> {
|
|
let user_prompt = format!(
|
|
"Generate an issue title and body for this finding:\n\
|
|
Scanner: {}\n\
|
|
Type: {}\n\
|
|
Severity: {}\n\
|
|
Rule: {}\n\
|
|
Title: {}\n\
|
|
Description: {}\n\
|
|
File: {}\n\
|
|
Line: {}\n\
|
|
Code:\n```\n{}\n```\n\
|
|
CWE: {}\n\
|
|
CVE: {}\n\
|
|
Remediation hint: {}",
|
|
finding.scanner,
|
|
finding.scan_type,
|
|
finding.severity,
|
|
finding.rule_id.as_deref().unwrap_or("N/A"),
|
|
finding.title,
|
|
finding.description,
|
|
finding.file_path.as_deref().unwrap_or("N/A"),
|
|
finding
|
|
.line_number
|
|
.map(|n| n.to_string())
|
|
.unwrap_or_else(|| "N/A".to_string()),
|
|
finding.code_snippet.as_deref().unwrap_or("N/A"),
|
|
finding.cwe.as_deref().unwrap_or("N/A"),
|
|
finding.cve.as_deref().unwrap_or("N/A"),
|
|
finding.remediation.as_deref().unwrap_or("N/A"),
|
|
);
|
|
|
|
let response = llm
|
|
.chat(DESCRIPTION_SYSTEM_PROMPT, &user_prompt, Some(0.3))
|
|
.await?;
|
|
|
|
// Extract title from first line, rest is body
|
|
let mut lines = response.lines();
|
|
let title = lines
|
|
.next()
|
|
.unwrap_or(&finding.title)
|
|
.trim_start_matches('#')
|
|
.trim()
|
|
.to_string();
|
|
let body = lines.collect::<Vec<_>>().join("\n").trim().to_string();
|
|
|
|
let body = if body.is_empty() { response } else { body };
|
|
|
|
Ok((title, body))
|
|
}
|