investigate: ignore.rules does not filter security scanner findings from SARIF output #326

Description

@ajianaz

Problem

.cora.yaml ignore.rules with pattern "Command injection via exec/system with dynamic input" does not filter out findings from the built-in security_scanner (injection/exec rule). SARIF output still contains the finding even though:

  1. apply_ignore_rules() in review.rs:341 runs after merge_rule_findings() at line 311
  2. The RuleFinding title matches the ignore pattern via contains()
  3. .cora.yaml is correctly detected and loaded in CI log

Evidence

  • SARIF output: 3201 bytes, 1 finding despite ignore rule
  • CI log: No blocking issues (severity filter works, but SARIF still has the finding)
  • Cora CLI version: v0.6.2

Suspected Cause

Possibly a config merge ordering issue where ignore rules are applied but the SARIF formatter receives the pre-filtered response rather than the filtered one. Or the security_scanner findings are re-added after ignore rules are applied.

Files to Investigate

  • src/engine/review.rs:302-341 (merge + filter ordering)
  • src/engine/security_scanner.rs (finding generation)
  • src/engine/rules/mod.rs:109-145 (merge_rule_findings, sets issue_type: rule)
  • src/commands/review.rs:263 (filtered_response = response.clone)
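To make the suspected cause concrete, here is an added, self-contained Rust model of the ordering problem the report describes (illustrative code only, not Cora's own; `Finding`, `buggy_pipeline`, `fixed_pipeline` and `sarif_result_count` are hypothetical names). It shows that when the clone handed to the SARIF formatter is taken before `apply_ignore_rules()` runs, the ignored finding survives in the report even though the exit-code path sees it filtered:

```rust
// Added illustration (not Cora's code; hypothetical names): a minimal model of the
// suspected ordering bug. Findings pass through ignore rules, but the SARIF
// formatter is handed a clone taken before the filter ran.

#[derive(Clone, Debug, PartialEq)]
pub struct Finding {
    pub title: String,
    pub issue_type: String, // "rule" for findings merged by merge_rule_findings
}

/// Mirrors the report: a finding is ignored when its title contains the pattern.
pub fn apply_ignore_rules(findings: &[Finding], patterns: &[&str]) -> Vec<Finding> {
    findings
        .iter()
        .filter(|f| !patterns.iter().any(|p| f.title.contains(p)))
        .cloned()
        .collect()
}

/// Stand-in for the SARIF formatter: only the number of results matters here.
pub fn sarif_result_count(findings: &[Finding]) -> usize {
    findings.len()
}

/// Buggy ordering: the clone for SARIF is taken before ignore rules run.
pub fn buggy_pipeline(findings: &[Finding], patterns: &[&str]) -> usize {
    let for_sarif = findings.to_vec();                      // snapshot taken too early
    let _blocking = apply_ignore_rules(findings, patterns); // used for the exit code only
    sarif_result_count(&for_sarif)
}

/// Fixed ordering: filter once, then every consumer reads the filtered set.
pub fn fixed_pipeline(findings: &[Finding], patterns: &[&str]) -> usize {
    let filtered = apply_ignore_rules(findings, patterns);
    sarif_result_count(&filtered)
}

/// Constructed sample: the page's ignored title plus one unrelated finding.
pub fn sample_findings() -> Vec<Finding> {
    let rule = |t: &str| Finding { title: t.into(), issue_type: "rule".into() };
    vec![
        rule("Command injection via exec/system with dynamic input"),
        rule("Hardcoded credential in config loader"), // constructed, not from the page
    ]
}

fn main() {
    let pats = ["Command injection via exec/system with dynamic input"];
    println!("buggy: {}  fixed: {}", buggy_pipeline(&sample_findings(), &pats), fixed_pipeline(&sample_findings(), &pats)); // buggy: 2  fixed: 1
}
```

A regression test that formats SARIF from the same filtered set the exit-code check uses would catch this class of bug regardless of where the clone is taken.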
