feat(finding): pluggable false-positive-history candidate filter#15155
Draft
valentijnscholten wants to merge 1 commit into
Conversation
Add FINDING_FALSE_POSITIVE_HISTORY_CANDIDATE_FILTER_METHOD hook to do_false_positive_history_batch. When configured, the per-finding candidate list resolved by the deduplication algorithm is passed through the plugin method before the FP decision, letting a plugin (Pro) narrow candidates by fields excluded from the hash string but compared per pair (set-match tokens on vulnerability_ids / CWEs). Resolved once via get_custom_method; a no-op when unset, so default behavior is unchanged. Tests: hook can suppress matches (drops candidates -> no FP replication) and passthrough matches the default path.
🔗 PR stack — CWE / vulnerability-ID consolidation (OSS)
Merge bottom-up: #15145 → #15143 → (#15154, #15155). 👉 This PR: #15155
Adds FINDING_FALSE_POSITIVE_HISTORY_CANDIDATE_FILTER_METHOD, a plugin hook in do_false_positive_history_batch. After the per-finding candidate list is resolved by the deduplication algorithm, it is passed through the configured method before the false-positive decision, letting a plugin (Pro) narrow candidates by fields that are excluded from the hash string but compared per pair (set-match tokens on vulnerability_ids / CWEs). Resolved once via get_custom_method; a no-op when unset, so default behavior is unchanged.

Mirrors the existing FINDING_DEDUPE_BATCH_METHOD pattern. Covers the batch path (import, reimport, bulk-edit, async importer). The edit-view reactivation path (match_finding_to_existing_findings) is unchanged and can be a follow-up.

Tests (unittests/test_false_positive_history_logic.py): hook can suppress matches (drops candidates → no FP replication) and passthrough matches the default path.
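To make the hook's contract concrete, the following is an added, self-contained sketch of the flow described above; it is not DefectDojo's code. The Finding dataclass, the settings dict standing in for get_custom_method, hash-code equality standing in for the deduplication algorithm, and all sample ids are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

HOOK = "FINDING_FALSE_POSITIVE_HISTORY_CANDIDATE_FILTER_METHOD"


@dataclass
class Finding:
    """Constructed stand-in for a finding row (not the DefectDojo model)."""
    id: int
    hash_code: str
    vulnerability_ids: set = field(default_factory=set)
    cwe: int = 0
    false_p: bool = False


CandidateFilter = Callable[[Finding, List[Finding]], List[Finding]]


def resolve_candidate_filter(settings: dict) -> Optional[CandidateFilter]:
    """Resolved once per batch (stand-in for get_custom_method); None = unset."""
    return settings.get(HOOK)


def set_match_filter(finding: Finding, candidates: List[Finding]) -> List[Finding]:
    """Example plugin: keep only candidates that share a vulnerability id or
    the CWE, fields outside the hash string that are compared per pair."""
    return [c for c in candidates
            if (finding.vulnerability_ids & c.vulnerability_ids)
            or (finding.cwe and finding.cwe == c.cwe)]


def do_false_positive_history_batch(new_findings, history, settings=None):
    """Mark new findings false positive when a (filtered) candidate already is.
    Returns the ids that were marked."""
    candidate_filter = resolve_candidate_filter(settings or {})
    marked = []
    for finding in new_findings:
        # Hash-code equality stands in for the deduplication algorithm.
        candidates = [h for h in history if h.hash_code == finding.hash_code]
        if candidate_filter is not None:       # hook configured: narrow first
            candidates = candidate_filter(finding, candidates)
        if any(c.false_p for c in candidates):  # FP decision on what remains
            finding.false_p = True
            marked.append(finding.id)
    return marked
```

With the hook unset the result equals the default path; with set_match_filter configured, a same-hash candidate that shares no vulnerability id or CWE no longer replicates its false-positive status.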