fix: flag Paddle code patterns as warnings#925
Walkthrough
The Paddle scanner now reports suspicious code patterns with WARNING severity instead of INFO, enabling security exit codes. Tests are updated to verify WARNING severity and confirm exit code 1 is returned for suspicious code detections.
Actionable comments posted: 1
Inline comments:
In `@tests/scanners/test_paddle_scanner.py`:
- Around lines 38-48: The test `test_paddle_suspicious_pdmodel_aggregate_exit_code_is_security_finding` should be hardened to assert `ScanResult` severity flags: after calling `scan_model_directory_or_file` in that test (and similarly in the other aggregate test around lines 126-136), add assertions that `result.has_warnings` is True and `result.has_errors` is False to lock in the intended semantics (WARNING should set `has_warnings` but not `has_errors`); update references around the test function name and the result variable so the assertions run alongside the existing `determine_exit_code(result)` and severity checks.
Files selected for processing (3):
- CHANGELOG.md
- modelaudit/scanners/paddle_scanner.py
- tests/scanners/test_paddle_scanner.py
Summary
This PR fixes a false-clean aggregate result in the Paddle scanner. Paddle model files containing shared dangerous code patterns such as `os.system`, `eval`, and `import os` were reported only as INFO findings, so aggregate scans returned success and exit code 0 even though suspicious executable content was detected.
Root Cause
`PaddleScanner` used `IssueSeverity.INFO` for both exact binary code-pattern hits and suspicious string-pattern hits. ModelAudit intentionally treats INFO as informational and does not return a security exit code for it. That made real code-execution indicators visible in the report but invisible to exit-code-based automation.
Changes
Validation
Summary by CodeRabbit
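A minimal model of the root cause and the fix described above, added here as an example and not modelaudit's own code: the names `IssueSeverity`, `ScanResult`, `has_warnings`, `has_errors` and `determine_exit_code` come from the PR, but their bodies, the `scan_blob` helper, the regexes and the sample blob are assumptions constructed for illustration. Scanning the same blob at INFO (pre-fix) and WARNING (post-fix) shows how the severity alone decides whether exit-code-based automation sees the finding.

```python
# Added example, not modelaudit's code: a hypothetical model of how finding
# severity gates the security exit code. Names mirror the PR; bodies are assumed.
import re
from dataclasses import dataclass, field
from enum import IntEnum


class IssueSeverity(IntEnum):
    INFO = 0      # informational only: never produces a security exit code
    WARNING = 1   # security finding: sets has_warnings
    ERROR = 2     # security finding: sets has_errors


@dataclass
class Finding:
    pattern: str
    severity: IssueSeverity


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)

    @property
    def has_warnings(self) -> bool:
        return any(f.severity == IssueSeverity.WARNING for f in self.findings)

    @property
    def has_errors(self) -> bool:
        return any(f.severity == IssueSeverity.ERROR for f in self.findings)


# Code-execution indicators named in the PR; regexes are constructed here.
CODE_PATTERNS = [rb"os\.system", rb"\beval\(", rb"import\s+os"]


def scan_blob(data: bytes, severity: IssueSeverity) -> ScanResult:
    """Report every matching pattern at `severity` (INFO = pre-fix, WARNING = post-fix)."""
    result = ScanResult()
    for pat in CODE_PATTERNS:
        if re.search(pat, data):
            result.findings.append(Finding(pat.decode(), severity))
    return result


def determine_exit_code(result: ScanResult) -> int:
    """INFO findings do not count; WARNING or ERROR yields the security exit code 1."""
    return 1 if (result.has_warnings or result.has_errors) else 0


# Constructed sample: a fake pdmodel-like blob with an embedded os.system call.
SAMPLE = b"\x00\x01pdmodel\x00import os\nos.system('id')\x00"

if __name__ == "__main__":
    print("pre-fix exit code:", determine_exit_code(scan_blob(SAMPLE, IssueSeverity.INFO)))
    print("post-fix exit code:", determine_exit_code(scan_blob(SAMPLE, IssueSeverity.WARNING)))
```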