SIG-184 Phase 3: stamp canonical vuln-class on SARIF results#32
Merged
Conversation
Adds stamp_rule_classes: maps native semgrep/opengrep ruleIds to the engine's CanonicalVulnClass via anchored patterns, stamping properties.sigilixRuleClass ONLY when exactly one class matches (collision-safe → unset otherwise). Strips any preexisting (untrusted) class first. Wired into the contract _main after cap/metadata. Lets the engine receipt-join corroborate a finding into VERIFIED when an independent scan flags the same class at the same location.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
@coderabbitai ignore
@Sigilix ignore
What
Emits
properties.sigilixRuleClasson each SARIF result so the engine's receipt-join can corroborate a security finding into the VERIFIED proof tier (an independent runner scan flagging the same canonical vuln-class at the same path/line).stamp_rule_classes(run, tool_id): maps native semgrep/opengrep ruleIds → canonical class (command-injection,sql-injection, …) via anchored patterns. Stamps only when exactly one class matches (collision-safe — ambiguous/colliding ruleId → left unset → engine treats as INCONCLUSIVE, never a wrong stamp). Strips any preexisting (untrusted)sigilixRuleClassfirst._mainafter cap/metadata (runs over the final assembled output).CanonicalVulnClassenum verbatim (kept in lockstep).Credibility
Codex + DeepSeek sign-off: exact/anchored (not loose substring) + the exactly-one-class guard means a colliding ruleId is fail-safe, never mis-stamped. The engine re-validates against its allowlist regardless.
Verified
python3 .github/scripts/sigilix_sarif_test.py— 65 tests pass (incl. command-injection stamp, sql-vs-nosql disambiguation, unknown→unset, strip-preexisting, collision→unset, unknown-tool→strip-only).