From a36d94fa3d1a0c4978bc1e7b0f397ccec05e36b9 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Date: Tue, 7 Apr 2026 07:35:04 +0000
Subject: [PATCH] fix: correct nosemgrep rule IDs for sagemaker-ai and tools

The nosemgrep inline comments used truncated rule IDs that didn't match the full IDs reported by semgrep, so suppressions were silently ignored.

All findings are false positives:
- format_detector.py: is_valid is a @dataclass bool field, not a method
- validate-cross-refs.cjs: marketplacePath is only called with hardcoded string constants, never user input

Co-Authored-By: Claude Opus 4.6
---
 .../skills/dataset-evaluation/scripts/format_detector.py | 6 +++---
 tools/validate-cross-refs.cjs | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/plugins/sagemaker-ai/skills/dataset-evaluation/scripts/format_detector.py b/plugins/sagemaker-ai/skills/dataset-evaluation/scripts/format_detector.py
index 158db918..2debd27a 100644
--- a/plugins/sagemaker-ai/skills/dataset-evaluation/scripts/format_detector.py
+++ b/plugins/sagemaker-ai/skills/dataset-evaluation/scripts/format_detector.py
@@ -653,7 +653,7 @@ def detect_format(file_path: str, sample_size_bytes: int = 1_048_576, s3_client=
 if args.json:
 output = {
 "format_type": result.format_type.value,
- "is_valid": result.is_valid, # nosemgrep: python.lang.maintainability.is-function-without-parentheses -- dataclass field, not a method
+ "is_valid": result.is_valid, # nosemgrep: python.lang.maintainability.is-function-without-parentheses.is-function-without-parentheses -- dataclass field, not a method
 "confidence": result.confidence.value,
 "lines_sampled": result.lines_sampled,
 "errors": [
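Review bot: The corrected suppression on the `"is_valid": result.is_valid,` line leaves a roughly 200-character comment trailing the code, whereas the two validate-cross-refs.cjs hunks in the same commit place the equivalent `nosemgrep` on its own line above the statement. Semgrep also honours a `nosemgrep:` comment on the line immediately preceding the match (the .cjs hunks already rely on this), so the Python suppressions can use the same layout and keep the code lines readable: put `# nosemgrep: python.lang.maintainability.is-function-without-parentheses.is-function-without-parentheses -- dataclass field, not a method` on the line above `"is_valid": result.is_valid,`. The same applies to the `print(f"Valid: ...")` line in the @@ -664,7 +664,7 hunk and the `sys.exit(0 if result.is_valid else 1)` line in the @@ -672,7 +672,7 hunk. The `if args.json:` branch and the try block enclosing these lines begin before and end after the hunk.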
@@ -664,7 +664,7 @@ def detect_format(file_path: str, sample_size_bytes: int = 1_048_576, s3_client=
 print(json.dumps(output, indent=2))
 else:
 print(f"Format: {result.format_type.value}")
- print(f"Valid: {'✓' if result.is_valid else '✗'}") # nosemgrep: python.lang.maintainability.is-function-without-parentheses -- dataclass field, not a method
+ print(f"Valid: {'✓' if result.is_valid else '✗'}") # nosemgrep: python.lang.maintainability.is-function-without-parentheses.is-function-without-parentheses -- dataclass field, not a method
 print(f"Confidence: {result.confidence.name}")
 print(f"Lines sampled: {result.lines_sampled}")
 if result.errors:
@@ -672,7 +672,7 @@ def detect_format(file_path: str, sample_size_bytes: int = 1_048_576, s3_client=
 for err in result.errors:
 print(f" Line {err.line_number}: {err.message}")
 
- sys.exit(0 if result.is_valid else 1) # nosemgrep: python.lang.maintainability.is-function-without-parentheses -- dataclass field, not a method
+ sys.exit(0 if result.is_valid else 1) # nosemgrep: python.lang.maintainability.is-function-without-parentheses.is-function-without-parentheses -- dataclass field, not a method
 except (FileNotFoundError, IOError, ValueError) as e:
 print(f"Error: {e}", file=sys.stderr)
 sys.exit(1)
diff --git a/tools/validate-cross-refs.cjs b/tools/validate-cross-refs.cjs
index ae48df43..3b49b348 100644
--- a/tools/validate-cross-refs.cjs
+++ b/tools/validate-cross-refs.cjs
@@ -51,6 +51,7 @@ function info(message) {
 
 function validateMarketplace(marketplacePath, manifestPathParts) {
 // Check marketplace.json exists
+ // nosemgrep: gitlab.eslint.detect-non-literal-fs-filename, javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename -- callers pass hardcoded constants, not user input
 if (!fs.existsSync(marketplacePath)) {
 error(`Marketplace file not found: ${marketplacePath}`);
 return;
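Review bot: The justification on the `nosemgrep` line added before `if (!fs.existsSync(marketplacePath))` rests on a property of the call sites ("callers pass hardcoded constants"), but nothing in `validateMarketplace` itself states or checks that contract, so the suppression is only as safe as the next caller that is added. Record the constraint where future callers will see it, for example a JSDoc on the function: `@param {string} marketplacePath - must be a hardcoded string constant, never user or CLI input; the nosemgrep suppressions inside this function rely on that`. The same reasoning applies to the second suppression added before `fs.readFileSync(marketplacePath, "utf8")` in the @@ -58,6 +59,7 hunk, which should reference the same documented contract rather than restate it. `validateMarketplace` opens inside this hunk but its body continues past the hunk's end.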
@@ -58,6 +59,7 @@ function validateMarketplace(marketplacePath, manifestPathParts) {
 
 let marketplace;
 try {
+ // nosemgrep: gitlab.eslint.detect-non-literal-fs-filename, javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename -- callers pass hardcoded constants, not user input
 marketplace = JSON.parse(fs.readFileSync(marketplacePath, "utf8"));
 } catch (e) {
 error(`Failed to parse ${marketplacePath}: ${e.message}`);