detectors: emit unverified results instead of dropping them on verify… #4896
Draft
shahzadhaider1 wants to merge 1 commit into trufflesecurity:main from
Many detectors silently dropped results (via continue) when verification hit an indeterminate error: no host in cache, body-read failure, request construction failure, etc. This broke the contract that unverified results must still be emitted so downstream consumers can track last-seen state. Replace those drops with SetVerificationError so the result is still returned with the error attached.
Checklist:
- (make test-community)?
- (make lint, this requires golangci-lint)?

Note: Medium Risk
Touches verification paths across many detectors, changing control flow to always return findings with VerificationError instead of dropping them; broad surface area could affect result volume and downstream expectations.

Overview
Ensures detectors always emit a Result even when verification can’t be completed, replacing many continue/early-exit paths with Result.SetVerificationError(...) (including cached “no such host”, request/response body read failures, and other indeterminate errors). Standardizes host/ID “no such host” caching behavior to skip verification but still return an unverified finding with an attached error across multiple detectors (e.g., Algolia, Artifactory, Azure variants, Salesforce, URI).
Improves MongoDB verification to treat authentication failures as determinate invalid credentials (returns false, nil) rather than surfacing them as verification errors.

Reviewed by Cursor Bugbot for commit dc3f466.
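The contract the description and the overview above describe, as an added Go example that is not code from this PR or from trufflehog: a simplified stand-in Result type and a constructed verifier (both assumptions) show a scan loop that attaches indeterminate errors with SetVerificationError instead of dropping the finding, while a determinate authentication failure is emitted as simply unverified.

```go
package main

import "errors"

// Result is a simplified stand-in for a detector result; an assumption modelled on the
// Result type the PR names, not trufflehog's own definition.
type Result struct {
	Raw               string
	Verified          bool
	verificationError error
}

// SetVerificationError attaches an indeterminate-verification error to the finding
// instead of discarding it.
func (r *Result) SetVerificationError(err error) { r.verificationError = err }
func (r *Result) VerificationError() error       { return r.verificationError }

// verifyFn stands in for a detector's live check (HTTP call, DB login, ...):
// (true, nil) = verified; (false, nil) = determinately invalid; (_, err) = indeterminate.
type verifyFn func(candidate string) (bool, error)

// scanCandidates emits exactly one Result per candidate. Where the old code path would
// `continue` on an indeterminate error and lose the finding, the error is attached so
// downstream consumers can still track last-seen state.
func scanCandidates(candidates []string, verify verifyFn) []Result {
	results := make([]Result, 0, len(candidates))
	for _, c := range candidates {
		r := Result{Raw: c}
		if ok, err := verify(c); err != nil {
			r.SetVerificationError(err)
		} else {
			r.Verified = ok
		}
		results = append(results, r)
	}
	return results
}

// fakeVerify is a constructed verifier covering all three outcomes. An authentication
// failure is reported as (false, nil), the determinate handling the PR describes for
// MongoDB; a DNS "no such host" failure is an indeterminate error.
func fakeVerify(c string) (bool, error) {
	switch c {
	case "good-key":
		return true, nil
	case "bad-key":
		return false, nil
	}
	return false, errors.New("lookup api.example.invalid: no such host")
}
```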