feat: verify fixedIssueIds/preventedIssueIds against an in-process sc…#48
feat: verify fixedIssueIds/preventedIssueIds against an in-process sc…#48MaVictor wants to merge 4 commits into
Conversation
|
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
5282e64 to
21ef5e7
Compare
…an-result cache Cache the freshest scan findings per file path from successful snyk_code_scan/snyk_sca_scan calls, then check snyk_send_feedback's claimed IDs against that cache and stamp the result (verified/unverifiable/mismatch) on the analytics event. Verification never blocks or delays the feedback call - it's a best-effort, observational check only.
21ef5e7 to
4357d22
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit d889a2d. Configure here.
| return verificationUnverifiable | ||
| } | ||
|
|
||
| return verificationVerified |
There was a problem hiding this comment.
Eviction yields false verified state
Medium Severity
VerifyID treats a claimed issue as verified whenever that ID is absent from every remaining cache entry of the matching scan type. After LRU eviction removes the only entries that ever held the ID, unrelated scans can still leave other same-type entries in the cache, so foundRelevantScan stays true and feedback can be tagged verified with no fresh evidence for that file or ID.
Reviewed by Cursor Bugbot for commit d889a2d. Configure here.
ifeanyiecheruo
left a comment
There was a problem hiding this comment.
Changes look good


Description
Cache the freshest scan findings per file path from successful snyk_code_scan/snyk_sca_scan calls, then check snyk_send_feedback's claimed IDs against that cache and stamp the result (verified/unverifiable/mismatch) on the analytics event. Verification never blocks or delays the feedback call - it's a best-effort, observational check only.
Checklist
make generate)make lint-fix)Note
Medium Risk
Touches the scan tool success path and feedback analytics semantics; incorrect cache scoping could mislabel verification, but feedback is observational only and does not gate tool success.
Overview
Adds an in-process scan-result cache (capped at 500 file paths) that records the latest SAST/SCA findings from successful
snyk_code_scanandsnyk_sca_scancalls. The cache is updated from raw CLI output before LLM-facing enhancement, using the tool’s originalpathargument as clear/authority scope so single-file rescans do not wipe sibling files.snyk_send_feedbacknow accepts optionalfixedIssueIds, emits those IDs on analytics, and runs a best-effort verification of combinedpreventedIssueIds+fixedIssueIdsagainst the cache. Events getmcp::verificationofverified,unverifiable, ormismatch(worst ID wins); verification never blocks the tool. Tool schema/docs are updated accordingly.Cache logic handles clean rescans (zero findings), directory vs file scope, SAST/SCA separation on the same path, and LRU eviction. Broad unit and handler integration tests cover these cases.
Reviewed by Cursor Bugbot for commit d889a2d. Bugbot is set up for automated code reviews on this repo. Configure here.