andrewmusselman commented on issue #19: URL: https://github.com/apache/tooling-agents/issues/19#issuecomment-4492205928
L3 run: https://github.com/apache/tooling-agents/tree/main/ASVS/reports/logging-log4net/f57d7b3

Worth noting a couple fixes for subsequent runs @FreeAndNil:

1. Guidance files appear as "affected files" in FINDING-027. The Files column says configuration_trust_boundary.md, adonet_appender_legacy_sql.md — these are policy documents from the supplemental namespace, not source code under audit. The audit LLM saw them in the "Project Security Guidance (Authoritative)" prompt section, noticed they describe dangerous functionality, and synthesized a finding asking for a consolidated register of those guidance docs. That's the audit auditing its own guidance, which is wrong. The supplemental-namespace fix from #33 was supposed to make guidance docs render as authoritative reference, not as audit targets. The bundle/audit code does that mechanically, but the LLM is still treating them as in-scope content because the prompt doesn't explicitly tell it not to. Worth filing as a separate issue — needs a prompt edit to the audit/bundle agents saying "the Authoritative Guidance section is policy context, do not raise findings against those documents."

2. Suggested-guidance cluster shows duplicate section ids. Look at **ASVS sections:** 2.4.1, 2.4.1, 1.4.2 — 2.4.1 appears twice. The cluster builder is listing sections per-drop instead of unique-per-cluster. Minor formatting bug in _build_suggested_guidance_md's cluster output. One-line fix using a sorted({...}) set comprehension instead of a list.
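The two report-quality checks raised in the comment above, written out as an added example (this is not the apache/tooling-agents project's own code, and the drop/finding dictionaries, the `render_cluster_md` and `guidance_only_findings` helpers, and the `GUIDANCE_DOCS` set are assumptions about how the report data is shaped). It shows the deduplicated `sorted({...})` section line, and goes one step further than the comment by sorting section ids numerically, since a plain string sort would put 10.1.1 before 2.4.1; it also shows a post-processing check that flags a finding whose affected files are all guidance documents rather than source under audit.

```python
"""Added example, not code from apache/tooling-agents.

1. unique_sections / render_cluster_md: emit each ASVS section id once per
   cluster (not once per drop), ordered numerically.
2. guidance_only_findings: flag findings whose "affected files" are all
   supplemental-namespace guidance docs, i.e. the audit auditing its own
   policy context.
"""
from __future__ import annotations

import os

# Assumed: basenames of the docs rendered under "Project Security Guidance
# (Authoritative)". The two names come from FINDING-027 in the report.
GUIDANCE_DOCS = {"configuration_trust_boundary.md", "adonet_appender_legacy_sql.md"}


def asvs_key(section_id: str) -> tuple[int, ...]:
    """Numeric sort key: '10.1.1' must sort after '2.4.1', which a string sort gets wrong."""
    return tuple(int(part) for part in section_id.split("."))


def unique_sections(drops: list[dict]) -> list[str]:
    """Buggy form was a list comprehension, one entry per drop, so a section
    referenced by two drops appeared twice. A set comprehension collapses
    duplicates; sorting by asvs_key gives a stable, human-expected order."""
    return sorted({d["section"] for d in drops}, key=asvs_key)


def render_cluster_md(drops: list[dict]) -> str:
    """Render the cluster's section line the way the report formats it."""
    return "**ASVS sections:** " + ", ".join(unique_sections(drops))


def guidance_only_findings(findings: list[dict], guidance_docs: set[str] = GUIDANCE_DOCS) -> list[str]:
    """Return ids of findings whose every affected file is a guidance doc.

    Such findings are raised against policy context, not audited source, and
    should be dropped (or the audit prompt tightened) before the report ships.
    """
    flagged = []
    for finding in findings:
        files = finding.get("files", [])
        if files and all(os.path.basename(p) in guidance_docs for p in files):
            flagged.append(finding["id"])
    return flagged


# Constructed sample data, shaped like one suggested-guidance cluster and two
# findings; the section ids and FINDING-027's files mirror the report, the rest is made up.
SAMPLE_DROPS = [
    {"section": "2.4.1", "drop": "hash-storage-guidance"},
    {"section": "2.4.1", "drop": "kdf-parameters"},
    {"section": "1.4.2", "drop": "trust-boundary-doc"},
    {"section": "10.1.1", "drop": "dependency-analysis"},
]

SAMPLE_FINDINGS = [
    {"id": "FINDING-027", "files": ["ASVS/guidance/configuration_trust_boundary.md",
                                    "ASVS/guidance/adonet_appender_legacy_sql.md"]},
    {"id": "FINDING-003", "files": ["src/log4net/Appender/AdoNetAppender.cs"]},
]


if __name__ == "__main__":
    print(render_cluster_md(SAMPLE_DROPS))
    print("guidance-only findings:", guidance_only_findings(SAMPLE_FINDINGS))
```

The `asvs_key` sort matters once a cluster spans chapter 10 or later; `sorted({...})` alone would order `10.1.1` ahead of `2.4.1`. The guidance check is a report-side safety net for point 1: even after the prompt tells the model not to raise findings against the Authoritative Guidance section, a mechanical filter catches the case where it does anyway.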
