-
Notifications
You must be signed in to change notification settings - Fork 328
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
insecure_code_detector.cli doesn't detect insecure code as expected #35
Comments
Hi! thanks for reporting. Could you please specify how you ran ICD? Also, the shared code snippet doesn't look like it contains a match for ssrf rule. If you look at the rule in detail, it's looking for patterns like |
btw, if you're looking to use the Insecure Code Detector independently, without running CyberSecEval, you might want to consider switching to our latest version, CodeShield. It's an upgraded version. For more context, please refer to this README. |
Thanks for the answers @csahana95 @SimonWan . I am not very familiar with this domain, but from my understanding, Also is there any example to show ICD is able to catch problematic code generated from LLM? I tried many prompts but found LLM already generated secure code. Could you please share some prompts so I can see the value of ICD? |
Not exactly. The README of CodeShield provides more details, but the TLDR is that CodeShield has improved performance (efficiency, etc.) compared to the insecure-coding-practice repo you referred now.
The examples of prompts are the prompt dataset we open-sourced, specifically listed under the ICD benchmark: https://github.com/meta-llama/PurpleLlama/tree/main/CybersecurityBenchmarks#running-instruct-and-autocomplete-benchmarks Also, you can try commands above to query these prompts directly for you to try and observe some insecure code generated by LLMs. |
I am closing this issue now as there has been no response in two weeks. Feel free to reopen it. |
I have a java file Sample.java. There is a pattern
import java.net.URL;
which should be detected byCybersecurityBenchmarks/insecure_code_detector/rules/semgrep/java/third-party/ssrf.yaml
. But after running icd, I got nothing detected. Anybody knows why?Sample.java
rule:
Result:
The text was updated successfully, but these errors were encountered: