[reflexe]

Looks like this is is not the only problematic example, for example: https://demo.corgea.com/338 Makes sure you don't try to get ctf.key (but not .env for example). Another issue: https://demo.corgea.com/531# The LLM makes up a usage of shell=True despite the original “vulnerable” code not using it.

Well, at least they are showing a real demo and not some made up results.

I think that overall the idea has some potential, but not sure we are there yet.

[asadeddin]

Thanks for the feedback!

For the first one the SAST scanner reports to us issues based on lines and issue type, so we generate fixes isolated for that issue. We do not generate fixes for other vulnerabilities in the same file for the same finding in the same because we want to have one fix to one finding. There might be another issue reported on another issue, and we plan on allowing people to group fixes in the same file together.

Not sure if I'm missing something on the shell=True. It's in the vulnerable code, which is why it changed it. You have to scroll to the right in the code viewer. https://github.com/RhinoSecurityLabs/cloudgoat/blob/8ed1cf0e...

Is there something I'm missing?

[reflexe]

For the first issue: I understand. Thanks.

As for the second, There is no shell=True for me in the demo but it is present in the code you sent. So maybe it is just a bug in the presentation somewhere.

[asadeddin]

Scrolling to the right should work, but you'll need to do so on each code editor section. We should combine scrolling of these two windows to be in sync.

We'll also take a look at what's causing this. It might be a browser issue.

[throwanem]

They scroll in sync for me, but long lines seem truncated in iOS 16.2 Safari. No visible code on that second linked page includes the string in question.

[asadeddin]

Thanks for sharing! Will look into it :)

[rplnt]

Same here, must be a bug in the view, for me it's missing the closing parenthesis as well.