Code analysis scanning flags false positive

[privateboss0]

Select Topic Area

Show & Tell

Body

The code security analysis shows I have this alert : Clear-text logging of sensitive information in this repository: MIT_AI.ME/CyberSecurity/Secure Password Generator/Password_Generator.py. but it is a false positive as the algorithm just recognized the word password, but there was really no password in there.

The one application that had the secret key showed for educational purposes was not flagged and came out as clean false negative: https://github.com/privateboss0/Artificial_Intelligence_MIT/tree/goddevil/MIT_AI.ME/CyberSecurity/Multifactor%20Authentication.

Please kindly tune the algorithm a bit more to detect these use cases.

[SujalMeghwal]

This is a classic false positive case in static code analysis — the tool flagged a security issue simply because the word "password" appeared in the code, not because any sensitive data was actually being logged or mishandled.

Breakdown of the False Positive
Alert Description:
“Clear-text logging of sensitive information” — flagged on:
MIT_AI.ME/CyberSecurity/Secure Password Generator/Password_Generator.py

Tool Behavior:
Static code scanners (like CodeQL, Semgrep, or others) often use pattern matching or lightweight taint analysis.

It likely matched:
print("Generated password:", password)
and assumed you're logging a real user password in cleartext.

Why This Is a False Positive:
The "password" is not a real credential — it’s a randomly generated, ephemeral string.

The purpose of the script is to generate and show passwords — this is the intended behavior.

There is no incoming user-sensitive data being leaked or stored insecurely.

Contrast with the False Negative
The second repo with actual secret keys wasn’t flagged.

URL:
https://github.com/privateboss0/Artificial_Intelligence_MIT/tree/goddevil/MIT_AI.ME/CyberSecurity/Multifactor Authentication

This is concerning. The scanner:
Missed a hardcoded secret → which is a real vulnerability.
Shows that the tool’s detection logic is not balanced — it overflags trivial “keyword matches” but underflags real risks.

Suggested Fixes & Advice

1. Suppress the False Positive (Code Comment or Config)
   If you're using a scanner like CodeQL, Semgrep, or GitHub Advanced Security, you can often suppress or mark the alert as false positive using annotations:

Option A: Use code comments
For CodeQL:

codeql [clear-text-logging]: false positive – this is a password generator, not real credentials

print("Generated password:", password)
Option B: Mark in GitHub UI

Go to the Code scanning alert in GitHub.

Click “Dismiss alert”.

Choose “False positive”, and write a justification (like: "Password is generated, not real user data").

2. Improve Tooling Accuracy (If You Own or Contribute to Ruleset)
   If you're writing custom rules or using Semgrep or CodeQL:
   Tweak the rule to ignore generated or local-use passwords.

Add logic like:
Avoid flagging if the password is generated using secrets.choice or similar libraries.
Only flag if the password comes from input() or external sources.
Avoid flagging if the print is directly after the password generation.

3. Report the False Negative
   For the missed secret key, you should:
   Raise a GitHub issue with the specific line and file.
   Suggest improving secret detection logic (e.g., regex pattern for API keys or SECRET_KEY assignments).