fix

Author: Grzegorz Siewruk

.github/workflows/docker-build-backend.yml

@@ -17,6 +17,22 @@ concurrency:
 jobs:
   unit-testing:
     runs-on: ubuntu-latest
+    # Profile ut normally uses Testcontainers (Docker). CI uses a real Postgres service so tests
+    # do not depend on Testcontainers detecting the Docker socket on the runner.
+    services:
+      postgres:
+        image: postgres:15-alpine
+        env:
+          POSTGRES_USER: test
+          POSTGRES_PASSWORD: test
+          POSTGRES_DB: test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U test -d test"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -26,6 +42,11 @@ jobs:
           distribution: 'temurin'
           java-version: 22
       - name: Build and test with Maven and profile ut
+        env:
+          SPRING_DATASOURCE_URL: jdbc:postgresql://localhost:5432/test
+          SPRING_DATASOURCE_USERNAME: test
+          SPRING_DATASOURCE_PASSWORD: test
+          SPRING_DATASOURCE_DRIVER_CLASS_NAME: org.postgresql.Driver
         run: |
           cd backend
           mvn clean test -Dspring.profiles.active=ut

.gitignore

@@ -9,4 +9,4 @@
 /backend/MixewayFlowAPI.iml
 #frontend/src/environments
 .vscode
-/frontend/dist
+/frontend/dist/

backend/pom.xml

@@ -203,6 +203,14 @@
                     </annotationProcessorPaths>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <!-- Mockito/Byte Buddy: allow running tests on newer JDKs than officially supported -->
+                    <argLine>-Dnet.bytebuddy.experimental=true</argLine>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <repositories>

backend/src/main/java/io/mixeway/mixewayflowapi/db/entity/Finding.java

@@ -178,6 +178,18 @@ public void markAiFalsePositive(String modelName, String confidence) {
         this.aiAnalyzedAt = LocalDateTime.now();
     }
 
+    /**
+     * SAST: model zwróciło FALSE_POSITIVE, ale pewność była niższa niż HIGH — nie wyciszamy automatycznie,
+     * żeby nie ukrywać prawdziwych problemów (FP tylko przy wysokiej pewności).
+     */
+    public void markAiSastFpNotAutoSuppressed(String modelName, String confidence) {
+        this.aiAnalyzed = true;
+        this.aiVerdict = "LIKELY_FP_REVIEW";
+        this.aiConfidence = confidence;
+        this.aiModel = modelName;
+        this.aiAnalyzedAt = LocalDateTime.now();
+    }
+
     // Method to update status and suppressed reason
     public void updateStatus(Status newStatus, SuppressedReason suppressedReason) {
         if (newStatus == Status.SUPRESSED && suppressedReason == null) {

backend/src/main/java/io/mixeway/mixewayflowapi/integrations/ollama/service/FalsePositiveAnalyzer.java

@@ -134,6 +134,18 @@ private boolean analyzeOne(Finding finding, Settings s, UserInfo aiUser) {
         String reasoning = v.getReasoning() != null ? v.getReasoning() : "";
 
         if ("FALSE_POSITIVE".equalsIgnoreCase(vStr)) {
+            // SAST: automatyczne wyciszenie tylko przy wysokiej pewności — unikamy masowego FP przy MEDIUM/LOW
+            if (finding.getSource() == Finding.Source.SAST && !isHighConfidence(conf)) {
+                log.info("[AiFp] SAST finding id={}: verdict=FALSE_POSITIVE confidence={} — not auto-suppressing (SAST requires HIGH confidence to suppress)",
+                        finding.getId(), conf);
+                finding.markAiSastFpNotAutoSuppressed(s.getOllamaModel(), conf);
+                findingRepository.save(finding);
+                if (aiUser != null) {
+                    String msg = buildAiCommentSastFpNotSuppressed(v, s, finding, reasoning);
+                    createCommentService.createSystemComment(finding, aiUser, msg);
+                }
+                return false;
+            }
             finding.markAiFalsePositive(s.getOllamaModel(), conf);
             updateFindingService.suppressFinding(finding, Finding.SuppressedReason.FALSE_POSITIVE.name());
             if (aiUser != null) {
@@ -192,6 +204,29 @@ private static void maybeAppendSecretEnrichment(Finding finding, FpVerdictDto v)
         finding.setExplanation(base + block);
     }
 
+    private static boolean isHighConfidence(String conf) {
+        return conf != null && "HIGH".equalsIgnoreCase(conf.trim());
+    }
+
+    private static String buildAiCommentSastFpNotSuppressed(
+            FpVerdictDto v,
+            Settings s,
+            Finding finding,
+            String reasoning) {
+        StringBuilder sb = new StringBuilder();
+        sb.append("[AI analysis — SAST]\n\n");
+        sb.append("## Decision\n");
+        sb.append("Model zwróciło **FALSE_POSITIVE**, ale **nie wyciszono automatycznie**: dla SAST automatyczne wyciszenie ");
+        sb.append("jest dozwolone tylko przy **confidence: HIGH**, żeby nie ukrywać realnych problemów przy średniej/niskiej pewności.\n\n");
+        sb.append("## Rationale (model)\n");
+        sb.append(reasoning != null ? reasoning.trim() : "").append("\n\n");
+        sb.append("## Szczegóły\n");
+        sb.append("- Zgłoszona pewność: **").append(v.getConfidence() != null ? v.getConfidence() : "UNKNOWN").append("**\n");
+        sb.append("- Model: `").append(s.getOllamaModel()).append("`\n");
+        sb.append("- Status: przejrzyj ręcznie; przy potwierdzeniu FP możesz wyciszyć z poziomu UI.\n");
+        return sb.toString();
+    }
+
     private static String buildAiComment(
             FpVerdictDto v,
             Settings s,

backend/src/main/java/io/mixeway/mixewayflowapi/integrations/ollama/service/FalsePositivePromptBuilder.java

@@ -29,7 +29,11 @@ private String buildSast(Finding finding, List<RetrievedChunk> chunks) {
         sb.append("1) Does the vulnerable pattern **actually occur** at the indicated location in this codebase snapshot?\n");
         sb.append("2) In **any realistic execution path or deployment**, could this lead to a **meaningful security impact** ");
         sb.append("(confidentiality, integrity, availability, authn/z bypass, injection, etc.)?\n");
-        sb.append("3) If the rule fires on a safe API, dead code, unreachable branch, or fully mitigated usage, treat as FALSE POSITIVE.\n\n");
+        sb.append("3) **Prefer REAL_ISSUE when in doubt** — do not classify as FALSE_POSITIVE unless you can justify it clearly.\n");
+        sb.append("4) Use FALSE_POSITIVE only when the finding is clearly a **rule misfire**, dead/unreachable code, or safe-by-construction usage; ");
+        sb.append("not merely \"low severity\".\n");
+        sb.append("5) Set **confidence** to **HIGH** only if you are **very sure** the finding is not a real security issue; ");
+        sb.append("if you lean toward false positive but are not fully sure, use **REAL_ISSUE** or **FALSE_POSITIVE** with **MEDIUM**/**LOW** (the pipeline treats SAST auto-suppression only for HIGH).\n\n");
         sb.append("Write **reasoning** as **at least 5–8 sentences**, concrete and code-referenced.\n\n");
         appendJsonSchema(sb, true);
         return sb.toString();

backend/src/main/resources/db/changelog/data_dump_test.sql

@@ -676,17 +676,18 @@ INSERT INTO public.scan_info VALUES (6, 6, 6, '4fb9f47dfa66947b20d7b83c0666b27d1
 -- Data for Name: users; Type: TABLE DATA; Schema: public; Owner: flow_user
 --
 
-INSERT INTO public.users VALUES (2, '$2a$10$KtoPDiXK0qnn5kqcn1phK..ogkzljZmkwJU686o60jH8b6rT6xDNO', 'user', NULL, true, true);
-INSERT INTO public.users VALUES (3, '$2a$10$LQuErsbpMCVb/3D2LoU9/epUKpXzUuqUJlexVVODcU1Mz2nDnB8xy', 'manager', NULL, true, true);
+-- Ids 2–3 are reserved by master changelog (e.g. flowai system user); use 4–5 for fixture users
+INSERT INTO public.users VALUES (4, '$2a$10$KtoPDiXK0qnn5kqcn1phK..ogkzljZmkwJU686o60jH8b6rT6xDNO', 'user', NULL, true, true);
+INSERT INTO public.users VALUES (5, '$2a$10$LQuErsbpMCVb/3D2LoU9/epUKpXzUuqUJlexVVODcU1Mz2nDnB8xy', 'manager', NULL, true, true);
 
 
 --
 -- Data for Name: users_roles; Type: TABLE DATA; Schema: public; Owner: flow_user
 --
 
-INSERT INTO public.users_roles VALUES (2, 1);
-INSERT INTO public.users_roles VALUES (3, 3);
-INSERT INTO public.users_roles VALUES (3, 1);
+INSERT INTO public.users_roles VALUES (4, 1);
+INSERT INTO public.users_roles VALUES (5, 3);
+INSERT INTO public.users_roles VALUES (5, 1);
 
 
 --
@@ -695,12 +696,12 @@ INSERT INTO public.users_roles VALUES (3, 1);
 
 
 INSERT INTO public.users_teams (user_info_id, team_id) VALUES (1, 1);
-INSERT INTO public.users_teams (user_info_id, team_id) VALUES (2, 1);
+INSERT INTO public.users_teams (user_info_id, team_id) VALUES (4, 1);
 INSERT INTO public.users_teams (user_info_id, team_id) VALUES (1, 2);
-INSERT INTO public.users_teams (user_info_id, team_id) VALUES (3, 2);
+INSERT INTO public.users_teams (user_info_id, team_id) VALUES (5, 2);
 INSERT INTO public.users_teams (user_info_id, team_id) VALUES (1, 3);
-INSERT INTO public.users_teams (user_info_id, team_id) VALUES (3, 3);
-INSERT INTO public.users_teams (user_info_id, team_id) VALUES (2, 3);
+INSERT INTO public.users_teams (user_info_id, team_id) VALUES (5, 3);
+INSERT INTO public.users_teams (user_info_id, team_id) VALUES (4, 3);
 
 
 --
@@ -783,7 +784,7 @@ SELECT pg_catalog.setval('public.team_id_seq', 3, true);
 -- Name: users_id_seq; Type: SEQUENCE SET; Schema: public; Owner: flow_user
 --
 
-SELECT pg_catalog.setval('public.users_id_seq', 3, true);
+SELECT pg_catalog.setval('public.users_id_seq', 5, true);
 
 
 --

frontend/src/app/views/show-repo/vulnerabilities-table/vulnerabilities-table.component.html

@@ -379,6 +379,8 @@ <h3 id="vuln-filters-heading" class="vuln-filter-panel__title">
                                         </span>
                                         <span *ngIf="row.ai_analyzed && row.ai_verdict === 'FALSE_POSITIVE' && row.status === 'SUPRESSED'"
                                               class="badge bg-info-subtle text-info ms-2">🤖 AI: False Positive</span>
+                                        <span *ngIf="row.ai_analyzed && row.ai_verdict === 'LIKELY_FP_REVIEW'"
+                                              class="badge bg-warning-subtle text-warning-emphasis ms-2">🤖 AI: FP suggested (review)</span>
                                         <span *ngIf="row.ai_analyzed && row.ai_verdict === 'REAL_ISSUE'"
                                               class="badge bg-secondary-subtle text-secondary ms-2">🤖 AI: Real issue</span>
                                     </div>

frontend/src/app/views/show-team/team-vulnerabilities-table/team-vulnerabilities-table.component.html

@@ -326,6 +326,8 @@
                                         </span>
                                         <span *ngIf="row.ai_analyzed && row.ai_verdict === 'FALSE_POSITIVE' && row.status === 'SUPRESSED'"
                                               class="badge bg-info-subtle text-info ms-2">🤖 AI: False Positive</span>
+                                        <span *ngIf="row.ai_analyzed && row.ai_verdict === 'LIKELY_FP_REVIEW'"
+                                              class="badge bg-warning-subtle text-warning-emphasis ms-2">🤖 AI: FP suggested (review)</span>
                                         <span *ngIf="row.ai_analyzed && row.ai_verdict === 'REAL_ISSUE'"
                                               class="badge bg-secondary-subtle text-secondary ms-2">🤖 AI: Real issue</span>
                                     </div>