Finalize PATH_TRAVERSAL_IN suppression after deep-check (settled false positive)

Deep-checked the two PATH_TRAVERSAL_IN sites flagged by findsecbugs:
LlamaLoader (native-lib path from the lib.path / java.library.path / tmpdir
JVM properties) and OfflineModelGuard.check (a read-only Files.exists on the
configured model path). In both the tainted input is the operator's own
process configuration set at launch, not untrusted input crossing a privilege
boundary, and there is no allowed-root to validate against (pointing at an
arbitrary GGUF/library anywhere on disk is the whole point). So it is a settled
false positive for a JNI library and no code fix is appropriate.

Consolidate the two suppression blocks into one finalized <Match> over all
three classes with the reviewed rationale, drop the "provisional/under review"
language, and close the deep-check item in TODO.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0137c1LhUbNvW3kt4eF9Kqyb
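An added illustration (not the project's own filter file) of what a single consolidated SpotBugs/findsecbugs `<Match>` covering several classes for one bug pattern looks like; the package-agnostic `~` regex class names and the third class name `THIRD_CLASS_PLACEHOLDER` are assumptions, since the commit names only two of the three classes:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical spotbugs-exclude.xml fragment; the project's real file may differ. -->
<FindBugsFilter>
  <!--
    PATH_TRAVERSAL_IN (findsecbugs) reviewed and settled as a false positive:
    the "tainted" path comes from the operator's own launch-time JVM properties
    (lib.path / java.library.path / tmpdir) or the configured model path, not
    from untrusted input crossing a privilege boundary, and there is no
    allowed-root to validate against because loading an arbitrary GGUF/library
    from anywhere on disk is the intended behaviour of this JNI library.
  -->
  <Match>
    <Or>
      <!-- "~" prefix makes the name a regex, so the package need not be spelled out -->
      <Class name="~.*\.LlamaLoader" />
      <Class name="~.*\.OfflineModelGuard" />
      <Class name="~.*\.THIRD_CLASS_PLACEHOLDER" />
    </Or>
    <Bug pattern="PATH_TRAVERSAL_IN" />
  </Match>
</FindBugsFilter>
```

Scoping the suppression to the one `<Bug pattern>` and the named classes keeps PATH_TRAVERSAL_IN findings live everywhere else in the code base, so a future site that does take a user-controlled path is still reported.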