Copilot/explore codebase implementation plan again#798
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
There was a problem hiding this comment.
Sorry @Bryan-Roe, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_e8ac8043-09ec-4978-8392-b632ca44256a) |
| resp = self.client.chat.completions.create( | ||
| model=self.model, | ||
| messages=normalized_messages, | ||
| temperature=self.temperature, | ||
| max_tokens=self.max_output_tokens, | ||
| stream=stream, | ||
| ) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.
You can view more details about this finding in the Semgrep AppSec Platform.
| resolved_key = api_key or os.getenv("GROQ_API_KEY") | ||
| if not resolved_key: | ||
| raise RuntimeError("Groq provider requires GROQ_API_KEY to be set.") | ||
| self.client = OpenAI(base_url=base_url, api_key=resolved_key) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.
You can view more details about this finding in the Semgrep AppSec Platform.
| models_url = server_url.rstrip("/") + "/models" | ||
| headers = {"User-Agent": "QAI", "Authorization": "Bearer " + groq_api_key} | ||
| request = urllib.request.Request(models_url, headers=headers) | ||
| urllib.request.urlopen(request, timeout=3) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
The application was found passing in a non-literal value to the urllib methods which issue
requests. urllib supports the file:// scheme, which may allow an adversary who can control
the URL value to read arbitrary files on the file system.
To remediate this issue either hardcode the URLs being used in urllib or use the requests
module instead.
Example using the requests module to issue an HTTPS request:
import requests
# Issue a GET request to https://example.com with a timeout of 10 seconds
response = requests.get('https://example.com', timeout=10)
# Work with the response object
# ...
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by B310-1.
You can view more details about this finding in the Semgrep AppSec Platform.
| with urllib.request.urlopen( | ||
| req, timeout=timeout_seconds | ||
| ) as resp: # noqa: S310 - local configurable endpoint |
There was a problem hiding this comment.
The application was found passing in a non-literal value to the urllib methods which issue
requests. urllib supports the file:// scheme, which may allow an adversary who can control
the URL value to read arbitrary files on the file system.
To remediate this issue either hardcode the URLs being used in urllib or use the requests
module instead.
Example using the requests module to issue an HTTPS request:
import requests
# Issue a GET request to https://example.com with a timeout of 10 seconds
response = requests.get('https://example.com', timeout=10)
# Work with the response object
# ...
🍰 Fixed in commit d8276a9 🍰
| models_url = server_url.rstrip("/") + "/models" | ||
| headers = {"User-Agent": "QAI", "Authorization": "Bearer " + groq_api_key} | ||
| request = urllib.request.Request(models_url, headers=headers) | ||
| urllib.request.urlopen(request, timeout=3) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by dynamic-urllib-use-detected.
You can view more details about this finding in the Semgrep AppSec Platform.
| with urllib.request.urlopen( | ||
| req, timeout=timeout_seconds | ||
| ) as resp: # noqa: S310 - local configurable endpoint |
There was a problem hiding this comment.
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.
🎈 Fixed in commit d8276a9 🎈
|
Semgrep found 26
Possibly found usage of AI: OpenAI |
| assert p.model == "mixtral-8x7b-32768" | ||
| assert p.base_url == "https://custom.groq.example/v1" | ||
| assert p.temperature == 0.3 | ||
| assert p.max_output_tokens == 512 |
| monkeypatch.setenv("GROQ_API_KEY", "gsk-test") | ||
| key_with = _build_provider_detect_cache_key("auto", None, None, None) | ||
|
|
||
| assert key_without != key_with |
| monkeypatch.setenv("GROQ_API_KEY", "gsk-test") | ||
| key_with = _build_provider_detect_cache_key("auto", None, None, None) | ||
|
|
||
| assert key_without != key_with |
| monkeypatch.setenv("GROQ_MODEL", "mixtral-8x7b-32768") | ||
| key_b = _build_provider_detect_cache_key("groq", None, None, None) | ||
|
|
||
| assert key_a != key_b |
| monkeypatch.setenv("GROQ_MODEL", "mixtral-8x7b-32768") | ||
| key_b = _build_provider_detect_cache_key("groq", None, None, None) | ||
|
|
||
| assert key_a != key_b |
| monkeypatch.setenv("GROQ_BASE_URL", "https://custom.groq.example/v1") | ||
| key_custom = _build_provider_detect_cache_key("groq", None, None, None) | ||
|
|
||
| assert key_default != key_custom |
| monkeypatch.setenv("GROQ_BASE_URL", "https://custom.groq.example/v1") | ||
| key_custom = _build_provider_detect_cache_key("groq", None, None, None) | ||
|
|
||
| assert key_default != key_custom |
| @pytest.mark.unit | ||
| def test_groq_provider_requires_openai_package(monkeypatch): | ||
| """GroqProvider raises RuntimeError when openai is not installed.""" | ||
| import chat_providers as cp |
🔐 CodeQL — Open Alerts on this PR
Copilot Autofix suggestions (if enabled) appear as inline review comments on the affected lines. |
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_7e9376d7-4e54-461c-abff-bea56d85bf68) |
Summary
Changes
Testing
Checklist
.github/copilot-instructions.md, instruction files)python scripts/test_runner.py --unit)Note
Medium Risk
Touches core
detect_providerauto-selection and default provider priority, which can change which backend serves chat when multiple keys are configured; behavior is well-tested but affects hot API paths.Overview
Groq is added as a first-class chat backend so CLI/API callers can use
--provider groqor rely on auto-detection whenGROQ_API_KEYis set and the API is reachable.The new
GroqProvideruses Groq’s OpenAI-compatible endpoint (defaultllama-3.1-8b-instant, overridable viaGROQ_MODEL/GROQ_BASE_URL) with streaming and user-facing errors for connection, auth, and missing models. Auto mode now probes after OpenAI and before local echo, with_check_groq_available(30s cache,/modelsprobe) and Groq fields included in provider-detection cache keys.shared/configdefault priority and healthsummary()gaingroq/groq_ready;shared/chat_providersre-exportsGroqProvider. Docs andlocal.settings.json.exampledocument the new env vars. Newtests/test_groq_provider.pyplus updates totest_provider_fallback.pycover detection, aliases, and caching.Reviewed by Cursor Bugbot for commit a49e7aa. Bugbot is set up for automated code reviews on this repo. Configure here.