Fix DS126858 false positive on --nomd5 and similar disable flags #722

Open
Copilot wants to merge 6 commits into main from copilot/fix-ds126858-flagging

Copilot AI commented Feb 4, 2026

  • Understand the current rule pattern and why it's matching --nomd5
  • Update DS126858 rule pattern to use negative lookbehind to avoid matching MD5 when preceded by "no", "no-", "no_", or "disable_"
  • Add test cases to must-not-match to validate --nomd5 and similar cases
  • Run self-tests to verify the fix works correctly
  • Validate that existing must-match cases still work
  • Add word boundaries to negative lookbehind patterns to prevent edge cases like xnomd5
  • Revert .gitignore change that added DevSkim-DotNet/nuget.config
  • Add changelog entry for version 1.0.72
Original prompt

This section details the original issue you should resolve

<issue_title>[False Positive] DS126858 flagging --nomd5</issue_title>
<issue_description>## DS126858

What the rule matched

makeself --sha256 --nomd5

Why should this not be matched?

makeself uses md5 checksums as a basic verification mechanism, I am trying to change it to a sha256 checksum. From the makeself documentation:

--sha256 : Adds a SHA256 checksum for the archive. This is in addition to the MD5 / CRC checksums unless --nomd5 is also used.

https://github.com/megastep/makeself</issue_description>

<agent_instructions>Try to improve the md5 rule to be less broad. It seems like it probably shouldn't capture this 'nomd5' case.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@gfs Thanks for your report. I'll take another look at the md5 rule and see if I can narrow it down a bit.
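
The narrowing described in the checklist above, as an added example that is not part of this PR and is not DevSkim's actual rule pattern. `BROAD`, `NARROW`, the sample lines, case-insensitive matching, and the reading that `xnomd5` should still be reported are all assumptions made for illustration.

```python
import re

# Constructed stand-in for an over-broad rule: any occurrence of "md5".
# Assumption: the PR page does not show the real DS126858 pattern.
BROAD = re.compile(r"md5", re.IGNORECASE)

# Narrowed form following the checklist: skip "md5" when it is preceded by
# "no", "no-", "no_" or "disable_", and require a word boundary before the
# prefix. Python's re needs fixed-width lookbehinds, so each prefix gets its
# own assertion instead of one alternation.
NARROW = re.compile(
    r"(?<!\bno)(?<!\bno[-_])(?<!\bdisable_)md5",
    re.IGNORECASE,
)

# Constructed samples: (text, should the rule report it?)
SAMPLES = [
    ("makeself --sha256 --nomd5", False),          # the reported false positive
    ("archiver --no-md5 out.run", False),
    ("no_md5 = true", False),
    ("disable_md5: yes", False),
    ("hashlib.md5(data).hexdigest()", True),       # real MD5 use
    ("var h = MD5.Create();", True),
    ("xnomd5 = 1", True),                          # "no" is not a standalone prefix
    ("makeself --nomd5 && md5sum out.run", True),  # second occurrence is real
]


def flagged(pattern, text):
    """True if the rule pattern reports anything in the text."""
    return pattern.search(text) is not None


def evaluate(pattern):
    """Return (false_positives, false_negatives) over SAMPLES."""
    fp = [t for t, want in SAMPLES if flagged(pattern, t) and not want]
    fn = [t for t, want in SAMPLES if not flagged(pattern, t) and want]
    return fp, fn


if __name__ == "__main__":
    for name, pat in (("broad", BROAD), ("narrow", NARROW)):
        fp, fn = evaluate(pat)
        print(f"{name}: false positives={fp} false negatives={fn}")
```

The last sample shows that suppression applies per occurrence rather than per line, so a disable flag does not hide a genuine MD5 call later on the same line.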

Copilot AI and others added 2 commits February 4, 2026 23:17
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix false positive on DS126858 with --nomd5" to "Fix DS126858 false positive on --nomd5 and similar disable flags" Feb 4, 2026
Copilot AI requested a review from gfs February 4, 2026 23:23
gfs left a comment

Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
Copilot AI requested a review from gfs February 12, 2026 21:05

gfs commented Feb 12, 2026

@copilot please add a changelog entry for these changes

Co-authored-by: gfs <98900+gfs@users.noreply.github.com>

Copilot AI commented Feb 12, 2026

> @copilot please add a changelog entry for these changes

Added changelog entry for version 1.0.72 in commit c19e2a3

gfs marked this pull request as ready for review February 12, 2026 21:26

Successfully merging this pull request may close these issues.

[False Positive] DS126858 flagging --nomd5