@jajanet (Contributor) commented Feb 12, 2026

This enhances the markdown regex parser to identify and extract code snippets provided within the Recommendation into a new optional Code Suggestions field.

Before, code blocks within recommendations returned as raw text:

````json
{
  "vulnerability": "Path Traversal",
  "recommendation": "First, sanitize the input using a whitelist. \n```typescript\nconst safePath = path.basename(req.query.file);\nconst data = fs.readFileSync(path.join(__dirname, 'safe_dir', safePath));\n```\nAfter that, ensure permissions are restricted."
}
````

to code blocks parsed into a dedicated codeSuggestion field, and recommendation is cleaned to be natural language only:

````json
{
  "vulnerability": "Path Traversal",
  "recommendation": "First, sanitize the input using a whitelist. After that, ensure permissions are restricted.",
  "codeSuggestion": "const safePath = path.basename(req.query.file);\nconst data = fs.readFileSync(path.join(__dirname, 'safe_dir', safePath));"
}
````

We do this using regex by finding markdown code fences (```) within the Recommendation section.

The first code block found is extracted into codeSuggestion.

Also updated tests to the following:

  • codeSuggestion is null when no code block is present,
  • a JS code block is correctly extracted from a recommendation when provided, and
  • text appearing after a code block in the recommendation section is preserved and not lost during extraction
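The extraction described above, as an added example that is not the project's parser.ts (the type and function names are assumed): it locates the first fenced block with a single indexOf pass instead of a regex over the whole recommendation, which is the linear-time alternative to the backtracking pattern the reviews below flag as a ReDoS risk, returns the block as codeSuggestion (null when none), and keeps the prose on both sides of it.

```typescript
// Added example, not the project's parser.ts: type and function names are assumed.
// indexOf scanning replaces a regex over the whole recommendation, so the work is a
// single linear pass with nothing for a crafted input to make backtrack (no ReDoS).

interface CodeExtraction {
  recommendation: string;        // natural-language text only
  codeSuggestion: string | null; // first fenced block, or null when none
}

const FENCE = "`".repeat(3); // three backticks

// Collapse the newlines and double spaces left behind when a block is cut out.
function normalize(text: string): string {
  return text.replace(/\s+/g, " ").trim();
}

function extractCodeSuggestion(recommendation: string): CodeExtraction {
  const noCode: CodeExtraction = { recommendation, codeSuggestion: null };

  const open = recommendation.indexOf(FENCE);
  if (open === -1) return noCode;

  // The opening fence may carry a language tag; the body starts on the next line.
  // An unterminated opener is left in the text as-is rather than guessed at.
  const openLineEnd = recommendation.indexOf("\n", open + FENCE.length);
  if (openLineEnd === -1) return noCode;

  const close = recommendation.indexOf(FENCE, openLineEnd + 1);
  if (close === -1) return noCode;

  const code = recommendation.slice(openLineEnd + 1, close).replace(/\r\n/g, "\n").trim();

  // Keep the prose on both sides of the block so trailing text is preserved.
  const before = recommendation.slice(0, open);
  const after = recommendation.slice(close + FENCE.length);
  return {
    recommendation: normalize(before + " " + after),
    codeSuggestion: code.length > 0 ? code : null,
  };
}

// Constructed sample, built from the PR description's "before" payload.
const SAMPLE =
  "First, sanitize the input using a whitelist. \n" + FENCE + "typescript\n" +
  "const safePath = path.basename(req.query.file);\n" +
  "const data = fs.readFileSync(path.join(__dirname, 'safe_dir', safePath));\n" +
  FENCE + "\nAfter that, ensure permissions are restricted.";
```

Running extractCodeSuggestion(SAMPLE) yields the cleaned recommendation and codeSuggestion shown in the "after" payload above.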

@github-actions

🤖 Hi @jajanet, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

@gemini-code-assist

Summary of Changes

Hello @jajanet, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the markdown parsing functionality by introducing a dedicated codeSuggestion field in the output. It intelligently extracts code snippets embedded within the recommendation section of markdown input, providing them as structured data, while simultaneously cleaning the original recommendation text to contain only natural language. This improves the usability of parsed security findings by separating actionable code examples from descriptive text.

Highlights

  • New codeSuggestion Field: Introduced a new optional codeSuggestion field to the parsed finding output, designed to hold extracted code snippets.
  • Code Block Extraction: Implemented logic to identify and extract the first markdown code block (e.g., ```typescript ... ```) found within the recommendation field.
  • Recommendation Cleaning: Modified the recommendation field to remove any extracted code blocks, ensuring it contains only natural language descriptive text.
  • Enhanced Test Coverage: Added comprehensive test cases to validate the correct extraction of code suggestions, handling of scenarios where no code block is present, and preservation of recommendation text surrounding code blocks.

Changelog
  • mcp-server/src/parser.test.ts
    • Added a test case to verify that codeSuggestion is null when no code block is present in the recommendation.
    • Added a test case to confirm the correct extraction of a JavaScript code block into codeSuggestion and the cleaning of the recommendation field.
    • Added a test case to handle complex markdown input with multiple findings, ensuring codeSuggestion extraction and recommendation text preservation.
    • Added a test case for recommendations with text following a code block, verifying correct extraction and text preservation.
  • mcp-server/src/parser.ts
    • Updated the Finding interface to include an optional codeSuggestion field of type string | null.
    • Implemented parsing logic to identify and extract the first markdown code block from the recommendation field into the new codeSuggestion variable.
    • Modified the recommendation field processing to remove extracted code blocks, ensuring it contains only descriptive text before being assigned to the Finding object.
Activity
  • No specific activity (comments, reviews) was found in the provided context for this pull request.

@github-actions github-actions bot left a comment

## 📋 Review Summary

This pull request introduces a valuable feature for extracting code suggestions from markdown recommendations. The approach of parsing code blocks is effective, but the current implementation introduces a significant ReDoS (Regular Expression Denial of Service) vulnerability.

🔍 General Feedback

  • The feature is a great addition and will improve the usability of the security findings.
  • The tests are well-written and cover a good range of scenarios.
  • The identified ReDoS vulnerability is a critical security concern that should be addressed before this change is merged. I have provided a specific recommendation to mitigate this risk.


@github-actions github-actions bot left a comment

## 📋 Security Analysis Summary

The pull request aims to improve the markdown parser to extract code suggestions from recommendations. The implementation is straightforward, but it introduces a regular expression that is vulnerable to ReDoS.

🔍 General Feedback

  • The code is well-structured and easy to read.
  • The addition of tests for the new functionality is a good practice.
  • The ReDoS vulnerability should be addressed before merging.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a codeSuggestion field to the parsed output by extracting the first markdown code block from the recommendation section. The implementation is sound and the new tests effectively validate the new functionality, covering various scenarios like the absence of code blocks and text surrounding them. I've added a couple of suggestions to enhance the robustness of the code. One suggestion is to improve the regular expression for code block detection to be more flexible, and the other is to make a test assertion more specific to ensure the test suite's reliability. Overall, this is a valuable enhancement to the parser's output.

@jajanet jajanet merged commit d005c90 into main Feb 12, 2026
3 checks passed
@jajanet jajanet deleted the code-sug-field branch February 12, 2026 22:23