Closed
Labels: A-Linter (Area: linter), L-JavaScript (Language: JavaScript and super languages), S-Bug-confirmed (Status: report has been confirmed as a valid bug), S-Help-wanted (Status: you're familiar with the code base and want to help the project)
Description
Environment information
Full Environment Information (probably irrelevant to this bug, but included anyway)
CLI:
Version: 1.9.4
Color support: true
Platform:
CPU Architecture: x86_64
OS: linux
Environment:
BIOME_LOG_PATH: unset
BIOME_LOG_PREFIX_NAME: unset
BIOME_CONFIG_PATH: unset
NO_COLOR: unset
TERM: "xterm-256color"
JS_RUNTIME_VERSION: "v22.9.0"
JS_RUNTIME_NAME: "node"
NODE_PACKAGE_MANAGER: "pnpm/9.12.2"
Biome Configuration:
Status: Loaded successfully
Formatter disabled: false
Linter disabled: false
Organize imports disabled: false
VCS disabled: false
Linter:
JavaScript enabled: true
JSON enabled: true
CSS enabled: true
GraphQL enabled: false
Recommended: true
All: false
Enabled rules:
performance/noDelete
suspicious/noCatchAssign
suspicious/noUnsafeNegation
complexity/useLiteralKeys
suspicious/noClassAssign
style/useImportType
complexity/noMultipleSpacesInRegularExpressionLiterals
a11y/useValidLang
complexity/noUselessEmptyExport
suspicious/useNamespaceKeyword
suspicious/useValidTypeof
a11y/useValidAriaRole
correctness/noConstantCondition
a11y/useAriaActivedescendantWithTabindex
suspicious/noAssignInExpressions
style/useDefaultParameterLast
complexity/noEmptyTypeParameters
correctness/noConstructorReturn
style/useSelfClosingElements
suspicious/noDuplicateParameters
suspicious/noDuplicateSelectorsKeyframeBlock
suspicious/noMisplacedAssertion
correctness/noUnknownProperty
style/useTemplate
correctness/noUnusedLabels
complexity/noUselessTernary
correctness/noUnreachableSuper
nursery/useTrimStartEnd
suspicious/noCompareNegZero
correctness/noSwitchDeclarations
a11y/noAutofocus
correctness/noUnsafeOptionalChaining
correctness/noConstAssign
suspicious/noExplicitAny
suspicious/noControlCharactersInRegex
complexity/noUselessTypeConstraint
style/noVar
suspicious/noDoubleEquals
suspicious/noRedundantUseStrict
style/useLiteralEnumMembers
suspicious/noGlobalIsNan
suspicious/noEmptyInterface
suspicious/noConstEnum
suspicious/noMisleadingCharacterClass
correctness/noPrecisionLoss
a11y/noLabelWithoutControl
suspicious/noRedeclare
correctness/noStringCaseMismatch
correctness/noSetterReturn
correctness/noInvalidConstructorSuper
suspicious/noImplicitAnyLet
suspicious/noDuplicateObjectKeys
a11y/useKeyWithClickEvents
complexity/noUselessThisAlias
correctness/noUnreachable
suspicious/noFallthroughSwitchClause
suspicious/noUnsafeDeclarationMerging
complexity/noThisInStatic
complexity/useOptionalChain
correctness/noInnerDeclarations
style/noParameterAssign
suspicious/noDuplicateCase
a11y/useValidAnchor
complexity/useRegexLiterals
correctness/noSelfAssign
correctness/noInvalidBuiltinInstantiation
nursery/useGuardForIn
style/noUselessElse
style/useShorthandFunctionType
correctness/noInvalidDirectionInLinearGradient
nursery/noValueAtRule
style/useSingleCaseStatement
suspicious/noShadowRestrictedNames
nursery/noMissingVarFunction
a11y/useMediaCaption
complexity/noUselessLabel
complexity/noUselessCatch
suspicious/noImportantInKeyframe
correctness/noUnsafeFinally
a11y/useAriaPropsForRole
style/useCollapsedElseIf
correctness/noNonoctalDecimalEscape
style/useEnumInitializers
a11y/useHtmlLang
suspicious/noDuplicateTestHooks
complexity/noStaticOnlyClass
style/useWhile
complexity/useArrowFunction
style/noInferrableTypes
a11y/noNoninteractiveTabindex
complexity/useSimpleNumberKeys
correctness/useYield
a11y/noInteractiveElementToNoninteractiveRole
style/useNumericLiterals
correctness/noUnnecessaryContinue
suspicious/noApproximativeNumericConstant
suspicious/noImportAssign
suspicious/noLabelVar
correctness/noGlobalObjectCalls
suspicious/useDefaultSwitchClauseLast
correctness/noEmptyCharacterClassInRegex
correctness/noUnknownUnit
a11y/useAltText
suspicious/noSparseArray
a11y/useIframeTitle
complexity/noBannedTypes
a11y/noSvgWithoutTitle
correctness/noVoidElementsWithChildren
style/useAsConstAssertion
correctness/useJsxKeyInIterable
style/useExportType
suspicious/noSuspiciousSemicolonInJsx
complexity/noUselessLoneBlockStatements
style/noArguments
a11y/useValidAriaValues
nursery/noUnknownPseudoClass
suspicious/noCommentText
a11y/useFocusableInteractive
correctness/noUnmatchableAnbSelector
suspicious/noDebugger
suspicious/noDuplicateJsxProps
style/useFragmentSyntax
a11y/noPositiveTabindex
correctness/noEmptyPattern
complexity/noExcessiveNestedTestSuites
performance/noReExportAll
a11y/useKeyWithMouseEvents
security/noDangerouslySetInnerHtmlWithChildren
suspicious/noExtraNonNullAssertion
correctness/noRenderReturnValue
correctness/useExhaustiveDependencies
nursery/noUnknownPseudoElement
nursery/noSecrets
a11y/noRedundantRoles
complexity/useFlatMap
correctness/useIsNan
correctness/useHookAtTopLevel
correctness/noUnusedVariables
security/noGlobalEval
style/noNonNullAssertion
style/useConst
nursery/noIrregularWhitespace
style/useConsistentBuiltinInstantiation
style/noYodaExpression
security/noDangerouslySetInnerHtml
style/useNodejsImportProtocol
a11y/noDistractingElements
nursery/useValidAutocomplete
complexity/noWith
style/useConsistentArrayType
style/useForOf
suspicious/noArrayIndexKey
complexity/noExtraBooleanCast
performance/noAccumulatingSpread
a11y/useValidAriaProps
a11y/noRedundantAlt
correctness/noChildrenProp
correctness/noUnknownFunction
correctness/noInvalidPositionAtImportRule
suspicious/noAsyncPromiseExecutor
suspicious/noConfusingLabels
suspicious/noDuplicateClassMembers
suspicious/noDuplicateFontNames
suspicious/noGlobalAssign
suspicious/noGlobalIsFinite
suspicious/noMisleadingInstantiator
suspicious/noPrototypeBuiltins
suspicious/noThenProperty
suspicious/useGetterReturn
suspicious/noConfusingVoidType
suspicious/noFocusedTests
a11y/useButtonType
a11y/useSemanticElements
suspicious/noShorthandPropertyOverrides
a11y/noAriaUnsupportedElements
correctness/noInvalidGridAreas
nursery/noUnknownTypeSelector
correctness/noFlatMapIdentity
style/useShorthandAssign
suspicious/noSelfCompare
suspicious/useErrorMessage
a11y/noBlankTarget
a11y/useHeadingContent
correctness/useValidForDirection
correctness/noVoidTypeReturn
correctness/noInvalidUseBeforeDeclaration
a11y/noAriaHiddenOnFocusable
a11y/useGenericFontNames
correctness/noUnknownMediaFeatureName
a11y/useAnchorContent
complexity/noUselessRename
nursery/noUselessEscapeInRegex
nursery/noSubstr
complexity/noUselessConstructor
a11y/noAccessKey
style/useExponentiationOperator
style/noUnusedTemplateLiteral
complexity/noUselessSwitchCase
style/useNumberNamespace
correctness/noUndeclaredVariables
nursery/noStaticElementInteractions
nursery/useAriaPropsSupportedByRole
nursery/useAdjacentOverloadSignatures
style/useSingleVarDeclarator
style/useBlockStatements
suspicious/noExportsInTest
a11y/noNoninteractiveElementToInteractiveRole
nursery/noTemplateCurlyInString
style/noCommaOperator
suspicious/useAwait
suspicious/noDuplicateAtImportRules
suspicious/useIsArray
a11y/noHeaderScope
complexity/noUselessFragments
suspicious/noMisrefactoredShorthandAssign
suspicious/noEmptyBlock
complexity/noForEach
correctness/noUnusedImports
suspicious/noFunctionAssign
Workspace:
Open Documents: 0
Rule name
lint/nursery/noSecrets
Playground link
Expected result
Due to a bug in the implementation of the no_secrets rule, the entropyThreshold setting does not have any observable effect. Because the base_threshold is always added to the result of the entropy calculation, it has no purpose, because it is meaningless to do base_threshold + adjusted_entropy > base_threshold.
(Due to type conversions f64 <-> u16, the actual comparison is more like floor(base_threshold + adjusted_entropy) > base_threshold)
biome/crates/biome_js_analyze/src/lint/nursery/no_secrets.rs
Lines 493 to 502 in fbf4b3d

```rust
fn apply_exponential_entropy_scaling(
    entropy: f64,
    token_length: usize,
    base_threshold: f64,
    scaling_factor: f64,
) -> f64 {
    // We will apply a logarithmic dampening to prevent excessive scaling for long tokens
    let scaling_adjustment = (token_length as f64 / scaling_factor).ln();
    base_threshold + entropy * scaling_adjustment
}
```

biome/crates/biome_js_analyze/src/lint/nursery/no_secrets.rs
Lines 385 to 389 in fbf4b3d

```rust
let entropy =
    calculate_entropy_with_case_and_classes(token, *entropy_threshold as f64, 15.0);
if (entropy as u16) > *entropy_threshold {
    return Some("Detected high entropy string");
}
```
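The following is an added, stand-alone reproduction of the comparison this issue describes; it is example code written for this page, not Biome's own code. `apply_exponential_entropy_scaling` and the `> threshold` check are transcribed from the snippets quoted above. `shannon_entropy` is a plain Shannon entropy used as a stand-in for `calculate_entropy_with_case_and_classes`, which the issue does not quote (assumption); token length is measured in characters and the scaling factor is the `15.0` from the quoted call. `flagged_effective` shows what the quoted check reduces to after the `f64 -> u16` truncation, and `flagged_corrected` is one possible way of making the threshold matter, not the project's actual fix (assumption).

```rust
use std::collections::HashMap;

/// Plain Shannon entropy in bits per character.
/// Assumption: stand-in for the project's case/class-aware entropy, which is not quoted.
pub fn shannon_entropy(token: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in token.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = token.chars().count() as f64;
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Transcribed from the issue: the base threshold is folded into the returned value.
pub fn apply_exponential_entropy_scaling(
    entropy: f64,
    token_length: usize,
    base_threshold: f64,
    scaling_factor: f64,
) -> f64 {
    let scaling_adjustment = (token_length as f64 / scaling_factor).ln();
    base_threshold + entropy * scaling_adjustment
}

/// The check as quoted: `(base + adjusted) as u16 > base`.
/// Returns true when the token would be reported as a high entropy string.
pub fn flagged_as_quoted(token: &str, entropy_threshold: u16) -> bool {
    let scaled = apply_exponential_entropy_scaling(
        shannon_entropy(token),
        token.chars().count(),
        entropy_threshold as f64,
        15.0,
    );
    // `as u16` truncates toward zero and saturates, so this is floor(base + adj) > base.
    (scaled as u16) > entropy_threshold
}

/// What the quoted check actually tests: for an integral base,
/// floor(base + adj) > base  <=>  adj >= 1.  The threshold drops out entirely,
/// and any token shorter than the scaling factor (ln < 0) can never be flagged.
pub fn flagged_effective(token: &str) -> bool {
    let adj = shannon_entropy(token) * (token.chars().count() as f64 / 15.0).ln();
    adj >= 1.0
}

/// One way to give the setting an effect (assumption, not the project's fix):
/// compare the length-adjusted entropy itself against the threshold.
pub fn flagged_corrected(token: &str, entropy_threshold: u16) -> bool {
    let adj = shannon_entropy(token) * (token.chars().count() as f64 / 15.0).ln();
    adj > entropy_threshold as f64
}

/// Evaluates the quoted check for one token across several thresholds, so the
/// threshold-independence is visible as a vector of identical results.
pub fn results_over_thresholds(token: &str, thresholds: &[u16]) -> Vec<bool> {
    thresholds.iter().map(|&t| flagged_as_quoted(token, t)).collect()
}

fn main() {
    // Constructed sample tokens, not taken from any real code base.
    let high = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0"; // 40 chars, mixed
    let short = "secret1234"; // 10 chars: ln(10/15) < 0, never flagged
    let thresholds = [0u16, 1, 5, 100, 60000];
    println!("quoted check over thresholds {:?}: {:?}", thresholds, results_over_thresholds(high, &thresholds));
    println!("effective check: {}", flagged_effective(high));
    println!("short token, threshold 0: {}", flagged_as_quoted(short, 0));
    for t in [4u16, 5] {
        println!("corrected check, threshold {}: {}", t, flagged_corrected(high, t));
    }
}
```

Running `main` shows the quoted check returning the same answer for thresholds 0 through 60000 on the 40-character token, while the corrected comparison flips between thresholds 4 and 5, which is the behaviour a user of `entropyThreshold` would expect.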