Comment by akie
14 hours ago
I would say that recall is the most important metric here though. I'd want it to catch all the issues.
False positives are easy to ignore.
What, no they're not. You still need to analyze them to understand they are false positives. It's time wasted.
Agree, it's something that will eventually teach your developers to ignore points raised as it's mostly garbage.
Finding problems is optimizing for the customer. Avoiding false positives is optimizing for the developer. Which is right depends on your org's culture.
If I flag every line in your PR as a potential security bug then I have 100% recall.
Obviously you need a mixture of high recall and low false positive rate. If 7/8 flagged items are fine it's much more likely people will ignore the warnings, much like they would any security tool with a 90% false positive rate. That is not optimized for the customer.
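The precision/recall trade-off argued over in this thread, worked through in code. This is an added example, not code from any commenter: the 40-line PR, the two lines treated as real bugs, and the three scanner outputs (flag everything, a noisy scanner with 7/8 false alarms, a selective scanner) are all constructed here to make the numbers concrete.

```python
"""Score a PR security scanner by precision, recall and triage cost.

Added example for the thread above; all inputs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scores:
    true_positives: int
    false_positives: int
    false_negatives: int

    @property
    def precision(self) -> float:
        """Share of flagged lines that were real bugs (1 - noise ratio)."""
        flagged = self.true_positives + self.false_positives
        return self.true_positives / flagged if flagged else 0.0

    @property
    def recall(self) -> float:
        """Share of real bugs the scanner caught."""
        actual = self.true_positives + self.false_negatives
        return self.true_positives / actual if actual else 0.0


def score(flagged: set[int], truly_vulnerable: set[int]) -> Scores:
    """Compare a scanner's flagged line numbers against ground truth."""
    return Scores(
        true_positives=len(flagged & truly_vulnerable),
        false_positives=len(flagged - truly_vulnerable),
        false_negatives=len(truly_vulnerable - flagged),
    )


def triage_cost(s: Scores, minutes_per_finding: float = 10.0) -> float:
    """Reviewer minutes spent confirming findings that were false alarms.

    Assumes a constructed 10 minutes per finding; this is what the
    'false positives are easy to ignore' claim leaves out.
    """
    return s.false_positives * minutes_per_finding


# Constructed 40-line PR in which lines 7 and 23 are the only real bugs.
PR_LINES = set(range(1, 41))
TRULY_VULNERABLE = {7, 23}

# Strategy A from the thread: flag every line, which guarantees 100% recall.
FLAG_EVERYTHING = PR_LINES

# Strategy B: 8 findings, 1 of them real (the "7/8 flagged items are fine" case).
NOISY_SCANNER = {2, 7, 11, 15, 19, 28, 33, 39}

# Strategy C: 3 findings, 2 of them real.
SELECTIVE_SCANNER = {7, 23, 30}

STRATEGIES = {
    "flag everything": FLAG_EVERYTHING,
    "noisy scanner": NOISY_SCANNER,
    "selective scanner": SELECTIVE_SCANNER,
}


def compare_strategies() -> dict[str, Scores]:
    """Score each constructed strategy against the same ground truth."""
    return {name: score(flagged, TRULY_VULNERABLE) for name, flagged in STRATEGIES.items()}


if __name__ == "__main__":
    for name, s in compare_strategies().items():
        print(
            f"{name:18s} precision={s.precision:.2f} recall={s.recall:.2f} "
            f"wasted_triage={triage_cost(s):.0f} min"
        )
```

Run as-is and the table shows the point both sides are making: flagging everything reaches recall 1.0 at precision 0.05 and 380 minutes of wasted triage, the noisy scanner misses half the real bugs while still burning 70 minutes on false alarms, and only the selective scanner keeps recall at 1.0 with a precision a reviewer can keep trusting.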