💅 entropyThreshold option for noSecrets rules does not have an effect

[cr7pt0gr4ph7]

Environment information

Full Environment Information (probably irrelevant to this bug, but included anyway)

CLI:
  Version:                      1.9.4
  Color support:                true

Platform:
  CPU Architecture:             x86_64
  OS:                           linux

Environment:
  BIOME_LOG_PATH:               unset
  BIOME_LOG_PREFIX_NAME:        unset
  BIOME_CONFIG_PATH:            unset
  NO_COLOR:                     unset
  TERM:                         "xterm-256color"
  JS_RUNTIME_VERSION:           "v22.9.0"
  JS_RUNTIME_NAME:              "node"
  NODE_PACKAGE_MANAGER:         "pnpm/9.12.2"

Biome Configuration:
  Status:                       Loaded successfully
  Formatter disabled:           false
  Linter disabled:              false
  Organize imports disabled:    false
  VCS disabled:                 false

Linter:
  JavaScript enabled:           true
  JSON enabled:                 true
  CSS enabled:                  true
  GraphQL enabled:              false
  Recommended:                  true
  All:                          false
  Enabled rules:
  performance/noDelete
  suspicious/noCatchAssign
  suspicious/noUnsafeNegation
  complexity/useLiteralKeys
  suspicious/noClassAssign
  style/useImportType
  complexity/noMultipleSpacesInRegularExpressionLiterals
  a11y/useValidLang
  complexity/noUselessEmptyExport
  suspicious/useNamespaceKeyword
  suspicious/useValidTypeof
  a11y/useValidAriaRole
  correctness/noConstantCondition
  a11y/useAriaActivedescendantWithTabindex
  suspicious/noAssignInExpressions
  style/useDefaultParameterLast
  complexity/noEmptyTypeParameters
  correctness/noConstructorReturn
  style/useSelfClosingElements
  suspicious/noDuplicateParameters
  suspicious/noDuplicateSelectorsKeyframeBlock
  suspicious/noMisplacedAssertion
  correctness/noUnknownProperty
  style/useTemplate
  correctness/noUnusedLabels
  complexity/noUselessTernary
  correctness/noUnreachableSuper
  nursery/useTrimStartEnd
  suspicious/noCompareNegZero
  correctness/noSwitchDeclarations
  a11y/noAutofocus
  correctness/noUnsafeOptionalChaining
  correctness/noConstAssign
  suspicious/noExplicitAny
  suspicious/noControlCharactersInRegex
  complexity/noUselessTypeConstraint
  style/noVar
  suspicious/noDoubleEquals
  suspicious/noRedundantUseStrict
  style/useLiteralEnumMembers
  suspicious/noGlobalIsNan
  suspicious/noEmptyInterface
  suspicious/noConstEnum
  suspicious/noMisleadingCharacterClass
  correctness/noPrecisionLoss
  a11y/noLabelWithoutControl
  suspicious/noRedeclare
  correctness/noStringCaseMismatch
  correctness/noSetterReturn
  correctness/noInvalidConstructorSuper
  suspicious/noImplicitAnyLet
  suspicious/noDuplicateObjectKeys
  a11y/useKeyWithClickEvents
  complexity/noUselessThisAlias
  correctness/noUnreachable
  suspicious/noFallthroughSwitchClause
  suspicious/noUnsafeDeclarationMerging
  complexity/noThisInStatic
  complexity/useOptionalChain
  correctness/noInnerDeclarations
  style/noParameterAssign
  suspicious/noDuplicateCase
  a11y/useValidAnchor
  complexity/useRegexLiterals
  correctness/noSelfAssign
  correctness/noInvalidBuiltinInstantiation
  nursery/useGuardForIn
  style/noUselessElse
  style/useShorthandFunctionType
  correctness/noInvalidDirectionInLinearGradient
  nursery/noValueAtRule
  style/useSingleCaseStatement
  suspicious/noShadowRestrictedNames
  nursery/noMissingVarFunction
  a11y/useMediaCaption
  complexity/noUselessLabel
  complexity/noUselessCatch
  suspicious/noImportantInKeyframe
  correctness/noUnsafeFinally
  a11y/useAriaPropsForRole
  style/useCollapsedElseIf
  correctness/noNonoctalDecimalEscape
  style/useEnumInitializers
  a11y/useHtmlLang
  suspicious/noDuplicateTestHooks
  complexity/noStaticOnlyClass
  style/useWhile
  complexity/useArrowFunction
  style/noInferrableTypes
  a11y/noNoninteractiveTabindex
  complexity/useSimpleNumberKeys
  correctness/useYield
  a11y/noInteractiveElementToNoninteractiveRole
  style/useNumericLiterals
  correctness/noUnnecessaryContinue
  suspicious/noApproximativeNumericConstant
  suspicious/noImportAssign
  suspicious/noLabelVar
  correctness/noGlobalObjectCalls
  suspicious/useDefaultSwitchClauseLast
  correctness/noEmptyCharacterClassInRegex
  correctness/noUnknownUnit
  a11y/useAltText
  suspicious/noSparseArray
  a11y/useIframeTitle
  complexity/noBannedTypes
  a11y/noSvgWithoutTitle
  correctness/noVoidElementsWithChildren
  style/useAsConstAssertion
  correctness/useJsxKeyInIterable
  style/useExportType
  suspicious/noSuspiciousSemicolonInJsx
  complexity/noUselessLoneBlockStatements
  style/noArguments
  a11y/useValidAriaValues
  nursery/noUnknownPseudoClass
  suspicious/noCommentText
  a11y/useFocusableInteractive
  correctness/noUnmatchableAnbSelector
  suspicious/noDebugger
  suspicious/noDuplicateJsxProps
  style/useFragmentSyntax
  a11y/noPositiveTabindex
  correctness/noEmptyPattern
  complexity/noExcessiveNestedTestSuites
  performance/noReExportAll
  a11y/useKeyWithMouseEvents
  security/noDangerouslySetInnerHtmlWithChildren
  suspicious/noExtraNonNullAssertion
  correctness/noRenderReturnValue
  correctness/useExhaustiveDependencies
  nursery/noUnknownPseudoElement
  nursery/noSecrets
  a11y/noRedundantRoles
  complexity/useFlatMap
  correctness/useIsNan
  correctness/useHookAtTopLevel
  correctness/noUnusedVariables
  security/noGlobalEval
  style/noNonNullAssertion
  style/useConst
  nursery/noIrregularWhitespace
  style/useConsistentBuiltinInstantiation
  style/noYodaExpression
  security/noDangerouslySetInnerHtml
  style/useNodejsImportProtocol
  a11y/noDistractingElements
  nursery/useValidAutocomplete
  complexity/noWith
  style/useConsistentArrayType
  style/useForOf
  suspicious/noArrayIndexKey
  complexity/noExtraBooleanCast
  performance/noAccumulatingSpread
  a11y/useValidAriaProps
  a11y/noRedundantAlt
  correctness/noChildrenProp
  correctness/noUnknownFunction
  correctness/noInvalidPositionAtImportRule
  suspicious/noAsyncPromiseExecutor
  suspicious/noConfusingLabels
  suspicious/noDuplicateClassMembers
  suspicious/noDuplicateFontNames
  suspicious/noGlobalAssign
  suspicious/noGlobalIsFinite
  suspicious/noMisleadingInstantiator
  suspicious/noPrototypeBuiltins
  suspicious/noThenProperty
  suspicious/useGetterReturn
  suspicious/noConfusingVoidType
  suspicious/noFocusedTests
  a11y/useButtonType
  a11y/useSemanticElements
  suspicious/noShorthandPropertyOverrides
  a11y/noAriaUnsupportedElements
  correctness/noInvalidGridAreas
  nursery/noUnknownTypeSelector
  correctness/noFlatMapIdentity
  style/useShorthandAssign
  suspicious/noSelfCompare
  suspicious/useErrorMessage
  a11y/noBlankTarget
  a11y/useHeadingContent
  correctness/useValidForDirection
  correctness/noVoidTypeReturn
  correctness/noInvalidUseBeforeDeclaration
  a11y/noAriaHiddenOnFocusable
  a11y/useGenericFontNames
  correctness/noUnknownMediaFeatureName
  a11y/useAnchorContent
  complexity/noUselessRename
  nursery/noUselessEscapeInRegex
  nursery/noSubstr
  complexity/noUselessConstructor
  a11y/noAccessKey
  style/useExponentiationOperator
  style/noUnusedTemplateLiteral
  complexity/noUselessSwitchCase
  style/useNumberNamespace
  correctness/noUndeclaredVariables
  nursery/noStaticElementInteractions
  nursery/useAriaPropsSupportedByRole
  nursery/useAdjacentOverloadSignatures
  style/useSingleVarDeclarator
  style/useBlockStatements
  suspicious/noExportsInTest
  a11y/noNoninteractiveElementToInteractiveRole
  nursery/noTemplateCurlyInString
  style/noCommaOperator
  suspicious/useAwait
  suspicious/noDuplicateAtImportRules
  suspicious/useIsArray
  a11y/noHeaderScope
  complexity/noUselessFragments
  suspicious/noMisrefactoredShorthandAssign
  suspicious/noEmptyBlock
  complexity/noForEach
  correctness/noUnusedImports
  suspicious/noFunctionAssign

Workspace:
  Open Documents:               0

Rule name

lint/nursery/noSecrets

Playground link

https://biomejs.dev/playground/?lintRules=all&code=dAAoACIAbQBpAHMAcwBpAG4AZwBUAHIAYQBuAHMAbABhAHQAaQBvAG4AIgApAA%3D%3D

Expected result

Due to a bug in the implementation of the no_secrets rule, the entropyThreshold setting does not have any observable effect. Because the base_treshold is always added to the result of the entropy calculation, it has no purpose because it is meaningless to do base_threshold + adjusted_entropy > base_threshold.

(Due to type conversions f64 <-> u16, the actual comparison is more like floor(base_threshold + adjusted_entropy) > base_threshold)

biome/crates/biome_js_analyze/src/lint/nursery/no_secrets.rs

Lines 493 to 502 in fbf4b3d

	fn apply_exponential_entropy_scaling(
	entropy: f64,
	token_length: usize,
	base_threshold: f64,
	scaling_factor: f64,
	) -> f64 {
	// We will apply a logarithmic dampening to prevent excessive scaling for long tokens
	let scaling_adjustment = (token_length as f64 / scaling_factor).ln();
	base_threshold + entropy * scaling_adjustment
	}

biome/crates/biome_js_analyze/src/lint/nursery/no_secrets.rs

Lines 385 to 389 in fbf4b3d

	let entropy =
	calculate_entropy_with_case_and_classes(token, *entropy_threshold as f64, 15.0);
	if (entropy as u16) > *entropy_threshold {
	return Some("Detected high entropy string");
	}

Code of Conduct

• I agree to follow Biome's Code of Conduct

[urothis]

Just came across this issue as well, tracking so we can stop biome ignoring all of our arns, hopefully.

[ematipico]

@SaadBazaz could you please look at this issue? Unfortunately I don't know the rule enough to provide a fix. Help is welcome

[SaadBazaz]

Oh yikes I didn't see this, thanks for retagging me @ematipico . I will try looking at it this week.