Skip to content

GSoC 2026 Module B — Week 4: evaluation harness + recall-first gold corrections + prompt tuning#976

Merged
Pa04rth merged 4 commits into
OWASP:mainfrom
manshusainishab:module_b_w4
Jul 11, 2026
Merged

GSoC 2026 Module B — Week 4: evaluation harness + recall-first gold corrections + prompt tuning#976
Pa04rth merged 4 commits into
OWASP:mainfrom
manshusainishab:module_b_w4

Conversation

@manshusainishab

Copy link
Copy Markdown
Contributor

Summary

Adds the Module B evaluation harness and uses it to tune Stage 2 toward the
mid-evaluation target. Measures the full gate (regex → sanitize → LLM
classifier) against the labeled dataset under the recall-first rule.

Result on the 100-record labeled set: accuracy 0.93, KNOWLEDGE recall
1.00 (zero security chunks dropped), NOISE recall 0.84, NOISE precision
1.00. The remaining misses are all safe-direction (NOISE → KNOWLEDGE false
positives that the downstream stage re-judges), never lost knowledge.

What's added / changed

  • scripts/evaluate_noise_filter.py (new) — evaluation harness. Runs the
    labeled set through the real gate, scores against gold, and reports the
    recall-first headline (KNOWLEDGE recall + KNOWLEDGE→NOISE leakage), a 3×3
    confusion matrix, per-class precision/recall/F1, mean confidence, and a
    Stage-2-only breakdown. Flags: --limit, --threshold, --model,
    --batch-size, --no-regex, --out.
  • application/tests/noise_filter/fixtures/labeled_data.json — 9 label
    corrections for consistency with the recall-first rule:
    • 5 worked security examples (attack-scenario walkthroughs, DOM-XSS
      dangerous-sink catalogs) UNCERTAIN → KNOWLEDGE.
    • 4 heading/title-only chunks (a bare title or subheading with no body)
      KNOWLEDGE → NOISE, matching how such chunks were already labeled
      elsewhere. New distribution: 56 KNOWLEDGE / 44 NOISE.
  • application/utils/noise_filter/prompts.py — sharpened the NOISE
    definition to distinguish security knowledge from content about a security
    project
    (release/version notes, licenses, translations, reference-format
    docs, titles/banners, event teasers are NOISE even when they name a security
    standard), plus 2 hard-negative few-shots. Few-shot mix is now 5/5/2.
  • application/tests/noise_filter/llm_classifier_test.py — updated the
    few-shot distribution assertion.

How to run

python scripts/evaluate_noise_filter.py # full dataset
python scripts/evaluate_noise_filter.py --limit 10 # quick smoke run

The harness makes real LLM calls using CRE_NOISE_FILTER_LLM_MODEL
(default gemini/gemini-2.5-flash-lite, auth via the existing GEMINI_API_KEY).

Testing

  • Module B suite: 85/85 pass; black --check clean.
  • No production classifier/config code changed in this PR — only the prompt,
    the labeled fixture, and the new harness.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 52631142-2508-4ed0-979e-43e4beca2def

📥 Commits

Reviewing files that changed from the base of the PR and between 548daad and ba34b8b.

📒 Files selected for processing (1)
  • scripts/evaluate_noise_filter.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/evaluate_noise_filter.py

Summary by CodeRabbit

  • Improvements

    • Enhanced noise-filtering guidance to more reliably separate real security-knowledge content from headings, metadata, project names, and licensing entries.
    • Refined classifier examples and labeling for clearer NOISE vs KNOWLEDGE/UNCERTAIN distinctions.
  • Testing

    • Updated noise-filtering fixtures and few-shot expectations to match the revised labeling rules.
  • Tools / Evaluation

    • Added a new evaluation harness that runs staged classification and reports per-label metrics, confusion matrix, and confidence behavior.

Walkthrough

The noise-filter prompt and labeled fixtures are updated to refine NOISE and KNOWLEDGE classifications. A new evaluation CLI runs regex, sanitization, and batched LLM stages, applies confidence thresholds, reports metrics, and writes per-record CSV results.

Changes

Noise filter classification and evaluation

Layer / File(s) Summary
Classification guidance and expected labels
application/utils/noise_filter/prompts.py, application/tests/noise_filter/llm_classifier_test.py, application/tests/noise_filter/fixtures/labeled_data.json
The NOISE criteria and few-shot examples are expanded, the expected NOISE count is updated, and several fixture classifications and rationales are revised.
Staged evaluation harness
scripts/evaluate_noise_filter.py
Adds evaluation data structures, dataset loading, optional regex filtering, sanitization, batched LLM classification, and confidence remapping.
Evaluation metrics and CSV results
scripts/evaluate_noise_filter.py
Computes accuracy, recall-first measures, confusion-matrix metrics, and LLM-stage statistics, then writes per-record CSV results.
Evaluation command-line entry point
scripts/evaluate_noise_filter.py
Adds CLI options for dataset selection, record limits, thresholds, batching, model overrides, regex control, and CSV output.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

  • OWASP/OpenCRE#947: Directly overlaps with the noise-filter prompt, few-shot examples, and label-distribution test updates.

Suggested reviewers: Pa04rth, northdpole

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 30.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately reflects the main changes: an evaluation harness, label corrections, and prompt tuning.
Description check ✅ Passed The description matches the implemented changes and correctly summarizes the harness, fixture updates, and prompt tuning.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
scripts/evaluate_noise_filter.py (1)

116-116: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add strict=True to zip()

This catches a survivor/result length mismatch instead of silently truncating predictions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/evaluate_noise_filter.py` at line 116, Update the zip call in the
survivors/results iteration to pass strict=True, ensuring mismatched survivor,
gold, and result lengths raise an error instead of being silently truncated.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/evaluate_noise_filter.py`:
- Line 162: Guard the accuracy calculation in the evaluation output around the
`correct / total` expression so a zero `total` does not raise an exception.
Preserve the existing formatted accuracy output for nonzero totals and emit an
appropriate zero/empty-result value when no valid records are available.

---

Nitpick comments:
In `@scripts/evaluate_noise_filter.py`:
- Line 116: Update the zip call in the survivors/results iteration to pass
strict=True, ensuring mismatched survivor, gold, and result lengths raise an
error instead of being silently truncated.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 5b55ef4d-78c8-4478-a191-2c1d9ed5a93b

📥 Commits

Reviewing files that changed from the base of the PR and between 19f12ba and 548daad.

📒 Files selected for processing (4)
  • application/tests/noise_filter/fixtures/labeled_data.json
  • application/tests/noise_filter/llm_classifier_test.py
  • application/utils/noise_filter/prompts.py
  • scripts/evaluate_noise_filter.py

Comment thread scripts/evaluate_noise_filter.py
@Pa04rth Pa04rth merged commit 6b6a5ac into OWASP:main Jul 11, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants