fix(linter): reduce noSecrets false positives on CamelCase identifiers (#8832)

Exudev · autofix-ci[bot] · web-flow · commit b08270b21b53 · 2026-01-22T17:36:08.000-05:00
Co-authored-by: autofix-ci[bot] &lt;114827586+autofix-ci[bot]@users.noreply.github.com&gt;
diff --git a/.changeset/brave-camels-dance.md b/.changeset/brave-camels-dance.md
@@ -0,0 +1,7 @@
+---
+"@biomejs/biome": patch
+---
+
+Fixed [#8809](https://github.com/biomejs/biome/issues/8809), [#7985](https://github.com/biomejs/biome/issues/7985), and [#8136](https://github.com/biomejs/biome/issues/8136): the `noSecrets` rule no longer reports false positives on common CamelCase identifiers like `paddingBottom`, `backgroundColor`, `unhandledRejection`, `uncaughtException`, and `IngestGatewayLogGroup`.
+
+The entropy calculation algorithm now uses "average run length" to distinguish between legitimate CamelCase patterns (which have longer runs of same-case letters) and suspicious alternating case patterns (which have short runs).
diff --git a/crates/biome_js_analyze/src/lint/security/no_secrets.rs b/crates/biome_js_analyze/src/lint/security/no_secrets.rs
@@ -418,11 +418,18 @@ Uses Shannon Entropy as a base algorithm, then adds "boosts" for special pattern
 For example, Continuous mixed cases (lIkE tHiS) are more likely to contribute to a higher score than single cases.
 Symbols also contribute highly to secrets.
 
-TODO: This needs work. False positives/negatives are highlighted in valid.js and invalid.js.
+Key insight: CamelCase/PascalCase has a predictable pattern where uppercase letters start "words"
+and are followed by runs of lowercase letters. Random/suspicious strings have more frequent
+case switches with shorter runs between them.
+
+We measure "average run length" - the average number of same-case letters before a switch.
+CamelCase has longer runs (e.g., "Gateway" = 1 upper + 6 lower = avg 3.5)
+Random alternating has short runs (e.g., "aBcDeF" = all runs of length 1)
 
 References:
 - ChatGPT chat: https://chatgpt.com/share/670370bf-3e18-8011-8454-f3bd01be0319
 - Original paper for Shannon Entropy: https://ieeexplore.ieee.org/abstract/document/6773024/
+- Fix for false positives on CamelCase: https://github.com/biomejs/biome/issues/8809
 */
 fn calculate_entropy_with_case_and_classes(data: &str) -> f64 {
     let shannon_entropy = shannon_entropy(data);
@@ -434,35 +441,56 @@ fn calculate_entropy_with_case_and_classes(data: &str) -> f64 {
     let mut digit_count = 0;
     let mut symbol_count = 0;
     let mut case_switches = 0;
-    let mut previous_char_was_upper = false;
+    let mut previous_was_upper: Option<bool> = None;
 
-    // Letter classification and case switching
-    for (i, c) in data.chars().enumerate() {
+    for c in data.chars() {
         if c.is_ascii_alphabetic() {
             letter_count += 1;
-            if c.is_uppercase() {
+            let is_upper = c.is_uppercase();
+
+            if is_upper {
                 uppercase_count += 1;
-                if i > 0 && !previous_char_was_upper {
-                    case_switches += 1;
-                }
-                previous_char_was_upper = true;
             } else {
                 lowercase_count += 1;
-                if i > 0 && previous_char_was_upper {
-                    case_switches += 1;
-                }
-                previous_char_was_upper = false;
             }
+
+            // Count case switches (transitions between upper and lower)
+            if let Some(prev_upper) = previous_was_upper
+                && prev_upper != is_upper
+            {
+                case_switches += 1;
+            }
+            previous_was_upper = Some(is_upper);
         } else if c.is_ascii_digit() {
             digit_count += 1;
         } else if !c.is_whitespace() {
             symbol_count += 1;
         }
     }
 
-    // Adjust entropy: case switches and symbol boosts
-    let case_entropy_boost = if uppercase_count > 0 && lowercase_count > 0 {
-        (case_switches as f64 / letter_count as f64) * 2.0
+    // Calculate case entropy boost based on case switch frequency
+    // The key metric is "average run length" = letters / (switches + 1)
+    // CamelCase has longer runs (lower boost), random alternating has short runs (higher boost)
+    let case_entropy_boost = if uppercase_count > 0 && lowercase_count > 0 && letter_count > 0 {
+        // average_run_length: higher = more CamelCase-like, lower = more random
+        // For "IngestGatewayLogGroup" (21 letters, 7 switches): avg_run = 21/8 = 2.625
+        // For "aBcDeFgHiJk" (11 letters, 10 switches): avg_run = 11/11 = 1.0
+        let average_run_length = letter_count as f64 / (case_switches + 1) as f64;
+
+        // Normalize: if avg_run >= 2.5, it's likely CamelCase (no boost)
+        // if avg_run = 1, it's perfectly alternating (full boost)
+        // Linear scale between 1 and 2.5, clamped
+        let camel_factor = if average_run_length >= 2.5 {
+            0.0 // CamelCase-like, no case boost
+        } else if average_run_length <= 1.0 {
+            1.0 // Perfectly alternating, full boost
+        } else {
+            // Linear interpolation: (2.5 - avg) / 1.5
+            (2.5 - average_run_length) / 1.5
+        };
+
+        let switch_density = case_switches as f64 / letter_count as f64;
+        switch_density * 2.0 * camel_factor
     } else {
         0.0
     };
@@ -557,4 +585,53 @@ mod tests {
             "Expected some entropy for digits, got {entropy}"
         );
     }
+
+    #[test]
+    fn test_camelcase_entropy() {
+        // CamelCase/PascalCase identifiers should have low entropy (below 4.1 threshold)
+        // These are common programming identifiers that should NOT trigger false positives
+        let entropy = calculate_entropy_with_case_and_classes("paddingBottom");
+        assert!(entropy < 4.1, "paddingBottom should not trigger: {entropy}");
+
+        let entropy = calculate_entropy_with_case_and_classes("IngestGatewayLogGroup");
+        assert!(
+            entropy < 4.1,
+            "IngestGatewayLogGroup should not trigger: {entropy}"
+        );
+
+        let entropy = calculate_entropy_with_case_and_classes("unhandledRejection");
+        assert!(
+            entropy < 4.1,
+            "unhandledRejection should not trigger: {entropy}"
+        );
+
+        let entropy = calculate_entropy_with_case_and_classes("backgroundColor");
+        assert!(
+            entropy < 4.1,
+            "backgroundColor should not trigger: {entropy}"
+        );
+
+        let entropy = calculate_entropy_with_case_and_classes("uncaughtException");
+        assert!(
+            entropy < 4.1,
+            "uncaughtException should not trigger: {entropy}"
+        );
+    }
+
+    #[test]
+    fn test_alternating_case_entropy() {
+        // Alternating case patterns should have high entropy (suspicious)
+        let entropy = calculate_entropy_with_case_and_classes("aBcDeFgHiJkLmNoPq");
+        assert!(entropy > 4.1, "Alternating case should trigger: {entropy}");
+    }
+
+    #[test]
+    fn test_secret_detection_unchanged() {
+        // Ensure real secrets with mixed case, digits, and symbols still trigger
+        let entropy = calculate_entropy_with_case_and_classes("AKIaSyD9mP+e2KqZ2S");
+        assert!(
+            entropy > 6.5,
+            "AWS-like key should still trigger: {entropy}"
+        );
+    }
 }
diff --git a/crates/biome_js_analyze/tests/specs/security/noSecrets/invalid.js b/crates/biome_js_analyze/tests/specs/security/noSecrets/invalid.js
@@ -18,6 +18,9 @@ const VAULT = {
   token: "AAAAAAAAAAAAAAAAAAAAAMLheAAAAAAA0%2BuSeid%2BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F"
 };
 
+// Alternating case patterns - SHOULD trigger (suspicious, unlike CamelCase)
+const suspiciousString = "aBcDeFgHiJkLmNoPq";
+
 // TODO: Get these to work, they seem common and important
 // const herokuApiKey = "abcd1234-5678-90ef-ghij-klmnopqrstuv";
 // const BASIC_AUTH_HEADER = "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l";
diff --git a/crates/biome_js_analyze/tests/specs/security/noSecrets/invalid.js.snap b/crates/biome_js_analyze/tests/specs/security/noSecrets/invalid.js.snap
@@ -24,6 +24,9 @@ const VAULT = {
   token: "AAAAAAAAAAAAAAAAAAAAAMLheAAAAAAA0%2BuSeid%2BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F"
 };
 
+// Alternating case patterns - SHOULD trigger (suspicious, unlike CamelCase)
+const suspiciousString = "aBcDeFgHiJkLmNoPq";
+
 // TODO: Get these to work, they seem common and important
 // const herokuApiKey = "abcd1234-5678-90ef-ghij-klmnopqrstuv";
 // const BASIC_AUTH_HEADER = "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l";
@@ -419,3 +422,25 @@ invalid.js:18:10 lint/security/noSecrets ━━━━━━━━━━━━━
   
 
 ```
+
+```
+invalid.js:22:26 lint/security/noSecrets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  i Potential secret found.
+  
+    21 │ // Alternating case patterns - SHOULD trigger (suspicious, unlike CamelCase)
+  > 22 │ const suspiciousString = "aBcDeFgHiJkLmNoPq";
+       │                          ^^^^^^^^^^^^^^^^^^^
+    23 │ 
+    24 │ // TODO: Get these to work, they seem common and important
+  
+  i Type of secret detected: Detected high entropy string
+  
+  i Storing secrets in source code is a security risk. Consider the following steps:
+    1. Remove the secret from your code. If you've already committed it, consider removing the commit entirely from your git tree.
+    2. If needed, use environment variables or a secure secret management system to store sensitive data.
+    3. If this is a false positive, consider adding an inline disable comment, or tweak the entropy threshold. See options in our docs.
+    This rule only catches basic vulnerabilities. For more robust, proper solutions, check out our recommendations at: https://biomejs.dev/linter/rules/no-secrets/#recommendations
+  
+
+```
diff --git a/crates/biome_js_analyze/tests/specs/security/noSecrets/valid.js b/crates/biome_js_analyze/tests/specs/security/noSecrets/valid.js
@@ -35,6 +35,13 @@ const tailwindConfigOptions = {
 }
 export const url = 'https://www.nytimes.com/2024/03/05/arts/design/pritzker-prize-riken-yamamoto-architecture.html'
 
+// CamelCase/PascalCase identifiers - should NOT trigger (fix for #8809, #7985, #8136)
+const paddingBottomValue = "paddingBottom";
+const bgColorProperty = "backgroundColor";
+const rejectionHandler = "unhandledRejection";
+const exceptionType = "uncaughtException";
+const logGroupName = "IngestGatewayLogGroup";
+
 // TODO: Remove these false positives, they unfortunately hurt the user experience.
 // const NAMESPACE_CLASSNAME = 'Validation.JSONSchemaValidationUtilsImplFactory';
 // const BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
diff --git a/crates/biome_js_analyze/tests/specs/security/noSecrets/valid.js.snap b/crates/biome_js_analyze/tests/specs/security/noSecrets/valid.js.snap
@@ -41,6 +41,13 @@ const tailwindConfigOptions = {
 }
 export const url = 'https://www.nytimes.com/2024/03/05/arts/design/pritzker-prize-riken-yamamoto-architecture.html'
 
+// CamelCase/PascalCase identifiers - should NOT trigger (fix for #8809, #7985, #8136)
+const paddingBottomValue = "paddingBottom";
+const bgColorProperty = "backgroundColor";
+const rejectionHandler = "unhandledRejection";
+const exceptionType = "uncaughtException";
+const logGroupName = "IngestGatewayLogGroup";
+
 // TODO: Remove these false positives, they unfortunately hurt the user experience.
 // const NAMESPACE_CLASSNAME = 'Validation.JSONSchemaValidationUtilsImplFactory';
 // const BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
