Issue Detection
Pattern Matching for Bugs and Vulnerabilities
Two Approaches to Detection
Code review tools use two complementary detection strategies:
Rule-based detection is fast, deterministic, and explainable. A regex that matches innerHTML = will catch XSS vulnerabilities in milliseconds, every time, with zero ambiguity about why it flagged. The downside: rules only catch what you explicitly code for.
AI-powered detection catches nuanced issues that rules miss -- subtle logic errors, design problems, or context-dependent bugs. The downside: it's slower, non-deterministic, and harder to explain. "The model thinks this might be a bug" is less convincing than "this matches the SQL injection pattern."
Production code review systems run rules first (milliseconds), then use AI for the issues rules can't catch (seconds). Your detector pipeline implements the rule-based layer -- the foundation that AI analysis builds on.
Bug Detection Patterns
The most common bugs caught by static analysis:
Missing null checks -- Property chain access (obj.prop.subprop) on variables that could be null. The detector scans for property chains and checks if the surrounding context includes a guard (if (obj), obj?., or obj &&). Missing guards are flagged.
Off-by-one errors -- Loop boundaries using <= with array.length instead of <. Arrays are zero-indexed, so i <= arr.length iterates one past the end. This is the single most common bug pattern in loop-heavy code.
Race conditions -- Read-modify-write sequences on shared state without synchronization. The pattern: read a value, compute a new value, write it back. If two concurrent requests interleave, the second overwrites the first. The detector looks for increment/update patterns without lock, mutex, or transaction context.
Unhandled promise rejections -- Async calls without try/catch or .catch() handlers. In Node.js, unhandled promise rejections crash the process. The detector scans for await or fetch() without surrounding error handling.
Security Scanning
Security vulnerabilities are the highest-priority findings in code review:
| Vulnerability | Detection Pattern | Fix |
|---|---|---|
| SQL injection | String interpolation in query context | Parameterized queries |
| XSS | User input in `innerHTML` or `dangerouslySetInnerHTML` | Use `textContent`, sanitize |
| Hardcoded secrets | API key patterns: `sk_live_`, `AKIA`, literal passwords | Environment variables |
| Insecure crypto | MD5/SHA1 for password hashing | bcrypt, scrypt, argon2 |
The SQL injection detector looks for template literals or string concatenation inside database query functions. The pattern is language-agnostic -- whether the code uses PostgreSQL, MySQL, or MongoDB, string interpolation in queries is always dangerous.
Complexity Analysis
High complexity correlates with bugs. Two metrics capture different aspects:
Cyclomatic complexity counts independent paths through a function. Every if, else, for, while, case, catch, &&, || adds one path. A function with cyclomatic complexity of 14 needs 14 test cases for full coverage. The threshold is typically 10.
Cognitive complexity measures how hard code is to understand. Unlike cyclomatic complexity, it penalizes nesting: an if inside a for inside a try scores higher than three sequential if statements. This better predicts where developers will struggle during review.
False Positive Management
A detector that flags everything is worse than no detector. Every false positive costs developer attention and erodes trust. The key mechanisms:
// eslint-disable-next-line comment signals the developer is aware.// review-ignore: rule-id to suppress specific rules on specific lines.This is chapter 2 of AI Code Review Agent.
Get the full hands-on course — free during early access. Build the complete system. Your projects become your portfolio.
View course details