
Reduce false positives: Amplitude, placeholder, HTTP namespace URIs #1

Merged
Landseer100 merged 1 commit into RevylAI:main from olsenbudanur:fix/reduce-false-positives on Feb 13, 2026

Conversation

@olsenbudanur (Contributor) commented Feb 12, 2026

Summary

  • Amplitude SDK detection: Replaced bare (?i)(amplitude) regex with SDK-specific patterns (import Amplitude, Amplitude.instance, @amplitude/, etc.). The word "amplitude" is a common math/physics term (e.g. let amplitude: CGFloat = 8 for wave rendering) and was causing false positives on variable names and comments.
  • Placeholder content detection: Added ignore patterns for Swift/WidgetKit protocol method signatures like func placeholder(in context:), which is a required AppIntentTimelineProvider conformance — not actual placeholder text.
  • Insecure HTTP URL detection: Added w3.org, xmlns, DTD, and doctype to the ignore list. XML/SVG namespace URIs like http://www.w3.org/2000/svg are spec-defined identifiers, not network requests, and are unaffected by App Transport Security.

Context

All three false positives were encountered while running greenlight preflight on a SwiftUI iOS app with WidgetKit extensions and embedded HTML5 games using inline SVG.

Test plan

  • go build ./... passes
  • go test ./... passes
  • Verify Amplitude SDK is still detected when actually imported (e.g. import Amplitude)
  • Verify func placeholder(in context:) no longer triggers, but "placeholder text" in strings still does
  • Verify http://www.w3.org/2000/svg no longer triggers, but http://example-api.com/data still does

Important

Refines detection patterns for Amplitude SDK, placeholder content, and HTTP URLs to reduce false positives in code scanning.

  • Amplitude SDK Detection:
    • Replaced generic (?i)(amplitude) regex with specific patterns like import Amplitude, Amplitude.instance, @amplitude/ in rules.go and scanner.go.
  • Placeholder Content Detection:
    • Added ignore patterns for Swift/WidgetKit methods like func placeholder(in context:) in rules.go.
  • HTTP URL Detection:
    • Added w3.org, xmlns, DTD, and doctype to ignore list in rules.go for XML/SVG namespace URIs.


- Amplitude: require SDK-specific patterns (import, init, instance)
  instead of bare word match. The word "amplitude" is a common
  math/physics term (e.g. `let amplitude: CGFloat = 8`) and was
  triggering false positives on variable names and comments.

- Placeholder: add ignore patterns for Swift/WidgetKit protocol method
  signatures like `func placeholder(in context:)` which is a required
  AppIntentTimelineProvider conformance, not placeholder content.

- HTTP URLs: add w3.org, xmlns, DTD, and doctype to the ignore list.
  XML/SVG namespace URIs (e.g. `http://www.w3.org/2000/svg`) are
  spec-defined identifiers, not network requests, and are unaffected
  by App Transport Security.
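An added example, not code from the greenlight project, that runs the old bare-word Amplitude rule and the narrowed rule from this PR side by side over constructed Swift and Objective-C lines, and applies the extended HTTP ignore list to the URL cases from the test plan. The URL matcher, the localhost entries and the helper names are assumptions; only the two Amplitude regexes and the four new ignore terms come from the PR.

```go
package main

import (
	"fmt"
	"regexp"
)

// Old bare-word Amplitude rule (pre-PR) and the narrowed SDK-specific rule from the diff.
var (
	amplitudeOld = regexp.MustCompile(`(?i)(amplitude)`)
	amplitudeNew = regexp.MustCompile(`(?i)(import\s+Amplitude|AmplitudeSwift|amplitude\.init|Amplitude\.instance|amplitude-js|@amplitude/)`)
	// Insecure-HTTP rule with the ignore terms the PR adds (w3.org, xmlns, DTD, doctype).
	// The URL matcher and the localhost entries are assumptions, not copied from rules.go.
	httpURL    = regexp.MustCompile(`(?i)http://[^\s"'<>]+`)
	httpIgnore = regexp.MustCompile(`(?i)(localhost|127\.0\.0\.1|w3\.org|xmlns|DTD|doctype)`)
)

// AmplitudeFinding reports whether a source line triggers the given Amplitude rule.
func AmplitudeFinding(line string, pat *regexp.Regexp) bool { return pat.MatchString(line) }

// InsecureHTTPFinding reports a finding only for http:// URLs not covered by the ignore list.
func InsecureHTTPFinding(line string) bool {
	return httpURL.MatchString(line) && !httpIgnore.MatchString(line)
}

func main() {
	// Constructed sample lines modelled on the cases in the PR description and the Codex review.
	swiftAndObjC := []string{
		"let amplitude: CGFloat = 8 // wave rendering", // math term: old rule false positive
		"import Amplitude",                              // real SDK import: both rules flag it
		`Amplitude.instance().logEvent("open")`,
		"#import <Amplitude/Amplitude.h>", // Objective-C: old rule hits, new rule misses
		"[Amplitude instance]",            // Objective-C: same gap
	}
	for _, s := range swiftAndObjC {
		fmt.Printf("old=%-5v new=%-5v %s\n", AmplitudeFinding(s, amplitudeOld), AmplitudeFinding(s, amplitudeNew), s)
	}
	urls := []string{
		`<svg xmlns="http://www.w3.org/2000/svg">`,                                                  // namespace URI: ignored
		`<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">`, // DTD: ignored
		`let url = URL(string: "http://example-api.com/data")`,                                      // real request: flagged
	}
	for _, s := range urls {
		fmt.Printf("insecure=%-5v %s\n", InsecureHTTPFinding(s), s)
	}
}
```

The two Objective-C lines show why the Codex review below asks for the Objective-C forms to be added back: the narrowed rule no longer matches them at all.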

@ellipsis-dev (Bot) left a comment


Important

Looks good to me! 👍

Reviewed everything up to d400171 in 6 seconds.
  • Reviewed 45 lines of code in 2 files
  • Skipped 0 files when reviewing.
  • Skipped posting 0 draft comments.


@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d4001713a4


patterns: []*regexp.Regexp{
regexp.MustCompile(`(?i)(firebase.*analytics|google.*analytics|facebook.*sdk|fbsdk|adjust.*sdk|appsflyer|amplitude|mixpanel)`),
regexp.MustCompile(`(?i)(firebase.*analytics|google.*analytics|facebook.*sdk|fbsdk|adjust.*sdk|appsflyer|mixpanel)`),
regexp.MustCompile(`(?i)(import\s+Amplitude|AmplitudeSwift|amplitude\.init|Amplitude\.instance|amplitude-js|@amplitude/)`),
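Review bot: The narrowed Amplitude pattern `regexp.MustCompile(`(?i)(import\s+Amplitude|AmplitudeSwift|amplitude\.init|Amplitude\.instance|amplitude-js|@amplitude/)`)` lands without a regression test, even though the motivating false positive (`let amplitude: CGFloat = 8`) and the positive case (`import Amplitude`) are both spelled out in the test plan and only rules.go and scanner.go are touched; add a table-driven test with those two lines, plus the Objective-C forms `#import <Amplitude/Amplitude.h>` and `[Amplitude instance]` so the rule's intended coverage is pinned rather than left to `go test ./... passes`. Since the same pattern is duplicated in internal/privacy/scanner.go, define it once and reference it from both files so the two copies cannot drift.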

P1: Restore Objective-C Amplitude SDK matching

This pattern now only recognizes Swift/JS-specific forms (import Amplitude, Amplitude.instance, @amplitude/) and misses common Objective-C integrations such as #import <Amplitude/Amplitude.h> and [Amplitude instance]. In Objective-C apps, missing-att will no longer detect Amplitude usage, so the scanner can skip a real ATT compliance warning (5.1.2); this is a regression from the previous broader amplitude match, and the same narrowed pattern is also present in internal/privacy/scanner.go.

