
Scan timing: clone 5.23s · analysis 2.05s · 47.8 MB · GitHub API rate-limit (preflight)

stamparm/maltrail

https://github.com/stamparm/maltrail · scanned 2026-05-31 01:25 UTC (5 days, 7 hours ago) · 10 languages

173 findings (87 legacy + 86 scanner) · 11/13 scanners ran · 38th percentile · Python · small (2-20K LoC) · Scanner says 89 (lower by 25)


Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 130 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            55.0     0.15           8.25
security_score            100.0     0.25          25.00
testing_score               0.0     0.20           0.00
documentation_score        97.0     0.15          14.55
practices_score            67.0     0.15          10.05
code_quality               61.0     0.10           6.10
Overall                              1.00          63.9
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary Repository scanned at 89.1/100 with 100.0% coverage. It contains 1443 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 43 findings — concentrated in quality (27), security (5), frontend (3). Risk profile is high: 0 critical, 1 high, 8 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 116 of 130 findings.

critical Legacy software dependency conf 0.90 ✓ Repobility [MINED127] Cryptominer signature: `supportxmr`: Source contains a known cryptominer signature (`supportxmr`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a tutorial — but it warrants immediate investigation. Mining pool URLs in production code are almost never legitimate.
Verify the file's provenance — when was it added, by whom, in what PR. Search the repo for related indicators (binary blobs, outbound network calls, base64-encoded shell scripts).
html/js/demo.js:30 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED127] Cryptominer signature: `xmrig`: Source contains a known cryptominer signature (`xmrig`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a tutorial — but it warrants immediate investigation. Mining pool URLs in production code are almost never legitimate.
Verify the file's provenance — when was it added, by whom, in what PR. Search the repo for related indicators (binary blobs, outbound network calls, base64-encoded shell scripts).
html/js/demo.js:223 · dependency · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
core/common.py:137 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
server.py:117 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
core/parallel.py:106 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._format` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self._format`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._format = <default>` in __init__, or add a class-level default.
core/httpd.py:210 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.data` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.data`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.data = <default>` in __init__, or add a class-level default.
core/httpd.py:134 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.end_headers = <default>` in __init__, or add a class-level default.
core/httpd.py:224 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.headers` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.headers = <default>` in __init__, or add a class-level default.
core/httpd.py:212 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.headers` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.headers = <default>` in __init__, or add a class-level default.
core/httpd.py:168 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.path = <default>` in __init__, or add a class-level default.
core/httpd.py:200 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.path = <default>` in __init__, or add a class-level default.
core/httpd.py:162 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.path = <default>` in __init__, or add a class-level default.
core/httpd.py:128 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:195 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:193 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:192 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:174 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:186 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:183 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:182 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:181 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:213 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:199 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_header = <default>` in __init__, or add a class-level default.
core/httpd.py:222 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_response = <default>` in __init__, or add a class-level default.
core/httpd.py:173 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_response = <default>` in __init__, or add a class-level default.
core/httpd.py:180 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.send_response = <default>` in __init__, or add a class-level default.
core/httpd.py:198 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.socket` used but never assigned in __init__: Method `server_bind` of class `ThreadingServer` reads `self.socket`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.socket = <default>` in __init__, or add a class-level default.
core/httpd.py:85 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.wfile = <default>` in __init__, or add a class-level default.
core/httpd.py:228 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.wfile = <default>` in __init__, or add a class-level default.
core/httpd.py:230 · quality · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-release.yml:14 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `python:3` not pinned by digest: `FROM python:3` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM python:3@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/Dockerfile:1 · dependency · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
trails/feeds/fareit.py:23 · injection · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
trails/feeds/cybercrimetracker.py:23 · injection · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
trails/feeds/atmos.py:23 · injection · legacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
docker/docker-compose.yml:14 · docker · legacy
high Legacy cicd docker conf 0.92 Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
docker/Dockerfile:23 · docker · legacy
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in thirdparty/six/__init__.py:740
Found a known-risky pattern (exec_used). Review and replace if possible.
thirdparty/six/__init__.py:740 · owasp · exec_used
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
core/common.py:281 · error_handling · legacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
html/js/errorhandler.js:19 · error_handling · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/common.py:274 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/common.py:61 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/settings.py:447 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/update.py:168 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/update.py:377 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/update.py:330 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/update.py:355 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/update.py:61 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/update.py:344 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/update.py:82 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/log.py:264 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:343 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:820 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:598 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:406 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:490 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:448 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:286 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:91 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/httpd.py:862 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
core/datatype.py:34 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
sensor.py:1076 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
sensor.py:1106 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
sensor.py:1017 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
sensor.py:882 · quality · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `pcapy-ng` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `pcapy-ng` with `pcapy-ng==<version>` and manage upgrades through PRs / Dependabot.
requirements.txt:1 · dependency · legacy
medium Legacy security path_traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
core/common.py:191 · path_traversal · legacy
medium Legacy quality quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
server.py:60 · quality · legacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore · docker · legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
docker/Dockerfile:1 · docker · legacy
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-release.yml:17 · supply-chain · github-actions · pinned-dependencies
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in core/settings.py:192
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
core/settings.py:192 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in sensor.py:1072
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
sensor.py:1072 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in html/js/thirdparty.min.js:1840
Found a known-risky pattern (weak_hash). Review and replace if possible.
html/js/thirdparty.min.js:1840 · owasp · weak_hash
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — sensor.py:1078
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverage · auth
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 79 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
testscoverage
low · Legacy · quality / quality · conf 1.00
  [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
  Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
  Location: html/js/errorhandler.js:13
  Tags: quality, legacy

high · Legacy · cicd / docker · conf 0.56
  Compose service does not declare a runtime user
  Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
  Location: docker/docker-compose.yml:14
  Tags: docker, legacy

high · Legacy · cicd / docker · conf 0.62
  Compose service lacks no-new-privileges hardening
  Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
  Location: docker/docker-compose.yml:14
  Tags: docker, legacy

high · Legacy · quality / quality · conf 0.86
  Duplicated implementation block across source files
  Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
  Location: trails/feeds/ransomwaretrackerurl.py:11
  Tags: quality, legacy

high · Legacy · quality / quality · conf 0.86
  Duplicated implementation block across source files
  Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
  Location: trails/feeds/ransomwaretrackerip.py:7
  Tags: quality, legacy
low · 9-layer · hardware / coverage · conf 1.00
  Containers defined but no K8s/orchestration manifest found
  Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
  Tags: coverage, deployment

low · 9-layer · hardware / supply-chain · conf 1.00
  Docker base image is tag-pinned but not digest-pinned: python:3
  Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
  Location: docker/Dockerfile:1
  Tags: supply-chain, docker, pinned-dependencies

low · 9-layer · software / dead-code-candidate · conf 1.00
  File has no detected symbols: core/compat.py
  Source file with no class/function declarations — possible config, dead code, or scratch file.
  Tags: dead-code-candidate

low · 9-layer · software / dead-code-candidate · conf 1.00
  File has no detected symbols: html/js/errorhandler.js
  Source file with no class/function declarations — possible config, dead code, or scratch file.
  Tags: dead-code-candidate

low · 9-layer · cicd / supply-chain · conf 1.00
  GitHub Action is tag-pinned rather than SHA-pinned
  actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
  Location: .github/workflows/docker-release.yml:14
  Tags: supply-chain, github-actions, pinned-dependencies

low · 9-layer · quality / integrity · conf 1.00
  Legacy-named symbol `check_deprecated` in core/settings.py:503
  Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
  Tags: integrity, legacy-marker, dead-code

low · 9-layer · quality / integrity · conf 1.00
  Legacy-named symbol `flash_copy` in html/js/thirdparty.min.js:867
  Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
  Tags: integrity, legacy-marker, dead-code
low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:exec_module, thirdparty/six/__init__.py:exec_ This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:get_unbound_function, thirdparty/six/__init__.py:get_unbound_function This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're se…
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:create_unbound_method, thirdparty/six/__init__.py:create_unbound_method This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're …
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:iterkeys, thirdparty/six/__init__.py:iterkeys This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:itervalues, thirdparty/six/__init__.py:itervalues This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:iteritems, thirdparty/six/__init__.py:iteritems This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:iterlists, thirdparty/six/__init__.py:iterlists This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:b, thirdparty/six/__init__.py:b This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:u, thirdparty/six/__init__.py:u This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: thirdparty/six/__init__.py:print_, thirdparty/six/__init__.py:print_ This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: core/httpd.py:finish_request, core/httpd.py:finish This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 2 places
  Functions with the same first-5-line body hash: core/common.py:cdn_ip, core/common.py:bogon_ip This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 3 places
  Functions with the same first-5-line body hash: trails/feeds/cybercrimetracker.py:fetch, trails/feeds/fareit.py:fetch, trails/feeds/atmos.py:fetch This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're …
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 30 places
  Functions with the same first-5-line body hash: trails/feeds/ransomwaretrackerip.py:fetch, trails/feeds/openphish.py:fetch, trails/feeds/blackholemonster.py:fetch, trails/feeds/binarydefense.py:fetch This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/a…
  Tags: integrity, duplicate, dry

low · 9-layer · quality / integrity · conf 1.00
  Near-duplicate function bodies in 6 places
  Functions with the same first-5-line body hash: trails/feeds/gpfcomics.py:fetch, trails/feeds/cleantalk.py:fetch, trails/feeds/emergingthreatscip.py:fetch, trails/feeds/ciarmy.py:fetch This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene)…
  Tags: integrity, duplicate, dry
low · 9-layer · frontend / frontend-quality · conf 1.00
  Stray `console.log` in TS/JS — html/js/main.js:1091
  Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
  Tags: frontend-quality, fq.console-leak

low · 9-layer · frontend / frontend-quality · conf 1.00
  Stray `console.log` in TS/JS — html/js/thirdparty.min.js:722
  Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
  Tags: frontend-quality, fq.console-leak

low · 9-layer · quality / integrity · conf 1.00
  Stub function `exec_module` (body is just `pass`/`return`) — thirdparty/six/__init__.py:239
  Likely an AI scaffold that was never filled in. Remove or implement.
  Tags: integrity, empty-handler, dead-code

low · 9-layer · quality / integrity · conf 1.00
  Stub function `log_message` (body is just `pass`/`return`) — core/httpd.py:280
  Likely an AI scaffold that was never filled in. Remove or implement.
  Tags: integrity, empty-handler, dead-code

low · 9-layer · quality / complexity · conf 1.00
  Very large file: html/js/demo.js (2509 lines)
  Files with >800 lines often hide complexity hotspots and discourage tests.
  Tags: complexity

low · 9-layer · quality / complexity · conf 1.00
  Very large file: html/js/main.js (3054 lines)
  Files with >800 lines often hide complexity hotspots and discourage tests.
  Tags: complexity

low · 9-layer · quality / complexity · conf 1.00
  Very large file: html/js/thirdparty.min.js (1874 lines)
  Files with >800 lines often hide complexity hotspots and discourage tests.
  Tags: complexity

low · 9-layer · quality / complexity · conf 1.00
  Very large file: sensor.py (1357 lines)
  Files with >800 lines often hide complexity hotspots and discourage tests.
  Tags: complexity

low · Legacy · quality / quality · conf 1.00
  ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
  Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
  Location: trails/feeds/ciarmy.py:10
  Tags: quality, legacy

low · Legacy · quality / quality · conf 1.00
  ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
  Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
  Location: trails/feeds/bruteforceblocker.py:10
  Tags: quality, legacy

low · Legacy · quality / quality · conf 1.00
  ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
  Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
  Location: core/common.py:65
  Tags: quality, legacy

This page is publicly accessible at: https://repobility.com/scan/0d172410-289d-4523-b02b-2f08ebb486f4/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/0d172410-289d-4523-b02b-2f08ebb486f4/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.