40 of your 57 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

google/skia

https://github.com/google/skia · scanned 2026-06-05 14:20 UTC (5 days, 4 hours ago) · 10 languages

801 raw signals (55 security + 746 graph) · 11/13 scanners ran · 9th percentile · Cpp · medium (20-100K LoC) · System graph score 53 (higher by 5)


Complete repo analysis

Last scanned 5 days, 4 hours ago · v2 · 377 actionable findings from 2 signal sources. 29 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 17.0 | 0.20 | 3.40 |
| documentation_score | 54.0 | 0.15 | 8.10 |
| practices_score | 32.0 | 0.15 | 4.80 |
| code_quality | 80.0 | 0.10 | 8.00 |
| Overall | | 1.00 | 58.3 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary: Quality grade C (58/100). Dimensions: security 100, maintainability 60. 55 findings (1 security). 48,123 lines analyzed.

Showing 310 of 377 actionable findings. 406 raw detector signals were grouped into reader-sized issues.

high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/animated_gif.json (modules/canvaskit/tests/skottie_test.js:27)
`modules/canvaskit/tests/skottie_test.js:27` calls `GET /assets/animated_gif.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/animated_gif.json` If this points at an external API, prefix it with `https://…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/audio_external.json (modules/canvaskit/tests/skottie_test.js:245)
`modules/canvaskit/tests/skottie_test.js:245` calls `GET /assets/audio_external.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/audio_external.json` If this points at an external API, prefix it with `htt…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/brickwork-texture.jpg (modules/canvaskit/tests/rtshader_test.js:153)
`modules/canvaskit/tests/rtshader_test.js:153` calls `GET /assets/brickwork-texture.jpg` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/brickwork-texture.jpg` If this points at an external API, prefix it with…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/brickwork-texture.jpg (modules/canvaskit/tests/rtshader_test.js:248)
`modules/canvaskit/tests/rtshader_test.js:248` calls `GET /assets/brickwork-texture.jpg` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/brickwork-texture.jpg` If this points at an external API, prefix it with…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/Bungee-Regular.ttf (modules/canvaskit/tests/canvas2d_test.js:738)
`modules/canvaskit/tests/canvas2d_test.js:738` calls `GET /assets/Bungee-Regular.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/bungee-regular.ttf` If this points at an external API, prefix it with `http…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/Bungee-Regular.ttf (modules/canvaskit/tests/font_test.js:16)
`modules/canvaskit/tests/font_test.js:16` calls `GET /assets/Bungee-Regular.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/bungee-regular.ttf` If this points at an external API, prefix it with `https://`…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/flightAnim.gif (modules/canvaskit/tests/skottie_test.js:25)
`modules/canvaskit/tests/skottie_test.js:25` calls `GET /assets/flightAnim.gif` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/flightanim.gif` If this points at an external API, prefix it with `https://` so t…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/mandrill_512.png (modules/canvaskit/tests/canvas2d_test.js:574)
`modules/canvaskit/tests/canvas2d_test.js:574` calls `GET /assets/mandrill_512.png` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/mandrill_512.png` If this points at an external API, prefix it with `https://…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/mandrill_512.png (modules/canvaskit/tests/canvas2d_test.js:580)
`modules/canvaskit/tests/canvas2d_test.js:580` calls `GET /assets/mandrill_512.png` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/mandrill_512.png` If this points at an external API, prefix it with `https://…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/mandrill_512.png (modules/canvaskit/tests/core_test.js:155)
`modules/canvaskit/tests/core_test.js:155` calls `GET /assets/mandrill_512.png` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/mandrill_512.png` If this points at an external API, prefix it with `https://` so…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/mandrill_512.png (modules/canvaskit/tests/rtshader_test.js:156)
`modules/canvaskit/tests/rtshader_test.js:156` calls `GET /assets/mandrill_512.png` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/mandrill_512.png` If this points at an external API, prefix it with `https://…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/mandrill_512.png (modules/canvaskit/tests/rtshader_test.js:251)
`modules/canvaskit/tests/rtshader_test.js:251` calls `GET /assets/mandrill_512.png` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/mandrill_512.png` If this points at an external API, prefix it with `https://…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/map-shield.json (modules/canvaskit/tests/skottie_test.js:29)
`modules/canvaskit/tests/skottie_test.js:29` calls `GET /assets/map-shield.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/map-shield.json` If this points at an external API, prefix it with `https://` so…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/NotoColorEmoji.ttf (modules/canvaskit/tests/paragraph_test.js:21)
`modules/canvaskit/tests/paragraph_test.js:21` calls `GET /assets/NotoColorEmoji.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/notocoloremoji.ttf` If this points at an external API, prefix it with `http…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/NotoSerif-BoldItalic.ttf (modules/canvaskit/tests/paragraph_test.js:14)
`modules/canvaskit/tests/paragraph_test.js:14` calls `GET /assets/NotoSerif-BoldItalic.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/notoserif-bolditalic.ttf` If this points at an external API, prefix i…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/NotoSerif-Regular.ttf (modules/canvaskit/tests/font_test.js:7)
`modules/canvaskit/tests/font_test.js:7` calls `GET /assets/NotoSerif-Regular.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/notoserif-regular.ttf` If this points at an external API, prefix it with `http…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/NotoSerif-Regular.ttf (modules/canvaskit/tests/paragraph_test.js:7)
`modules/canvaskit/tests/paragraph_test.js:7` calls `GET /assets/NotoSerif-Regular.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/notoserif-regular.ttf` If this points at an external API, prefix it with …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/NotoSerif-Regular.ttf (modules/canvaskit/tests/skottie_test.js:37)
`modules/canvaskit/tests/skottie_test.js:37` calls `GET /assets/NotoSerif-Regular.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/notoserif-regular.ttf` If this points at an external API, prefix it with `…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/Roboto-Regular.otf (modules/canvaskit/tests/bidi_test.js:7)
`modules/canvaskit/tests/bidi_test.js:7` calls `GET /assets/Roboto-Regular.otf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/roboto-regular.otf` If this points at an external API, prefix it with `https://` …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/Roboto-Regular.otf (modules/canvaskit/tests/paragraph_test.js:28)
`modules/canvaskit/tests/paragraph_test.js:28` calls `GET /assets/Roboto-Regular.otf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/roboto-regular.otf` If this points at an external API, prefix it with `http…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/RobotoSlab-VariableFont_wght.ttf (modules/canvaskit/tests/paragraph_test.js:35)
`modules/canvaskit/tests/paragraph_test.js:35` calls `GET /assets/RobotoSlab-VariableFont_wght.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/robotoslab-variablefont_wght.ttf` If this points at an extern…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/skottie_basic_slots.json (modules/canvaskit/tests/skottie_test.js:31)
`modules/canvaskit/tests/skottie_test.js:31` calls `GET /assets/skottie_basic_slots.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/skottie_basic_slots.json` If this points at an external API, prefix it …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/skottie_inline_font.json (modules/canvaskit/tests/skottie_test.js:35)
`modules/canvaskit/tests/skottie_test.js:35` calls `GET /assets/skottie_inline_font.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/skottie_inline_font.json` If this points at an external API, prefix it …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/test_glyphs-glyf_colr_1.ttf (modules/canvaskit/tests/font_test.js:24)
`modules/canvaskit/tests/font_test.js:24` calls `GET /assets/test_glyphs-glyf_colr_1.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/test_glyphs-glyf_colr_1.ttf` If this points at an external API, prefix …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assets/text_edit.json (modules/canvaskit/tests/skottie_test.js:33)
`modules/canvaskit/tests/skottie_test.js:33` calls `GET /assets/text_edit.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/text_edit.json` If this points at an external API, prefix it with `https://` so t…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /gold_rpc/healthz (modules/canvaskit/tests/init_with_gold_server.js:21)
`modules/canvaskit/tests/init_with_gold_server.js:21` calls `GET /gold_rpc/healthz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/gold_rpc/healthz` If this points at an external API, prefix it with `https://` so th…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://cdn.skia.org/misc/lego_loader.json (demos.skia.org/demos/web_worker/main.js:9)
`demos.skia.org/demos/web_worker/main.js:9` calls `GET https://cdn.skia.org/misc/lego_loader.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/cdn.skia.org/misc/lego_loader.json` If this points at an exter…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://cdn.skia.org/misc/lego_loader.json (demos.skia.org/demos/web_worker/worker.js:9)
`demos.skia.org/demos/web_worker/worker.js:9` calls `GET https://cdn.skia.org/misc/lego_loader.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/cdn.skia.org/misc/lego_loader.json` If this points at an ext…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://upload.wikimedia.org/wikipedia/commons/3/30/Large_Gautama_Buddha_statue_in_Buddha_Park_of_Ravangla%2C_Sikkim.jpg (demos.skia.org/demos/image_decode_web_worker/main.js:8)
`demos.skia.org/demos/image_decode_web_worker/main.js:8` calls `GET https://upload.wikimedia.org/wikipedia/commons/3/30/Large_Gautama_Buddha_statue_in_Buddha_Park_of_Ravangla%2C_Sikkim.jpg` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path…
Dangling fetch · Fetch
high System graph security security conf 1.00 Insecure pattern 'eval_used' in platform_tools/android/apps/skottie/src/main/res/raw/workout_monkey_stay_healthy.json:1
Found a known-risky pattern (eval_used). Review and replace if possible.
platform_tools/android/apps/skottie/src/main/res/raw/workout_monkey_stay_healthy.json:1 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in resources/skottie/skottie-sksl-effect-2.json:408
Found a known-risky pattern (eval_used). Review and replace if possible.
resources/skottie/skottie-sksl-effect-2.json:408 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in gn/gn_to_bp_utils.py:101
Found a known-risky pattern (exec_used). Review and replace if possible.
gn/gn_to_bp_utils.py:101 Exec used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
medium Security checks quality Practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
low Security checks quality Error handling conf 0.55 ✓ Repobility 2 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
lines 471, 609
PRESUBMIT.py:471, 609 (2 hits)
Error handling · quality
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — demos.skia.org/demos/image_decode_web_worker/main.js:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — demos.skia.org/demos/web_worker/main.js:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — demos.skia.org/demos/web_worker/worker.js:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — modules/canvaskit/interface.js:1254
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — modules/canvaskit/skp.js:3
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — tools/lottiecap/lottiecap.js:195
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Supply chain conf 1.00 2 occurrences Docker base image uses a mutable or implicit tag: alpine:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 3, 16
infra/docker/binary-size/Dockerfile:3, 16 (2 hits)
containers · Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: launcher.gcr.io/google/clang-debian9
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/cross-compile/docker/cross-linux-arm64/Dockerfile:1 containers · Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: launcher.gcr.io/google/debian12
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/docker/cmake-release/Dockerfile:10 containers · Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Dockerfile ADD downloads remote content without checksum
Remote build inputs can change or be replaced upstream. Use Dockerfile ADD --checksum or download with an explicit digest/signature verification step.
infra/docker/cmake-release/Dockerfile:31 containers · Checksum
medium System graph hardware Security conf 1.00 Dockerfile runs as root: bazel/rbe/gce_linux_container/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/bots/assets/arm64_sysroot/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/bots/assets/clang_linux/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/bots/assets/clang_ubuntu_noble/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/bots/assets/mesa_intel_driver_linux/mesa-driver-builder/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/bots/assets/mesa_intel_driver_linux_22/mesa-driver-builder/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/canvaskit/docker/canvaskit-emsdk/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/cross-compile/docker/cross-linux-arm64/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/debugger-app/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/docker/binary-size/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/docker/cmake-release/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/docker/debian9/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/fiddler-backend/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/gcc/Debian11-x86/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/gcc/Debian11/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/gcc/Ubuntu18/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/jsfiddle/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/lottiecap/docker/gold-lottie-web-puppeteer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/shaders/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/skottie/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/wasm-common/docker/emsdk-base/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/wasm-common/docker/gold-karma-chrome-tests/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/wasm-common/docker/perf-karma-chrome-tests/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in gn/is_clang.py:14
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
gn/is_clang.py:14 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in gn/run_sksllex.py:28
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
gn/run_sksllex.py:28 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in infra/bots/recipe_modules/flavor/resources/scp.py:17
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
infra/bots/recipe_modules/flavor/resources/scp.py:17 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in third_party/libgrapheme/generate_headers.py:17
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
third_party/libgrapheme/generate_headers.py:17 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in tools/skp/webpages_playback.py:263
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
tools/skp/webpages_playback.py:263 Subprocess shell true
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — experimental/tools/pdf-comparison.py:78
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gn/bazel_build.py:52
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gn/codesign_ios.py:26
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gn/find_msvc.py:32
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gn/find_xcode_sysroot.py:15
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gn/is_clang.py:14
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gn/minify_sksl.py:56
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gn/push_to_android.py:18
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/android_ndk_darwin/create.py:39
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/arm64_sysroot/create.py:26
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/bazel_build_task_driver/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/bazelisk_linux_amd64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/bazelisk_linux_arm64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/bazelisk_mac_amd64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/bazelisk_mac_arm64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/bazelisk_win_amd64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/binutils_linux_x64/create.py:39
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/clang_linux/create.py:21
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/clang_ubuntu_noble/create.py:22
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/cockroachdb/create.py:29
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/dwritecore/create.py:36
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/gsutil/create.py:30
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/jq/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/jq_mac_arm64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/kubectl/create.py:25
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/kubeval/create.py:28
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/kubeval_mac_amd64/create.py:28
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/mesa_intel_driver_linux/create.py:33
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/mesa_intel_driver_linux_22/create.py:24
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/mockery/create.py:29
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/node/create.py:23
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/patch_linux_amd64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/skp/create.py:137
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/skp/create_and_upload.py:49
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/skparagraph/create.py:57
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/yq/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/assets/yq_mac_arm64/create.py:27
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/buildstats/buildstats_cpp.py:44
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/buildstats/buildstats_flutter.py:47
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/buildstats/buildstats_wasm.py:36
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/check_deps.py:29
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/git_utils.py:64
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/checkout/resources/assert_git_cipd.py:10
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/doxygen/resources/generate_and_upload_doxygen.py:65
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/dump_adb_log.py:12
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/ios_debug_cmd.py:20
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/ios_xcode_run.py:46
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/scale_cpu.py:14
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/scp.py:16
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/set_cpu_online.py:15
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/set_cpu_scaling_governor.py:15
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/set_gpu_scaling.py:15
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/setup_device_for_asan.py:19
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/symbolize_stack_trace.py:18
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipe_modules/flavor/resources/win_ssh_cmd.py:31
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/recipes.py:134
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — infra/bots/utils.py:25
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — platform_tools/android/skp_gen/android_skp_capture.py:84
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — PRESUBMIT.py:241
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third_party/dawn/build_dawn.py:189
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third_party/dawn/build_tint.py:118
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third_party/dawn/cmake_utils.py:101
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third_party/libgrapheme/generate_headers.py:17
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/calmbench/calmbench.py:150
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/find_run_binary.py:27
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/infra/git.py:18
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/macsdk_dir.py:45
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/merge_static_libs.py:36
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/raster_pipeline/llvm_mca_analysis.py:138
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/skpbench/_adb.py:30
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/skpbench/skpbench.py:186
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/skqp/create_apk.py:105
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
CI/CD security · Coverage
medium System graph network Security conf 1.00 Privileged port 152 in use
Port 152 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
infra/gcc/Ubuntu18/Dockerfile Ports
medium System graph network Security conf 1.00 Privileged port 256 in use
Port 256 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
infra/gcc/Ubuntu18/Dockerfile Ports
medium System graph network Security conf 1.00 Privileged port 51 in use
Port 51 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
infra/fiddler-backend/Dockerfile Ports
medium System graph network Security conf 1.00 Privileged port 867 in use
Port 867 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
infra/skottie/Dockerfile Ports
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior.
low Security checks quality Error handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
bazel/exporter/bazel_query_command.go:95
low Security checks quality Quality conf 0.60 3 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
3 files, 3 locations
bench/HardStopGradientBench_ScaleNumHardStops.cpp:10
bench/MatrixBench.cpp:12
bench/MorphologyBench.cpp:22
duplication · quality
low System graph quality Maintenance conf 1.00 33 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:10.3
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/bots/assets/mesa_intel_driver_linux/mesa-driver-builder/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:11-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/gcc/Debian11/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:11-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/gcc/Debian11-x86/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:9-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/docker/debian9/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/bots/assets/mesa_intel_driver_linux_22/mesa-driver-builder/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: emscripten/emsdk:4.0.7
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/wasm-common/docker/emsdk-base/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: gcr.io/skia-public/emsdk-base:3.1.26_v2
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/canvaskit/docker/canvaskit-emsdk/Dockerfile:3 · containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: gcr.io/skia-public/lottie-web-puppeteer:v2
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/lottiecap/docker/gold-lottie-web-puppeteer/Dockerfile:6 · containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:8.11
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/lottiecap/docker/lottie-web-puppeteer/Dockerfile:5 · containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: demos.skia.org/demos/image_decode_web_worker/worker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: demos.skia.org/demos/path_performance/worker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: demos.skia.org/demos/web_worker/main.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: demos.skia.org/demos/web_worker/worker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tools/mskp_parser.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tskit/.eslintrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tskit/bindings/core.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tskit/bindings/embind.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tskit/bindings/extension.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tskit/go/gen_types/testdata/expectedambientnamespace1.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tskit/interface/extension.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: experimental/tskit/interface/public_api.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/bazel_build.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/call.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/checkdir.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/codesign_ios.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/cp.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/find_headers.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/find_xcode_sysroot.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/highest_version_dir.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/is_clang.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/make_gm_gni.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/minify_sksl.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/push_to_android.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/rm.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/run_sksllex.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: gn/toolchain/num_cpus.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/cpu.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/debugger.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/font.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/htmlcanvas/_namedcolors.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/htmlcanvas/postamble.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/htmlcanvas/preamble.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/karma.bazel.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/karma.conf.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/pathops.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/postamble.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/preamble.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/skottie.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/skp.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/tests/font_test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/tests/init_with_gold_server.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/tests/legacy_init.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/tests/paragraph_test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modules/canvaskit/tests/path_test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: resources/sksl/es2_conformance/import_conformance_tests.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: resources/sksl/update_fuzzer.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tools/fiddle/make_all_examples_cpp.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tools/malisc/malisc.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tools/milestone.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
53 tests / 452 src (ratio 0.12).
low System graph quality Integrity conf 1.00 10 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: PRESUBMIT_test_mocks.py:AffectedFiles, PRESUBMIT_test_mocks.py:AffectedFiles This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
repo-level (10 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 7 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: PRESUBMIT_test_mocks.py:LocalPaths, PRESUBMIT_test_mocks.py:LocalPath, PRESUBMIT_test_mocks.py:LocalPaths This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why t…
repo-level (7 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: tools/skpbench/_hardware_pixel2.py:sanity_check, tools/skpbench/_hardware_pixel.py:sanity_check, tools/skpbench/_hardware_nexus_6p.py:sanity_check, tools/skpbench/_hardware_pixel_c.py:sanity_check This is *the* AI-coder failure mode (4× more duplicat…
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 45 places
Functions with the same first-5-line body hash: infra/bots/assets/node/create.py:main, infra/bots/assets/clang_linux/create.py:main, infra/bots/assets/clang_win/create.py:main, infra/bots/assets/go_win/create.py:main This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — se…
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: infra/bots/assets/armhf_sysroot/create.py:main, infra/bots/assets/chromebook_arm64_gles/create.py:main, infra/bots/assets/chromebook_arm_gles/create.py:main, infra/bots/assets/chromebook_x86_64_gles/create.py:main This is *the* AI-coder failure mode …
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `88_v2` in infra/bots/recipes/test_canvaskit.py:24
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `env_copy` in tools/skqp/create_apk.py:164
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `to_copy` in infra/bots/assets/binutils_linux_x64/create.py:30
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `to_copy` in infra/bots/assets/chromebook_arm64_gles/create.py:48
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `to_copy` in infra/bots/assets/chromebook_arm_gles/create.py:47
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `to_copy` in infra/bots/assets/chromebook_x86_64_gles/create.py:47
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: BUILD_glob
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/BUILD_simulator.py:62
low System graph software Dead code conf 1.00 Possibly dead Python function: CheckChangeOnCommit
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:808
low System graph software Dead code conf 1.00 Possibly dead Python function: CheckChangeOnUpload
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:653
low System graph software Dead code conf 1.00 Possibly dead Python function: compare_differing_pngs
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
experimental/tools/pdf-comparison.py:295
low System graph software Dead code conf 1.00 Possibly dead Python function: compare_identical
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
experimental/tools/pdf-comparison.py:259
low System graph software Dead code conf 1.00 Possibly dead Python function: CopywriteChecker
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/sanitize_source_files.py:112
low System graph software Dead code conf 1.00 Possibly dead Python function: CrlfReplacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/sanitize_source_files.py:95
low System graph software Dead code conf 1.00 Possibly dead Python function: do_shard
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
experimental/tools/pdf-comparison.py:185
low System graph software Dead code conf 1.00 Possibly dead Python function: EOFOneAndOnlyOneNewlineAdder
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/sanitize_source_files.py:119
low System graph software Dead code conf 1.00 Possibly dead Python function: Escape
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
gn/gn_to_cmake.py:53
low System graph software Dead code conf 1.00 Possibly dead Python function: ExpandPlaceholders
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
gn/gn_to_cmake.py:324
low System graph software Dead code conf 1.00 Possibly dead Python function: find_path_to_program
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/find_run_binary.py:36
low System graph software Dead code conf 1.00 Possibly dead Python function: GetApprovers
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:693
low System graph software Dead code conf 1.00 Possibly dead Python function: GetDescription
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:685
low System graph software Dead code conf 1.00 Possibly dead Python function: GetOwnerEmail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:679
low System graph software Dead code conf 1.00 Possibly dead Python function: GetReviewers
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:688
low System graph software Dead code conf 1.00 Possibly dead Python function: GetSubject
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:682
low System graph software Dead code conf 1.00 Possibly dead Python function: invoke
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/gdb/bitmap.py:51
low System graph software Dead code conf 1.00 Possibly dead Python function: noop
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/BUILD_simulator.py:18
low System graph software Dead code conf 1.00 Possibly dead Python function: PostUploadHook
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
PRESUBMIT.py:757
low System graph software Dead code conf 1.00 Possibly dead Python function: process_bench_pattern
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/calmbench/ab.py:265
low System graph software Dead code conf 1.00 Possibly dead Python function: process_symbol
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/raster_pipeline/llvm_mca_analysis.py:243
low System graph software Dead code conf 1.00 Possibly dead Python function: rasterize
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
experimental/tools/pdf-comparison.py:235
low System graph software Dead code conf 1.00 Possibly dead Python function: run_command
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/find_run_binary.py:14
low System graph software Dead code conf 1.00 Possibly dead Python function: select_simulator
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/BUILD_simulator.py:21
low System graph software Dead code conf 1.00 Possibly dead Python function: spin
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/calmbench/ab.py:160
low System graph software Dead code conf 1.00 Possibly dead Python function: SvnEOLChecker
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/sanitize_source_files.py:128
low System graph software Dead code conf 1.00 Possibly dead Python function: TabReplacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/sanitize_source_files.py:102
low System graph software Dead code conf 1.00 Possibly dead Python function: TrailingWhitespaceRemover
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/sanitize_source_files.py:87
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — demos.skia.org/demos/textedit/textapi_utils.js:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/tskit/interface/core.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/tskit/interface/load.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/external_test/typescript_browser/module_uses_ck.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/external_test/typescript_browser_es6/module_uses_ck.ts:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/htmlcanvas/_namedcolors.js:163
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/karma.bazel.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/npm_build/node.example.js:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/npm_build/textapi_utils.js:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/npm_build/types/canvaskit-wasm-tests.ts:735
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/npm_build/types/index.d.ts:4052
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/rt_shader.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/tests/bazel_test_reporter.js:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/tests/canvas2d_test.js:254
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/tests/core_test.js:1173
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/tests/init_with_gold_server.js:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/tests/legacy_init.js:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/tests/legacy_test_reporter.js:88
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/tests/util.js:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — modules/canvaskit/webgpu.js:95
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/lottie-web-perf/lottie-web-perf.js:68
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/lottiecap/lottiecap.js:93
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/perf-canvaskit-puppeteer/benchmark.js:97
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js:126
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/perf-canvaskit-puppeteer/skp_data_prep.js:58
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/run-wasm-gm-tests/run-wasm-gm-tests.js:103
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/skottie-wasm-perf/skottie-wasm-perf.js:74
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `noop` (body is just `pass`/`return`) — tools/BUILD_simulator.py:18
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /lottie.js
`tools/lottiecap/lottiecap.js` declares `GET /lottie.js` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /lottie.json
`tools/lottiecap/lottiecap.js` declares `GET /lottie.json` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /res/canvaskit.js
`tools/skottie-wasm-perf/skottie-wasm-perf.js` declares `GET /res/canvaskit.js` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /res/canvaskit.wasm
`tools/skottie-wasm-perf/skottie-wasm-perf.js` declares `GET /res/canvaskit.wasm` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /res/lottie.js
`tools/lottie-web-perf/lottie-web-perf.js` declares `GET /res/lottie.js` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /res/lottie.json
`tools/skottie-wasm-perf/skottie-wasm-perf.js` declares `GET /res/lottie.json` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/benchmark.js
`tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js` declares `GET /static/benchmark.js` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docum…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/canvas_perf.js
`tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js` declares `GET /static/canvas_perf.js` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/canvaskit.js
`tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js` declares `GET /static/canvaskit.js` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docum…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/canvaskit.wasm
`tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js` declares `GET /static/canvaskit.wasm` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/hashes.txt
`tools/run-wasm-gm-tests/run-wasm-gm-tests.js` declares `GET /static/hashes.txt` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/lottie.json
`tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js` declares `GET /static/lottie.json` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/resource_listing.json
`tools/run-wasm-gm-tests/run-wasm-gm-tests.js` declares `GET /static/resource_listing.json` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/test.skp
`tools/perf-canvaskit-puppeteer/perf-canvaskit-with-puppeteer.js` declares `GET /static/test.skp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/wasm_gm_tests.js
`tools/run-wasm-gm-tests/run-wasm-gm-tests.js` declares `GET /static/wasm_gm_tests.js` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /static/wasm_gm_tests.wasm
`tools/run-wasm-gm-tests/run-wasm-gm-tests.js` declares `GET /static/wasm_gm_tests.wasm` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
Unused endpoint

Showing first 300 of 310. Refine filters or use the findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/1a93f112-d349-4973-9d25-a212da316793/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/1a93f112-d349-4973-9d25-a212da316793/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.