Public scan — anyone with this URL can view this analysis.
28 of your 55 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 23.71s · analysis 28.92s · 60.3 MB · GitHub API rate-limit (preflight)

spring-projects/spring-framework

https://github.com/spring-projects/spring-framework · scanned 2026-06-05 09:44 UTC (5 days, 16 hours ago) · 10 languages

215 raw signals (47 security + 168 graph) · 11/13 scanners ran · 82nd percentile · Java · huge (>500K LoC) · System graph score 72 (higher by 10)


Complete repo analysis

Last scanned 5 days, 16 hours ago · v2 · 87 actionable findings from 2 signal sources. 44 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component             Sub-score  Weight  Contribution
structure_score            65.0    0.15          9.75
security_score            100.0    0.25         25.00
testing_score              80.0    0.20         16.00
documentation_score        75.0    0.15         11.25
practices_score            77.0    0.15         11.55
code_quality               80.0    0.10          8.00
Overall                             1.00          81.5
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests

Scan summary: Quality grade A- (82/100). Dimensions: security 100, maintainability 65. 47 findings (22 security). 1,227,463 lines analyzed.

Showing 73 of 87 actionable findings. 131 raw detector signals were grouped into reader-sized issues.

critical · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
framework-docs/src/main/java/org/springframework/docs/integration/schedulingtaskexecutorusage/TaskExecutorExample.java:46
critical · System graph · security · Secrets · conf 1.00 · Possible secret in spring-web/src/main/java/org/springframework/web/util/WhatWgUrlParser.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
spring-web/src/main/java/org/springframework/web/util/WhatWgUrlParser.java:2052
high · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety.
Review and fix per the pattern semantics. See CWE-476 / for context.
framework-docs/src/main/kotlin/org/springframework/docs/web/websocket/stomp/websocketstompauthenticationtokenbased/WebSocketConfiguration.kt:40
high · Security checks · software · dependencies · conf 0.90 · ✓ Repobility · [MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 9582 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
gradle/wrapper/gradle-wrapper.jar:1
high · Security checks · software · Xxe · conf 1.00 · [SEC024] XML External Entity (XXE) — Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack.
Disable DTDs and external entities before parsing: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities"…
spring-beans/src/main/java/org/springframework/beans/factory/xml/DefaultDocumentLoader.java:94
low · Security checks · cicd · CI/CD security · conf 0.90 · ✓ Repobility · 34 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
8 files, 34 locations
.github/workflows/verify.yml:33, 39, 44, 67 (8 hits)
.github/workflows/release-milestone.yml:16, 60, 89 (6 hits)
.github/workflows/release.yml:15, 59, 88 (6 hits)
.github/workflows/backport-bot.yml:21, 23 (4 hits)
.github/workflows/build-pull-request.yml:13, 22 (4 hits)
.github/workflows/build-and-deploy-snapshot.yml:16 (2 hits)
.github/workflows/ci.yml:38 (2 hits)
.github/workflows/deploy-docs.yml:22 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in spring-context/src/main/java/org/springframework/scripting/bsh/BshScriptUtils.java:125
Found a known-risky pattern (eval_used). Review and replace if possible.
spring-context/src/main/java/org/springframework/scripting/bsh/BshScriptUtils.java:125 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in spring-context/src/main/java/org/springframework/scripting/support/StandardScriptFactory.java:194
Found a known-risky pattern (eval_used). Review and replace if possible.
spring-context/src/main/java/org/springframework/scripting/support/StandardScriptFactory.java:194 · Tags: Eval used
medium · Security checks · security · auth · conf 0.92 · [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high · Security checks · security · auth · conf 0.74 · [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
medium · System graph · cicd · CI/CD security · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/update-antora-ui-spring.yml · Tags: CI/CD security · Supply chain · Github actions
medium · System graph · security · security · conf 1.00 · Insecure pattern 'weak_hash' in spring-core/src/main/java/org/springframework/util/DigestUtils.java:38
Found a known-risky pattern (weak_hash). Review and replace if possible.
spring-core/src/main/java/org/springframework/util/DigestUtils.java:38 · Tags: Weak hash
medium · System graph · data · Coverage · conf 1.00 · ORM models found but no DB engine detected
The repo defines tables/models but no DB connection string was found. Likely lives in env vars or a config file the scanner didn't read.
low · Security checks · quality · Quality · conf 0.60 · 6 occurrences · Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
6 files, 6 locations
spring-aop/src/main/java/org/springframework/aop/aspectj/AspectJAfterThrowingAdvice.java:12
spring-aop/src/main/java/org/springframework/aop/aspectj/annotation/SingletonMetadataAwareAspectInstanceFactory.java:13
spring-aop/src/testFixtures/java/org/springframework/aop/testfixture/mixin/LockMixin.java:6
spring-beans/src/main/java/org/springframework/beans/factory/support/BeanDefinitionDefaults.java:13
spring-beans/src/main/java/org/springframework/beans/factory/support/ManagedSet.java:33
spring-beans/src/main/java/org/springframework/beans/factory/xml/SimplePropertyNamespaceHandler.java:13
Tags: duplication · quality
low · System graph · quality · Maintenance · conf 1.00 · 140 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low · System graph · software · Dead code candidate · conf 1.00 · 4 occurrences · File has no detected symbols
Source file with no class/function declarations — possible config, dead code, or scratch file.
4 files, 4 locations
spring-test/src/test/resources/META-INF/web-resources/resources/Spring.js
spring-test/src/test/webapp/resources/Spring.js
spring-webmvc/src/test/resources/org/springframework/web/servlet/resource/testalternatepath/js/bar.js
spring-webmvc/src/test/resources/org/springframework/web/servlet/resource/testalternatepath/js/foo.js
low · System graph · quality · Integrity · conf 1.00 · Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: spring-webflux/src/test/resources/org/springframework/web/reactive/result/view/script/jython/render.py:render, spring-webmvc/src/test/resources/org/springframework/web/servlet/view/script/jython/render.py:render This is *the* AI-coder failure mode (4…
Tags: duplicates · duplication
low · System graph · frontend · Frontend quality · conf 1.00 · 6 occurrences · Stray `console.log` in TS/JS
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
6 files, 6 locations
spring-webflux/src/test/resources/org/springframework/web/reactive/resource/test/js/bar.js:1
spring-webflux/src/test/resources/org/springframework/web/reactive/resource/test/js/foo.js:1
spring-webflux/src/test/resources/org/springframework/web/reactive/resource/testalternatepath/js/baz.js:1
spring-webmvc/src/test/resources/org/springframework/web/servlet/resource/test/js/bar.js:1
spring-webmvc/src/test/resources/org/springframework/web/servlet/resource/test/js/foo.js:1
spring-webmvc/src/test/resources/org/springframework/web/servlet/resource/testalternatepath/js/baz.js:1
low · System graph · quality · Complexity · conf 1.00 · 47 occurrences · Very large file (>800 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
47 files, 47 locations
spring-beans/src/main/java/org/springframework/beans/factory/support/AbstractAutowireCapableBeanFactory.java (2060 lines)
spring-beans/src/main/java/org/springframework/beans/factory/support/AbstractBeanFactory.java (2143 lines)
spring-beans/src/main/java/org/springframework/beans/factory/support/ConstructorResolver.java (1459 lines)
spring-beans/src/main/java/org/springframework/beans/factory/support/DefaultListableBeanFactory.java (2813 lines)
spring-beans/src/main/java/org/springframework/beans/factory/xml/BeanDefinitionParserDelegate.java (1530 lines)
spring-beans/src/test/java/org/springframework/beans/AbstractPropertyAccessorTests.java (2102 lines)
spring-beans/src/test/java/org/springframework/beans/factory/annotation/AutowiredAnnotationBeanPostProcessorTests.java (4614 lines)
spring-beans/src/test/java/org/springframework/beans/factory/DefaultListableBeanFactoryTests.java (3911 lines)
spring-beans/src/test/java/org/springframework/beans/propertyeditors/CustomEditorTests.java (1573 lines)
spring-context-support/src/main/java/org/springframework/mail/javamail/MimeMessageHelper.java (1230 lines)
spring-context/src/main/java/org/springframework/context/annotation/ConfigurationClassPostProcessor.java (1101 lines)
spring-context/src/main/java/org/springframework/context/support/AbstractApplicationContext.java (1673 lines)
spring-context/src/main/java/org/springframework/validation/DataBinder.java (1475 lines)
spring-context/src/test/java/org/springframework/aop/framework/AbstractAopProxyTests.java (1909 lines)
spring-context/src/test/java/org/springframework/beans/factory/xml/XmlBeanFactoryTests.java (1926 lines)
spring-context/src/test/java/org/springframework/context/annotation/ConfigurationClassPostProcessorTests.java (2215 lines)
spring-context/src/test/java/org/springframework/validation/DataBinderTests.java (2378 lines)
spring-core/src/main/java/org/springframework/asm/ClassReader.java (3893 lines)
spring-core/src/main/java/org/springframework/asm/Frame.java (1490 lines)
spring-core/src/main/java/org/springframework/asm/MethodWriter.java (2394 lines)
spring-core/src/main/java/org/springframework/asm/SymbolTable.java (1485 lines)
spring-core/src/main/java/org/springframework/core/annotation/AnnotationUtils.java (1369 lines)
spring-core/src/main/java/org/springframework/core/io/support/PathMatchingResourcePatternResolver.java (1335 lines)
spring-core/src/main/java/org/springframework/core/ResolvableType.java (1853 lines)
spring-core/src/main/java/org/springframework/util/ClassUtils.java (1637 lines)
spring-core/src/main/java/org/springframework/util/StringUtils.java (1451 lines)
spring-core/src/test/java/org/springframework/core/annotation/AnnotatedElementUtilsTests.java (1583 lines)
spring-core/src/test/java/org/springframework/core/annotation/AnnotationUtilsTests.java (1840 lines)
spring-core/src/test/java/org/springframework/core/annotation/MergedAnnotationsTests.java (3814 lines)
spring-core/src/test/java/org/springframework/core/ResolvableTypeTests.java (2052 lines)
spring-expression/src/test/java/org/springframework/expression/spel/EvaluationTests.java (1594 lines)
spring-expression/src/test/java/org/springframework/expression/spel/SpelCompilationCoverageTests.java (7958 lines)
spring-expression/src/test/java/org/springframework/expression/spel/SpelReproTests.java (2446 lines)
spring-jdbc/src/main/java/org/springframework/jdbc/core/JdbcOperations.java (1095 lines)
spring-jdbc/src/main/java/org/springframework/jdbc/core/JdbcTemplate.java (1825 lines)
spring-jdbc/src/test/java/org/springframework/jdbc/datasource/DataSourceTransactionManagerTests.java (1765 lines)
spring-jms/src/main/java/org/springframework/jms/listener/DefaultMessageListenerContainer.java (1604 lines)
spring-tx/src/main/java/org/springframework/transaction/jta/JtaTransactionManager.java (1212 lines)
spring-tx/src/main/java/org/springframework/transaction/support/AbstractPlatformTransactionManager.java (1363 lines)
spring-web/src/main/java/org/springframework/http/HttpHeaders.java (2358 lines)
spring-web/src/main/java/org/springframework/web/util/WhatWgUrlParser.java (3121 lines)
spring-webflux/src/main/java/org/springframework/web/reactive/function/server/RouterFunctions.java (1502 lines)
spring-webmvc/src/main/java/org/springframework/web/servlet/DispatcherServlet.java (1408 lines)
spring-webmvc/src/main/java/org/springframework/web/servlet/function/RouterFunctions.java (1358 lines)
spring-webmvc/src/test/java/org/springframework/web/servlet/config/MvcNamespaceTests.java (1145 lines)
spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java (1442 lines)
spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java (4288 lines)
API access

This page is publicly accessible at: https://repobility.com/scan/1fb91653-6199-4d9e-9279-e8af71f85d8f/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/1fb91653-6199-4d9e-9279-e8af71f85d8f/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.