263 of your 585 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 16.91s · analysis 40.92s · 63.7 MB · GitHub API rate-limit (preflight)

apache/arrow

https://github.com/apache/arrow · scanned 2026-06-05 21:28 UTC (4 days, 11 hours ago) · 10 languages

1477 raw signals (493 security + 984 graph) · 11/13 scanners ran · 92nd percentile · C · huge (>500K LoC) · System graph score 64 (higher by 14)


Complete repo analysis

Last scanned 4 days, 11 hours ago · v2 · 462 actionable findings from 2 signal sources. 522 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score      40.0       0.15    6.00
security_score       85.0       0.25    21.25
testing_score        87.0       0.20    17.40
documentation_score  99.0       0.15    14.85
practices_score      86.0       0.15    12.90
code_quality         60.0       0.10    6.00
Overall                         1.00    78.4
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary Quality grade B+ (78/100). Dimensions: security 85, maintainability 40. 493 findings (126 security). 542,740 lines analyzed.

Showing 181 of 462 actionable findings. 984 raw detector signals were grouped into reader-sized issues.

critical Security checks security Security .env file committed to repository
Remove .env from version control: git rm --cached .env. Add '.env' to .gitignore. Rotate all exposed credentials.
.env
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.
Review and fix per the pattern semantics. See CWE-95 for context.
r/R/dplyr-eval.R:143
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context.
r/R/dplyr-eval.R:143
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED025] Php Eval: eval() executes arbitrary PHP. Code injection.
Review and fix per the pattern semantics. See CWE-95 for context.
r/R/dplyr-eval.R:143
high Security checks quality Quality conf 1.00 ✓ Repobility 4 occurrences [MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
Add `import queue` at the top of the file.
4 files, 4 locations
dev/archery/archery/bot.py:416
dev/archery/archery/crossbow/cli.py:150
dev/archery/archery/crossbow/core.py:1155
python/pyarrow/interchange/column.py:480
critical Security checks security secrets conf 1.00 [SEC009] .env File Committed: .env file with secrets committed to repository.
Add .env to .gitignore. Rotate all exposed credentials.
.env
critical Security checks cicd CI/CD security conf 0.96 2 occurrences Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
lines 1883, 1891
compose.yaml:1883, 1891 (2 hits)
Tags: CI/CD security · containers
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 25 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
3 files, 25 locations
.github/workflows/cpp_extra.yml:158, 159, 186, 187, 410, 411, 432, 433, +8 more (16 hits)
.github/workflows/r_extra.yml:173, 174, 191, 192, 217, 218 (6 hits)
.github/workflows/r.yml:107, 108, 133 (3 hits)
Tags: CI/CD security · workflow secrets · GitHub Actions
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic.
Review and fix per the pattern semantics. See CWE-78 for context.
r/R/install-arrow.R:70
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED017] C System Call: system() invokes shell. Command injection if any arg is dynamic.
Review and fix per the pattern semantics. See CWE-78 for context.
r/R/install-arrow.R:70
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety.
Review and fix per the pattern semantics. See CWE-476 for context.
r/R/dplyr-mutate.R:113
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences [MINED108] `self.bytes_literal` used but never assigned in __init__: Method `__format__` of class `CString` reads `self.bytes_literal`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.bytes_literal = <default>` in __init__, or add a class-level default.
lines 366, 496, 527, 537, 697, 702, 704, 733, +14 more
cpp/gdb_arrow.py:366, 496, 527, 537, 697, 702, 704, 733, +14 more (25 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility 20 occurrences [MINED118] Dockerfile FROM `amd64/ubuntu:24.04` not pinned by digest: `FROM amd64/ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM amd64/ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
12 files, 12 locations
ci/docker/python-sdist.dockerfile:17
ci/docker/python-wheel-windows-test-vs2022-base.dockerfile:22
ci/docker/python-wheel-windows-vs2022-base.dockerfile:54
cpp/examples/minimal_build/minimal.dockerfile:17
cpp/examples/minimal_build/system_dependency.dockerfile:17
cpp/examples/tutorial_examples/tutorial.dockerfile:17
dev/release/binary/Dockerfile:17
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile:17
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `conda-python-no-numpy` unpinned: `container/services image: conda-python-no-numpy` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `conda-python-no-numpy@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/python.yml:99
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ubuntu-cpp-sanitizer` unpinned: `container/services image: ubuntu-cpp-sanitizer` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ubuntu-cpp-sanitizer@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/cpp.yml:94
high Security checks software dependencies conf 0.90 ✓ Repobility 18 occurrences [MINED131] pre-commit hook `https://github.com/hadolint/hadolint` pinned to mutable rev `v2.12.0`: `.pre-commit-config.yaml` references `https://github.com/hadolint/hadolint` at `rev: v2.12.0`. If `v2.12.0` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
lines 38, 52, 73, 95, 103, 111, 133, 148, +10 more
.pre-commit-config.yaml:38, 52, 73, 95, 103, 111, 133, 148, +10 more (18 hits)
high Security checks security path traversal conf 0.80 3 occurrences [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
3 files, 3 locations
c_glib/tool/generate-version-header.py:51
cpp/src/arrow/dataset/file_ipc.cc:55
cpp/src/arrow/dataset/file_orc.cc:52
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
dev/release/download_rc_binaries.py:151
high Security checks security Crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.
dev/release/utils-binary.sh:39
high Security checks cicd CI/CD security conf 0.90 5 occurrences Compose service adds dangerous Linux capabilities
Drop all capabilities by default and add only narrowly required capabilities after review.
lines 409, 497, 1492, 1839
compose.yaml:409, 497, 1492, 1839 (5 hits)
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.90 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
compose.yaml:1883
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.84 Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
compose.yaml:1883
Tags: CI/CD security · containers
high System graph security Secrets conf 1.00 .env file present in repo: .env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
Config
medium Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED124] requirements.txt: `breathe` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `breathe` with `breathe==<version>` and manage upgrades through PRs / Dependabot.
5 files, 25 locations
python/requirements-test.txt:1, 2, 3, 4, 5, 6, 7 (7 hits)
python/requirements-wheel-test.txt:1, 2, 3, 4, 5, 6, 21 (7 hits)
docs/requirements.txt:5, 6, 7, 8, 9 (5 hits)
python/requirements-wheel-build.txt:1, 6, 7, 8 (4 hits)
python/requirements-build.txt:1, 5 (2 hits)
low Security checks security Injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
cpp/src/arrow/compute/kernels/scalar_cast_internal.cc:130
medium Security checks security path traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
python/pyarrow/util.py:293
medium Security checks software Resource exhaustion conf 1.00 [SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap → memory/disk exhaustion DoS (10kb → 4GB classic 'zip bomb').
Wrap reader with `io.LimitReader(r, MAX_BYTES)`. In Python, iterate `ZipFile.infolist()` and check each entry's `file_size`. Cap total uncompressed bytes (e.g. 100MB).
python/pyarrow/util.py:293
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
cpp/tools/parquet/parquet_dump_footer.cc:120
low Security checks quality Error handling conf 0.55 ✓ Repobility 15 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
9 files, 15 locations
dev/archery/archery/integration/runner.py:320, 450, 524, 574 (4 hits)
cpp/build-support/asan_symbolize.py:93, 130 (2 hits)
cpp/src/arrow/acero/hash_join_graphs.py:47, 71 (2 hits)
dev/archery/archery/docker/core.py:245, 278 (2 hits)
cpp/src/arrow/util/bpacking_simd_codegen.py:275
dev/archery/archery/lang/python.py:180
dev/archery/archery/utils/lint.py:100
dev/merge_arrow_pr.py:135
Tags: Error handling · quality
medium Security checks cicd CI/CD security conf 0.94 Compose service `impala` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
compose.yaml:1891
Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.72 Compose service adds dangerous Linux capabilities
Drop all capabilities by default and add only narrowly required capabilities after review.
compose.yaml:621
Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.88 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
compose.yaml:1883
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 25 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
12 files, 12 locations
dev/release/binary/Dockerfile:18
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile:18
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile:18
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile:18
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-jammy/Dockerfile:18
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-noble/Dockerfile:18
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-resolute/Dockerfile:18
dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-10/Dockerfile:18
Tags: CI/CD security · containers
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-jammy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-noble/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-resolute/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-10/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-8/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-9/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-release/yum/amazon-linux-2023/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow-release/yum/centos-9-stream/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/apt/debian-bookworm/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/apt/debian-forky/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/apt/debian-trixie/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/apt/ubuntu-jammy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/apt/ubuntu-noble/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/apt/ubuntu-resolute/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/yum/almalinux-10/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/yum/almalinux-8/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/yum/almalinux-9/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/yum/amazon-linux-2023/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: dev/tasks/linux-packages/apache-arrow/yum/centos-9-stream/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned
msys2/setup-msys2@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
3 files, 4 locations
.github/workflows/dev.yml:100 (2 hits)
.github/workflows/cpp_windows.yml:92
.github/workflows/ruby.yml:260
Tags: CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 5 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
5 files, 5 locations
.github/workflows/cpp_extra.yml
.github/workflows/package_linux.yml
.github/workflows/release.yml
.github/workflows/release_candidate.yml
.github/workflows/ruby.yml
Tags: CI/CD security · Supply chain · GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in cpp/tools/binary_symbol_explore.py:77
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
cpp/tools/binary_symbol_explore.py:77
Tags: Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in dev/release/02-source.sh:98
Found a known-risky pattern (weak_hash). Review and replace if possible.
dev/release/02-source.sh:98
Tags: Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in dev/release/binary-task.rb:666
Found a known-risky pattern (weak_hash). Review and replace if possible.
dev/release/binary-task.rb:666
Tags: Weak hash
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — cpp/build-support/asan_symbolize.py:157
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — dev/archery/archery/ci/core.py:35
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — dev/archery/archery/crossbow/core.py:547
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — dev/archery/archery/crossbow/reports.py:237
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — dev/archery/archery/utils/command.py:78
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — dev/merge_arrow_pr.py:63
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — dev/release/download_rc_binaries.py:39
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — python/examples/parquet_encryption/sample_vault_kms_client.py:62
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — python/pyarrow/__init__.py:331
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — python/pyarrow/util.py:243
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph network Security conf 1.00 Privileged port 10 in use
Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/stale.yml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 11 in use
Port 11 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/stale.yml
Tags: Ports
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.56 69 occurrences Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
4 files, 69 locations
compose.yaml:218, 248, 267, 304, 341, 409, 451, 473, +52 more (61 hits)
python/examples/minimal_build/compose.yaml:20, 30, 38, 46 (4 hits)
cpp/examples/minimal_build/compose.yaml:20, 30, 40 (3 hits)
cpp/examples/tutorial_examples/compose.yaml:20
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 69 occurrences Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
4 files, 69 locations
compose.yaml:218, 248, 267, 304, 341, 409, 451, 473, +52 more (61 hits)
python/examples/minimal_build/compose.yaml:20, 30, 38, 46 (4 hits)
cpp/examples/minimal_build/compose.yaml:20, 30, 40 (3 hits)
cpp/examples/tutorial_examples/compose.yaml:20
Tags: CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 13 occurrences Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
12 files, 12 locations
dev/release/binary/Dockerfile:24
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile:30
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile:30
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile:30
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-jammy/Dockerfile:30
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-noble/Dockerfile:30
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-resolute/Dockerfile:30
dev/tasks/linux-packages/apache-arrow/apt/debian-bookworm/Dockerfile:36
Tags: CI/CD security · containers
low Security checks cicd CI/CD security conf 0.74 6 occurrences Dockerfile leaves apt package indexes in the image layer
End the apt install layer with `rm -rf /var/lib/apt/lists/*`.
6 files, 6 locations
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile:30
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile:30
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile:30
dev/tasks/linux-packages/apache-arrow/apt/debian-bookworm/Dockerfile:36
dev/tasks/linux-packages/apache-arrow/apt/debian-forky/Dockerfile:36
dev/tasks/linux-packages/apache-arrow/apt/debian-trixie/Dockerfile:36
Tags: CI/CD security · containers
low Security checks quality Quality conf 0.60 7 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
7 files, 7 locations
c_glib/arrow-dataset-glib/dataset.cpp:209
cpp/src/arrow/dataset/file_orc.h:8
cpp/src/arrow/filesystem/filesystem.h:162
cpp/src/arrow/filesystem/gcsfs.h:61
cpp/src/arrow/filesystem/localfs.h:37
cpp/src/arrow/filesystem/mockfs.h:25
cpp/src/arrow/filesystem/s3fs.h:120
Tags: duplication · quality
low System graph quality Maintenance conf 1.00 79 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: almalinux:10
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-10/Dockerfile:17
Tags: containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: almalinux:8
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-8/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: almalinux:9
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-9/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: amazonlinux:2023
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-release/yum/amazon-linux-2023/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/release/binary/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:forky
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:trixie
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: quay.io/centos/centos:stream9
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-release/yum/centos-9-stream/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:jammy
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-jammy/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:noble
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-noble/Dockerfile:17 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:resolute
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-resolute/Dockerfile:17 containersPinned dependencies
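To make the pin check above mechanical, here is an added example that is neither apache/arrow's code nor Repobility's detector. It classifies every `FROM` line in a set of Dockerfiles as digest-pinned, tag-pinned, floating (no tag or `:latest`) or ARG-dependent, and skips `scratch` and references to earlier build stages, which pull nothing. The Dockerfile snippets in `SAMPLE_DOCKERFILES` and the `sha256` value are constructed for the example; the value is a placeholder, not a real image digest.

```python
"""Classify how each Dockerfile `FROM` line pins its base image.

Added example for this review; it is not apache/arrow code. The Dockerfile
texts in SAMPLE_DOCKERFILES are constructed to mirror the finding (tag-only
pins) and the digest-pinned form it recommends; the sha256 value is a
placeholder, not the real digest of any image.
"""
import re

# `FROM [--platform=...] <ref> [AS <stage>]`; ref may be image[:tag][@digest]
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_ref(ref: str) -> str:
    """Return 'digest', 'tag', 'floating' or 'arg' for one image reference.

    'floating' covers an untagged reference (implicit :latest) and an
    explicit :latest, both worse than a version tag. 'arg' means the
    reference comes from a build ARG and cannot be judged statically.
    """
    if ref.startswith("$"):
        return "arg"
    if _DIGEST_RE.search(ref):
        return "digest"
    # Look for a tag only in the last path component so that a registry
    # port (quay.io:443/org/img) is not mistaken for one.
    name = ref.rsplit("/", 1)[-1]
    if ":" in name:
        return "floating" if name.split(":", 1)[1] == "latest" else "tag"
    return "floating"


def scan_dockerfile(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ref, classification) for every upstream FROM.

    `FROM scratch` and references to earlier build stages are skipped:
    neither pulls anything from a registry.
    """
    stages: set[str] = set()
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage"))
        if ref == "scratch" or ref in stages:
            continue
        found.append((no, ref, classify_ref(ref)))
    return found


def findings(files: dict[str, str]) -> list[str]:
    """One report line per FROM that is not digest-pinned, in scan order."""
    report = []
    for path, text in files.items():
        for no, ref, kind in scan_dockerfile(text):
            if kind != "digest":
                report.append(f"{path}:{no} {ref} [{kind}]")
    return report


# Constructed inputs: three tag-pinned files shaped like the finding, one
# digest-pinned multi-stage file, and one with floating references.
SAMPLE_DOCKERFILES = {
    "yum/almalinux-9/Dockerfile": "FROM almalinux:9\nRUN dnf -y update\n",
    "apt/debian-bookworm/Dockerfile": "FROM debian:bookworm\n",
    "yum/centos-9-stream/Dockerfile": "FROM quay.io/centos/centos:stream9\n",
    "hardened/Dockerfile": (
        "FROM almalinux:9@sha256:" + "0" * 64 + " AS build\n"
        "RUN echo build\n"
        "FROM build\n"
    ),
    "sloppy/Dockerfile": "FROM python\nFROM python:latest\n",
}

if __name__ == "__main__":
    for line in findings(SAMPLE_DOCKERFILES):
        print(line)
```

Run it over `dev/tasks/**/Dockerfile` by reading each file into the dictionary; the `hardened/Dockerfile` entry shows the target form, with the tag kept beside the digest so a reviewer can still read which release the digest is meant to be.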
low System graph software Dead code candidate conf 1.00 20 occurrences File has no detected symbols
Source file with no class/function declarations: possible config, dead code, or scratch file. Caveat: the rule fires on any file whose top level is only imports, constants or straight-line script code, so most of these hits are expected rather than dead. Several of the listed pyarrow modules (csv.py, json.py, flight.py, cuda.py, substrait.py, parquet/encryption.py) are the public wrappers that re-export names from compiled extension modules and are exactly what `import pyarrow.csv` loads; setup.py, cmake-format.py and the dev/release scripts are build and release tooling executed as scripts; the .js files are documentation-site and Emscripten test bootstrap scripts. Confirm each file against its importers before deleting anything.
20 files, 20 locations
c_glib/doc/urlmap.js
cmake-format.py
cpp/build-support/emscripten-test-init.js
dev/archery/setup.py
dev/release/check-rat-report.py
dev/release/utils-update-docs-versions.py
docs/source/_static/versionwarning.js
python/pyarrow/_compute_docstrings.py
python/pyarrow/benchmark.py
python/pyarrow/cffi.py
python/pyarrow/csv.py
python/pyarrow/cuda.py
python/pyarrow/flight.py
python/pyarrow/json.py
python/pyarrow/parquet/encryption.py
python/pyarrow/substrait.py
python/pyarrow/tests/arrow_7980.py
python/pyarrow/tests/read_record_batch.py
python/pyarrow/tests/test_deprecations.py
python/scripts/test_imports.py
low System graph cicd CI/CD security conf 1.00 136 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6, and every other tag-pinned `uses:` in the list below, can move without a code change in this repo: a tag is a mutable ref, so whoever controls the action's repository, or a compromised maintainer account, can point it at new code and every workflow referencing the tag runs that code on its next trigger, with the job's `GITHUB_TOKEN` and secrets in scope. Pin actions to a reviewed 40-character commit SHA and keep the human-readable version in a trailing comment (`uses: owner/action@<sha> # vX.Y.Z`) so reviewers and Dependabot can still see which release it is. Caveat: `actions/checkout` and the other `actions/*` actions are maintained by GitHub, which lowers the risk but does not remove it; the pin costs nothing extra there, and the third-party actions in the same workflows are the ones to fix first.
12 files, 108 locations
.github/workflows/cpp_extra.yml:139, 150, 231, 245, 291, 392, 403, 465, +9 more (22 hits)
.github/workflows/r.yml:81, 90, 100, 122, 154, 160, 183, 212, +3 more (11 hits)
.github/workflows/ruby.yml:84, 90, 96, 155, 187, 254, 267, 291, +3 more (11 hits)
.github/workflows/integration.yml:69, 75, 81, 87, 93, 99, 105, 114, +1 more (9 hits)
.github/workflows/python.yml:109, 115, 121, 189, 195, 220, 266, 272, +1 more (9 hits)
.github/workflows/dev.yml:50, 63, 91, 96 (8 hits)
.github/workflows/r_extra.yml:153, 159, 165, 205 (8 hits)
.github/workflows/cpp.yml:118, 131, 179, 235, 251, 366, 413 (7 hits)
CI/CD security · Supply chain · GitHub Actions
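As an added example, not apache/arrow's code and not the scanner's, here is the check behind this finding as a practitioner would run it locally: a line-oriented scan of workflow files that classifies every `uses:` as local, docker, SHA-pinned or tag/branch-pinned, reports SHA pins that lack the version comment, and formats the corrected line. It deliberately needs no YAML library because `uses:` is always a single-line scalar. `SAMPLE_WORKFLOW` is constructed to resemble the flagged workflows, and the 40-hex value in it is a placeholder, not a real commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example for this review; it is not apache/arrow code. It avoids a YAML
dependency on purpose: `uses:` is always a single-line scalar, so a
line-oriented scan is enough. SAMPLE_WORKFLOW is constructed, and the
40-hex value in it is a placeholder, not a real commit.
"""
import re

_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"#\s]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Prefixes of actions GitHub maintains itself (reviewer's list, an assumption).
FIRST_PARTY = ("actions/", "github/")


def classify_uses(ref: str) -> dict:
    """Describe one `uses:` value.

    kind is 'local' (./path), 'docker' (docker://image), 'sha' or 'ref'.
    A 'ref' is a tag or branch; the text cannot tell them apart, and both
    can be moved by whoever controls the action's repository.
    """
    info = {"ref": ref, "action": "", "pin": "", "first_party": False}
    if ref.startswith("./"):
        info["kind"] = "local"
    elif ref.startswith("docker://"):
        info["kind"] = "docker"
    else:
        action, _, pin = ref.rpartition("@")
        info.update(action=action, pin=pin,
                    first_party=action.startswith(FIRST_PARTY),
                    kind="sha" if _SHA_RE.match(pin) else "ref")
    return info


def scan_workflow(path: str, text: str) -> list[dict]:
    """Every `uses:` step in one workflow file, with file, line and comment."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _USES_RE.match(line)
        if not m:
            continue
        info = classify_uses(m.group("ref"))
        info.update(file=path, line=no, comment=(m.group("comment") or "").strip())
        results.append(info)
    return results


def unpinned(results: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split into (movable refs, SHA pins lacking a version comment).

    The second list is worth reporting too: without a trailing `# vX.Y.Z`
    nobody reviewing the diff, and no automated updater, can tell which
    release an opaque SHA corresponds to.
    """
    movable = [r for r in results if r["kind"] == "ref"]
    uncommented = [r for r in results if r["kind"] == "sha" and not r["comment"]]
    return movable, uncommented


def pin(ref: str, sha: str, version: str) -> str:
    """Format the fixed form `owner/action@<sha> # <version>`.

    The SHA must come from a reviewed source outside this script, e.g.
    `git ls-remote --tags https://github.com/owner/action` (take the peeled
    `^{}` entry for an annotated tag) or `gh api repos/owner/action/commits/<tag>`.
    """
    if not _SHA_RE.match(sha):
        raise ValueError("expected a 40-character lowercase hex commit SHA")
    return f"{ref.rpartition('@')[0] or ref}@{sha} # {version}"


PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # not a real commit

# Constructed workflow: one first-party tag pin, one commented SHA pin, one
# uncommented SHA pin, one branch pin, a local action, a docker action, and a
# `run:` line that mentions "uses:" but is not a step.
SAMPLE_WORKFLOW = f"""\
name: cpp
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: actions/setup-python@{PLACEHOLDER_SHA} # v5.6.0
      - uses: someorg/lint-action@{PLACEHOLDER_SHA}
      - uses: someorg/other-action@main
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
      - run: echo "uses: not-a-step"
"""

if __name__ == "__main__":
    movable, uncommented = unpinned(
        scan_workflow(".github/workflows/cpp.yml", SAMPLE_WORKFLOW))
    for r in movable:
        print(f"{r['file']}:{r['line']} {r['ref']} is tag/branch-pinned"
              f"{' (first-party)' if r['first_party'] else ''}")
    for r in uncommented:
        print(f"{r['file']}:{r['line']} {r['ref']} lacks a version comment")
    print(pin("actions/checkout@v6", PLACEHOLDER_SHA, "v6.0.1"))
```

Point `scan_workflow` at each file under `.github/workflows/` to reproduce the list above. The `docker://` case is reported separately rather than as unpinned because it is the Docker finding earlier on this page, not this one: it should carry an `@sha256:` digest, which `_SHA_RE` does not check.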
low System graph quality Integrity conf 1.00 6 groups Near-duplicate function bodies (same first-5-line body hash)
Functions whose first five body lines hash identically. The rule's template calls this *the* AI-coder failure mode (4× more duplication in vibe-coded repos, see https://jw.hn/ai-code-hygiene) and asks you to consolidate or document why they're separate. Caveat for these hits: five of the six groups are same-named methods inside dev/archery/archery/integration/datagen.py, and the three `validate` methods are the per-language integration testers implementing one interface, i.e. short polymorphic overrides whose opening lines naturally coincide; a five-line prefix hash cannot distinguish that from copy-paste, and most of this code predates AI coding assistants. The remaining group, `show` in dev/merge_arrow_pr.py, has two copies in one file and is the one that merits a look.
Groups:
column_class in dev/archery/archery/integration/datagen.py: 12 places
show in dev/merge_arrow_pr.py: 2 places (12 occurrences, repo-level)
generate_column in dev/archery/archery/integration/datagen.py: 22 places
validate in dev/archery/archery/integration/tester_go.py, tester_java.py, tester_rust.py: 3 places (4 occurrences, repo-level)
get_json in dev/archery/archery/integration/datagen.py: 6 places
numpy_type in dev/archery/archery/integration/datagen.py: 7 places
duplicates · duplication
low System graph quality Integrity conf 1.00 13 occurrences Old/deprecated-named symbol
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover); the rule asks you to confirm and delete, or rename if it's the active version. Caveat: none of the 13 hits carries one of those suffixes. The matcher has fired on `_copy` (`allow_copy`, `index_copy`, `_link_or_copy`, the `*_zero_copy` names), on `_unused`, and on version numbers that name a file-format or API version rather than a superseded implementation. `allow_copy` is the parameter name fixed by the DataFrame Interchange Protocol that pyarrow/interchange implements and cannot be renamed, and `test_timedelta_with_nulls_v1` exercises Feather version 1 files. Treat this group as false positives unless a reader of the specific file finds otherwise.
13 files, 13 locations
_can_definitely_zero_copy python/pyarrow/pandas_compat.py:645
_link_or_copy python/scripts/update_stub_docstrings.py:205
allow_copy python/pyarrow/interchange/buffer.py:52
allow_copy python/pyarrow/interchange/column.py:203
allow_copy python/pyarrow/interchange/dataframe.py:49
allow_copy python/pyarrow/interchange/from_dataframe.py:63
allow_copy python/pyarrow/tests/interchange/test_conversion.py:493
dataset_v2 python/pyarrow/parquet/core.py:1293
index_copy python/pyarrow/fs.py:234
test_release_unused python/pyarrow/tests/test_memory.py:125
test_singleton_blocks_zero_copy python/pyarrow/tests/test_pandas.py:3889
test_timedelta_with_nulls_v1 python/pyarrow/tests/test_feather.py:493
test_to_numpy_zero_copy python/pyarrow/tests/test_array.py:180
old marker · Dead code
low System graph software Dead code conf 1.00 25 occurrences Possibly dead Python function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler. Caveat: every hit is in developer tooling (dev/archery, dev/release, dev/merge_arrow_pr.py), not in the shipped libraries, and the names are typical of what a caller-graph scan cannot see: `wrapper` is the inner function of a decorator, `callback` and `case_wrapper` are passed around as values, `credentials`, `push_update_reference` and `update_tips` (three adjacent definitions in crossbow/core.py) are the method names of pygit2's `RemoteCallbacks`, which the library itself invokes during fetch and push, and `check_language`, `show_help` and `validate_arrow_sources` look like CLI entry points or option validators dispatched by the command-line framework. Grep for the bare name, including inside strings and decorators, before removing any of them; if `credentials` really is unreachable, check how the crossbow push path obtains its token instead.
25 locations
bytes_per_seconds_fmt dev/archery/archery/benchmark/compare.py:35
callback dev/archery/archery/lang/python.py:198
case_wrapper dev/archery/archery/integration/runner.py:241
check_language dev/archery/archery/cli.py:296
credentials dev/archery/archery/crossbow/core.py:191
find_unused_port dev/archery/archery/integration/util.py:158
group_key dev/archery/archery/benchmark/jmh.py:192
group_key dev/archery/archery/benchmark/google.py:173
is_client dev/archery/archery/integration/runner.py:136
is_default_branch dev/archery/archery/crossbow/core.py:901
is_server dev/archery/archery/integration/runner.py:133
is_target dev/release/download_rc_binaries.py:283
items_per_seconds_fmt dev/archery/archery/benchmark/compare.py:24
markdown_escape dev/archery/archery/utils/report.py:24
missing_patterns dev/archery/archery/crossbow/core.py:1096
push_update_reference dev/archery/archery/crossbow/core.py:185
run_gold dev/archery/archery/integration/runner.py:120
show_help dev/archery/archery/bot.py:50
strip_ci_directives dev/merge_arrow_pr.py:109
update_tips dev/archery/archery/crossbow/core.py:188
url dev/archery/archery/crossbow/reports.py:68
validate_arrow_sources dev/archery/archery/utils/cli.py:44
version_tuple dev/merge_arrow_pr.py:200
wrapper dev/archery/archery/utils/command.py:45
wrapper dev/archery/archery/utils/git.py:28
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS: .github/workflows/dev_pr/helpers.js:58
Rule id: fq.console-leak. The rule's template advice (replace with the toast helper or an error boundary; `console.warn` / `console.error` are acceptable; hygiene, easy to leak debug output) assumes browser code. This file is a helper loaded by a GitHub Actions workflow, where `console.log` is the normal way to write to the job log, so the call itself is fine and the question is what it prints: the log of a workflow in a public repository is public, so the statement must never emit tokens, full API responses, or unescaped content taken from a pull request author. Keep the call, review its arguments.
fq.console-leak
low System graph quality Integrity conf 1.00 8 occurrences Stub function (body is just `pass`/`return`)
Likely an AI scaffold that was never filled in; the rule says remove or implement. Caveat: an empty body is often the correct implementation of an interface hook, and several of these are exactly that: `display_hint` is the optional method of the GDB pretty-printer API, `push_update_reference` is a pygit2 `RemoteCallbacks` hook, `release` in the vendored packaging `version.py` is the legacy-version property that returns `None` by contract, and `check_returncode` in archery's testing helpers reads like a test double of `subprocess.CompletedProcess` that is meant to do nothing. Check the enclosing class before treating any of them as unfinished.
8 locations
_get_dictionary dev/archery/archery/integration/datagen.py:62
check_returncode dev/archery/archery/testing.py:47
date dev/archery/archery/crossbow/reports.py:296
display_hint cpp/gdb_arrow.py:1615
fields dev/archery/archery/utils/report.py:42
load_pyodide python/scripts/run_emscripten_tests.py:208
push_update_reference dev/archery/archery/crossbow/core.py:185
release python/pyarrow/vendored/version.py:179
Empty handler · Dead code
low System graph quality Complexity conf 1.00 15 occurrences Very large file (>800 lines)
Files with >800 lines often hide complexity hotspots and discourage tests. Caveat: 11 of the 15 are pytest modules under python/pyarrow/tests, where size tracks the surface area of the API under test and the "discourage tests" rationale does not apply; cpp/gdb_arrow.py is a GDB pretty-printer extension, and dev/archery/archery/crossbow/core.py and dev/archery/archery/integration/datagen.py are developer tooling. The one shipped library file, python/pyarrow/parquet/core.py (2508 lines), is the hit where splitting would actually help readers and reviewers.
15 files
cpp/gdb_arrow.py (2451 lines)
dev/archery/archery/crossbow/core.py (1400 lines)
dev/archery/archery/integration/datagen.py (2055 lines)
python/pyarrow/parquet/core.py (2508 lines)
python/pyarrow/tests/test_array.py (4470 lines)
python/pyarrow/tests/test_compute.py (4177 lines)
python/pyarrow/tests/test_convert_builtin.py (2620 lines)
python/pyarrow/tests/test_csv.py (2221 lines)
python/pyarrow/tests/test_dataset.py (5942 lines)
python/pyarrow/tests/test_extension_type.py (2194 lines)
python/pyarrow/tests/test_flight.py (2823 lines)
python/pyarrow/tests/test_fs.py (2287 lines)
python/pyarrow/tests/test_io.py (2237 lines)
python/pyarrow/tests/test_pandas.py (5378 lines)
python/pyarrow/tests/test_table.py (4098 lines)
API access

This page is publicly accessible at: https://repobility.com/scan/22ac6ece-0010-4fbd-8208-25335a665c2d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/22ac6ece-0010-4fbd-8208-25335a665c2d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.