
Scan timing: clone 2.91s · analysis 8.19s · 17.8 MB · GitHub API rate-limit (preflight)

jd-opensource/OxyGent

https://github.com/jd-opensource/OxyGent · scanned 2026-05-31 01:24 UTC (5 days, 7 hours ago) · 10 languages

707 findings (257 legacy + 450 scanner) 61st percentile · Python · medium (20-100K LoC) Scanner says 57 (higher by 6)


Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 482 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5
Component              Sub-score   Weight   Contribution
structure_score             40.0     0.15           6.00
security_score              34.2     0.25           8.55
testing_score               93.0     0.20          18.60
documentation_score        100.0     0.15          15.00
practices_score             77.0     0.15          11.55
code_quality                30.6     0.10           3.06
Overall                               1.00           62.8
Active filters: excluding tests
Scan summary Repository scanned at 56.9/100 with 88.9% coverage. It contains 4381 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 225 findings — concentrated in software (58), security (56), api (50). Risk profile is high: 0 critical, 53 high, 10 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 411 of 482 findings.

critical · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
  Review and fix per the pattern semantics. See CWE-502 for context.
  oxygent/embedding_cache.py:128 · quality · legacy

critical · Legacy · quality · quality · conf 1.00 · [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
  Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
  oxygent/embedding_cache.py:128 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Missing import: `asyncio` used but not imported
  The file uses `asyncio.something(...)` but never imports `asyncio`. This raises NameError at runtime the first time the line executes.
  function_hubs/chart/flow_image_gen_tools.py:984 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Missing import: `queue` used but not imported
  The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
  oxygent/schemas/oxy.py:576 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Missing import: `queue` used but not imported
  The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
  oxygent/mas.py:1733 · quality · legacy
high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /rating/{rating_id}.
  oxygent/routes.py:1395 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /debug/rating_stats/{trace_id}.
  oxygent/routes.py:986 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /debug/trace/{trace_id}.
  oxygent/routes.py:1003 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /history/{kb_name}/{trigger_id}.
  applications/oxybank/app/api/endpoints/trigger/history.py:91 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /rating/{trace_id}.
  oxygent/routes.py:883 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /rating/{trace_id}/current.
  oxygent/routes.py:919 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /rating/{trace_id}/history.
  oxygent/routes.py:951 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{kb_name}/{trigger_id}.
  applications/oxybank/app/api/endpoints/trigger/crud.py:87 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /rating/{trace_id}/rebuild_stats.
  oxygent/routes.py:1363 · auth · legacy

high · Legacy · security · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /{kb_name}/{trigger_id}.
  applications/oxybank/app/api/endpoints/trigger/crud.py:130 · auth · legacy
low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED001] Bare Except Pass: except: pass or except Exception: pass silently swallows everything, including KeyboardInterrupt and bugs.
  Review and fix per the pattern semantics. See CWE-755 for context.
  mcp_servers/kubernetes_mcp_server/config_tools.py:72 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED001] Bare Except Pass: except: pass or except Exception: pass silently swallows everything, including KeyboardInterrupt and bugs.
  Review and fix per the pattern semantics. See CWE-755 for context.
  applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py:205 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED001] Bare Except Pass: except: pass or except Exception: pass silently swallows everything, including KeyboardInterrupt and bugs.
  Review and fix per the pattern semantics. See CWE-755 for context.
  applications/oxybank/app/api/log/log_config.py:40 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used in a security context (not just checksums).
  Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
  applications/oxybank/utils/files_process.py:4 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used in a security context (not just checksums).
  Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
  applications/oxybank/utils/file_util.py:4 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used in a security context (not just checksums).
  Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
  applications/oxybank/app/api/models.py:64 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
  Review and fix per the pattern semantics. See CWE-78 for context.
  oxygent/preset_tools/shell_tools.py:26 · quality · legacy
high · Legacy · security · injection · conf 0.85 · [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
  Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
  applications/oxybank/app/api/endpoints/annotation/data.py:175 · injection · legacy

low · Legacy · software · xss · conf 1.00 · [SEC040] innerHTML XSS, template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
  For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
  oxygent/web/js/flowchart.js:55 · xss · legacy

low · Legacy · software · xss · conf 1.00 · [SEC040] innerHTML XSS, template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
  For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
  function_hubs/chart/web/js/app.js:28 · xss · legacy

low · Legacy · software · xss · conf 1.00 · [SEC040] innerHTML XSS, template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
  For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
  function_hubs/chart/static_files_utils.py:123 · xss · legacy

high · Legacy · quality · quality · conf 1.00 · [SEC082] Python: paramiko AutoAddPolicy or no host-key verification: AutoAddPolicy / WarningPolicy disables SSH host-key verification and is vulnerable to MITM. Ported from bandit B507 / dlint DUO133 (Apache-2.0 / BSD-3).
  Use `paramiko.RejectPolicy()` and pre-populate known_hosts via `client.load_system_host_keys()`.
  oxygent/oxy/agents/shell_use_agent.py:40 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
  Use execFile / spawn with a separate args array; never pass shell strings.
  oxygent/preset_tools/python_tools.py:26 · quality · legacy

high · Legacy · security · injection · conf 1.00 · [SEC103] LDAP injection, non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
  Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
  function_hubs/train_ticket_tools.py:139 · injection · legacy

high · Legacy · security · crypto · conf 1.00 · [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
  Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement an `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.
  oxygent/oxy/agents/shell_use_agent.py:40 · crypto · legacy
high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._check_trace_exists` used but never assigned in __init__
  Method `create_rating` of class `EvaluationManager` reads `self._check_trace_exists`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:178 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._create_empty_stats` used but never assigned in __init__
  Method `_update_rating_stats` of class `EvaluationManager` reads `self._create_empty_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:336 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._create_empty_stats` used but never assigned in __init__
  Method `_update_rating_stats` of class `EvaluationManager` reads `self._create_empty_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:293 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._embed_and_cache` used but never assigned in __init__
  Method `_get_multiple` of class `EmbeddingCache` reads `self._embed_and_cache`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:185 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._embed_and_cache` used but never assigned in __init__
  Method `_get_multiple` of class `EmbeddingCache` reads `self._embed_and_cache`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:191 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_client_ip` used but never assigned in __init__
  Method `create_rating` of class `EvaluationManager` reads `self._get_client_ip`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:195 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_es_client` used but never assigned in __init__
  Method `get_rating_stats` of class `EvaluationManager` reads `self._get_es_client`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:348 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_es_client` used but never assigned in __init__
  Method `create_rating` of class `EvaluationManager` reads `self._get_es_client`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:175 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_hits_total` used but never assigned in __init__
  Method `get_rating_stats` of class `EvaluationManager` reads `self._get_hits_total`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:359 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_hits_total` used but never assigned in __init__
  Method `_update_rating_stats` of class `EvaluationManager` reads `self._get_hits_total`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:295 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_hits_total` used but never assigned in __init__
  Method `_check_trace_exists` of class `EvaluationManager` reads `self._get_hits_total`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:246 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_multiple` used but never assigned in __init__
  Method `get` of class `EmbeddingCache` reads `self._get_multiple`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:168 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_or_queue` used but never assigned in __init__
  Method `_get_multiple` of class `EmbeddingCache` reads `self._get_or_queue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:179 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._get_single` used but never assigned in __init__
  Method `get` of class `EmbeddingCache` reads `self._get_single`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:170 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._refresh_index` used but never assigned in __init__
  Method `_update_rating_stats` of class `EvaluationManager` reads `self._refresh_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:326 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._refresh_index` used but never assigned in __init__
  Method `create_rating` of class `EvaluationManager` reads `self._refresh_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:205 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._update_rating_stats` used but never assigned in __init__
  Method `create_rating` of class `EvaluationManager` reads `self._update_rating_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/evaluation_manager.py:208 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.get_md5` used but never assigned in __init__
  Method `_get_or_queue` of class `EmbeddingCache` reads `self.get_md5`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:205 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.get_md5` used but never assigned in __init__
  Method `_get_single` of class `EmbeddingCache` reads `self.get_md5`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:197 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.get_md5` used but never assigned in __init__
  Method `set` of class `EmbeddingCache` reads `self.get_md5`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:159 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.get_md5` used but never assigned in __init__
  Method `is_in` of class `EmbeddingCache` reads `self.get_md5`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:156 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.save` used but never assigned in __init__
  Method `__exit__` of class `EmbeddingCache` reads `self.save`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:223 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.save` used but never assigned in __init__
  Method `set` of class `EmbeddingCache` reads `self.save`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:162 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.set` used but never assigned in __init__
  Method `_embed_and_cache` of class `EmbeddingCache` reads `self.set`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:214 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.set` used but never assigned in __init__
  Method `_get_single` of class `EmbeddingCache` reads `self.set`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
  oxygent/embedding_cache.py:201 · quality · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v4`
  `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is what made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock it with Dependabot or Renovate.
  .github/workflows/ci.yml:19 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/github-script` pinned to mutable ref `@v7`
  `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is what made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock it with Dependabot or Renovate.
  .github/workflows/auto-manage-issues.yml:18 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/setup-python` pinned to mutable ref `@v4`
  `uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is what made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock it with Dependabot or Renovate.
  .github/workflows/ci.yml:22 · dependency · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Blocking call `input` inside async function `start_cli_mode`
  `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
  oxygent/mas.py:1245 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Blocking call `time.sleep` inside async function `main`
  `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
  examples/a2a/demo_a2a_oxygent_task_followup_client.py:66 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Blocking call `time.sleep` inside async function `on_message_send_stream`
  `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
  examples/a2a/google_sdk_interop/demo_google_sdk_a2a_server.py:119 · quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI DELETE /api/prompts/{prompt_key} has no auth
Handler `delete_prompt` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:631 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI DELETE /rating/clear_all has no auth
Handler `clear_all_rating_data` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:1032 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI DELETE /rating/{rating_id} has no auth
Handler `delete_rating` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:1396 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST (unknown path) has no auth
Handler `unified` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
examples/a2a/langchain_interop/demo_langchain_a2a_server.py:106 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST (unknown path) has no auth
Handler `unified` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
examples/a2a/langgraph_interop/demo_langgraph_a2a_server.py:118 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /api/prompts/ has no auth
Handler `create_prompt` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:501 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /api/prompts/optimize has no auth
Handler `optimize_prompt` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:1440 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /api/prompts/{prompt_key}/revert/{target_version} has no auth
Handler `revert_prompt_to_version` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:704 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /call has no auth
Handler `call` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:272 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /generate has no auth
Handler `generate_flowchart` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
function_hubs/chart/flowchart_api.py:50 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /level has no auth
Handler `set_log_level_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/oxybank/app/api/log/log_config.py:67 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /rating has no auth
Handler `create_rating` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:843 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /rating/setup_indices has no auth
Handler `setup_rating_indices` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:1055 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /rating/{trace_id}/rebuild_stats has no auth
Handler `rebuild_rating_stats` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:1364 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /save-flowchart has no auth
Handler `save_flowchart` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
function_hubs/chart/flowchart_api.py:25 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /save_script has no auth
Handler `save_script` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:363 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /upload has no auth
Handler `upload_file` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:109 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /user_profile_deposit has no auth
Handler `user_profile_deposit` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/bank_manager_by_bank_router.py:31 quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /user_profile_deposit has no auth
Handler `user_profile_deposit` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/bank_manager_by_manual_api.py:31 quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /user_profile_deposit has no auth
Handler `user_profile_deposit` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/bank_manager_by_api_router.py:24 quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /user_profile_retrieve has no auth
Handler `user_profile_retrieve` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/bank_manager_by_bank_router.py:20 quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /user_profile_retrieve has no auth
Handler `user_profile_retrieve` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/bank_manager_by_manual_api.py:15 quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /user_profile_retrieve has no auth
Handler `user_profile_retrieve` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/bank_manager_by_api_router.py:10 quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI POST /{kb_name} has no auth
Handler `create_kb_query_interface` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
applications/oxybank/app/api/dynamic/query_endpoint.py:30 quality · legacy
high Legacy quality quality conf 0.80 ✓ Repobility FastAPI PUT /api/prompts/{prompt_key} has no auth
Handler `update_prompt` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
oxygent/routes.py:542 quality · legacy
high 9-layer quality integrity conf 1.00 Blocking `requests.post(...)` inside `async def workflow` — examples/backend/demo_human_in_the_loop.py:16
Sync I/O inside an async function blocks the event loop. While `requests.post(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_t…
examples/backend/demo_human_in_the_loop.py:16 integrity · sync-io-in-async · performance
high 9-layer quality integrity conf 1.00 Blocking `time.sleep(...)` inside `async def main` — examples/a2a/demo_a2a_oxygent_task_followup_client.py:66
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
examples/a2a/demo_a2a_oxygent_task_followup_client.py:66 integrity · sync-io-in-async · performance
high 9-layer security auth conf 1.00 FastAPI DELETE `clear_all_rating_data` without auth dependency — oxygent/routes.py:1031
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:1031 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_knowledge_base` without auth dependency — applications/oxybank/app/api/endpoints/knowledge_base.py:177
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/knowledge_base.py:177 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_prompt` without auth dependency — oxygent/routes.py:630
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:630 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_rating` without auth dependency — oxygent/routes.py:1395
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:1395 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_trigger` without auth dependency — applications/oxybank/app/api/endpoints/trigger/crud.py:168
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/trigger/crud.py:168 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `disable_trigger` without auth dependency — applications/oxybank/app/api/endpoints/trigger/crud.py:247
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/trigger/crud.py:247 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `enable_trigger` without auth dependency — applications/oxybank/app/api/endpoints/trigger/crud.py:211
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/trigger/crud.py:211 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `approve_data` without auth dependency — applications/oxybank/app/api/endpoints/annotation/data.py:179
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/annotation/data.py:179 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `call` without auth dependency — oxygent/routes.py:271
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:271 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `cancel_task_slash` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:783
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:783 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `cancel_task` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:777
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:777 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_kb_query_interface` without auth dependency — applications/oxybank/app/api/dynamic/query_endpoint.py:25
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/dynamic/query_endpoint.py:25 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_knowledge_base` without auth dependency — applications/oxybank/app/api/endpoints/knowledge_base.py:99
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/knowledge_base.py:99 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_prompt` without auth dependency — oxygent/routes.py:500
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:500 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_rating` without auth dependency — oxygent/routes.py:842
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:842 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_trigger` without auth dependency — applications/oxybank/app/api/endpoints/trigger/crud.py:22
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/trigger/crud.py:22 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `deposit_batch` without auth dependency — applications/oxybank/app/api/endpoints/annotation/deposit.py:67
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/annotation/deposit.py:67 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `deposit` without auth dependency — applications/oxybank/app/api/endpoints/annotation/deposit.py:19
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/annotation/deposit.py:19 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `generate_flowchart` without auth dependency — function_hubs/chart/flowchart_api.py:49
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
function_hubs/chart/flowchart_api.py:49 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `get_task_slash` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:771
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:771 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `get_task` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:765
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:765 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `ingest_kb_data` without auth dependency — applications/oxybank/app/api/endpoints/knowledge_file.py:591
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/knowledge_file.py:591 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `ingest_kb_file` without auth dependency — applications/oxybank/app/api/endpoints/knowledge_file.py:345
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/knowledge_file.py:345 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `ingest_to_kb` without auth dependency — applications/oxybank/app/api/endpoints/annotation/kb.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/annotation/kb.py:14 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `manual_trigger` without auth dependency — applications/oxybank/app/api/endpoints/trigger/manual.py:17
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/trigger/manual.py:17 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `optimize_prompt` without auth dependency — oxygent/routes.py:1439
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:1439 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `rebuild_rating_stats` without auth dependency — oxygent/routes.py:1363
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:1363 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `reject_data` without auth dependency — applications/oxybank/app/api/endpoints/annotation/data.py:231
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/annotation/data.py:231 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `revert_prompt_to_version` without auth dependency — oxygent/routes.py:700
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:700 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `save_flowchart` without auth dependency — function_hubs/chart/flowchart_api.py:24
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
function_hubs/chart/flowchart_api.py:24 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `save_script` without auth dependency — oxygent/routes.py:362
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:362 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `send_message_slash` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:759
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:759 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `send_message` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:753
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:753 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `set_log_level_endpoint` without auth dependency — applications/oxybank/app/api/log/log_config.py:66
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/log/log_config.py:66 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `setup_rating_indices` without auth dependency — oxygent/routes.py:1054
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:1054 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `unified_entry_slash` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:748
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:748 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `unified_entry` without auth dependency — oxygent/transport/a2a/a2a_server_gateway.py:743
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/transport/a2a/a2a_server_gateway.py:743 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `update_kb_schema` without auth dependency — applications/oxybank/app/api/endpoints/knowledge_base.py:328
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/knowledge_base.py:328 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_file` without auth dependency — oxygent/routes.py:108
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:108 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_kb_file` without auth dependency — applications/oxybank/app/api/endpoints/knowledge_file.py:185
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/knowledge_file.py:185 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `user_profile_deposit` without auth dependency — applications/bank_manager_by_api_router.py:23
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/bank_manager_by_api_router.py:23 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `user_profile_deposit` without auth dependency — applications/bank_manager_by_bank_router.py:30
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/bank_manager_by_bank_router.py:30 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `user_profile_deposit` without auth dependency — applications/bank_manager_by_manual_api.py:30
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/bank_manager_by_manual_api.py:30 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `user_profile_retrieve` without auth dependency — applications/bank_manager_by_api_router.py:9
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/bank_manager_by_api_router.py:9 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `user_profile_retrieve` without auth dependency — applications/bank_manager_by_bank_router.py:19
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/bank_manager_by_bank_router.py:19 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `user_profile_retrieve` without auth dependency — applications/bank_manager_by_manual_api.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/bank_manager_by_manual_api.py:14 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_annotation` without auth dependency — applications/oxybank/app/api/endpoints/annotation/data.py:125
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/annotation/data.py:125 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_prompt` without auth dependency — oxygent/routes.py:541
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
oxygent/routes.py:541 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_trigger` without auth dependency — applications/oxybank/app/api/endpoints/trigger/crud.py:130
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
applications/oxybank/app/api/endpoints/trigger/crud.py:130 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in oxygent/preset_tools/python_tools.py:26
Found a known-risky pattern (exec_used). Review and replace if possible.
oxygent/preset_tools/python_tools.py:26 owasp · exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in oxygent/databases/db_vector/vearch_db.py:961
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
oxygent/databases/db_vector/vearch_db.py:961 owasp · tls_verify_false
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
auth · legacy
high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /api/prompts/{prompt_key}.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /api/prompts/{prompt_key}.
oxygent/routes.py:630 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /rating/clear_all.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /rating/clear_all.
oxygent/routes.py:1031 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /rating/{rating_id}.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /rating/{rating_id}.
oxygent/routes.py:1395 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/prompts/{prompt_key}.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/prompts/{prompt_key}.
oxygent/routes.py:476 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/prompts/{prompt_key}/history.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/prompts/{prompt_key}/history.
oxygent/routes.py:681 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /debug/rating_stats/{trace_id}.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /debug/rating_stats/{trace_id}.
oxygent/routes.py:986 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/prompts/.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/prompts/.
oxygent/routes.py:500 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /rating.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /rating.
oxygent/routes.py:842 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /rating/setup_indices.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /rating/setup_indices.
oxygent/routes.py:1054 auth · legacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/prompts/{prompt_key}.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/prompts/{prompt_key}.
oxygent/routes.py:541 auth · legacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{kb_name}/{trigger_id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{kb_name}/{trigger_id}.
applications/oxybank/app/api/endpoints/trigger/crud.py:168 auth · legacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/prompts/search/.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/prompts/search/.
oxygent/routes.py:654 auth · legacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /{kb_name}/{trigger_id}/disable.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /{kb_name}/{trigger_id}/disable.
applications/oxybank/app/api/endpoints/trigger/crud.py:247 auth · legacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /{kb_name}/{trigger_id}/enable.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /{kb_name}/{trigger_id}/enable.
applications/oxybank/app/api/endpoints/trigger/crud.py:211 auth · legacy
medium Legacy security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
authlegacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py:205 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
mcp_servers/kubernetes_mcp_server/config_tools.py:72 error_handlinglegacy
medium Legacy security injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
oxygent/preset_tools/shell_tools.py:26 injectionlegacy
low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
oxygent/embedding_cache.py:128 deserializationlegacy
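Why the SEC007 and pickle findings on this page are rated as code execution, shown with a harmless payload, together with the two fixes a practitioner would actually apply to a cache file. This is an added example, not code from the repository: the `Payload` class, the `_side_effect` marker function and the `DataOnlyUnpickler` are constructed for the demo; `_side_effect` stands in for a reference to something like `os.system` that a real malicious pickle would carry.

```python
"""pickle.loads executes callables named in the stream; a data-only loader refuses them (added example)."""
import io
import json
import pickle

EXECUTED = []  # records side effects that happened *during* unpickling


def _side_effect(marker: str) -> str:
    """Stand-in for what an attacker would reference instead (e.g. os.system)."""
    EXECUTED.append(marker)
    return marker


class Payload:
    """Any object can tell pickle to call a callable on load via __reduce__."""

    def __reduce__(self):
        return (_side_effect, ("ran-during-pickle.loads",))


def craft_malicious_pickle() -> bytes:
    # What an attacker who can write the cache file would plant.
    return pickle.dumps(Payload())


def unsafe_loads(data: bytes):
    # The flagged call: resolves and invokes whatever the stream names.
    return pickle.loads(data)


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL reference. Plain containers, strings
    and numbers never go through find_class, so a cache of float vectors
    still loads; anything that names a module attribute does not."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def safe_loads_or_error(data: bytes):
    """Convenience wrapper: the value, or the refusal message as a string."""
    try:
        return safe_loads(data)
    except pickle.UnpicklingError as exc:
        return f"error: {exc}"


def json_roundtrip(cache: dict) -> dict:
    """The simpler fix for an embedding cache: a format that cannot carry code."""
    return json.loads(json.dumps(cache))
```

For numeric embeddings, JSON or a typed array format is the better default; the restricted unpickler is for the case where an existing on-disk cache format has to keep being read, and even then it only helps if the allowed set stays empty or tiny and is reviewed when it changes.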
medium Legacy software redos conf 1.00 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.
Three options, pick one: 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes. 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases. 3. Set a hard timeout: `s…
applications/oxybank/web/src/router/routes.ts:95 redoslegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
mcp_servers/kubernetes_mcp_server/config_tools.py:60 qualitylegacy
high Legacy quality quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
examples/a2a/google_sdk_interop/demo_google_sdk_a2a_server.py:32 qualitylegacy
high Legacy quality quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
examples/a2a/agentscope_interop/demo_agentscope_a2a_server.py:31 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
function_hubs/train_ticket_tools.py:226 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:651 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:631 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:140 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:599 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:133 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:878 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:412 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:338 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:280 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:966 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:806 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:525 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:299 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:1117 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:1093 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:1042 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:957 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:892 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:760 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:659 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:605 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:458 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:428 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
mcp_servers/tts_tools.py:153 qualitylegacy
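The ERR001, SEC136 and bare-except findings above all ask for the same change: catch the specific type, log with `exc_info`, and hand the caller a failure-shaped result instead of a fabricated success. The following is an added example that shows both shapes side by side; it is not code from the repository. The `Result` type, the logger name, the sample config loader and the cleanup helper are assumptions made for the demo, and the `RecordingHandler` exists only so the logged evidence can be checked.

```python
"""Failure-shaped results and logged exceptions instead of silent swallowing (added example)."""
import json
import logging
import os
from dataclasses import dataclass
from typing import Any, Optional

logger = logging.getLogger("oxy.demo")  # hypothetical logger name


@dataclass
class Result:
    ok: bool
    value: Any = None
    error: Optional[str] = None


def load_config_swallowing(text: str) -> dict:
    """The flagged pattern: every failure becomes an empty config with no log
    line, so callers believe the load worked and debug the wrong thing later."""
    try:
        return json.loads(text)
    except Exception:
        return {}


def load_config(text: str) -> Result:
    """Catch only what json.loads raises, log with traceback, and return a
    result the caller cannot mistake for success."""
    try:
        return Result(ok=True, value=json.loads(text))
    except json.JSONDecodeError as exc:
        logger.error("config parse failed at line %d col %d",
                     exc.lineno, exc.colno, exc_info=True)
        return Result(ok=False, error=f"invalid JSON: {exc.msg}")


def remove_if_present(path: str) -> bool:
    """Best-effort cleanup. The expected case (already gone) is logged at
    DEBUG; anything else is still logged, with traceback, before moving on."""
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        logger.debug("cleanup: %s already absent", path)
        return False
    except OSError:
        logger.warning("cleanup failed for %s", path, exc_info=True)
        return False


class RecordingHandler(logging.Handler):
    """Collects records so the logged evidence can be inspected."""

    def __init__(self):
        super().__init__(level=logging.DEBUG)
        self.records = []

    def emit(self, record):
        self.records.append(record)


def attach_recorder() -> RecordingHandler:
    handler = RecordingHandler()
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    return handler
```

The same split applies to the tool servers flagged here: a TTS or Kubernetes tool that hits an API error should return an error-shaped payload to the agent, which can then retry or report, rather than an empty success that the agent will reason over as if it were real data.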
high Legacy security auth conf 0.82 Browser storage is used for session token material
localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.
applications/oxybank/web/src/views/knowledge/recall/index.vue:253 authlegacy
high Legacy security auth conf 0.82 Browser storage is used for session token material
localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.
applications/oxybank/web/src/views/annotation/index.vue:387 authlegacy
high Legacy security auth conf 0.82 Browser storage is used for session token material
localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.
applications/oxybank/web/src/utils/auth.ts:20 authlegacy
high Legacy security auth conf 0.82 Browser storage is used for session token material
localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.
applications/oxybank/web/src/utils/auth.ts:13 authlegacy
high Legacy security auth conf 0.82 Browser storage is used for session token material
localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.
applications/oxybank/web/src/api/index.ts:60 authlegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:69 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:67 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:63 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:59 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:55 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:51 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:47 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:43 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:39 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:35 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:31 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:27 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:23 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:20 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
applications/oxybank/web/src/api/apiDefinitions.ts:19 qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt qualitylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
docs/docs_zh/introduction/tools/opensource-mcp-tools.md:21 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
docs/docs_zh/introduction/getting-started/install.md:15 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
docs/docs_en/introduction/tools/opensource-mcp-tools.md:21 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
docs/docs_en/introduction/getting-started/install.md:15 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
README_zh.md:89 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
README.md:91 dependencylegacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — applications/oxybank/web/src/composables/useAnnotationPlatform.ts:87
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — function_hubs/chart/web/js/app.js:18
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — oxygent/web/js/prompt-manager.js:365
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in oxygent/preset_tools/shell_tools.py:30
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
oxygent/preset_tools/shell_tools.py:30 owaspsubprocess_shell_true
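The SEC005 finding earlier on this page and the `subprocess_shell_true` hit above point at the same construct in shell_tools.py. The added example below, which is not the project's code, shows why `shell=True` turns punctuation in the input into commands, and the shape of the fix: tokenize with `shlex`, enforce an allowlist on the program name, and pass an argv list with `shell=False`. The `ALLOWED_COMMANDS` set is an assumption for the demo; the injected payload only echoes text so the demonstration is harmless.

```python
"""Shell tool hardening: argv with shell=False plus a command allowlist (added example)."""
import shlex
import subprocess

# Hypothetical allowlist; a real agent tool would scope this to the task.
ALLOWED_COMMANDS = {"echo", "ls", "cat", "wc", "grep"}


def run_unsafe(user_input: str) -> str:
    """The flagged pattern: the string reaches /bin/sh, so ';', '$(...)', '|'
    and redirects in the input are interpreted by the shell, not by echo."""
    proc = subprocess.run(user_input, shell=True, capture_output=True,
                          text=True, timeout=5)
    return proc.stdout


def parse_command(user_input: str) -> list:
    """Tokenize the way a shell would (quotes honored) without executing
    anything, then enforce the allowlist on the program name."""
    argv = shlex.split(user_input)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise PermissionError(f"command not allowed: {argv[0]!r}")
    return argv


def run_safe(user_input: str) -> str:
    """argv goes straight to execve: no shell parsing, no expansion, and a
    timeout so a runaway command cannot pin the tool server."""
    argv = parse_command(user_input)
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=5)
    return proc.stdout
```

Two caveats for an agent shell tool specifically. First, the input here is usually produced by the model, so the allowlist is the control that matters; `shell=False` alone does not stop an allowed program from doing damage through its own flags. Second, a tool whose purpose is to run arbitrary commands needs isolation (separate user, namespace or container, resource limits) rather than parsing fixes, because the threat is the model being steered into running the wrong command, not only the command string being malformed.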
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in applications/oxybank/app/api/endpoints/knowledge_file.py:138
Found a known-risky pattern (weak_hash). Review and replace if possible.
applications/oxybank/app/api/endpoints/knowledge_file.py:138 owaspweak_hash
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in applications/oxybank/app/api/models.py:64
Found a known-risky pattern (weak_hash). Review and replace if possible.
applications/oxybank/app/api/models.py:64 owaspweak_hash
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in applications/oxybank/web/openapi/swagger.json:300
Found a known-risky pattern (weak_hash). Review and replace if possible.
applications/oxybank/web/openapi/swagger.json:300 owaspweak_hash
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in oxygent/schemas/oxy.py:89
Found a known-risky pattern (weak_hash). Review and replace if possible.
oxygent/schemas/oxy.py:89 owaspweak_hash
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — examples/backend/demo_human_in_the_loop.py:16
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — function_hubs/train_ticket_tools.py:101
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
low Legacy software race_condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
oxygent/preset_tools/file_tools.py:55 race_conditionlegacy
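The SEC124 recommendation above in working form, as an added example that is not code from file_tools.py. It constructs the attack the finding describes (a dangling symlink planted where the tool is about to write) in a throwaway directory and shows that check-then-open writes through the link while `O_CREAT | O_EXCL` refuses it. The `write_replace_atomically` helper covers the case the create-only open cannot: a file that legitimately gets overwritten. Function names and the scenario are assumptions made for the demo; the behaviour relies on POSIX `open(2)` semantics (Linux or macOS).

```python
"""Check-then-open versus atomic create-only open (added example)."""
import os
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # absent on Windows; harmless there


def write_check_then_open(path: str, data: bytes) -> None:
    """The flagged pattern: the existence check and the open are two syscalls.
    A dangling symlink makes exists() say "no file" and open() create the
    link's target, wherever the attacker pointed it."""
    if not os.path.exists(path):
        with open(path, "wb") as f:
            f.write(data)


def write_create_only(path: str, data: bytes, mode: int = 0o600) -> None:
    """One syscall decides: O_EXCL fails if anything (including a symlink) is
    at the path, and O_NOFOLLOW refuses to traverse a link at the last step."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_replace_atomically(path: str, data: bytes) -> None:
    """For files that are allowed to be overwritten: write a private temp file
    in the same directory, then rename it over the target in one step."""
    dir_name = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dir_name, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def run_demo() -> dict:
    """Constructed scenario: the 'attacker' plants a dangling symlink at the
    output path before each writer runs. Returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for label, writer in (("check_then_open", write_check_then_open),
                              ("create_only", write_create_only)):
            target = os.path.join(workdir, f"{label}-target.txt")  # does not exist yet
            link = os.path.join(workdir, f"{label}-output.txt")
            os.symlink(target, link)
            try:
                writer(link, b"secret report")
                results[label] = "wrote"
            except OSError:
                results[label] = "refused"
            results[f"{label}_target_created"] = os.path.exists(target)

        fresh = os.path.join(workdir, "fresh.txt")
        write_create_only(fresh, b"v1")
        try:
            write_create_only(fresh, b"v2")
            results["second_create_only"] = "wrote"
        except FileExistsError:
            results["second_create_only"] = "refused"
        write_replace_atomically(fresh, b"v2")
        with open(fresh, "rb") as f:
            results["after_replace"] = f.read()
    return results
```

The `mode=0o600` on the create-only open matters as much as `O_EXCL`: a tool that writes agent output into a shared directory should not rely on the umask to keep other local users from reading it.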
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
oxygent/preset_tools/__init__.py:20 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
oxygent/oxy/llms/openai_llm.py:100 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
oxygent/oxy/agents/shell_use_agent.py:144 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
oxygent/oxy/agents/react_agent.py:112 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/math_tools_streamable.py:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/math_tools_streamable.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/math_tools_sse.py:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/kubernetes_mcp_server/helm_tools.py:18 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/kubernetes_mcp_server/core_tools/pods.py:229 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/kubernetes_mcp_server/core_tools/nodes.py:11 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/kubernetes_mcp_server/core_tools/namespaces.py:7 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
mcp_servers/browser/search.py:208 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
function_hubs/chart/web/js/app.js:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/web/src/views/knowledge/types.ts:89 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/web/src/views/knowledge/index.vue:26 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/web/src/views/knowledge/detail/index.vue:19 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/web/src/views/knowledge/detail/components/DocumentTable.vue:160 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/web/src/views/error/500.vue:61 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/utils/files_process.py:7 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/core/storer/doc_manager/es_kb_file_manager.py:186 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/core/storer/doc_manager/es_kb_chunk_manager.py:131 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/core/storer/doc_manager/annotation_manager.py:245 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
applications/oxybank/app/api/endpoints/knowledge_base.py:427 qualitylegacy
low 9-layer quality integrity conf 1.00 23 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `APP_ENV`, `BASE_URL`, `CHATRHINO_750B_API_KEY`, `CHATRHINO_750B_BASE_URL`, `CHATRHINO_750B_MODEL_NAME`, `DEFAULT_VLM_API_KEY`, `DEFAULT_VLM_BASE_URL`, `DEFAULT_VLM_MODEL_NAME` + 15 more. Add them (with a placeholder/comment) to .env.example so onb…
integrityconfig-drift
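A check for the config-drift finding above that can run in CI, added here as an example rather than taken from the repository. It scans source text for `os.environ[...]`, `os.environ.get(...)` and `os.getenv(...)` reads, parses the keys declared in a `.env.example`, and reports both directions of drift. The sample sources and sample `.env.example` are constructed for the demo and reuse a few of the variable names the finding lists; the regexes are a deliberate simplification and will miss reads whose name is not a string literal.

```python
"""Drift between env vars read in code and those documented in .env.example (added example)."""
import re

# Matches os.environ["X"], os.environ.get("X", ...), os.getenv("X", ...)
_ENV_READ = re.compile(
    r"""os\.(?:environ(?:\.get)?|getenv)\s*[\(\[]\s*(['"])([A-Za-z_][A-Za-z0-9_]*)\1"""
)
# Matches KEY=value and export KEY=value lines; comments are skipped separately.
_ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")


def used_env_vars(source: str) -> set:
    """Names read from the environment in one source file (string literals only)."""
    return {m.group(2) for m in _ENV_READ.finditer(source)}


def documented_env_vars(env_example: str) -> set:
    """Keys declared in a .env.example; values are ignored on purpose, since
    the file should only ever hold placeholders, never real secrets."""
    names = set()
    for line in env_example.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def env_drift(sources: dict, env_example: str) -> dict:
    """sources maps a file name to its text. Returns both drift directions."""
    used = set()
    for text in sources.values():
        used |= used_env_vars(text)
    documented = documented_env_vars(env_example)
    return {
        "missing_from_example": sorted(used - documented),
        "unused_in_code": sorted(documented - used),
    }


# Constructed sample inputs (not from the repository).
SAMPLE_SOURCES = {
    "settings.py": (
        "import os\n"
        'APP_ENV = os.environ.get("APP_ENV", "dev")\n'
        "BASE_URL = os.getenv('BASE_URL')\n"
    ),
    "llm.py": (
        'key = os.environ["DEFAULT_VLM_API_KEY"]\n'
        "model = os.environ.get(\n"
        '    "DEFAULT_VLM_MODEL_NAME", "vlm")\n'
    ),
}
SAMPLE_ENV_EXAMPLE = (
    "# copy to .env and fill in\n"
    "BASE_URL=http://localhost:8080\n"
    "export DEFAULT_VLM_API_KEY=\n"
    "LEGACY_FLAG=1\n"
)


def drift_for_samples() -> dict:
    return env_drift(SAMPLE_SOURCES, SAMPLE_ENV_EXAMPLE)
```

Run over a real tree, the "unused_in_code" list is also the place to catch variables that once carried credentials and are now dead documentation, which is worth removing so nobody keeps populating them.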
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/app/api/router.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/alova.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/auto-imports.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/commitlint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/components.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/api/apiDefinitions.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/api/axios.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/api/modules/user.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/config/enums.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/config/theme.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/constant/const.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/locales/en-US.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/locales/zh-CN.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/router/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/types/api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/types/axios.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/types/env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/types/global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/utils/auth.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/utils/storage.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/views/annotation/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/views/knowledge/mock.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/src/views/knowledge/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: applications/oxybank/web/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: function_hubs/chart/web/js/app.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: oxygent/banner.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: oxygent/prompts.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: oxygent/web/js/mermaid-source.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: oxygent/web/js/mermaid.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file. Caveat: this is a vendored, minified third-party bundle sitting next to `mermaid-source.js`, not dead code. The question a reviewer should ask instead is whether the vendored version is recorded and the file's hash matches an upstream release, since a minified bundle cannot be reviewed by reading it.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/auto-manage-issues.yml:18 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:19 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:22 supply-chain · github-actions · pinned-dependencies
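The check behind the three pinning findings, as an added example rather than code from this page or from OxyGent: classify every `uses:` reference in a workflow and report the ones a tag or branch push could move. The "before" and "after" workflow snippets are constructed, and `PLACEHOLDER_SHA` is a stand-in for a reviewed commit, not a real commit of `actions/checkout` or `actions/setup-python`.

```python
"""Flag GitHub Actions `uses:` references that a tag or branch push could silently move.

Added example, not OxyGent code. The workflow text is constructed; PLACEHOLDER_SHA is a
stand-in for a reviewed commit, not a real commit of any action.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?""")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """'local', 'docker', 'sha', 'tag' (tag or branch) or 'unpinned' for one uses: value."""
    if uses.startswith("./"):
        return "local"       # action inside this repo, versioned with the code
    if uses.startswith("docker://"):
        return "docker"      # images are pinned by @sha256: digest instead
    if "@" not in uses:
        return "unpinned"
    ref = uses.rsplit("@", 1)[1]
    return "sha" if FULL_SHA.match(ref) else "tag"


def find_mutable_pins(workflow_text: str) -> list[tuple[int, str, str]]:
    """(line_no, uses_value, kind) for every reference that is not an immutable pin."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        kind = classify_ref(m.group(1))
        if kind in ("tag", "unpinned"):
            hits.append((n, m.group(1), kind))
    return hits


def scan_workflows(repo_root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Run find_mutable_pins over every workflow file under .github/workflows."""
    results = {}
    for wf in sorted(Path(repo_root, ".github", "workflows").glob("*.y*ml")):
        hits = find_mutable_pins(wf.read_text(encoding="utf-8"))
        if hits:
            results[str(wf)] = hits
    return results


PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit

# Constructed "before": tag-pinned, the shape the finding describes.
TAG_PINNED = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
      - uses: ./.github/actions/local-helper
"""

# Constructed "after": SHA-pinned, with the tag kept in a trailing comment so Dependabot
# or Renovate can still recognise the version and bump SHA and comment together.
SHA_PINNED = TAG_PINNED.replace(
    "actions/checkout@v4", f"actions/checkout@{PLACEHOLDER_SHA}  # v4"
).replace(
    "actions/setup-python@v4", f"actions/setup-python@{PLACEHOLDER_SHA}  # v4"
)

if __name__ == "__main__":  # real use: python pin_check.py <repo root>
    if len(sys.argv) > 1:
        for path, hits in scan_workflows(sys.argv[1]).items():
            for n, uses, kind in hits:
                print(f"{path}:{n}: {uses} ({kind})")
    else:
        print("before:", find_mutable_pins(TAG_PINNED))
        print("after: ", find_mutable_pins(SHA_PINNED))
```

Two caveats when acting on the output. A SHA pin only freezes what was reviewed; it does nothing about a release that was already malicious when it was pinned, so the SHA should be one someone actually looked at. And the impact of a moved tag scales with the workflow's token scopes: `auto-manage-issues.yml` is the hit to prioritise if, as an issue-management workflow typically does, it grants `issues: write` or broader permissions to the `GITHUB_TOKEN`.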
low 9-layer quality integrity conf 1.00 Legacy-named symbol `children_copy` in oxygent/oxy/agents/remote_agent.py:50
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. Caveat: this hit is on a `_copy` suffix, which more often names a defensive copy of a mutable structure than a superseded version; check the call site before removing anything.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `core_v1` in mcp_servers/kubernetes_mcp_server/core_tools/events.py:89
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. Caveat: in a Kubernetes client, `core_v1` is the conventional name for a `CoreV1Api` instance, where `v1` is the Kubernetes API group version rather than a legacy marker; this hit and the three sibling hits below are likely false positives and are candidates for an FP vote once confirmed.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `core_v1` in mcp_servers/kubernetes_mcp_server/core_tools/namespaces.py:67
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `core_v1` in mcp_servers/kubernetes_mcp_server/core_tools/nodes.py:43
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `core_v1` in mcp_servers/kubernetes_mcp_server/core_tools/pods.py:68
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_get_org_returns_marked_copy` in tests/unittest/test_remote_agent.py:68
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. Caveat: another `_copy` hit, this time on a test name that describes the behaviour under test rather than a superseded version.
integrity · legacy-marker · dead-code
low 9-layer quality tests conf 1.00 Low test-to-source ratio
93 tests / 373 src (ratio 0.25).
tests
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 10 places
Functions with the same first-5-line body hash: examples/agents/demo_document_analysis_agent.py:main, examples/agents/demo_chat_agent_stream.py:main, examples/live_prompts/demo_live_prompt.py:main, examples/llms/demo_disable_system_prompt.py:main This is *the* AI-coder failure mode (4× more duplic…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: function_hubs/code_interpreter_tools.py:execute_code, function_hubs/code_interpreter_tools.py:execute_code This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: function_hubs/train_ticket_tools.py:get_stations_of_city, function_hubs/train_ticket_tools.py:get_stations This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/a2a/demo_a2a_oxygent_task_followup_client.py:call_once, examples/a2a/demo_a2a_oxygent_client.py:call_once This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docum…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/a2a/langchain_interop/demo_langchain_a2a_server.py:extract_text, examples/a2a/langgraph_interop/demo_langgraph_a2a_server.py:extract_text This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-cod…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/a2a/langchain_interop/demo_langchain_a2a_server.py:build_message, examples/a2a/langgraph_interop/demo_langgraph_a2a_server.py:build_message This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-c…
integrity · duplicate · dry
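Both duplication signals in this report, the cross-file duplicated blocks in the oxybank storer modules and the first-5-line function-body hashes above, can be reproduced with a short script. This is an added example, not code from the page or from OxyGent; the two sample modules it scans are constructed, and the function names (`function_prefix_hashes`, `near_duplicate_functions`, `duplicated_blocks`) are the example's own.

```python
"""Near-duplicate function bodies (first-N-line body hash, as the engine describes) and
line blocks repeated across files. Added example, not OxyGent code; the two sample
modules at the bottom are constructed so the script runs offline."""
from __future__ import annotations

import ast
import hashlib
import sys
from collections import defaultdict
from pathlib import Path


def _normalise(line: str) -> str:
    """Strip indentation and trailing comments (naively: a '#' inside a string is cut too)."""
    return line.split("#", 1)[0].strip()


def function_prefix_hashes(src: str, path: str, n_lines: int = 5) -> dict[str, str]:
    """Map 'path:function' -> sha256 of its first n_lines non-empty normalised body lines."""
    lines = src.splitlines()
    out: dict[str, str] = {}
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        stmts = node.body
        # Skip a leading docstring so identical docs alone do not make bodies "equal".
        if (stmts and isinstance(stmts[0], ast.Expr)
                and isinstance(stmts[0].value, ast.Constant)
                and isinstance(stmts[0].value.value, str)):
            stmts = stmts[1:]
        if not stmts:
            continue
        body = lines[stmts[0].lineno - 1 : node.end_lineno]
        prefix = [ln for ln in map(_normalise, body) if ln][:n_lines]
        out[f"{path}:{node.name}"] = hashlib.sha256("\n".join(prefix).encode()).hexdigest()
    return out


def near_duplicate_functions(sources: dict[str, str], n_lines: int = 5) -> list[list[str]]:
    """Groups of functions whose first n_lines body lines hash identically."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for path, src in sources.items():
        for key, digest in function_prefix_hashes(src, path, n_lines).items():
            by_hash[digest].append(key)
    return sorted(group for group in by_hash.values() if len(group) > 1)


def duplicated_blocks(sources: dict[str, str], window: int = 5) -> list[tuple[str, list[str]]]:
    """Runs of `window` consecutive normalised lines that occur in more than one file."""
    seen: dict[str, set[str]] = defaultdict(set)
    for path, src in sources.items():
        lines = [ln for ln in map(_normalise, src.splitlines()) if ln]
        for i in range(len(lines) - window + 1):
            seen["\n".join(lines[i : i + window])].add(path)
    return sorted((block, sorted(paths)) for block, paths in seen.items() if len(paths) > 1)


# Constructed sample: two demo scripts with the same five-line start-up preamble and a
# chunking helper copied between them under different names.
SAMPLE_SOURCES = {
    "demo_a.py": '''
async def main():
    """Demo A."""
    config = load_config()
    mas = build_mas(config)
    await mas.start()
    logger.info("ready")
    await mas.warm_up()
    await mas.chat("hello from a")
def split_chunks(text, size):
    chunks = []
    for i in range(0, len(text), size):
        chunks.append(text[i:i + size])
    return chunks
''',
    "demo_b.py": '''
async def main():
    config = load_config()  # same preamble as demo_a
    mas = build_mas(config)
    await mas.start()
    logger.info("ready")
    await mas.warm_up()
    await mas.chat("hello from b")
def make_chunks(text, size):
    chunks = []
    for i in range(0, len(text), size):
        chunks.append(text[i:i + size])
    return chunks
''',
}

if __name__ == "__main__":  # real use: python dupes.py <directory of .py files>
    sources = SAMPLE_SOURCES if len(sys.argv) < 2 else {
        str(p): p.read_text(encoding="utf-8", errors="ignore") for p in Path(sys.argv[1]).rglob("*.py")}
    for group in near_duplicate_functions(sources):
        print("near-duplicate functions:", ", ".join(group))
    for block, paths in duplicated_blocks(sources):
        print(f"block shared by {paths}:\n  " + block.replace("\n", "\n  "))
```

A prefix hash is deliberately coarse. The engine's 10-place hit on `main` across `examples/` is the preamble case: scripts share their set-up lines and diverge afterwards, so lengthen `n_lines` or read the bodies before consolidating. A same-file pair such as the two `execute_code` entries above points to a redefinition or a nested helper; in Python a later `def` at the same scope silently replaces the earlier one, so confirm which body the tool registry actually binds. Cross-file copies like the oxybank storer blocks are the riskier kind: a security fix applied to one copy leaves the others behind.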

Showing first 300 of 411. Refine filters or use the legacy findings page for deep search.


This page is publicly accessible at: https://repobility.com/scan/265b0750-c349-4696-b5c2-85ab2c95b0b9/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/265b0750-c349-4696-b5c2-85ab2c95b0b9/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.