File as GitHub Issue (repo: facebook/hhvm)

Push this scan report to facebook/hhvm

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Issue title

Missing import: `string` used but not imported

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
CRIT MINED107 [MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(..… third-party/thrift/src/thrift/lib/py/ut…:48
CRIT MINED107 [MINED107] Missing import: `struct` used but not imported: The file uses `struct.somethin… third-party/thrift/src/thrift/lib/py/ut…:44
CRIT MINED107 [MINED107] Missing import: `socket` used but not imported: The file uses `socket.somethin… third-party/thrift/src/thrift/lib/py/se…:150
CRIT MINED107 [MINED107] Missing import: `string` used but not imported: The file uses `string.somethin… third-party/thrift/src/thrift/lib/py/pr…:637
CRIT MINED107 [MINED107] Missing import: `string` used but not imported: The file uses `string.somethin… third-party/thrift/src/thrift/lib/py/pr…:173
CRIT MINED107 [MINED107] Missing import: `struct` used but not imported: The file uses `struct.somethin… third-party/thrift/src/thrift/lib/pytho…:503
CRIT MINED005 [MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection. hphp/hack/src/heap/globalStorage.ml:32
CRIT MINED022 [MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf. hphp/hack/src/utils/cgroup/cGroup.ml:14
CRIT MINED022 [MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf. hphp/hack/src/server/serverInitTypes.ml:53
CRIT MINED022 [MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf. hphp/hack/src/diagnostics/user_diagnost…:261
CRIT MINED015 [MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection. hphp/hack/src/simplihack/simplihack_int…:9
CRIT MINED015 [MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection. hphp/hack/src/milner/milner.ml:157
CRIT MINED015 [MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection. hphp/hack/src/client/ide_service/code_a…:68
HIGH MINED002 [MINED002] Dart Null Bang: value! throws on null. Use ?. or null check. hphp/hack/src/typing/typing_argument.ml:148
HIGH MINED002 [MINED002] Dart Null Bang: value! throws on null. Use ?. or null check. hphp/hack/src/typing/type_mapper_forget…:42
HIGH MINED041 [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but convent… hphp/hack/src/hackrs/ty/reason.rs:182
HIGH MINED041 [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but convent… hphp/hack/src/hackc/hhbc/unit_cbindgen.…:11
HIGH MINED041 [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but convent… hphp/hack/src/hackc/ffi/ffi_ffi_cbindge…:16
HIGH MINED039 [MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path. hphp/hack/src/hackc/ir/ir_core/func_bui…:238
HIGH MINED039 [MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path. hphp/hack/src/hackc/ir/conversions/text…:31
HIGH MINED039 [MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path. hphp/hack/src/diagnostics/diagnostics.rs:43
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … hphp/hack/src/decl/remote_old_decl_clie…:122
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … hphp/hack/src/client_and_server/serverR…:141
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … hphp/hack/src/client/ide_service/client…:143
HIGH MINED011 [MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use get… hphp/hack/src/globals/globalConfig.ml:20
HIGH MINED011 [MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use get… hphp/hack/src/dfind/dfind_add_file.ml:115
HIGH MINED011 [MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use get… hphp/hack/src/batch/batch_init.ml:69
HIGH MINED003 [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky … hphp/hack/src/depgraph/depgraph_reader/…:67
HIGH MINED003 [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky … hphp/hack/src/asdl_to_rust/lrgen/lrgen.…:33
HIGH MINED003 [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky … hphp/hack/src/asdl_to_rust/asdl_to_rust…:38
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). hphp/hack/src/hackc/ffi_bridge/compiler…:105
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). hphp/hack/src/hackc/decl_provider/decl_…:26
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). hphp/doc/tcdump_json_schema.ts:28
HIGH COMP001 [COMP001] High cognitive complexity: Function `main` has cognitive complexity 32 (SonarSo… hphp/hack/src/hh_asdiff/hh_asdiff.py:169
HIGH DKR006 Dockerfile pipes a remote script into a shell third-party/watchman/src/watchman/build…:18
HIGH DKR006 Dockerfile pipes a remote script into a shell third-party/watchman/src/watchman/build…:6
HIGH DKR014 Dockerfile copies the entire context without .dockerignore third-party/proxygen/src/proxygen/https…:15
HIGH DKR015 Docker build context is very large .dockerignore
HIGH MINED118 [MINED118] Dockerfile FROM `martenseemann/quic-network-simulator-endpoint:latest` not pin… third-party/proxygen/src/proxygen/https…:23
HIGH MINED118 [MINED118] Dockerfile FROM `martenseemann/quic-network-simulator-endpoint:latest` not pin… third-party/proxygen/src/proxygen/https…:4
HIGH MINED118 [MINED118] Dockerfile FROM `ubuntu:focal` not pinned by digest: `FROM ubuntu:focal` resol… third-party/mcrouter/src/mcrouter/scrip…:2
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/u… third-party/fizz/src/.github/workflows/…:135
HIGH MINED115 [MINED115] Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.9`: `uses… third-party/fizz/src/.github/workflows/…:34
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:30
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/u… third-party/fizz/src/.github/workflows/…:128
HIGH MINED115 [MINED115] Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.9`: `uses… third-party/fizz/src/.github/workflows/…:46
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:42
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setu… third-party/fizz/src/.github/workflows/…:174
HIGH MINED115 [MINED115] Action `ocaml/setup-ocaml` pinned to mutable ref `@v2`: `uses: ocaml/setup-oca… third-party/fizz/src/.github/workflows/…:169
HIGH MINED115 [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolna… third-party/fizz/src/.github/workflows/…:160
HIGH MINED115 [MINED115] Action `facebook/install-dotslash` pinned to mutable ref `@latest`: `uses: fac… third-party/fizz/src/.github/workflows/…:157
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:154
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:138
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setu… third-party/fizz/src/.github/workflows/…:126
HIGH MINED115 [MINED115] Action `ocaml/setup-ocaml` pinned to mutable ref `@v2`: `uses: ocaml/setup-oca… third-party/fizz/src/.github/workflows/…:121
HIGH MINED115 [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolna… third-party/fizz/src/.github/workflows/…:112
HIGH MINED115 [MINED115] Action `facebook/install-dotslash` pinned to mutable ref `@latest`: `uses: fac… third-party/fizz/src/.github/workflows/…:109
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:106
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:88
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setu… third-party/fizz/src/.github/workflows/…:79
HIGH MINED115 [MINED115] Action `ocaml/setup-ocaml` pinned to mutable ref `@v2`: `uses: ocaml/setup-oca… third-party/fizz/src/.github/workflows/…:74
HIGH MINED115 [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolna… third-party/fizz/src/.github/workflows/…:66
HIGH MINED115 [MINED115] Action `facebook/install-dotslash` pinned to mutable ref `@latest`: `uses: fac… third-party/fizz/src/.github/workflows/…:63
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:60
HIGH MINED115 [MINED115] Action `facebook/install-dotslash` pinned to mutable ref `@latest`: `uses: fac… third-party/fizz/src/.github/workflows/…:10
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… third-party/fizz/src/.github/workflows/…:7
HIGH MINED118 [MINED118] Dockerfile FROM `ghcr.io/xtruder/nix-devcontainer:v1` not pinned by digest: `F… .devcontainer/Dockerfile:1
HIGH MINED113 [MINED113] Express POST /sourceList has no auth: Express route POST /sourceList declared … third-party/fb-mysql/8.0.20/extra/dukta…:1864
HIGH MINED113 [MINED113] Express POST /source has no auth: Express route POST /source declared without … third-party/fb-mysql/8.0.20/extra/dukta…:1863
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/pool.py:632
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/pool.py:390
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/pool.py:294
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/__init__…:300
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/__init__…:234
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/__init__…:115
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/__init__…:73
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/tbb/__init__…:224
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/tbb/src/python/setup.py:47
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/fb-mysql/8.0.20/extra/dukta…:19
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/fb-mysql/8.0.20/extra/dukta…:45
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/folly/src/folly/coro/script…:503
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… third-party/folly/src/folly/coro/script…:241
MED COMP001 [COMP001] High cognitive complexity: Function `report_summary` has cognitive complexity 1… hphp/hack/src/hh_asdiff/hh_asdiff.py:127
MED DKR003 Dockerfile base image uses the latest tag third-party/proxygen/src/proxygen/https…:23
MED DKR003 Dockerfile base image uses the latest tag third-party/proxygen/src/proxygen/https…:4
MED DKR007 Docker build context has no .dockerignore .dockerignore
MED DKR009 Dockerfile separates apt update from install third-party/proxygen/src/proxygen/https…:8
MED DKR018 Database dump or local database file is included in Docker build context .dockerignore
MED DKR001 Docker final stage has no non-root USER third-party/watchman/src/watchman/build…:2
MED DKR001 Docker final stage has no non-root USER third-party/watchman/src/watchman/build…:2
MED DKR001 Docker final stage has no non-root USER third-party/watchman/src/watchman/build…:2
MED DKR001 Docker final stage has no non-root USER third-party/watchman/src/watchman/build…:2
MED DKR001 Docker final stage has no non-root USER third-party/proxygen/src/proxygen/https…:23
MED DKR001 Docker final stage has no non-root USER third-party/mcrouter/src/mcrouter/scrip…:3
MED DKR001 Docker final stage has no non-root USER third-party/mcrouter/src/mcrouter/scrip…:22
MED DKR001 Docker final stage has no non-root USER .devcontainer/Dockerfile:1
MED AIC001 Parallel implementation file sits beside a canonical file third-party/fb-mysql/8.0.20/extra/icu/s…:1
MED AIC001 Parallel implementation file sits beside a canonical file hphp/runtime/vm/jit/vasm-copy.cpp:1
MED AIC001 Parallel implementation file sits beside a canonical file hphp/runtime/vm/jit/cfg-clean.cpp:1
MED AIC004 Suspicious implementation file appears unreferenced third-party/fb-mysql/8.0.20/sql/sql_que…:1
MED AIC004 Suspicious implementation file appears unreferenced third-party/fb-mysql/8.0.20/include/mys…:1
MED AIC004 Suspicious implementation file appears unreferenced hphp/hack/src/elab/passes/validate_meth…:1
MED CORE_NO_CI No CI/CD configuration found
LOW COMP001 [COMP001] High cognitive complexity: Function `split_lines` has cognitive complexity 13 (… hphp/hack/src/hh_asdiff/parsing.py:28
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/hackc/hhvm_cxx/hhvm_hhbc_…:1
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/hackc/hhvm_cxx/hhvm_hhbc_…:3
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/hackc/hhvm_cxx/hhvm_hhbc_…:1
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/hackc/emitter/instruction…:124
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/hackc/emitter/emit_memoiz…:334
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/hackc/cli/asm_ir.rs:11
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/elab/passes/validate_clas…:81
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/diagnostics/fmt_raw.rs:15
LOW AIC003 Duplicated implementation block across source files hphp/hack/src/deps/rust/prim_defs.rs:8
LOW AIC003 Duplicated implementation block across source files hphp/compiler/package.h:3
LOW AIC003 Duplicated implementation block across source files hphp/compiler/package.h:1
LOW AIC003 Duplicated implementation block across source files hphp/compiler/option.h:3
LOW AIC003 Duplicated implementation block across source files hphp/compiler/option.h:1
LOW AIC003 Duplicated implementation block across source files hphp/compiler/option.cpp:3
LOW AIC003 Duplicated implementation block across source files hphp/compiler/option.cpp:1
LOW AIC003 Duplicated implementation block across source files hphp/compiler/decl-provider.h:3
LOW AIC003 Duplicated implementation block across source files hphp/compiler/decl-provider.h:1
LOW AIC003 Duplicated implementation block across source files hphp/compiler/decl-provider.cpp:3
LOW AIC003 Duplicated implementation block across source files hphp/compiler/decl-provider.cpp:1
LOW AIC003 Duplicated implementation block across source files hphp/compiler/compiler.h:3
LOW AIC003 Duplicated implementation block across source files hphp/compiler/compiler.h:1
LOW AIC003 Duplicated implementation block across source files hphp/compiler/compiler-systemlib.h:1
LOW AIC003 Duplicated implementation block across source files hphp/compiler/compiler-systemlib.cpp:1
LOW AIC003 Duplicated implementation block across source files third-party/fb-mysql/8.0.20/sql/sql_upd…:1
LOW AIC003 Duplicated implementation block across source files third-party/fb-mysql/8.0.20/sql/sql_rew…:1
LOW AIC003 Duplicated implementation block across source files third-party/fb-mysql/8.0.20/sql/sql_que…:1
LOW AIC003 Duplicated implementation block across source files third-party/fb-mysql/8.0.20/sql/mdl_con…:1
LOW AIC003 Duplicated implementation block across source files hphp/runtime/vm/jit/vasm-copy.cpp:1
LOW AIC003 Duplicated implementation block across source files hphp/runtime/vm/jit/ssa-tmp.h:1
LOW AIC003 Duplicated implementation block across source files hphp/runtime/vm/jit/ssa-tmp.cpp:1
LOW DKR011 Dockerfile installs recommended OS packages third-party/proxygen/src/proxygen/https…:13
LOW AIC007 Generated build artifact directory is present at repository root build:1
LOW AIC005 Duplicate top-level symbol appears in a patch-style file third-party/fb-mysql/8.0.20/sql/sql_que…:1
LOW AIC005 Duplicate top-level symbol appears in a patch-style file third-party/fb-mysql/8.0.20/sql/sql_upd…:1
LOW AIC005 Duplicate top-level symbol appears in a patch-style file third-party/fb-mysql/8.0.20/sql/sql_rew…:1
LOW AIC002 Source file name looks like an AI patch artifact third-party/fb-mysql/8.0.20/sql/sql_que…:1
LOW AIC002 Source file name looks like an AI patch artifact third-party/fb-mysql/8.0.20/sql/sql_rew…:1
LOW AIC002 Source file name looks like an AI patch artifact third-party/fb-mysql/8.0.20/sql/mdl_con…:1
LOW AIC002 Source file name looks like an AI patch artifact third-party/fb-mysql/8.0.20/include/mys…:1
LOW AIC002 Source file name looks like an AI patch artifact hphp/runtime/vm/jit/ssa-tmp.h:1
LOW AIC002 Source file name looks like an AI patch artifact hphp/runtime/vm/jit/ssa-tmp.cpp:1
LOW AIC002 Source file name looks like an AI patch artifact hphp/hack/src/elab/passes/validate_meth…:1
INFO MINED075 [MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking fo… hphp/hack/src/utils/cgroup/cgroupWatche…:125
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … hphp/hack/src/typing/type_mapper_forget…:42
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … hphp/hack/src/providers/provider_utils.…:143
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … hphp/hack/src/providers/lfu_cache.ml:135
INFO MINED046 [MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger. hphp/hack/src/hackfmt/doc.ml:186
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… hphp/hack/src/providers/provider_backen…:245
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… hphp/hack/src/dfind/dfind_env.mli:42
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… hphp/hack/src/dfind/dfind_env.ml:51
INFO MINED068 [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled i… hphp/hack/src/hackc/ffi/vector.rs:42
INFO MINED068 [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled i… hphp/hack/src/deps/deps_rust/typing_dep…:91
INFO MINED068 [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled i… hphp/hack/src/depgraph/depgraph_reader/…:31
INFO MINED057 [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… hphp/hack/src/typing/typing_enforceable…:202
INFO MINED057 [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… hphp/hack/src/decl/pos/pos_or_decl.mli:58
INFO MINED048 [MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues. hphp/hack/src/naming/naming_sqlite.mli:17
INFO MINED048 [MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues. hphp/hack/src/diagnostics/user_diagnost…:15
INFO MINED048 [MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues. hphp/hack/src/decl/decl_counters.ml:54
INFO MINED066 [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… hphp/hack/src/elab/passes/elab_const_ex…:214
INFO MINED066 [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… hphp/hack/src/depgraph/depgraph_reader/…:36
INFO MINED066 [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… hphp/hack/src/client/ide_service/rust_b…:136
INFO MINED059 [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. hphp/hack/src/hackc/compile/dump_expr_t…:66
INFO MINED059 [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. hphp/hack/src/hackc/compile/cargo/optio…:18
INFO MINED059 [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. hphp/hack/src/asdl_to_rust/asdl_to_rust…:43
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… hphp/compiler/compiler.h:5
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… hphp/compiler/compiler-systemlib.h:5
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… hphp/compiler/compiler-systemlib.cpp:5
171 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `facebook/hhvm`

**Score: 63/100 (B)**  ·  240 findings  ·  scanned 2026-06-05 18:10 UTC  ·  1,579,583 LOC

| Severity | Count |
|---|---|
| CRITICAL | 13 |
| HIGH | 56 |
| MEDIUM | 34 |
| LOW | 43 |

📊 [Full filterable report](https://repobility.com/scan/4717a4c5-1b58-4d0c-83a5-90f6bd950c54/)  ·  ![scorecard](https://repobility.com/scan/4717a4c5-1b58-4d0c-83a5-90f6bd950c54/report.png?v=1780683039-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `stat` used but not imported
   `third-party/thrift/src/thrift/lib/py/util/Decorators.py:48` · ✓ Repobility
2. **CRITICAL** `MINED107` — Missing import: `struct` used but not imported
   `third-party/thrift/src/thrift/lib/py/util/__init__.py:44` · ✓ Repobility
3. **CRITICAL** `MINED107` — Missing import: `socket` used but not imported
   `third-party/thrift/src/thrift/lib/py/server/TAsyncioServer.py:150` · ✓ Repobility
4. **CRITICAL** `MINED107` — Missing import: `string` used but not imported
   `third-party/thrift/src/thrift/lib/py/protocol/TSimpleJSONProtocol.py:637` · ✓ Repobility
5. **CRITICAL** `MINED107` — Missing import: `string` used but not imported
   `third-party/thrift/src/thrift/lib/py/protocol/TJSONProtocol.py:173` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/4717a4c5-1b58-4d0c-83a5-90f6bd950c54/_
Already filed
'facebook' is on the known-megaproject org list. These projects use auto-triage bots and established security disclosure channels. Unsolicited automated issues from Repobility would be perceived as AI-generated spam. For security findings, follow the project's SECURITY.md policy. For non-security findings, open a focused PR or community discussion instead.
Already filed
This repo publishes a SECURITY.md policy and the scan contains 3 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
Megaproject: high spam risk
Could not determine 'facebook/hhvm' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Already filed
151/258 findings (59%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.