x-stream/xstream

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

https://github.com/x-stream/xstream.git · scanned 2026-05-16 12:55 UTC (3 weeks, 3 days ago) · 10 languages

24 raw signals (20 security + 4 graph) 67th percentile · Java · medium (20-100K LoC) System graph score 100 (lower by 24)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 weeks, 3 days ago · v1 · 2 actionable findings from 1 signal source. 16 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

77.8% cov · 0 findings

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 1 Medium 0 Low 1 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 2 System graph 0 Crowd 0 Layer: Quality 1 Software 1

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B+ (76/100). Dimensions: security 100, maintainability 60. 20 findings. 81,914 lines analyzed.

Showing 2 of 2 actionable findings. 18 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks software Xxe conf 1.00 3 occurrences [SEC024] XML External Entity (XXE) — Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack.

Disable DTDs and external entities before parsing: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities"…

3 files, 3 locations

xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java:137

xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java:110

xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java:119

low Security checks quality Quality conf 0.60 15 occurrences Duplicated implementation block across source files

Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.

12 files, 14 locations

xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalIntConverter.java:13, 14 (2 hits)

xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalLongConverter.java:13, 14 (2 hits)

xstream/src/java/com/thoughtworks/xstream/converters/extended/ActivationDataFlavorJakartaConverter.java:27

xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicIntegerConverter.java:16

xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicLongConverter.java:16

xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java:195

xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalDoubleConverter.java:13

xstream/src/java/com/thoughtworks/xstream/converters/reflection/ExternalizableConverter.java:44

duplicationquality

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/724af68f-c22d-4d85-ab71-03d8bfbaaace/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/724af68f-c22d-4d85-ab71-03d8bfbaaace/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.