CleverRaven/Cataclysm-DDA

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

92 of your 132 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Upstream (GitHub) caused delay on this scan — not Repobility.

GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
Clone from GitHub took 54.52s for a 151.4 MB repo slow.
Repobility's analysis ran in 24.19s after the clone landed.

https://github.com/CleverRaven/Cataclysm-DDA · scanned 2026-06-05 20:11 UTC (1 week, 2 days ago) · 10 languages

322 raw signals (124 security + 198 graph) 11/13 scanners ran System graph score 87 (lower by 4)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 123 actionable findings from 2 signal sources. 99 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

88.9% cov · 75 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	100.0	0.25	25.00
`testing_score`	76.0	0.20	15.20
`documentation_score`	75.0	0.15	11.25
`practices_score`	96.0	0.15	14.40
`code_quality`	41.0	0.10	4.10
Overall		1.00	82.7

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: layer: quality × excluding tests × Reset all

Severity: Critical 0 High 13 Medium 21 Low 57 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 48 System graph 75 Crowd 0 Layer: Quality 54 Cicd 7 Security 6 Software 45 Api 1 Frontend 2 Hardware 8

Exclude dismissed / FP Exclude test files

Scan summary Quality grade A- (83/100). Dimensions: security 100, maintainability 85. 124 findings (21 security). 963,058 lines analyzed.

Showing 25 of 123 actionable findings. 222 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences [MINED107] Missing import: `json` used but not imported: The file uses `json.something(...)` but never imports `json`. This raises NameError at runtime the first time the line executes.

Add `import json` at the top of the file.

12 files, 12 locations

lang/string_extractor/parsers/ammunition_type.py:5

lang/string_extractor/parsers/body_part.py:11

lang/string_extractor/parsers/city.py:5

lang/string_extractor/parsers/examine_action.py:20

lang/string_extractor/parsers/faction.py:8

lang/string_extractor/parsers/fault_fix.py:11

lang/string_extractor/parsers/gate.py:5

lang/string_extractor/parsers/item_action.py:6

high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED036] Python Os System Call: os.system() invokes shell with no escaping.

Review and fix per the pattern semantics. See CWE-78 / for context.

3 files, 3 locations

tools/json_tools/adjust_values.py:32

tools/json_tools/convert_armor.py:298

tools/json_tools/convert_item_damage.py:119

high Security checks quality Quality conf 1.00 ✓ Repobility 24 occurrences [MINED108] `self._summ_type` used but never assigned in __init__: Method `summ_type` of class `CDDAPullRequest` reads `self._summ_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._summ_type = <default>` in __init__, or add a class-level default.

2 files, 24 locations

tools/generate_changelog.py:180, 184, 188, 189, 203, 213, 215, 216, +3 more (18 hits)

tools/windows_limit_memory.py:533, 624, 633, 648, 650, 651 (6 hits)

medium Security checks quality Quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `parse_dynamic_line` (list): `def parse_dynamic_line(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.

Use None as the default and create the collection inside the function: `def parse_dynamic_line(x=None): x = x or []`

lang/string_extractor/parsers/talk_topic.py:50

medium Security checks quality Quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `write_to_pot` (list): `def write_to_pot(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.

Use None as the default and create the collection inside the function: `def write_to_pot(x=None): x = x or []`

lang/string_extractor/pot_export.py:121

medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).

Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.

src/third-party/snmalloc/ds_core/defines.h:123

medium Security checks quality Quality Average file size is 550 lines (recommend <300)

Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.

low Security checks quality Error handling conf 0.55 ✓ Repobility 4 occurrences Broad exception handler needs review

This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.

4 files, 4 locations

tools/json_tools/cddatags.py:71

tools/json_tools/lister.py:48

tools/json_tools/update-translate-dialogue-mod.py:82

tools/json_tools/util.py:38

Error handlingquality

high Security checks quality Quality conf 0.82 Parallel implementation file sits beside a canonical file

Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.

lang/string_extractor/parsers/fault_fix.py:1

medium Security checks quality Quality conf 0.78 Suspicious implementation file appears unreferenced

Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.

tools/gfx_tools/png_update.py:1

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — build-scripts/ci-iwyu-run.py:116

`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — build-scripts/get_affected_files.py:99

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/build_shaders.py:67

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/generate_changelog.py:470

`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/update_blueprint_needs.py:137

runtime safetyRobustness

medium System graph quality Tests conf 1.00 Very low test-to-source ratio

4 test file(s) for 175 source file(s) (ratio 0.02). Consider adding integration or unit tests for critical paths.

Coverage

low Security checks quality Quality conf 0.64 Duplicate top-level symbol appears in a patch-style file

Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol.

tools/gfx_tools/png_update.py:1

high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact

Rename it to the domain concept it implements or merge it into the existing module it was meant to change.

tools/gfx_tools/png_update.py:1

low System graph quality Integrity conf 1.00 12 occurrences Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: build-scripts/post-diff-as-comments.py:parse_hunks, build-scripts/post-diff-as-comments.py:parse_hunk This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'…

12 occurrences

repo-level (12 hits)

duplicatesduplication

low System graph quality Integrity conf 1.00 7 occurrences Near-duplicate function bodies in 3 places

Functions with the same first-5-line body hash: tools/merge_maps.py:get_data, tools/copy_from.py:get_data, tools/vehicle_reformatter.py:get_data This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're se…

7 occurrences

repo-level (7 hits)

duplicatesduplication

low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places

Functions with the same first-5-line body hash: tools/generate_changelog.py:is_active, tools/generate_changelog.py:is_active, tools/generate_changelog.py:is_active, tools/generate_changelog.py:is_active This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.h…

duplicatesduplication

low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `can_copy` in tools/copy_from.py:53

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

old markerDead code

low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_tile_entries_for_unused` in tools/gfx_tools/compose.py:369

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

old markerDead code

low System graph quality Integrity conf 1.00 Stub function `dummy_parser` (body is just `pass`/`return`) — lang/string_extractor/parser.py:99

Likely an AI scaffold that was never filled in. Remove or implement.

Empty handlerDead code

low System graph quality Complexity conf 1.00 Very large file: tools/generate_changelog.py (1393 lines)

Files with >800 lines often hide complexity hotspots and discourage tests.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/74ca0b50-7228-42e5-8a73-a70ebe684044/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/74ca0b50-7228-42e5-8a73-a70ebe684044/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.