75 of your 95 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

frappe/erpnext

https://github.com/frappe/erpnext.git · scanned 2026-05-20 01:10 UTC (2 weeks, 2 days ago) · 10 languages

932 findings (95 legacy + 837 scanner) · 11/13 scanners ran · 66th percentile · Python · medium (20-100K LoC) · Scanner says 71 (lower by 3)


Complete repo analysis

Last scanned 2 weeks, 2 days ago · v3 · 374 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5
Component              Sub-score   Weight   Contribution
structure_score             60.0     0.15           9.00
security_score             100.0     0.25          25.00
testing_score               40.0     0.20           8.00
documentation_score         63.0     0.15           9.45
practices_score             64.0     0.15           9.60
code_quality                69.0     0.10           6.90
Overall                              1.00           68.0
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution (chart not reproduced here)
Active filters: excluding tests
Scan summary Repository scanned at 71.1/100 with 100.0% coverage. It contains 19857 nodes across 8 cross-layer flows, written primarily in mixed languages. Engine surfaced 279 findings — concentrated in quality (149), software (62), cicd (39). Risk profile is high: 0 critical, 2 high, 17 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 294 of 374 findings.

low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
erpnext/accounts/doctype/bank_transaction_rule/bank_transaction_rule.py:117 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_taxes_from_item_tax_template` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.add_taxes_from_item_tax_template`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_taxes_from_item_tax_template = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:120 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.as_dict` used but never assigned in __init__: Method `on_update` of class `ERPNextAddress` reads `self.as_dict`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.as_dict = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:47 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.enable_accounting_dimensions` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_accounting_dimensions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.enable_accounting_dimensions = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:138 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.enable_accounting_dimensions` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_accounting_dimensions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.enable_accounting_dimensions = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:137 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.enable_common_party_accounting` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_common_party_accounting`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.enable_common_party_accounting = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:126 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.enable_discounts_and_margin` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_discounts_and_margin`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.enable_discounts_and_margin = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:141 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.enable_loyalty_point_program` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_loyalty_point_program`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.enable_loyalty_point_program = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:145 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.enable_payment_schedule_in_print` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_payment_schedule_in_print`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.enable_payment_schedule_in_print = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:135 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.enable_subscription` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_subscription`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.enable_subscription = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:149 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get_doc_before_save` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.get_doc_before_save`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get_doc_before_save = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:117 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get` used but never assigned in __init__: Method `update_company_address` of class `ERPNextAddress` reads `self.get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:26 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:128 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:122 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.is_your_company_address` used but never assigned in __init__: Method `link_address` of class `ERPNextAddress` reads `self.is_your_company_address`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_your_company_address = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:20 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.is_your_company_address` used but never assigned in __init__: Method `update_company_address` of class `ERPNextAddress` reads `self.is_your_company_address`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_your_company_address = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:28 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.is_your_company_address` used but never assigned in __init__: Method `validate_reference` of class `ERPNextAddress` reads `self.is_your_company_address`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_your_company_address = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:31 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.links` used but never assigned in __init__: Method `validate_reference` of class `ERPNextAddress` reads `self.links`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.links = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:31 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.name` used but never assigned in __init__: Method `on_update` of class `ERPNextAddress` reads `self.name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.name = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:48 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.show_payment_schedule_in_print` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.show_payment_schedule_in_print`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.show_payment_schedule_in_print = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:134 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.update_company_address` used but never assigned in __init__: Method `validate` of class `ERPNextAddress` reads `self.update_company_address`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.update_company_address = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:13 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.update_property_for_accounting_dimension` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.update_property_for_accounting_dimension`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.update_property_for_accounting_dimension = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:157 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.validate_and_sync_auto_reconcile_config` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.validate_and_sync_auto_reconcile_config`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.validate_and_sync_auto_reconcile_config = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:156 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.validate_auto_tax_settings` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.validate_auto_tax_settings`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.validate_auto_tax_settings = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:116 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.validate_reference` used but never assigned in __init__: Method `validate` of class `ERPNextAddress` reads `self.validate_reference`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.validate_reference = <default>` in __init__, or add a class-level default.
erpnext/accounts/custom/address.py:12 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.validate_stale_days` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.validate_stale_days`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.validate_stale_days = <default>` in __init__, or add a class-level default.
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:132 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/patch.yml:92 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/patch.yml:78 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/patch.yml:69 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/generate-pot-file.yml:24 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/semantic-commits.yml:18 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docs-checker.yml:21 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/patch.yml:41 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/github-script@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/label-base-on-title.yml:15 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/labeler` pinned to mutable ref `@v3`: `uses: actions/labeler@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/labeler@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/labeller.yml:14 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/generate-pot-file.yml:34 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/semantic-commits.yml:21 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/patch.yml:60 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-python@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/generate-pot-file.yml:29 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-python@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docs-checker.yml:16 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-python@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/patch.yml:52 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `alpine:latest` unpinned: `container/services image: alpine:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `alpine:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/docker-release.yml:13 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `mariadb:11.8` unpinned: `container/services image: mariadb:11.8` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `mariadb:11.8@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/patch.yml:32 dependencylegacy
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in banking/src/components/features/BankReconciliation/BankEntryModal.tsx:255
Found a known-risky pattern (eval_used). Review and replace if possible.
banking/src/components/features/BankReconciliation/BankEntryModal.tsx:255 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in banking/src/components/features/BankReconciliation/Rules/RuleForm.tsx:452
Found a known-risky pattern (eval_used). Review and replace if possible.
banking/src/components/features/BankReconciliation/Rules/RuleForm.tsx:452 owaspeval_used
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
authlegacy
medium Legacy quality practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
practiceslegacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
erpnext/accounts/doctype/bank_transaction_rule/bank_transaction_rule.py:117 error_handlinglegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
erpnext/accounts/doctype/bank_statement_import/bank_statement_import.py:162 qualitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
erpnext/accounts/doctype/bank_statement_import_log/bank_statement_import_log.js:8 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
banking/src/pages/BankStatementImporter.tsx:237 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
banking/src/components/common/LinkFieldCombobox.tsx:246 securitylegacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — banking/src/components/features/BankReconciliation/BankClearanceSummary.tsx:210
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — banking/src/components/features/BankReconciliation/BankReconciliationStatement.tsx:196
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — banking/src/components/features/BankReconciliation/BankTransactionList.tsx:250
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — banking/src/components/features/BankReconciliation/IncorrectlyClearedEntries.tsx:184
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — banking/src/main.tsx:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Frontend route `:id` has no Link/navigate to it — banking/src/App.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrityorphan-pagewiring
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pre-commit/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/linters.yml:24 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/generate-pot-file.yml supply-chain · github-actions · least-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in banking/src/components/features/BankReconciliation/BankClearanceSummary.tsx:210
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
banking/src/components/features/BankReconciliation/BankClearanceSummary.tsx:210 owasp · dangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in banking/src/components/features/BankReconciliation/BankReconciliationStatement.tsx:196
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
banking/src/components/features/BankReconciliation/BankReconciliationStatement.tsx:196 owasp · dangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in banking/src/components/features/BankReconciliation/BankTransactionList.tsx:250
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
banking/src/components/features/BankReconciliation/BankTransactionList.tsx:250 owasp · dangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in banking/src/components/features/BankReconciliation/IncorrectlyClearedEntries.tsx:184
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
banking/src/components/features/BankReconciliation/IncorrectlyClearedEntries.tsx:184 owasp · dangerous_innerhtml
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — .github/helper/documentation.py:44
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — erpnext/setup/utils.py:134
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — erpnext/templates/pages/help.py:30
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — erpnext/templates/pages/search_help.py:50
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
banking/src/components/ui/textarea.tsx:12 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
banking/src/components/ui/select.tsx:24 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
banking/src/components/features/BankReconciliation/TransferModal.tsx:180 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
banking/src/components/features/BankReconciliation/Rules/RuleForm.tsx:444 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
banking/src/components/features/BankReconciliation/MatchAndReconcile.tsx:137 quality · legacy
low 9-layer quality maintenance conf 1.00 53 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: commitlint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/hooks.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/blanket_order/blanket_order.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/bom/bom_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/bom_creator/bom_creator_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/bom_update_tool/bom_update_tool.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/downtime_entry/downtime_entry.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/job_card/job_card_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/manufacturing_settings/manufacturing_settings.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/master_production_schedule/master_production_schedule.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/master_production_schedule/test_master_production_schedule.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/material_request_plan_item/material_request_plan_item.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/production_plan/production_plan.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/production_plan/production_plan_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/routing/routing.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/sales_forecast/sales_forecast.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/sales_forecast/sales_forecast_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/sales_forecast/test_sales_forecast.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/work_order/work_order_calendar.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/work_order/work_order_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/workstation/_test_workstation.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/workstation/workstation_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/workstation_operating_component_account/test_workstation_operating_component_account.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/doctype/workstation_operating_component_account/workstation_operating_component_account.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/manufacturing/page/visual_plant_floor/visual_plant_floor.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/activity_cost/activity_cost.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/activity_type/activity_type.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/activity_type/test_activity_type.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/project/project_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/project_template/project_template.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/project_type/project_type.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/project_update/project_update.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/projects_settings/projects_settings.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/task/task.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/task/task_calendar.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/task/task_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/task/task_tree.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/task_type/task_type.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/timesheet/timesheet_calendar.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/doctype/timesheet/timesheet_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/report/daily_timesheet_summary/daily_timesheet_summary.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/report/delayed_tasks_summary/delayed_tasks_summary.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/report/project_summary/project_summary.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/report/project_wise_stock_tracking/project_wise_stock_tracking.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/projects/web_form/tasks/tasks.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/subcontracting/doctype/subcontracting_bom/subcontracting_bom.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/subcontracting/doctype/subcontracting_order/subcontracting_order_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: erpnext/subcontracting/doctype/subcontracting_receipt/subcontracting_receipt_list.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/label-base-on-title.yml:15 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/patch.yml:41 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/patch.yml:52 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/patch.yml:60 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/patch.yml:69 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/patch.yml:78 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-checker.yml:16 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-checker.yml:21 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/generate-pot-file.yml:24 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/generate-pot-file.yml:29 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/generate-pot-file.yml:34 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:16 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:21 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/backport.yml:17 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/linters.yml:18 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/linters.yml:33 supply-chain · github-actions · pinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `args_copy` in erpnext/accounts/doctype/pricing_rule/pricing_rule.py:372
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `array_copy` in erpnext/telephony/doctype/incoming_call_settings/incoming_call_settings.js:12
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `create_attachment_copy` in erpnext/utilities/transaction_base.py:91
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ctx_copy` in erpnext/stock/get_item_details.py:1584
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `data_copy` in erpnext/accounts/report/financial_statements.py:737
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `dn_fields_copy` in erpnext/stock/doctype/delivery_note/delivery_note.js:472
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `do_not_copy` in erpnext/selling/doctype/sales_order/test_sales_order.py:1485
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `field_copy` in erpnext/accounts/doctype/purchase_invoice/purchase_invoice.js:458
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `field_copy` in erpnext/accounts/doctype/sales_invoice/sales_invoice.js:558
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `field_copy` in erpnext/buying/doctype/purchase_order/purchase_order.js:637
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `field_copy` in erpnext/selling/doctype/sales_order/sales_order.js:1263
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `field_copy` in erpnext/stock/doctype/purchase_receipt/purchase_receipt.js:369
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `fields_to_copy` in erpnext/controllers/accounts_controller.py:3599
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `gle_copy` in erpnext/accounts/doctype/period_closing_voucher/period_closing_voucher.py:379
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `gle_copy` in erpnext/accounts/doctype/process_period_closing_voucher/process_period_closing_voucher.py:365
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ignore_no_copy` in erpnext/accounts/report/gross_profit/test_gross_profit.py:399
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ignore_no_copy` in erpnext/manufacturing/doctype/bom/test_bom.py:489
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ignore_no_copy` in erpnext/stock/doctype/serial_and_batch_bundle/test_serial_and_batch_bundle.py:1106
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ignore_no_copy` in erpnext/stock/doctype/stock_entry/test_stock_entry.py:1400
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ignore_no_copy` in erpnext/stock/doctype/stock_ledger_entry/test_stock_ledger_entry.py:934
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ignore_no_copy` in erpnext/stock/serial_batch_bundle.py:1098
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/manufacturing/doctype/bom/bom.py:1055
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/manufacturing/doctype/bom_secondary_item/bom_secondary_item.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/manufacturing/doctype/job_card/job_card.py:301
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/manufacturing/doctype/work_order/test_work_order.py:4436
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/patches/v16_0/co_by_product_patch.py:43
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/stock/doctype/stock_entry/stock_entry.py:3426
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/subcontracting/doctype/subcontracting_receipt/subcontracting_receipt.py:392
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_legacy` in erpnext/subcontracting/doctype/subcontracting_receipt/test_subcontracting_receipt.py:1197
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `item_row_copy` in erpnext/accounts/doctype/pos_invoice/test_pos_invoice.py:116
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `item_row_copy` in erpnext/accounts/doctype/sales_invoice/test_sales_invoice.py:535
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `mock_process_v2` in erpnext/accounts/doctype/payment_request/test_payment_request.py:1229
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `no_copy` in erpnext/regional/italy/setup.py:75
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `no_copy` in erpnext/stock/doctype/item_variant_settings/item_variant_settings.js:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `no_copy` in erpnext/stock/doctype/item_variant_settings/item_variant_settings.py:50
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `no_copy` in erpnext/support/doctype/service_level_agreement/service_level_agreement.py:930
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `row_copy` in erpnext/buying/report/purchase_order_analysis/purchase_order_analysis.py:155
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `row_copy` in erpnext/buying/report/requested_items_to_order_and_receive/requested_items_to_order_and_receive.py:130
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `row_copy` in erpnext/selling/report/sales_order_analysis/sales_order_analysis.py:170
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `start_date_copy` in erpnext/maintenance/doctype/maintenance_schedule/maintenance_schedule.py:162
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `to_copy` in erpnext/accounts/party.py:340
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `y_old` in erpnext/selling/page/sales_funnel/sales_funnel.js:170
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality tests conf 1.00 Low test-to-source ratio
374 tests / 2963 src (ratio 0.13).
tests
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 10 places
Functions with the same first-5-line body hash: erpnext/projects/doctype/project/project.py:get_list_context, erpnext/stock/doctype/material_request/material_request.py:get_list_context, erpnext/stock/doctype/delivery_note/delivery_note.py:get_list_context, erpnext/accounts/doctype/purchase_invoice…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/subcontracting/doctype/subcontracting_receipt/subcontracting_receipt.py:on_cancel, erpnext/assets/doctype/asset_capitalization/asset_capitalization.py:on_cancel This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — se…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/subcontracting/doctype/subcontracting_receipt/subcontracting_receipt.py:update_status_updater_args, erpnext/subcontracting/doctype/subcontracting_receipt/subcontracting_receipt.py:update_status This is *the* AI-coder failure mode (4× more dup…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/subcontracting/doctype/subcontracting_receipt/subcontracting_receipt.py:make_subcontract_return_against_rejected_warehouse, erpnext/subcontracting/doctype/subcontracting_receipt/subcontracting_receipt.py:make_subcontract_return This is *the* …
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order.py:populate_items_table, erpnext/subcontracting/doctype/subcontracting_order/subcontracting_order.py:populate_items_table This is *the* AI-coder failure mode (4× m…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order.py:create_work_order, erpnext/manufacturing/doctype/production_plan/production_plan.py:create_work_order This is *the* AI-coder failure mode (4× more duplication i…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order.py:show_list_created_message, erpnext/manufacturing/doctype/production_plan/production_plan.py:show_list_created_message This is *the* AI-coder failure mode (4× mo…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/projects/doctype/timesheet/timesheet.py:get_timesheet_detail_rate, erpnext/projects/doctype/timesheet/timesheet.py:get_timesheet This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene)…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/bom_creator/bom_creator.py:create_boms, erpnext/manufacturing/doctype/bom_creator/bom_creator.py:create_bom This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/work_order/work_order.py:validate_warehouse_belongs_to_company, erpnext/manufacturing/doctype/work_order/work_order.py:validate_warehouse This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/work_order/work_order.py:create_job_card, erpnext/manufacturing/doctype/work_order/work_order.py:create_job_card This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hy…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/workstation/workstation.py:validate, erpnext/manufacturing/doctype/workstation_type/workstation_type.py:validate This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hy…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/workstation/workstation.py:validate_duplicate_operating_component, erpnext/manufacturing/doctype/workstation_type/workstation_type.py:validate_duplicate_operating_component This is *the* AI-coder failure mode (4× more du…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/workstation/workstation.py:set_hour_rate, erpnext/manufacturing/doctype/workstation_type/workstation_type.py:set_hour_rate This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/master_production_schedule/master_production_schedule.py:get_material_requests_data, erpnext/manufacturing/doctype/master_production_schedule/master_production_schedule.py:get_material_requests This is *the* AI-coder fai…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/master_production_schedule/master_production_schedule.py:get_sales_orders_data, erpnext/manufacturing/doctype/master_production_schedule/master_production_schedule.py:get_sales_orders This is *the* AI-coder failure mode …
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/production_plan/production_plan.py:get_sub_assembly_items, erpnext/manufacturing/doctype/production_plan/production_plan.py:get_sub_assembly_items This is *the* AI-coder failure mode (4× more duplication in vibe-coded re…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order.py:make_rm_return, erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order.py:make_subcontracting_delivery, erpnext/subcontracting/do…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: erpnext/manufacturing/notification/material_request_receipt_notification/material_request_receipt_notification.py:get_context, erpnext/accounts/notification/notification_for_new_fiscal_year/notification_for_new_fiscal_year.py:get_context, erpnext/supp…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: erpnext/manufacturing/doctype/bom_creator/bom_creator.py:get_children, erpnext/manufacturing/doctype/bom_creator/bom_creator.py:add_item, erpnext/manufacturing/doctype/bom_creator/bom_creator.py:add_sub_assembly, erpnext/manufacturing/doctype/bom_crea…
integrity · duplicate · dry
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json supply-chain · npm · install-scripts
low 9-layer software dead-code conf 1.00 Possibly dead Python function: after_delete
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/projects/doctype/task/task.py:318 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: before_save
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/subcontracting/doctype/subcontracting_bom/subcontracting_bom.py:35 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: before_save
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/manufacturing/doctype/bom_creator/bom_creator.py:73 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: before_submit
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/manufacturing/doctype/bom_creator/bom_creator.py:163 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: call_command
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/commands/__init__.py:7 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: decorator
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/__init__.py:178 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: decorator
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/deprecation_dumpster.py:87 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: has_webform_permission
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/projects/doctype/task/task.py:296 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: innerfn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/erpnext_integrations/utils.py:11 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: is_row_updated
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/projects/doctype/project/project.py:187 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: set_perpetual_inventory
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/__init__.py:58 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: validate_webhooks_request
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
erpnext/erpnext_integrations/utils.py:10 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — banking/src/components/features/BankReconciliation/TransferModal.tsx:129
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — banking/src/components/ui/error-banner.tsx:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — erpnext/assets/doctype/asset_movement/asset_movement.js:110
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — erpnext/erpnext_integrations/doctype/plaid_settings/plaid_settings.js:123
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — erpnext/selling/page/point_of_sale/pos_controller.js:733
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — erpnext/setup/doctype/driver/driver.js:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer quality integrity conf 1.00 Stub function `add_regional_gl_entries` (body is just `pass`/`return`) — erpnext/accounts/doctype/payment_entry/payment_entry.py:3575
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `add_stock` (body is just `pass`/`return`) — erpnext/stock/valuation.py:16
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `autoname` (body is just `pass`/`return`) — erpnext/setup/doctype/sales_partner/sales_partner.py:46
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `check_if_already_pulled` (body is just `pass`/`return`) — erpnext/stock/doctype/material_request/material_request.py:112
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `db_insert` (body is just `pass`/`return`) — erpnext/bulk_transaction/doctype/bulk_transaction_log/bulk_transaction_log.py:27
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `format_row` (body is just `pass`/`return`) — erpnext/accounts/doctype/financial_report_template/financial_report_engine.py:1608
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `get_list` (body is just `pass`/`return`) — erpnext/accounts/doctype/payment_reconciliation_allocation/payment_reconciliation_allocation.py:39
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `get_list` (body is just `pass`/`return`) — erpnext/accounts/doctype/payment_reconciliation_invoice/payment_reconciliation_invoice.py:30
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `get_list` (body is just `pass`/`return`) — erpnext/accounts/doctype/payment_reconciliation_payment/payment_reconciliation_payment.py:34
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `get_regional_address_details` (body is just `pass`/`return`) — erpnext/accounts/party.py:292
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `get_regional_round_off_accounts` (body is just `pass`/`return`) — erpnext/controllers/taxes_and_totals.py:1237
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `on_trash` (body is just `pass`/`return`) — erpnext/buying/doctype/supplier_quotation/supplier_quotation.py:139
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `on_update` (body is just `pass`/`return`) — erpnext/maintenance/doctype/maintenance_visit/maintenance_visit.py:208
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `on_update` (body is just `pass`/`return`) — erpnext/support/doctype/warranty_claim/warranty_claim.py:77
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `save` (body is just `pass`/`return`) — erpnext/accounts/doctype/payment_reconciliation/payment_reconciliation.py:105
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `set_failed` (body is just `pass`/`return`) — erpnext/accounts/doctype/payment_request/payment_request.py:623
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `setup` (body is just `pass`/`return`) — erpnext/regional/australia/setup.py:5
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `setup` (body is just `pass`/`return`) — erpnext/regional/turkey/setup.py:1
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `update_regional_gl_entries` (body is just `pass`/`return`) — erpnext/stock/doctype/purchase_receipt/purchase_receipt.py:1718
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `update_regional_item_valuation_rate` (body is just `pass`/`return`) — erpnext/controllers/buying_controller.py:1214
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `validate_regional` (body is just `pass`/`return`) — erpnext/controllers/accounts_controller.py:4352
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `validate` (body is just `pass`/`return`) — erpnext/accounts/doctype/financial_report_template/financial_report_validation.py:107
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `validate` (body is just `pass`/`return`) — erpnext/quality_management/doctype/quality_goal/quality_goal.py:60
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality complexity conf 1.00 Very large file: banking/src/components/features/BankReconciliation/RecordPaymentModal.tsx (1300 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/financial_report_template/financial_report_engine.py (2005 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/financial_report_template/test_financial_report_engine.py (2385 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/journal_entry/journal_entry.py (1827 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/payment_entry/payment_entry.js (1886 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/payment_entry/payment_entry.py (3576 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/payment_entry/test_payment_entry.py (2271 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/payment_reconciliation/test_payment_reconciliation.py (2475 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/payment_request/test_payment_request.py (1986 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py (2080 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/purchase_invoice/test_purchase_invoice.py (3275 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/sales_invoice/sales_invoice.py (3177 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/sales_invoice/test_sales_invoice.py (5188 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/doctype/tax_withholding_category/test_tax_withholding_category.py (4201 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/accounts/utils.py (2842 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/assets/doctype/asset/asset.py (1577 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/assets/doctype/asset/test_asset.py (2106 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/buying/doctype/purchase_order/test_purchase_order.py (1614 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/controllers/accounts_controller.py (4529 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: erpnext/controllers/stock_controller.py (2433 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file (25 findings, one per file below). Files with >800 lines often hide complexity hotspots and discourage tests.
erpnext/controllers/subcontracting_controller.py (1546 lines)
erpnext/controllers/tests/test_accounts_controller.py (2476 lines)
erpnext/manufacturing/doctype/bom/bom.py (2015 lines)
erpnext/manufacturing/doctype/job_card/job_card.py (1804 lines)
erpnext/manufacturing/doctype/production_plan/production_plan.py (2275 lines)
erpnext/manufacturing/doctype/production_plan/test_production_plan.py (2926 lines)
erpnext/manufacturing/doctype/work_order/test_work_order.py (4744 lines)
erpnext/manufacturing/doctype/work_order/work_order.py (2896 lines)
erpnext/public/js/controllers/transaction.js (3334 lines)
erpnext/selling/doctype/sales_order/sales_order.py (2247 lines)
erpnext/selling/doctype/sales_order/test_sales_order.py (3029 lines)
erpnext/stock/doctype/delivery_note/test_delivery_note.py (2958 lines)
erpnext/stock/doctype/pick_list/pick_list.py (1744 lines)
erpnext/stock/doctype/pick_list/test_pick_list.py (1769 lines)
erpnext/stock/doctype/purchase_receipt/purchase_receipt.py (1742 lines)
erpnext/stock/doctype/purchase_receipt/test_purchase_receipt.py (5875 lines)
erpnext/stock/doctype/serial_and_batch_bundle/serial_and_batch_bundle.py (3529 lines)
erpnext/stock/doctype/stock_entry/stock_entry.py (4383 lines)
erpnext/stock/doctype/stock_entry/test_stock_entry.py (2617 lines)
erpnext/stock/doctype/stock_reconciliation/test_stock_reconciliation.py (1980 lines)
erpnext/stock/doctype/stock_reservation_entry/stock_reservation_entry.py (1900 lines)
erpnext/stock/get_item_details.py (1752 lines)
erpnext/stock/stock_ledger.py (2506 lines)
erpnext/subcontracting/doctype/subcontracting_receipt/test_subcontracting_receipt.py (2131 lines)
erpnext/tests/utils.py (3045 lines)
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
banking/proxyOptions.ts:10 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 for context.
banking/src/components/ui/dropdown-menu.tsx:63 quality legacy
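What `!` actually buys at runtime compared with an explicit narrow, shown on a lookup that can miss, as an added example: not code from erpnext or the banking/ app; the menu registry is constructed and dropdown-menu.tsx:63 is not reproduced here.

```typescript
// Added example (not erpnext or banking/ code). The registry and ids are constructed.

interface MenuItem {
  id: string;
  label: string;
}

const items = new Map<string, MenuItem>([
  ["open", { id: "open", label: "Open" }],
  ["reconcile", { id: "reconcile", label: "Reconcile" }],
]);

// The pattern MINED045 flags: `!` tells the compiler the value is never undefined and emits
// nothing at runtime. If the id is missing, the failure is a TypeError on the next property
// access, with a message about `undefined` rather than about the id that was wrong.
function labelUnsafe(id: string): string {
  const item = items.get(id)!;
  return item.label.toUpperCase();
}

// Hardened form: narrow at the boundary and fail with a message naming the bad input.
// Callers of getRequired get a MenuItem; the undefined branch cannot leak past this point.
function getRequired(id: string): MenuItem {
  const item = items.get(id);
  if (item === undefined) {
    throw new Error(`unknown menu item id: ${JSON.stringify(id)}`);
  }
  return item;
}

function labelSafe(id: string): string {
  return getRequired(id).label.toUpperCase();
}

// Small helper so the two failure modes can be compared without crashing the caller.
function thrownBy(fn: () => unknown): unknown {
  try {
    fn();
    return undefined;
  } catch (err) {
    return err;
  }
}
```

Both variants behave identically on the happy path; they differ only when the assumption is false, which is exactly the case the compiler was asked to stop checking. Where a missing value is legitimate (a closed dropdown, an unmounted ref) the right fix is to return early on `undefined`, not to assert it away.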
low Legacy quality quality conf 1.00 ✓ Repobility [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
banking/src/components/features/BankReconciliation/IncorrectlyClearedEntries.tsx:184 quality legacy
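One way to make "pair with DOMPurify or never use with user data" a property the compiler enforces, as an added example: not code from erpnext or the banking/ component, and what IncorrectlyClearedEntries.tsx:184 actually renders is not reproduced. The branded SafeHtml type means the only values that can reach dangerouslySetInnerHTML have been escaped here or passed through an injected sanitizer (DOMPurify.sanitize in a browser build); the statement description used as input is constructed.

```typescript
// Added example (not erpnext or banking/ code). The sample description is constructed.

// A string that has provably been escaped or sanitized. Plain strings are not assignable to it.
type SafeHtml = string & { readonly __brand: "SafeHtml" };

const ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape everything. Correct whenever the value is data (a payee, a memo line), not markup.
// This is what React's JSX children do for you; it is reproduced here only because the
// dangerouslySetInnerHTML path skips it.
function escapeHtml(untrusted: string): SafeHtml {
  return untrusted.replace(/[&<>"']/g, (c) => ESCAPES[c] ?? c) as SafeHtml;
}

// When real markup must be rendered, route it through a sanitizer. The sanitizer is injected
// (DOMPurify.sanitize in the browser) so this module has no DOM dependency.
type Sanitizer = (html: string) => string;
function sanitizeHtml(untrusted: string, sanitize: Sanitizer): SafeHtml {
  return sanitize(untrusted) as SafeHtml;
}

// The single place that builds the prop object. Passing an unbranded string is a compile error,
// so every dangerouslySetInnerHTML in the codebase has to go through escapeHtml or sanitizeHtml.
function innerHtmlProps(html: SafeHtml): { dangerouslySetInnerHTML: { __html: string } } {
  return { dangerouslySetInnerHTML: { __html: html } };
}

// Constructed sample: a bank statement line whose description carries an injected handler.
// Statement text comes from the bank feed or an uploaded file, i.e. it is untrusted input.
const sampleDescription =
  'Card payment <img src=x onerror="alert(document.cookie)"> AMAZON';

// escapeHtml(sampleDescription)
//   -> 'Card payment &lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt; AMAZON'
```

With this in place, `innerHtmlProps(someString)` does not type-check, so the unsafe path is visible in the types rather than left to review. Where the value is data rather than markup, as a transaction description is, rendering it as an ordinary `{text}` JSX child is the simpler fix and needs neither the brand nor a sanitizer.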
low Legacy quality quality conf 1.00 ✓ Repobility [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
Review and fix per the pattern semantics. See CWE-400 for context.
.github/helper/documentation.py:44 quality legacy
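MINED067 is a Python finding, and the fix at .github/helper/documentation.py:44 is to pass timeout= to the requests call. The same defect class in a fetch-based client, such as the banking/ frontend, has no keyword argument and needs an AbortController; this added example (not code from erpnext or the banking/ app) shows that wrapper with an injectable transport so it runs without a network. The URL, the hanging and instant transports, and the response shape are constructed.

```typescript
// Added example (not erpnext or banking/ code): a fetch wrapper with a hard upper bound,
// the fetch-side equivalent of requests.get(url, timeout=...). Transports below are constructed.

class RequestTimeoutError extends Error {
  constructor(public readonly url: string, public readonly ms: number) {
    super(`request to ${url} exceeded ${ms} ms`);
    this.name = "RequestTimeoutError";
  }
}

// Minimal shape of fetch we rely on, so a fake transport can be injected in tests.
// In the browser pass window.fetch (its signature is compatible with this).
type FetchLike = (url: string, init: { signal: AbortSignal }) => Promise<unknown>;

async function fetchWithTimeout<T = unknown>(
  url: string,
  ms: number,
  fetchImpl: FetchLike,
): Promise<T> {
  const controller = new AbortController();
  let timedOut = false;
  const timer = setTimeout(() => {
    timedOut = true;
    controller.abort();
  }, ms);
  try {
    return (await fetchImpl(url, { signal: controller.signal })) as T;
  } catch (err) {
    // Separate "we gave up" from a genuine transport failure so callers can retry sensibly.
    if (timedOut) {
      throw new RequestTimeoutError(url, ms);
    }
    throw err;
  } finally {
    clearTimeout(timer); // never leave a live timer behind on the success path
  }
}

// Constructed transport that never answers; it only fails once the signal fires, which is
// exactly how a stalled TCP connection behaves from the caller's point of view (CWE-400).
const hangingFetch: FetchLike = (_url, init) =>
  new Promise((_resolve, reject) => {
    init.signal.addEventListener("abort", () => reject(new Error("aborted")));
  });

// Constructed transport that answers immediately.
const instantFetch: FetchLike = async () => ({ status: 200, body: "ok" });
```

Without the bound, a stalled upstream holds the request (and in the Python case, the CI job) open indefinitely; with it, the caller gets a typed error after a known delay and can decide whether to retry. Pick the budget per call site: a token exchange and a bulk statement download do not deserve the same number.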
API access

This page is publicly accessible at: https://repobility.com/scan/7bfa3179-7646-4f6c-9965-6c3558bc8cc9/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/7bfa3179-7646-4f6c-9965-6c3558bc8cc9/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.