58 of your 107 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused the delay on this scan, not Repobility:
  • GitHub API rate-limited (HTTP 403): preflight skipped, fell back to a direct git clone.
  • Clone from GitHub took 48.18s for an 84.1 MB repo (slow).
  • Repobility's analysis ran in 32.55s after the clone landed.

opentoonz/opentoonz

https://github.com/opentoonz/opentoonz.git · scanned 2026-05-20 21:40 UTC (2 weeks, 1 day ago) · 10 languages

388 findings (100 legacy + 288 scanner) · 11/13 scanners ran · Scanner says 73 (lower by 11)


Complete repo analysis

Last scanned 2 weeks, 1 day ago · v3 · 296 findings from 2 sources. Findings combine the legacy security pipeline, the multi-layer engine (atlas, wiring, flows, ranked) and verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score           40.0    0.15          6.00
security_score           100.0    0.25         25.00
testing_score             15.0    0.20          3.00
documentation_score       75.0    0.15         11.25
practices_score           67.0    0.15         10.05
code_quality              70.0    0.10          7.00
Overall                            1.00         62.3
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary: the repository scored 73.3/100 with 88.9% coverage. It contains 5134 nodes and 0 cross-layer flows, written in a mix of languages. The engine surfaced 96 findings, concentrated in software (50), quality (37) and security (3). Risk profile is high: 1 critical, 0 high, 6 medium. Recommended next step: open the software-layer findings first; that is where the highest-impact wins live.

Showing 246 of 296 findings.

critical · legacy · quality · conf 1.00 · ✓ Repobility [MINED022] C strcpy: strcpy/strcat don't bounds-check the destination. Bound the copy with snprintf or an explicit length check; strncpy alone is not enough, since it does not NUL-terminate when the source fills the buffer.
Review and fix per the pattern semantics. See CWE-120 for context.
toonz/sources/image/tzp/infoplt.c:42 · quality · legacy
critical · legacy · quality · conf 1.00 · ✓ Repobility [MINED022] C strcpy: strcpy/strcat don't bounds-check the destination. Bound the copy with snprintf or an explicit length check; strncpy alone is not enough, since it does not NUL-terminate when the source fills the buffer.
Review and fix per the pattern semantics. See CWE-120 for context.
toonz/sources/common/twain/ttwain_stateW.c:29 · quality · legacy
critical · legacy · quality · conf 1.00 · ✓ Repobility [MINED022] C strcpy: strcpy/strcat don't bounds-check the destination. Bound the copy with snprintf or an explicit length check; strncpy alone is not enough, since it does not NUL-terminate when the source fills the buffer.
Review and fix per the pattern semantics. See CWE-120 for context.
toonz/sources/common/twain/ttwain_error.c:112 · quality · legacy
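The strcpy findings above say what not to call but not what the bounded form looks like. The following is an added example, not code from OpenToonz or from this report: two hypothetical helpers (bounded_copy, bounded_append) that take the destination size, always NUL-terminate and report truncation instead of overflowing, plus a third function that shows why the report's "use strncpy" needs a caveat.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not OpenToonz code. They show what "bound the copy"
   means in practice: the destination size is always passed in, the result is
   always NUL-terminated, and truncation is reported instead of silently
   overflowing (CWE-120). */

/* Copy src into dst[dstsz]. Returns 0 if it fit, -1 if it was truncated
   (dst then holds a NUL-terminated prefix) or the arguments are unusable. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    int n = snprintf(dst, dstsz, "%s", src);   /* never writes past dstsz */
    if (n < 0) { dst[0] = '\0'; return -1; }
    return (size_t)n < dstsz ? 0 : -1;         /* n is the length src needed */
}

/* Append src to the string already in dst[dstsz], same contract as above.
   Fails if dst is not NUL-terminated inside the buffer. */
int bounded_append(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz == 0) return -1;
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL) return -1;
    size_t used = (size_t)(end - dst);
    return bounded_copy(dst + used, dstsz - used, src);
}

/* Why the finding's "use strncpy" needs a caveat: strncpy writes no NUL when
   src is at least dstsz bytes long. Returns 1 if dst ended up unterminated. */
int strncpy_leaves_unterminated(char *dst, size_t dstsz, const char *src) {
    memset(dst, 'X', dstsz);                  /* make a missing NUL visible */
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) == NULL;
}

int main(void) {
    char buf[8];
    int rc = bounded_copy(buf, sizeof buf, "0123456789");
    printf("bounded_copy rc=%d dst=\"%s\"\n", rc, buf);       /* rc=-1, "0123456" */
    char raw[8];
    printf("strncpy unterminated=%d\n",
           strncpy_leaves_unterminated(raw, sizeof raw, "12345678")); /* 1 */
    return 0;
}
```

The return value is the point: a caller that ignores -1 from bounded_copy still has a terminated buffer, whereas a caller that ignores strncpy's silent non-termination hands an unterminated buffer to the next strlen or printf.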
critical · 9-layer · security · secrets · conf 1.00 Possible secret in thirdparty/Lz4/Lz4_131/contrib/djgpp/Makefile
Detected a pattern matching password_literal. Confirm it is a live credential before acting: a match inside a vendored build file is often a variable name or placeholder rather than a secret. If it is real, rotate it and move it to a secret manager.
thirdparty/Lz4/Lz4_131/contrib/djgpp/Makefile:97 · secrets
high · legacy · quality · conf 1.00 · ✓ Repobility [MINED017] C system call: system() runs its argument through a shell, so it is a command-injection sink if any part of that argument is dynamic. Prefer an argv-based exec (fork/execvp or posix_spawn) with the untrusted value passed as a single argument.
Review and fix per the pattern semantics. See CWE-78 for context.
toonz/sources/toonz/history.cpp:27 · quality · legacy
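For the system() finding above, the fix is an API change rather than input filtering. The block below is an added example and not OpenToonz code: run_argv, build_shell_command and has_shell_metachars are hypothetical names, and the "rm -f /tmp/history/..." command line is a constructed stand-in for whatever history.cpp actually runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helpers, not OpenToonz code. The point of CWE-78 here is
   the API shape: system() hands a single string to /bin/sh, so every
   metacharacter in a dynamic piece of that string is interpreted. An
   argv-based exec passes each value as one argument, with no shell. */

/* Run argv[0] with the given arguments and no shell. Returns the child's
   exit status, 127 if exec failed, or -1 on fork/wait failure. */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The vulnerable shape, kept as a pure string builder so it is never run:
   an untrusted name spliced into a command line destined for system(). */
int build_shell_command(char *out, size_t outsz, const char *untrusted_name) {
    int n = snprintf(out, outsz, "rm -f /tmp/history/%s", untrusted_name);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Review-time detector: does a value contain bytes a POSIX shell would
   interpret? Useful for triage, not a substitute for avoiding the shell. */
int has_shell_metachars(const char *s) {
    return strpbrk(s, ";|&$`\\\"'<>()*?[]{}~\n") != NULL;
}

int main(void) {
    /* Constructed attacker-style input; under system() the ';' would chain
       a second command, but here it arrives intact as one argv entry. */
    char *const argv[] = {"sh", "-c", "test \"$1\" = 'a; echo pwned'", "_",
                          "a; echo pwned", NULL};
    printf("argument intact: %s\n", run_argv(argv) == 0 ? "yes" : "no");
    char cmd[64];
    build_shell_command(cmd, sizeof cmd, "a; echo pwned");
    printf("system() would see: %s (metachars=%d)\n", cmd, has_shell_metachars(cmd));
    return 0;
}
```

The sh -c invocation in main is there only to prove the argument boundary survives; in the real fix the program being launched would be the external tool itself, not a shell.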
high · legacy · quality · conf 1.00 · ✓ Repobility [MINED104] chmod 777: chmod 777 makes a file or directory world-readable, world-writable and world-executable. Any local user can then replace its contents, which is a local privilege-escalation surface and fails most compliance audits.
Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a dedicated group: chown to that group and chmod g+w, rather than opening the directory to everyone.
toonz/install/copy_plugin.sh:81 · quality · legacy
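For the chmod 777 finding, the recommended modes are easy to state but worth verifying on disk. The following added example (not from OpenToonz or the report) creates a scratch file in 0777, detects the world-write bit and applies 0750 or 0640 depending on whether the file is a directory or executable; the /tmp path and the helper names are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helpers, not OpenToonz code. They make the finding checkable:
   detect the symptom of chmod 777 (the "other" write bit) and apply the
   least-privilege mode the finding recommends instead. */

/* 1 if path is writable by "other", 0 if not, -1 if it cannot be stat'ed. */
int is_world_writable(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Replace the current mode with 0750 for directories and executables, 0640
   for everything else. Returns the mode applied, or -1 on error. */
int tighten_mode(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    mode_t want = (S_ISDIR(st.st_mode) || (st.st_mode & S_IXUSR)) ? 0750 : 0640;
    if (chmod(path, want) != 0) return -1;
    return (int)want;
}

/* Create a scratch file in 0777, the mode the copy_plugin.sh finding flags,
   so the check and the fix can be exercised offline. Fills path with the
   file's name; returns 0 on success. The caller unlinks it. */
int make_world_writable_file(char *path, size_t pathsz) {
    if (snprintf(path, pathsz, "/tmp/copy_plugin_XXXXXX") >= (int)pathsz) return -1;
    int fd = mkstemp(path);                   /* created 0600, then widened */
    if (fd < 0) return -1;
    int rc = fchmod(fd, 0777);
    close(fd);
    return rc == 0 ? 0 : -1;
}

int main(void) {
    char path[64];
    if (make_world_writable_file(path, sizeof path) != 0) return 1;
    printf("%s world-writable before: %d\n", path, is_world_writable(path));
    printf("applied mode: %o\n", tighten_mode(path));
    printf("world-writable after: %d\n", is_world_writable(path));
    unlink(path);
    return 0;
}
```

Because the scratch file was 0777, its user-execute bit is set and tighten_mode treats it as an executable (0750); clear that bit first and the same function picks 0640, which is the config-file case the finding describes.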
high · legacy · quality · conf 1.00 · ✓ Repobility [MINED108] `self._validate_path` used but never assigned in __init__: method `validate_paths` of class `QrcValidator` reads `self._validate_path`, but nothing assigns it in __init__ and there is no class-level fallback, so the first call on an instance raises AttributeError.
Initialize `self._validate_path = <default>` in __init__, or add a class-level default.
toonz/sources/toonz/toonz_qrc_validator.py:41 · quality · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_macos.yml:74 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_windows.yml:50 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_linux.yml:44 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_macos.yml:33 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_windows.yml:43 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_linux.yml:35 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_macos.yml:139 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_windows.yml:154 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_linux.yml:110 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED115] Action `microsoft/setup-msbuild` pinned to mutable ref `@v2`: `uses: microsoft/setup-msbuild@v2` is resolved at workflow-run time, and tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials. That is what let the tj-actions/changed-files compromise (2025) affect roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate.
Replace with: `uses: microsoft/setup-msbuild@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/workflow_windows.yml:87 · dependency · legacy
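The MINED115 findings above all reduce to one check: is the part after '@' in a uses: line a full commit SHA? Below is an added example, not OpenToonz code and not the scanner's own implementation, that runs that check over a constructed workflow fragment. SAMPLE_WORKFLOW and the function names are invented for the example, and the SHA in the sample is a placeholder, not a real commit.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenToonz code. It implements the MINED115 check over a
   constructed workflow fragment: the only immutable `uses:` ref is a full
   40-hex-digit commit SHA; a tag or branch name is mutable. */

/* Constructed sample, not the repo's real workflow. One tag, one branch,
   one SHA pin that keeps the version as a trailing comment. */
static const char SAMPLE_WORKFLOW[] =
    "jobs:\n"
    "  build:\n"
    "    steps:\n"
    "      - uses: actions/checkout@v6\n"
    "      - uses: actions/cache@main\n"
    "      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v6\n"
    "      - run: make\n";

/* A ref is immutable only when it is exactly 40 hex digits. A tag could be
   named to look like a SHA; length-and-hex is still the static check, and
   resolving the ref against the action repo is the follow-up step. */
int ref_is_immutable(const char *ref) {
    size_t len = strlen(ref);
    if (len != 40) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)ref[i])) return 0;
    return 1;
}

/* If line is a `uses:` line, copy its ref (the part after '@', up to
   whitespace or '#') into out and return 1; otherwise return 0. A uses:
   line with no '@' yields an empty ref, which counts as mutable. */
int parse_uses_ref(const char *line, char *out, size_t outsz) {
    const char *u = strstr(line, "uses:");
    if (u == NULL || outsz == 0) return 0;
    const char *at = strchr(u, '@');
    size_t n = 0;
    if (at != NULL) {
        at++;
        while (at[n] && !isspace((unsigned char)at[n]) && at[n] != '#') n++;
        if (n >= outsz) n = outsz - 1;
        memcpy(out, at, n);
    }
    out[n] = '\0';
    return 1;
}

/* Count `uses:` lines whose ref is not a full commit SHA. */
int count_mutable_uses(const char *yaml) {
    int count = 0;
    const char *p = yaml;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char ref[128];
        if (parse_uses_ref(line, ref, sizeof ref) && !ref_is_immutable(ref)) count++;
        if (nl == NULL) break;
        p = nl + 1;
    }
    return count;
}

int main(void) {
    printf("mutable uses: refs in sample: %d\n", count_mutable_uses(SAMPLE_WORKFLOW)); /* 2 */
    return 0;
}
```

The trailing `# v6` comment is what lets Dependabot or Renovate keep bumping the SHA while a reader still sees which release it corresponds to; the parser deliberately stops at '#' so that comment never counts as part of the ref.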
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s1.o` committed in source repo: a .o object (521 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s1.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s2.o` committed in source repo: a .o object (707 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s2.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f1.o` committed in source repo: a .o object (563 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f1.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f2.o` committed in source repo: a .o object (685 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f2.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f1.o` committed in source repo: a .o object (691 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f1.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f2.o` committed in source repo: a .o object (941 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f2.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s1.o` committed in source repo: a .o object (713 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s1.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s2.o` committed in source repo: a .o object (979 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s2.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f1.o` committed in source repo: a .o object (691 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f1.o:1 · dependency · legacy
high · legacy · software · dependency · conf 0.90 · ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f2.o` committed in source repo: a .o object (941 bytes) in a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts then link or execute.
Audit the binary's provenance: if the same path and hash exist in the upstream lzo-2.03 release archive, it is vendored library code; document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f2.o:1 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s1.o` is a .o binary (713 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s1.o:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s2.o` is a .o binary (979 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s2.o:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1c_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1c_s2.o` is a .o binary (954 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1c_s2.o:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1x_f1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1x_f1.o` is a .o binary (938 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1x_f1.o:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1y_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1y_s2.o` is a .o binary (1,226 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1y_s2.o:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/dict.exe` committed in source repo: `thirdparty/lzo/2.03/dict.exe` is a .exe binary (19,968 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/dict.exe:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/lzopack.exe` committed in source repo: `thirdparty/lzo/2.03/lzopack.exe` is a .exe binary (24,576 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/lzopack.exe:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/precomp.exe` committed in source repo: `thirdparty/lzo/2.03/precomp.exe` is a .exe binary (31,232 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/precomp.exe:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/precomp2.exe` committed in source repo: `thirdparty/lzo/2.03/precomp2.exe` is a .exe binary (31,744 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/precomp2.exe:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/simple.exe` committed in source repo: `thirdparty/lzo/2.03/simple.exe` is a .exe binary (10,752 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/simple.exe:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/tools/lzocompress.exe` committed in source repo: `thirdparty/lzo/2.03/tools/lzocompress.exe` is a .exe binary (8,192 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/tools/lzocompress.exe:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/lzo/2.03/tools/lzodecompress.exe` committed in source repo: `thirdparty/lzo/2.03/tools/lzodecompress.exe` is a .exe binary (8,192 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/lzo/2.03/tools/lzodecompress.exe:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `thirdparty/superlu/libsuperlu_4.1.a` committed in source repo: `thirdparty/superlu/libsuperlu_4.1.a` is a .a binary (1,338,672 bytes) committed to a repo that otherwise has 4073 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
thirdparty/superlu/libsuperlu_4.1.a:1 dependency legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
toonz/sources/toonz/batchserversviewer.cpp:116 quality legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
toonz/sources/include/toonzqt/imageutils.h:201 quality legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
toonz/sources/include/toonz/autoclose.h:62 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
toonz/sources/toonz/toonz_qrc_validator.py:53 quality legacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
microsoft/setup-msbuild@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/workflow_windows.yml:87 supply-chain github-actions pinned-dependencies
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in thirdparty/openblas/xianyi-OpenBLAS-e6e87a2/Makefile:249
Found a known-risky pattern (weak_hash). Review and replace if possible.
thirdparty/openblas/xianyi-OpenBLAS-e6e87a2/Makefile:249 owasp weak_hash
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — thirdparty/Lz4/Lz4_131/versionsTest/test-lz4-versions.py:23
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverage auth
medium 9-layer network security conf 1.00 Privileged port 14 in use
Port 14 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
thirdparty/lzo/2.03/autoconf/ltmain.sh security ports
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
2 test file(s) for 105 source file(s) (ratio 0.02). Consider adding integration or unit tests for critical paths.
tests coverage
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
toonz/sources/toonzfarm/tfarmclient/appmainshell.cpp:142 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/kiss_fft/tools/psdpng.c:34 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/glew/glew-1.9.0/include/GL/glxew.h:1 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/glew/glew-1.9.0/auto/src/glew_utils.c:14 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/lz4io.h:8 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/lz4io.h:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/lz4io.h:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/lz4io.c:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/lz4io.c:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/lz4cli.c:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/fuzzer.c:31 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/fuzzer.c:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/fullbench.c:7 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/fullbench.c:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/datagencli.c:6 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/datagencli.c:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/datagen.h:5 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/datagen.h:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/datagen.h:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/datagen.c:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/datagen.c:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/bench.h:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/programs/bench.h:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/xxhash.h:13 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/xxhash.h:13 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/xxhash.h:4 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/xxhash.h:4 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/xxhash.c:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/xxhash.c:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4hc.h:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4hc.h:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4hc.c:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4hc.c:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4frame_static.h:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4frame_static.h:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4frame.h:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
thirdparty/Lz4/Lz4_131/lib/lz4frame.h:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
plugins/multiplugin/multi.cpp:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
plugins/multiplugin/multi.cpp:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
plugins/multiplugin/multi.cpp:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
plugins/multiplugin/multi.cpp:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
plugins/geom/geom.cpp:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
plugins/geom/geom.cpp:1 qualitylegacy
low 9-layer quality maintenance conf 1.00 33 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/menudata.js
Doxygen-generated HTML documentation asset under doc/html; it holds menu and lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_1.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_2.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_3.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_4.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_5.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_6.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_7.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_8.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/all_9.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/classes_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/enums_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/enumvalues_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/functions_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/groups_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/searchdata.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/typedefs_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_0.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_1.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_2.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_3.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_4.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_5.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_6.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_7.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_8.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: thirdparty/libjpeg-turbo/libjpeg-turbo-2.0.6/doc/html/search/variables_9.js
Doxygen-generated search index under doc/html/search; it holds lookup data for the generated pages, not program code, so the absence of declarations is expected. Not dead code; exclude generated documentation from the scan.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/toonz/Resources/init.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/german/colorfx.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/german/image.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/german/tnzcore.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/german/tnztools.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/german/toonz.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/german/toonzlib.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/german/toonzqt.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/japanese/colorfx.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/japanese/image.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/japanese/tnzcore.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/japanese/tnztools.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/japanese/toonz.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/japanese/toonzlib.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/japanese/toonzqt.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/russian/colorfx.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/russian/image.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/russian/tnzcore.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/russian/tnztools.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/russian/toonz.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/russian/toonzlib.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: toonz/sources/translations/russian/toonzqt.ts
Qt Linguist translation catalog (XML), not TypeScript: it holds translated UI strings and declares no code symbols by design. Not dead code; mark FP and exclude toonz/sources/translations from symbol analysis.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo: a tag is mutable and can be re-pointed upstream, so the code that runs in CI is not fixed by this commit. This applies even to GitHub-maintained actions under the actions/ organisation. Pin third-party actions to a reviewed 40-character commit SHA and keep the version as a trailing comment (uses: actions/cache@<sha> # v5) so dependency-update tooling can still propose bumps.
.github/workflows/workflow_windows.yml:50 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v6 can move without a code change in this repo: a tag is mutable and can be re-pointed upstream, so the code that runs in CI is not fixed by this commit. This applies even to GitHub-maintained actions under the actions/ organisation. Pin third-party actions to a reviewed 40-character commit SHA and keep the version as a trailing comment (uses: actions/upload-artifact@<sha> # v6) so dependency-update tooling can still propose bumps.
.github/workflows/workflow_windows.yml:154 supply-chain github-actions pinned-dependencies
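The check behind the two findings above, as an added example that is not part of the scan or of the OpenToonz repository: a POSIX sh script that lists every remote action in a workflow whose ref is not a 40-hex commit SHA, plus a count that can gate CI. The workflow it scans is constructed inline for the example; its steps, the SHA and the action versions are illustrative and are not copied from .github/workflows/workflow_windows.yml.

```sh
#!/bin/sh
# Added example, not part of this scan or of the OpenToonz repository: find
# GitHub Actions `uses:` references that are not pinned to a commit SHA.
# The workflow below is constructed for the example; its steps, the SHA and
# the action versions are illustrative, not copied from workflow_windows.yml.

SAMPLE_WORKFLOW="$(mktemp)"
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v5
        with:
          path: ~/.cache
          key: cache-key
      # SHA-pinned, with the tag kept as a comment (hypothetical SHA):
      - uses: actions/upload-artifact@6b3b1c2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b # v6
      - uses: ./.github/actions/local-step
      - run: echo build
EOF

# Print one "owner/repo@ref" per remote action whose ref is not a 40-character
# lowercase hex commit SHA. Local actions (./path) and docker:// images are
# skipped: they are fixed by other means (repository contents, image digest).
unpinned_uses() {
  sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//' \
    | grep -v '^\./' \
    | grep -v '^docker://' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned remote actions; a CI gate fails the build when non-zero.
unpinned_count() {
  unpinned_uses "$1" | grep -c . || true
}

# To learn which commit a tag currently points at before pinning it:
#   git ls-remote https://github.com/actions/cache refs/tags/v5
# (for an annotated tag the line ending in ^{} carries the commit SHA).
unpinned_uses "$SAMPLE_WORKFLOW"
```

Run unpinned_uses over every file in .github/workflows/; on the sample it reports actions/checkout@v4 and actions/cache@v5 and leaves the SHA-pinned and local steps alone. Resolve each reported tag with git ls-remote, review the commit, and write the SHA into the uses: line with the tag as a trailing comment.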
low 9-layer quality complexity conf 1.00 Very large file: thirdparty/libpng-1.6.21/ltmain.sh (11147 lines)
Generated libtool script copied in by libtoolize; its size is inherent to libtool, not a maintainability signal for this repository. Treat it as vendored build tooling and exclude it from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: thirdparty/libusb/libusb-1.0.9/ltmain.sh (8745 lines)
Generated libtool script copied in by libtoolize; its size is inherent to libtool, not a maintainability signal for this repository. Treat it as vendored build tooling and exclude it from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: thirdparty/lzo/2.03/autoconf/ltmain.sh (6863 lines)
Generated libtool script copied in by libtoolize; its size is inherent to libtool, not a maintainability signal for this repository. Treat it as vendored build tooling and exclude it from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: thirdparty/tiff-4.0.3/config/ltmain.sh (9655 lines)
Generated libtool script copied in by libtoolize; its size is inherent to libtool, not a maintainability signal for this repository. Treat it as vendored build tooling and exclude it from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/chinese/tnztools.ts (2401 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/chinese/toonz.ts (19517 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/chinese/toonzqt.ts (3515 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/czech/tnztools.ts (2866 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/czech/toonz.ts (19058 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/czech/toonzqt.ts (3853 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/french/tnztools.ts (2289 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/french/toonz.ts (13725 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/french/toonzqt.ts (2813 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/german/tnztools.ts (2304 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/german/toonz.ts (18574 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/german/toonzqt.ts (3409 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/italian/tnztools.ts (2287 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/italian/toonz.ts (18064 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/italian/toonzqt.ts (3290 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/japanese/tnztools.ts (2400 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/japanese/toonz.ts (19211 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/japanese/toonzqt.ts (3450 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/korean/tnztools.ts (2332 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/korean/toonz.ts (18194 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/korean/toonzqt.ts (3191 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/norwegian_bokmal/tnztools.ts (2096 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/norwegian_bokmal/toonz.ts (16298 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/norwegian_bokmal/toonzqt.ts (3178 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/russian/tnztools.ts (2927 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/russian/toonzlib.ts (1277 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/russian/toonzqt.ts (4082 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/spanish/tnztools.ts (2399 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/spanish/toonz.ts (19103 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low 9-layer quality complexity conf 1.00 Very large file: toonz/sources/translations/spanish/toonzqt.ts (3456 lines)
Qt Linguist translation catalog (XML); its line count scales with the number of UI strings, not with code complexity. Not a hotspot; exclude toonz/sources/translations from complexity metrics.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Confirm that the string is a runtime endpoint rather than a URL in a comment, license header, specification reference or identifier: only a URL the program actually fetches from or posts to carries data in clear text (CWE-319 / A02:2021). If it is used on the wire, change it to https:// and keep certificate verification on; otherwise mark FP.
toonz/sources/include/tiio_jpg_exif.h:6 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Confirm that the string is a runtime endpoint rather than a URL in a comment, license header, specification reference or identifier: only a URL the program actually fetches from or posts to carries data in clear text (CWE-319 / A02:2021). If it is used on the wire, change it to https:// and keep certificate verification on; otherwise mark FP.
toonz/sources/common/tsystem/tfilepath_io.cpp:18 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Confirm that the string is a runtime endpoint rather than a URL in a comment, license header, specification reference or identifier: only a URL the program actually fetches from or posts to carries data in clear text (CWE-319 / A02:2021). If it is used on the wire, change it to https:// and keep certificate verification on; otherwise mark FP.
plugins/multiplugin/multi.cpp:273 quality legacy
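A first-pass triage for the three MINED043 hits above, as an added example that is neither Repobility's detection logic nor code from the OpenToonz repository: a POSIX sh script that separates http:// URLs sitting in a string literal (candidate runtime endpoints) from those that only appear in a // comment, and drops loopback hosts as the finding's scope does. The C++ sample it scans is constructed inline for the example and is not the content of tiio_jpg_exif.h, tfilepath_io.cpp or multi.cpp.

```sh
#!/bin/sh
# Added example, not part of this scan or of the OpenToonz repository: triage
# http:// hits by whether the URL is in a string literal (a candidate runtime
# endpoint) or only in a // comment. The C++ sample is constructed for the
# example; the hosts are illustrative and do not come from the repository.

SAMPLE_SRC="$(mktemp)"
trap 'rm -f "$SAMPLE_SRC"' EXIT
cat > "$SAMPLE_SRC" <<'EOF'
// Spec reference: http://www.example.invalid/spec.pdf (comment only)
#include <string>
const char *kDocsUrl = "http://docs.example.invalid/manual"; // literal, remote
std::string local = "http://localhost:8080/upload";          // loopback, skip
std::string secure = "https://api.example.invalid/upload";   // TLS, fine
std::string upload = "http://api.example.invalid/upload";    // literal, remote
EOF

# Print LINE:TEXT for lines where an http:// URL appears inside a double-quoted
# string once // comments are removed. A // that starts the line or follows
# whitespace is a comment; the // inside http:// follows ':' and survives.
# Loopback hosts are dropped, matching the finding's "(not localhost)" scope.
# Limitation: /* */ block comments and strings split across lines are not
# handled; those need a real tokenizer.
http_literals() {
  sed -E -e 's@^//.*$@@' -e 's@[[:space:]]//.*$@@' "$1" \
    | grep -n '"[^"]*http://' \
    | grep -Ev 'http://(localhost|127\.0\.0\.1)([:/"]|$)' || true
}

# Number of candidate clear-text endpoints in a file.
http_literal_count() {
  http_literals "$1" | grep -c . || true
}

http_literals "$SAMPLE_SRC"
```

On the sample this reports lines 3 and 6 only: the URL in the leading comment and the localhost literal are dropped, and the https:// literal never matches. Each reported line still needs a human to check whether the literal reaches a socket; a documentation URL in a string that is only displayed is not a CWE-319 issue.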
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/895158db-3965-47f3-ab73-ba9a1a655881/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/895158db-3965-47f3-ab73-ba9a1a655881/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.