File as GitHub Issue repo: oracle/graalvm-reachability-metadata

Push this scan report to oracle/graalvm-reachability-metadata

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

`self._copy_stream` used but never assigned in __init__

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| HIGH | MINED108 | [MINED108] `self._issue` used but never assigned in __init__: Method `get_issue_by_number… | forge/utility_scripts/fixture_github.py:156 |
| HIGH | MINED108 | [MINED108] `self._resolve_carriage_returns` used but never assigned in __init__: Method `… | forge/forge_metadata.py:1850 |
| HIGH | MINED108 | [MINED108] `self._stderr_read_fd` used but never assigned in __init__: Method `start` of … | forge/forge_metadata.py:1808 |
| HIGH | MINED108 | [MINED108] `self._stdout_read_fd` used but never assigned in __init__: Method `start` of … | forge/forge_metadata.py:1803 |
| HIGH | MINED108 | [MINED108] `self._copy_stream` used but never assigned in __init__: Method `start` of cla… | forge/forge_metadata.py:1807 |
| HIGH | MINED108 | [MINED108] `self._copy_stream` used but never assigned in __init__: Method `start` of cla… | forge/forge_metadata.py:1802 |
| HIGH | MINED108 | [MINED108] `self._stderr_write_fd` used but never assigned in __init__: Method `start` of… | forge/forge_metadata.py:1817 |
| HIGH | MINED108 | [MINED108] `self._stdout_write_fd` used but never assigned in __init__: Method `start` of… | forge/forge_metadata.py:1816 |
| HIGH | MINED108 | [MINED108] `self._stderr_write_fd` used but never assigned in __init__: Method `start` of… | forge/forge_metadata.py:1815 |
| HIGH | MINED108 | [MINED108] `self._stdout_write_fd` used but never assigned in __init__: Method `start` of… | forge/forge_metadata.py:1814 |
| HIGH | MINED108 | [MINED108] `self._acquire_exclusive_file_lock` used but never assigned in __init__: Metho… | forge/forge_metadata.py:1043 |
| HIGH | MINED108 | [MINED108] `self.release` used but never assigned in __init__: Method `__exit__` of class… | forge/forge_metadata.py:1038 |
| HIGH | MINED108 | [MINED108] `self.acquire` used but never assigned in __init__: Method `__enter__` of clas… | forge/forge_metadata.py:1034 |
| HIGH | MINED108 | [MINED108] `self._acquire_exclusive_file_lock` used but never assigned in __init__: Metho… | forge/forge_metadata.py:998 |
| HIGH | MINED108 | [MINED108] `self.release` used but never assigned in __init__: Method `__exit__` of class… | forge/forge_metadata.py:993 |
| HIGH | MINED108 | [MINED108] `self.acquire` used but never assigned in __init__: Method `__enter__` of clas… | forge/forge_metadata.py:989 |
| HIGH | MINED108 | [MINED108] `self._forget_process_lock` used but never assigned in __init__: Method `_acqu… | forge/forge_metadata.py:962 |
| HIGH | MINED108 | [MINED108] `self._write_lock_owner` used but never assigned in __init__: Method `_acquire… | forge/forge_metadata.py:966 |
| HIGH | MINED108 | [MINED108] `self._forget_process_lock` used but never assigned in __init__: Method `_acqu… | forge/forge_metadata.py:950 |
| HIGH | MINED108 | [MINED108] `self._write_lock_owner` used but never assigned in __init__: Method `_acquire… | forge/forge_metadata.py:955 |
| HIGH | MINED108 | [MINED108] `self._forget_process_lock` used but never assigned in __init__: Method `relea… | forge/forge_metadata.py:941 |
| HIGH | MINED108 | [MINED108] `self._forget_process_lock` used but never assigned in __init__: Method `relea… | forge/forge_metadata.py:929 |
| HIGH | MINED108 | [MINED108] `self._forget_process_lock` used but never assigned in __init__: Method `acqui… | forge/forge_metadata.py:924 |
| HIGH | MINED108 | [MINED108] `self._acquire_exclusive_file_lock` used but never assigned in __init__: Metho… | forge/forge_metadata.py:921 |
| HIGH | MINED108 | [MINED108] `self._acquire_fcntl_lock` used but never assigned in __init__: Method `acquir… | forge/forge_metadata.py:922 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | forge/utility_scripts/native_image_arti…:265 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | forge/utility_scripts/library_finalizat…:194 |
| HIGH | MINED034 | [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command inje… | forge/utility_scripts/gradle_test_runne…:61 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | forge/utility_scripts/shutdown_signal.py:81 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | forge/utility_scripts/gradle_test_runne…:325 |
| HIGH | SEC103 | [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… | forge/utility_scripts/gradle_test_runne…:113 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | forge/utility_scripts/shutdown_signal.py:33 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | forge/utility_scripts/gradle_environmen…:63 |
| HIGH | SEC083 | [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… | .github/actions/detect-file-changes/det…:197 |
| HIGH | COMP001 | [COMP001] High cognitive complexity: Function `run` has cognitive complexity 28 (SonarSou… | forge/ai_workflows/core/basic_iterative…:144 |
| HIGH | MINED134 | [MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gra… | gradle/wrapper/gradle-wrapper.jar:1 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:4953 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:5621 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:5520 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:4963 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:3919 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:2785 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:6012 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:5542 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:5465 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:5038 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:5028 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:5000 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:4917 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:4853 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:4806 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:4584 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:3997 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:3958 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:3928 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:3555 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:3419 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:2577 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:2440 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:1620 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | forge/forge_metadata.py:1606 |
| MED | COMP001 | [COMP001] High cognitive complexity: Function `run` has cognitive complexity 24 (SonarSou… | forge/ai_workflows/core/increase_dynami…:41 |
| MED | COMP001 | [COMP001] High cognitive complexity: Function `_wait_for_response` has cognitive complexi… | forge/ai_workflows/agents/codex_app_ser…:172 |
| MED | MINED124 | [MINED124] requirements.txt: `PyYAML` has no version pin: Unpinned pip requirement means … | forge/requirements.txt:3 |
| MED | MINED124 | [MINED124] requirements.txt: `jsonschema` has no version pin: Unpinned pip requirement me… | forge/requirements.txt:2 |
| MED | MINED124 | [MINED124] requirements.txt: `pylint` has no version pin: Unpinned pip requirement means … | forge/requirements.txt:1 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | docs/support/index.html:472 |
| MED | SEC005 | [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input. | forge/utility_scripts/gradle_test_runne…:61 |
| LOW | AIC003 | Duplicated implementation block across source files | tests/tck-build-logic/src/main/java/org…:14 |
| LOW | AIC003 | Duplicated implementation block across source files | tests/tck-build-logic/src/main/groovy/o…:45 |
| LOW | AIC003 | Duplicated implementation block across source files | tests/tck-build-logic/src/main/groovy/o…:72 |
| LOW | AIC003 | Duplicated implementation block across source files | tests/src/org.testcontainers/testcontai…:6 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/utility_scripts/library_finalizat…:39 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/utility_scripts/count_reachabilit…:43 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/git_scripts/make_pr_new_library_s…:440 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/git_scripts/make_pr_new_library_s…:314 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/git_scripts/make_pr_improve_cover…:395 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/ai_workflows/drivers/java_fail_wo…:80 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/ai_workflows/drivers/java_fail_wo…:79 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/ai_workflows/drivers/fix_ni_run.py:25 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/ai_workflows/core/optimistic_dyna…:167 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/ai_workflows/core/java_fix_iterat…:88 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/ai_workflows/agents/pi_rpc_client…:29 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/ai_workflows/agents/pi_agent.py:44 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/git_scripts/make_pr_ni_run_fix.py:225 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/git_scripts/make_pr_ni_run_fix.py:223 |
| LOW | AIC003 | Duplicated implementation block across source files | forge/git_scripts/make_pr_javac_fix.py:39 |
| LOW | AIC005 | Duplicate top-level symbol appears in a patch-style file | forge/git_scripts/make_pr_java_run_fix.…:1 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | forge/git_scripts/make_pr_ni_run_fix.py:1 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | forge/git_scripts/make_pr_javac_fix.py:1 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | forge/git_scripts/make_pr_java_run_fix.…:1 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | forge/utility_scripts/native_image_arti…:22 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | forge/utility_scripts/dynamic_access_re…:51 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | forge/utility_scripts/count_reachabilit…:53 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | forge/utility_scripts/count_native_imag…:42 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | forge/ai_workflows/agents/agent.py:27 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | .github/actions/detect-file-changes/det…:232 |

97 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `oracle/graalvm-reachability-metadata`

**Score: 78/100 (B+)**  ·  122 findings  ·  scanned 2026-06-05 20:44 UTC  ·  412,758 LOC

| Severity | Count |
|---|---|
| CRITICAL | 0 |
| HIGH | 36 |
| MEDIUM | 32 |
| LOW | 23 |

📊 [Full filterable report](https://repobility.com/scan/bcbb13c9-a034-4744-989c-05436b288eb4/)  ·  ![scorecard](https://repobility.com/scan/bcbb13c9-a034-4744-989c-05436b288eb4/report.png?v=1780692260-s2)

### Top findings

1. **HIGH** `MINED108` — `self._issue` used but never assigned in __init__
   `forge/utility_scripts/fixture_github.py:156` · ✓ Repobility
2. **HIGH** `MINED108` — `self._resolve_carriage_returns` used but never assigned in __init__
   `forge/forge_metadata.py:1850` · ✓ Repobility
3. **HIGH** `MINED108` — `self._stderr_read_fd` used but never assigned in __init__
   `forge/forge_metadata.py:1808` · ✓ Repobility
4. **HIGH** `MINED108` — `self._stdout_read_fd` used but never assigned in __init__
   `forge/forge_metadata.py:1803` · ✓ Repobility
5. **HIGH** `MINED108` — `self._copy_stream` used but never assigned in __init__
   `forge/forge_metadata.py:1807` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/bcbb13c9-a034-4744-989c-05436b288eb4/_
Megaproject — high spam risk
Could not determine 'oracle/graalvm-reachability-metadata' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Already filed
39/124 findings (31%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.

The button opens GitHub’s new-issue page in a new tab. You will see the title + body pre-filled — review, edit if you want, then click GitHub’s "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.