Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

openmrs/openmrs-core

https://github.com/openmrs/openmrs-core.git · scanned 2026-05-16 10:58 UTC (1 day, 8 hours ago) · 10 languages

318 findings (30 legacy + 288 scanner) 1/10 scanners ran 0th percentile · Java · medium (20-100K LoC) Scanner says 66 (lower by 6)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 day, 8 hours ago · v3 · 119 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
69.4
/100
Repobility
73
23 legacy
9-layer
66
100.0% cov · 96 gaps
Critical
21
click to filter
Agents
6
0 votes
Crowd
0
reported
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 21 High 7 Medium 32 Low 52 Source: Legacy 23 9-layer 96 Crowd 0 Layer: Security 27 Cicd 33 Quality 39 Software 8 Api 1 Frontend 5 Network 2 Hardware 4
Scan summary Repository scanned at 65.5/100 with 100.0% coverage. It contains 1909 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 96 findings — concentrated in security (26), quality (26), cicd (24). Risk profile is high: 20 critical, 5 high, 16 medium. Recommended next step: open the security layer findings first — that's where the highest-impact wins live.

Showing 105 of 119 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy cicd docker conf 0.96 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
docker-compose.yml dockerlegacy
critical 9-layer security secrets conf 1.00 Possible secret in api/src/main/java/org/openmrs/api/db/hibernate/HibernateContextDAO.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
api/src/main/java/org/openmrs/api/db/hibernate/HibernateContextDAO.java:92 secrets
critical 9-layer security secrets conf 1.00 Possible secret in api/src/main/java/org/openmrs/util/databasechange/SourceMySqldiffFile.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
api/src/main/java/org/openmrs/util/databasechange/SourceMySqldiffFile.java:53 secrets
critical 9-layer security secrets conf 1.00 Possible secret in api/src/main/java/org/openmrs/util/OpenmrsConstants.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
api/src/main/java/org/openmrs/util/OpenmrsConstants.java:1070 secrets
critical 9-layer security secrets conf 1.00 Possible secret in liquibase/src/main/java/org/openmrs/liquibase/CoreDataTuner.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
liquibase/src/main/java/org/openmrs/liquibase/CoreDataTuner.java:33 secrets
critical 9-layer security secrets conf 1.00 Possible secret in web/src/main/java/org/openmrs/web/filter/initialization/DatabaseDetective.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
web/src/main/java/org/openmrs/web/filter/initialization/DatabaseDetective.java:28 secrets
critical 9-layer security secrets conf 1.00 Possible secret in web/src/main/java/org/openmrs/web/filter/initialization/InitializationWizardModel.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
web/src/main/java/org/openmrs/web/filter/initialization/InitializationWizardModel.java:40 secrets
high Legacy cicd docker conf 0.92 Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
Dockerfile:55 dockerlegacy
high Legacy quality testing No test files found
Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions.
testinglegacy
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
dependency-check/Dependency-Check_Action@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/dependency-check.yml:25 supply-chaingithub-actionspinned-dependencies
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in api/src/main/java/org/openmrs/logic/Rule.java:33
Found a known-risky pattern (eval_used). Review and replace if possible.
api/src/main/java/org/openmrs/logic/Rule.java:33 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-timepicker-addon.js:139
Found a known-risky pattern (eval_used). Review and replace if possible.
webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-timepicker-addon.js:139 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui.custom.min.js:726
Found a known-risky pattern (eval_used). Review and replace if possible.
webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui.custom.min.js:726 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in webapp/src/main/webapp/WEB-INF/view/scripts/jquery/dataTables/js/jquery.dataTables.min.js:363
Found a known-risky pattern (eval_used). Review and replace if possible.
webapp/src/main/webapp/WEB-INF/view/scripts/jquery/dataTables/js/jquery.dataTables.min.js:363 owaspeval_used
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
authlegacy
medium Legacy cicd docker conf 0.86 App service does not wait for database health
depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently.
docker-compose.yml dockerlegacy
medium Legacy cicd docker conf 0.86 Database dump or local database file is included in Docker build context
Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions.
.dockerignore dockerlegacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore dockerlegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptSet.java:69 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptNumeric.java:72 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptNameTag.java:137 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptNameTag.java:73 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptNameTag.java:65 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptNameTag.java:63 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptName.java:123 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptName.java:117 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptDescription.java:71 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/ConceptAnswer.java:74 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/BaseOpenmrsMetadata.java:57 qualitylegacy
medium Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
api/src/main/java/org/openmrs/BaseCustomizableMetadata.java:23 qualitylegacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
transifex/cli-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/tx-push.yml:19 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/init@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:46 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/autobuild@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:64 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/analyze@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:78 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
ossf/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/scorecard.yml:35 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/upload-sarif@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/scorecard.yml:53 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
transifex/cli-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/tx-pull.yml:20 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/tx-pull.yml:26 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
codecov/codecov-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build.yaml:63 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/scorecard.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/tx-pull.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/build.yaml supply-chaingithub-actionsleast-privilege
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
medium 9-layer network security conf 1.00 Privileged port 17 in use
Port 17 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
Dockerfile securityports
medium 9-layer network security conf 1.00 Privileged port 64 in use
Port 64 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
Dockerfile securityports
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 18 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
testscoverage
low Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml dockerlegacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
Dockerfile:115 dockerlegacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
Dockerfile:66 dockerlegacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
Dockerfile:17 dockerlegacy
low 9-layer quality maintenance conf 1.00 150 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: maven:3.9-$DEV_JDK
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:15 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: maven:3.9-$DEV_JDK
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:64 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: tomcat:11-$RUNTIME_JDK
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:113 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-datepicker-i18n.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-timepicker-i18n.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-timepicker-month-year-patch.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery/autocomplete/jquery.ui.autocomplete.autoSelect.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery/dataTables/js/jquery.dataTables.filteringDelay.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery/jqModal/jqModal.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery/jsTree/plugins/jquery.tree.checkbox.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webapp/src/main/webapp/WEB-INF/view/scripts/jquery/jsTree/plugins/jquery.tree.themeroller.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:42 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-java@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:57 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/scorecard.yml:30 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/scorecard.yml:44 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-java@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-2.x.yaml:33 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-2.x.yaml:38 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/dependency-check.yml:15 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-java@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/dependency-check.yml:17 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/dependency-check.yml:41 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-java@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build.yaml:45 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build.yaml:56 supply-chaingithub-actionspinned-dependencies
low 9-layer security owasp conf 1.00 Insecure pattern 'document_write' in webapp/src/main/webapp/WEB-INF/view/scripts/jquery/jqModal/jqModal.js:62
Found a known-risky pattern (document_write). Review and replace if possible.
webapp/src/main/webapp/WEB-INF/view/scripts/jquery/jqModal/jqModal.js:62 owaspdocument_write
low 9-layer quality integrity conf 1.00 Legacy-named symbol `drag_copy` in webapp/src/main/webapp/WEB-INF/view/scripts/jquery/jsTree/jquery.tree.min.js:1
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `yearsOld` in webapp/src/main/webapp/WEB-INF/view/scripts/jquery/autocomplete/OpenmrsAutoComplete.js:246
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/api/ConceptService.java (2202 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/api/db/hibernate/HibernateConceptDAO.java (2405 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/api/impl/ConceptServiceImpl.java (2343 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/api/impl/PatientServiceImpl.java (1638 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/Concept.java (1705 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/module/ModuleFactory.java (1597 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/util/OpenmrsConstants.java (1248 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/main/java/org/openmrs/util/OpenmrsUtil.java (2160 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/ConceptServiceTest.java (4064 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/db/PatientDAOTest.java (2556 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/EncounterServiceTest.java (3395 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/ObsServiceTest.java (2165 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/OrderServiceTest.java (4451 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/PatientServiceTest.java (3380 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/PersonServiceTest.java (2481 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/api/UserServiceTest.java (1779 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/hl7/handler/ORUR01HandlerTest.java (1225 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: api/src/test/java/org/openmrs/module/ModuleFileParserUnitTest.java (1414 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java (1992 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui.custom.min.js (1012 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/openmrsSearch.js (1211 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
info 9-layer quality integrity conf 1.00 Commented-code block (10 lines) in webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-timepicker-i18n.js:3
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integritycommented-codedead-code
info 9-layer api coverage conf 1.00 No API endpoints detected
The scanner did not find FastAPI/Flask/Express/NestJS/GraphQL/gRPC routes. If this repo exposes APIs, the framework may be unsupported.
coverage
info 9-layer frontend coverage conf 1.00 No frontend routes/components detected
No React/Vue/Next routes were found. This is fine for backend-only repos.
coverage
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — webapp/src/main/webapp/WEB-INF/csrfguard.js:328
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-qualityfq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-timepicker-addon.js:1189
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-qualityfq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/jquery-ui-timepicker-i18n.js:3
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-qualityfq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — webapp/src/main/webapp/WEB-INF/view/scripts/jquery-ui/js/openmrsSearch.js:421
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-qualityfq.todo-marker
{# ── 2026-05-17 Round 14: AI-agent bridge footer ────────────────────── Discoverability: the /agents/voting/ guide + MCP manifest exist but aren't linked from anywhere users actually land. Small, opt-in footer. #}
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/beef9e59-2b65-4ca8-b71d-75f2aef97c23/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/beef9e59-2b65-4ca8-b71d-75f2aef97c23/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.