8 of your 88 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.4s · analysis 4.66s · 1.6 MB · GitHub API rate-limit (preflight)

chenxiaolong/RSAF

https://github.com/chenxiaolong/RSAF · scanned 2026-06-05 21:55 UTC (4 days, 9 hours ago) · 10 languages

95 raw signals (85 security + 10 graph) System graph score 96 (lower by 43)


Complete repo analysis

Last scanned 4 days, 9 hours ago · v2 · 80 actionable findings from 2 signal sources. 10 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score           80.0    0.15         12.00
security_score            55.0    0.25         13.75
testing_score              0.0    0.20          0.00
documentation_score       72.0    0.15         10.80
practices_score           65.0    0.15          9.75
code_quality              65.5    0.10          6.55
Overall                           1.00          52.8
Scan summary Quality grade C- (53/100). Dimensions: security 55, maintainability 80. 85 findings (65 security). 11,293 lines analyzed.

Showing 72 of 80 actionable findings. 90 raw detector signals were grouped into reader-sized issues.

high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED029] Kotlin Null Bang: `x!!` throws NullPointerException if `x` is null. Bypasses Kotlin's null safety.
Review and fix per the pattern semantics. See CWE-476 for context.
3 files, 3 locations
app/src/androidTest/java/com/chiller3/rsaf/ImportExportTest.kt:43
app/src/main/java/com/chiller3/rsaf/rclone/KeepAliveService.kt:117
app/src/main/java/com/chiller3/rsaf/settings/SettingsViewModel.kt:135
high Security checks software dependencies conf 0.90 ✓ Repobility Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo
`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 54 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
gradle/wrapper/gradle-wrapper.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility go.mod replaces `github.com/t3rm1n4l/go-mega` — redirects to fork `github.com/chenxiaolong/go-mega`
`replace github.com/t3rm1n4l/go-mega => github.com/chenxiaolong/go-mega` overrides the canonical dependency with a different source (redirects to fork `github.com/chenxiaolong/go-mega`). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone wh…
rcbridge/go.mod:12
high Security checks software dependencies conf 0.88 io.netty:netty-codec-http2: GHSA-f6hv-jmp6-3vwv
Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-codec-http2: GHSA-prj3-ccx8-p6x4
Netty affected by MadeYouReset HTTP/2 DDoS vulnerability
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-codec-http2: GHSA-w9fj-cfpg-grvv
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-codec-http2: GHSA-xpw8-rcwv-8f8p
io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-57rv-r2g8-2cj3
Netty has HttpClientCodec response desynchronization
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-f6hv-jmp6-3vwv
Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-pwqr-wmgm-9rr8
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-codec: GHSA-mj4r-2hfc-f8p6
Netty Lz4FrameDecoder is vulnerable to resource exhaustion
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 io.netty:netty-handler: GHSA-4g8c-wm8x-jfhw
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 org.bitbucket.b_c:jose4j: GHSA-3677-xxcr-wjqv
jose4j is vulnerable to DoS via compressed JWE content
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 org.bouncycastle:bcprov-jdk18on: GHSA-p93r-85wp-75v3
Bouncy Castle Has Covert Timing Channel Vulnerability
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 org.jdom:jdom2: GHSA-2363-cqg2-863c
XML External Entity (XXE) Injection in JDOM
gradle/verification-metadata.xml
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3955
CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4602
FileInfo can escape from a Root in os
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4981
Crash when handling long CNAME response in net
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4986
Quadratic string concatenation in consumeComment in net/mail
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
rcbridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
rcbridge/go.mod
medium Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-38f8-5428-x5cv
Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-5jpm-x58v-624v
Netty's HttpPostRequestDecoder can OOM
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-84h7-rjj3-6jx4
Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-m4cv-j2px-7723
Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-v8h7-rr48-vmmv
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-xxqh-mfjm-7mv9
Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-codec: GHSA-3p8m-j85q-pgmj
Netty's decoders vulnerable to DoS via zip bomb style attack
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-common: GHSA-389x-839f-4rhx
Denial of Service attack on windows app using Netty
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-common: GHSA-xq3w-v528-46rv
Denial of Service attack on windows app using netty
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 io.netty:netty-handler: GHSA-6mjq-h674-j845
netty-handler SniHandler 16MB allocation
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 org.apache.commons:commons-lang3: GHSA-j288-q9x7-2f5v
Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 org.apache.httpcomponents:httpclient: GHSA-7r82-7xv7-xcpj
Cross-site scripting in Apache HttpClient
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 org.bouncycastle:bcpkix-jdk18on: GHSA-wg6q-6289-32hp
Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules
gradle/verification-metadata.xml
medium Security checks software dependencies conf 0.88 org.bouncycastle:bcprov-jdk18on: GHSA-c3fc-8qff-9hwx
Bouncy Castle has an LDAP injection
gradle/verification-metadata.xml
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml · CI/CD security · Supply chain · GitHub Actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — gradle/update_verification.py:51
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Runtime safety · Robustness
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 4 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks quality Quality conf 0.60 7 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
4 files, 7 locations
app/src/main/java/com/chiller3/rsaf/settings/PasswordDialog.kt:67, 95 (2 hits)
app/src/main/java/com/chiller3/rsaf/settings/RemoteNameDialog.kt:77, 81 (2 hits)
app/src/main/java/com/chiller3/rsaf/settings/VfsOptionsDialog.kt:114, 116 (2 hits)
app/src/main/java/com/chiller3/rsaf/settings/SettingsScreen.kt:173
Duplication · Quality
low Security checks software dependencies conf 0.88 io.netty:netty-codec-http: GHSA-fghv-69vj-qj49
Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions
gradle/verification-metadata.xml
low Security checks software dependencies conf 0.88 io.netty:netty-handler-proxy: GHSA-45q3-82m4-75jr
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)
gradle/verification-metadata.xml

This page is publicly accessible at: https://repobility.com/scan/db7c8a0a-1cda-4008-b1b7-f5483ab5b940/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/db7c8a0a-1cda-4008-b1b7-f5483ab5b940/