https://github.com/stamparm/maltrail ·
lang: python ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED111 Bare except continues silently | medium | 25 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED050 Stub Only Function | info | 4 |
| COMP001 [COMP001] High cognitive complexity: Function `load_yfinanc… | low | 4 |
| MINED043 Http Not Https | info | 4 |
| SEC103 LDAP injection — non-constant search filter | high | 3 |
| MINED006 Overcatch Baseexception | high | 2 |
| AIC003 Duplicated implementation block across source files | low | 2 |
| MINED127 Known cryptominer signature in source | critical | 2 |
| DKR007 Docker build context has no .dockerignore | medium | 1 |
MINED127
Known cryptominer signature in source
CWE-506
html/js/demo.js:30
· conf 0.90
[MINED127] Cryptominer signature: `supportxmr`: Source contains a known cryptominer signature (`supportxmr`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a…
MINED127
Known cryptominer signature in source
CWE-506
html/js/demo.js:223
· conf 0.90
[MINED127] Cryptominer signature: `xmrig`: Source contains a known cryptominer signature (`xmrig`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a tutorial …
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
core/common.py:204
· conf 0.95
[COMP001] High cognitive complexity: Function `process` has cognitive complexity 45 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested bran…
CORE_NO_TESTS
No test files found
No test files found
DKC009
Compose service bind-mounts a sensitive host path
docker/docker-compose.yml:14
· conf 0.90
Compose service bind-mounts a sensitive host path
DKR014
Dockerfile copies the entire context without .dockerignore
docker/Dockerfile:23
· conf 0.92
Dockerfile copies the entire context without .dockerignore
MINED001
Bare Except Pass
CWE-755
core/common.py:137
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED006
Overcatch Baseexception
CWE-705
core/parallel.py:106
· conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED006
Overcatch Baseexception
CWE-705
server.py:117
· conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:85
· conf 1.00
[MINED108] `self.socket` used but never assigned in __init__: Method `server_bind` of class `ThreadingServer` reads `self.socket`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:128
· conf 1.00
[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This rai…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:134
· conf 1.00
[MINED108] `self.data` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.data`, but no assignment to it exists in __init__ (and no class-level fallback). This rai…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:162
· conf 1.00
[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This rai…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:168
· conf 1.00
[MINED108] `self.headers` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:173
· conf 1.00
[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:174
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:180
· conf 1.00
[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:181
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:182
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:183
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:186
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:192
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:193
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:195
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:198
· conf 1.00
[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:199
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:200
· conf 1.00
[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This rai…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:210
· conf 1.00
[MINED108] `self._format` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self._format`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:212
· conf 1.00
[MINED108] `self.headers` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:213
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:222
· conf 1.00
[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:224
· conf 1.00
[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:228
· conf 1.00
[MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This r…
MINED108
self.attribute used but never assigned in __init__
CWE-476
core/httpd.py:230
· conf 1.00
[MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `ReqHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This r…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docker-release.yml:14
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
docker/Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `python:3` not pinned by digest: `FROM python:3` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially …
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
core/common.py:51
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC103
LDAP injection — non-constant search filter
trails/feeds/atmos.py:23
· conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
SEC103
LDAP injection — non-constant search filter
trails/feeds/cybercrimetracker.py:23
· conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
SEC103
LDAP injection — non-constant search filter
trails/feeds/fareit.py:23
· conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
core/parallel.py:75
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
DKR001
Docker final stage has no non-root USER
docker/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
Docker build context has no .dockerignore
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
core/common.py:281
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
html/js/errorhandler.js:19
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
MINED111
Bare except continues silently
core/common.py:61
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/common.py:274
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/datatype.py:34
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:91
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:286
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:343
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:406
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:448
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:490
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:598
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:820
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/httpd.py:862
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/log.py:264
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/settings.py:447
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/update.py:61
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/update.py:82
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/update.py:168
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/update.py:330
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/update.py:344
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/update.py:355
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
core/update.py:377
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
sensor.py:882
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
sensor.py:1017
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
sensor.py:1076
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
sensor.py:1106
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED124
requirements.txt entry has no version pin
CWE-1357
requirements.txt:1
· conf 0.90
[MINED124] requirements.txt: `pcapy-ng` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats…
SEC012
ZipSlip — Archive Path Traversal
core/common.py:191
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
SEC123
Production stack trace / debug output exposed
server.py:60
· conf 1.00
[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page w…
AIC003
Duplicated implementation block across source files
trails/feeds/ransomwaretrackerip.py:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
trails/feeds/ransomwaretrackerurl.py:11
· conf 0.86
Duplicated implementation block across source files
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
core/addr.py:36
· conf 0.95
[COMP001] High cognitive complexity: Function `expand_range` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
core/colorized.py:21
· conf 0.95
[COMP001] High cognitive complexity: Function `write` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:14
· conf 0.56
Compose service does not declare a runtime user
DKC010
Compose service lacks no-new-privileges hardening
docker/docker-compose.yml:14
· conf 0.62
Compose service lacks no-new-privileges hardening
SEC132
String concat where the language has interpolation (AI style drift)
html/js/errorhandler.js:13
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 23 more): Same pattern found in 23 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
core/common.py:65
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
trails/feeds/bruteforceblocker.py:10
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
trails/feeds/ciarmy.py:10
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
core/common.py:138
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
core/enums.py:18
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
core/__init__.py:7
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED072
Python Pass Only Class
CWE-1188
core/enums.py:17
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.