https://github.com/hcengineering/platform.git ·
lang: typescript ·
LOC: ·
source: both
| Rule | Severity | Count |
|---|---|---|
| MINED116 GHA pull_request workflow leaks secrets to forks | critical | 25 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| AIC003 Duplicated implementation block across source files | low | 13 |
| MINED052 Ts Any Typed | info | 3 |
| MINED054 Ts As Any | info | 3 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 3 |
| MINED045 Ts Non Null Assertion | info | 3 |
| MINED044 Js Console Log Prod | info | 3 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 3 |
| MINED043 Http Not Https | info | 3 |
MINED018
Unsafe Deserialization Pickle
CWE-502
dev/import-tool/src/index.ts:184
· conf 1.00
[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:221
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_ACCESS_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:271
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_ACCESS_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:403
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_ACCESS_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:500
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_ACCESS_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:584
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_ACCESS_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:699
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_ACCESS_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:724
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_ACCESS_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:781
· conf 0.90
[MINED116] Workflow uses `secrets.DEV_ID_P12_BASE64` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DEV_ID_P12_BASE64…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:782
· conf 0.90
[MINED116] Workflow uses `secrets.DEV_ID_P12_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DEV_ID_P12_PASS…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:783
· conf 0.90
[MINED116] Workflow uses `secrets.KEYCHAIN_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.KEYCHAIN_PASSWORD…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:803
· conf 0.90
[MINED116] Workflow uses `secrets.APPLE_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_ID }` lets a PR from…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:804
· conf 0.90
[MINED116] Workflow uses `secrets.APPLE_ID_APP_PASS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_ID_APP_PASS…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:805
· conf 0.90
[MINED116] Workflow uses `secrets.TEAM_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TEAM_ID }` lets a PR from a…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:816
· conf 0.90
[MINED116] Workflow uses `secrets.R2_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCOUNT_ID }` lets…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:817
· conf 0.90
[MINED116] Workflow uses `secrets.R2_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCESS_KEY_ID }…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:818
· conf 0.90
[MINED116] Workflow uses `secrets.R2_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_SECRET_ACCE…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:884
· conf 0.90
[MINED116] Workflow uses `secrets.DEV_ID_P12_BASE64` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DEV_ID_P12_BASE64…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:885
· conf 0.90
[MINED116] Workflow uses `secrets.DEV_ID_P12_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DEV_ID_P12_PASS…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:886
· conf 0.90
[MINED116] Workflow uses `secrets.KEYCHAIN_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.KEYCHAIN_PASSWORD…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:906
· conf 0.90
[MINED116] Workflow uses `secrets.APPLE_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_ID }` lets a PR from…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:907
· conf 0.90
[MINED116] Workflow uses `secrets.APPLE_ID_APP_PASS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_ID_APP_PASS…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:908
· conf 0.90
[MINED116] Workflow uses `secrets.TEAM_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TEAM_ID }` lets a PR from a…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:919
· conf 0.90
[MINED116] Workflow uses `secrets.R2_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCOUNT_ID }` lets…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:920
· conf 0.90
[MINED116] Workflow uses `secrets.R2_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCESS_KEY_ID }…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/main.yml:921
· conf 0.90
[MINED116] Workflow uses `secrets.R2_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_SECRET_ACCE…
SEC079
Python: yaml.load without SafeLoader
dev/import-tool/src/index.ts:184
· conf 1.00
[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-…
SEC116
Ruby YAML.load / Marshal.load on untrusted input
dev/import-tool/src/index.ts:184
· conf 1.00
[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/baseimage.yaml:26
· conf 0.90
[MINED115] Action `crazy-max/ghaction-setup-docker` pinned to mutable ref `@v5`: `uses: crazy-max/ghaction-setup-docker@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/baseimage.yaml:34
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/baseimage.yaml:38
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/baseimage.yaml:42
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v5`: `uses: pnpm/action-setup@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:71
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:77
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:81
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:130
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:142
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:147
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:153
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:168
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:172
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:176
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:199
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:204
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:208
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:237
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:242
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:246
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:307
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/main.yml:320
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/publish-npm.yml:18
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/publish-npm.yml:22
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/publish-npm.yml:26
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
desktop/src/main/args.ts:22
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
desktop/src/main/settings.ts:38
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
desktop/src/ui/index.ts:192
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC040
innerHTML XSS — template literal with server-supplied data
common/scripts/update-package-versions.js:42
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
dev/tool/src/csv.ts:11
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
foundations/communication/packages/cockroach/src/db/base.ts:74
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
common/scripts/safe-publish.js:42
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
desktop/src/main/customMenu.ts:66
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
desktop/src/main/findInPage.ts:46
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
CFG006
Missing .gitignore
· conf 1.00
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
ERR002
Empty Catch Block
foundations/core/common/scripts/generate-coverage-html.js:31
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
SEC007
Unsafe Deserialization
dev/import-tool/src/index.ts:184
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
SEC045
eval()/exec() on stored or user-supplied data
common/scripts/check_model_version.js:2
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
common/scripts/show_tag.js:17
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
common/scripts/show_version.js:21
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
AIC003
Duplicated implementation block across source files
common/scripts/fix-packages.js:10
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
common/scripts/safe-publish.js:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
dev/prod/src/platform.ts:194
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
dev/prod/src/platform.ts:252
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
dev/prod/webpack.config.js:168
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
dev/tool/src/gmail.ts:69
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
dev/tool/src/gmail.ts:275
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
foundations/communication/common/scripts/install-run.js:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
foundations/communication/common/scripts/install-run-rush.js:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
foundations/communication/packages/query/src/label/query.ts:31
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
foundations/communication/packages/query/src/notifications/query.ts:331
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
foundations/core/common/scripts/install-run.js:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
foundations/core/common/scripts/install-run-rush.js:1
· conf 0.86
Duplicated implementation block across source files
MINED043
Http Not Https
CWE-319
desktop/src/main/settings.ts:72
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
dev/prod/src/app-integration-tools.ts:38
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
foundations/communication/packages/server/src/metadata.ts:22
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
common/scripts/bump.js:27
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
common/scripts/check_model_version.js:5
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
common/scripts/esbuild.js:24
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
desktop/src/ui/notifications.ts:273
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
dev/doc-import-tool/src/convert/convert.ts:47
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
dev/tool/src/mixin.ts:161
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED049
Print Pii
CWE-532
dev/tool/src/calendar.ts:176
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
dev/tool/src/gmail.ts:201
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED052
Ts Any Typed
CWE-704
desktop/src/main/settings.ts:66
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
desktop/src/main/updater.ts:27
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
desktop/src/main/windowsSpecificSetup.ts:87
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
desktop/src/main/permissions.ts:39
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
desktop/src/main/settings.ts:42
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
desktop/src/ui/index.ts:56
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.