nextai-translator/nextai-translator

https://github.com/nextai-translator/nextai-translator · lang: typescript · LOC: · source: user_submitted

Quality: 70.9 (Grade B)
Security: 91.3
Findings: 96 (0 critical · 32 high)
Status: completed (May 31, 2026 01:22)
Severity breakdown: high: 32 · medium: 7 · low: 30 · info: 27
Top rules by occurrence
Rule      Description                                                      Severity  Count
MINED115  GitHub Action pinned to mutable ref (not 40-char SHA)            high      25
AIC003    Duplicated implementation block across source files              low       24
MINED054  Ts As Any                                                        info      4
MINED043  Http Not Https                                                   info      4
MINED003  Rust Unwrap In Prod                                              high      4
MINED052  Ts Any Typed                                                     info      4
SEC029    Server-Side Request Forgery (SSRF) — outbound HTTP from use…     high      4
MINED044  Js Console Log Prod                                              info      4
MINED068  Rust Unsafe Block                                                info      2
SEC015    Insecure Randomness for Security                                 medium    2
First 96 findings (severity-sorted)
high MINED003 Rust Unwrap In Prod CWE-755
src-tauri/src/config.rs:55 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
src-tauri/src/fetch.rs:45 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
src-tauri/src/ocr.rs:139 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:16 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:17 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:21 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:18 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:22 · conf 0.90
[MINED115] Action `battila7/get-version-action` pinned to mutable ref `@v2`: `uses: battila7/get-version-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:34 · conf 0.90
[MINED115] Action `ncipollo/release-action` pinned to mutable ref `@v1`: `uses: ncipollo/release-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:48 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:52 · conf 0.90
[MINED115] Action `battila7/get-version-action` pinned to mutable ref `@v2`: `uses: battila7/get-version-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:53 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:59 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:65 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@nightly`: `uses: dtolnay/rust-toolchain@nightly` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yaml:77 · conf 0.90
[MINED115] Action `oNaiPs/secrets-to-env-action` pinned to mutable ref `@v1`: `uses: oNaiPs/secrets-to-env-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:17 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:18 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:22 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:29 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@nightly`: `uses: dtolnay/rust-toolchain@nightly` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:46 · conf 0.90
[MINED115] Action `tauri-apps/tauri-action` pinned to mutable ref `@dev`: `uses: tauri-apps/tauri-action@dev` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; th…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:56 · conf 0.90
[MINED115] Action `tauri-apps/tauri-action` pinned to mutable ref `@dev`: `uses: tauri-apps/tauri-action@dev` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; th…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:65 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:77 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:78 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-build.yaml:82 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/unit-test.yaml:16 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/unit-test.yaml:17 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/unit-test.yaml:21 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/browser-extension/content_script/index.tsx:79 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/common/components/LogoWithText.tsx:67 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src-safari/Shared (App)/ViewController.swift:36 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC085 JS: child_process.exec with non-literal
src/common/components/Markdown.tsx:43 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
medium AUC001 No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium SEC015 Insecure Randomness for Security
src/common/engines/azure.ts:44 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium SEC015 Insecure Randomness for Security
src/common/engines/openai.ts:22 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium SEC045 eval()/exec() on stored or user-supplied data
src/common/components/Markdown.tsx:43 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC087 JS: weak Math.random for crypto
src/common/engines/azure.ts:44 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC087 JS: weak Math.random for crypto
src/common/engines/openai.ts:22 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
low AIC003 Duplicated implementation block across source files
src/common/components/LogoWithText.tsx:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/components/Vocabulary.tsx:507 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/azure.ts:6 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/cerebras.ts:61 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/chatglm.ts:232 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/chatgpt.ts:251 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/claude.ts:68 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/claude.ts:114 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/cohere.ts:11 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/cohere.ts:83 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/cohere.ts:86 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/cohere.ts:99 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/gemini.ts:122 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/gemini.ts:124 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/gemini.ts:137 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/kimi.ts:115 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/kimi.ts:137 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/kimi.ts:152 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/engines/moonshot.ts:6 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/polyfills/tauri.ts:33 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/polyfills/userscript.ts:13 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/common/polyfills/userscript.ts:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/tauri/bindings.ts:114 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
vite.config.firefox.ts:3 · conf 0.86
Duplicated implementation block across source files
low AUC005 No authorization-focused tests detected
· conf 0.76
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low COMP001 High cognitive complexity
scripts/release.py:37 · conf 0.95
[COMP001] High cognitive complexity: Function `create_new_tag` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nest…
(Rule description as shipped by the scanner: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.)
low WEB001 Public web app has no robots.txt
robots.txt · conf 0.74
Public web app has no robots.txt
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info MINED003 Rust Unwrap In Prod CWE-755
· conf 0.20
[MINED003] Rust Unwrap In Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
clip-extensions/popclip/nextai-translator.sh:2 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
src/common/components/CodeBlock.tsx:100 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
src-tauri/src/fetch.rs:66 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
src/browser-extension/background/index.ts:193 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
src/common/components/SpeakerIcon.tsx:44 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
src/common/engines/chatglm.ts:154 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
src/common/components/Form/validators.ts:27 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
src/common/engines/azure.ts:33 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED047 Emoji In Source
src/common/lang/index.ts:301 · conf 0.10
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
info MINED049 Print Pii CWE-532
src/browser-extension/background/index.ts:215 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED052 Ts Any Typed CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 13 more): Same pattern found in 13 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
src/browser-extension/background/index.ts:122 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
src/common/components/Form/form.ts:87 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
src/common/components/Form/validators.ts:4 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
· conf 0.20
[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed.
info MINED054 Ts As Any CWE-704
src/browser-extension/background/index.ts:125 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
src/browser-extension/content_script/index.tsx:111 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
src/browser-extension/options/index.tsx:33 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED056 React Key As Index CWE-682
src/tauri/windows/WritingIndicatorWindow.tsx:148 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED068 Rust Unsafe Block CWE-119
src-tauri/src/ax_context.rs:100 · conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
info MINED068 Rust Unsafe Block CWE-119
src-tauri/src/insertion.rs:47 · conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
info SEC020 Secret Printed to Logs
src/browser-extension/background/index.ts:215 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
src/tauri/windows/TranslatorWindow.tsx:151 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/1d5f5f96-105b-468c-902d-367856583a87/.