https://github.com/pallets/flask · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | high | 6 |
| MINED111 Bare except continues silently | medium | 4 |
| SEC128 Async function without await — fire-and-forget Promise (AI mistake) | high | 3 |
| MINED050 Stub Only Function | info | 3 |
| COMP001 High cognitive complexity | low | 3 |
| SEC123 Production stack trace / debug output exposed | medium | 2 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 2 |
| MINED069 Debug True Prod | info | 2 |
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| MINED001 Bare Except Pass | CWE-755 | src/flask/cli.py:1036 | 1.00 | `except: pass` or `except Exception: pass` silently swallows every error, including bugs. A bare `except:` additionally catches `KeyboardInterrupt`, `SystemExit` and `GeneratorExit`, which `except Exception:` lets through. |
| MINED004 Weak Crypto | CWE-327 | src/flask/sessions.py:277 | 1.00 | MD5/SHA1/DES/RC4 used in a security context (not just checksums). |

Triage: in `src/flask/sessions.py` SHA-1 is the digest for the HMAC-based itsdangerous cookie signer, not a bare hash of secrets. HMAC-SHA1 is not affected by SHA-1 collision attacks, so this hit is a hygiene item (switch `digest_method` to `hashlib.sha256` on the session interface if policy requires) rather than a high-severity finding, unless the digest is also used elsewhere.
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/conftest.py:72 | 1.00 | test_apps |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_basic.py:67 | 1.00 | test_method_route_no_methods |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_basic.py:152 | 1.00 | test_disallow_string_for_allowed_methods |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_basic.py:945 | 1.00 | test_baseexception_error_handling |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_basic.py:1086 | 1.00 | test_trapping_of_all_http_exceptions |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_basic.py:1396 | 1.00 | test_build_error_handler_reraise |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_basic.py:1628 | 1.00 | test_werkzeug_passthrough_errors |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_basic.py:1790 | 1.00 | test_index |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_cli.py:217 | 1.00 | test_locate_app_raises |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_config.py:19 | 1.00 | test_config_from_pyfile |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_config.py:25 | 1.00 | test_config_from_object |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_config.py:31 | 1.00 | test_config_from_file_json |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_config.py:38 | 1.00 | test_config_from_file_toml |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_config.py:110 | 1.00 | test_config_from_mapping |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_config.py:132 | 1.00 | test_config_from_class |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_helpers.py:170 | 1.00 | test_redirect_with_app |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_helpers.py:180 | 1.00 | test_abort_no_app |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_helpers.py:199 | 1.00 | test_abort_with_app |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_helpers.py:220 | 1.00 | test_name_with_import_error |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_helpers.py:364 | 1.00 | test_open_resource_exceptions |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_testing.py:192 | 1.00 | test_session_transaction_needs_cookies |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_views.py:18 | 1.00 | test_basic_view |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_views.py:29 | 1.00 | test_method_based_view |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_views.py:42 | 1.00 | test_view_patching |
| MINED106 Phantom test coverage (assertion-free test) | CWE-1126 | tests/test_views.py:183 | 1.00 | test_endpoint_override |

Triage: the rule counts literal `assert` statements in the test body. Names such as `test_locate_app_raises`, `test_open_resource_exceptions`, `test_abort_no_app` and `test_baseexception_error_handling` point at `pytest.raises` blocks, and the `test_config_from_*` group is the kind of test that delegates to a shared helper holding the assertions, so check each body for `pytest.raises`, `pytest.warns` and helper calls before treating it as uncovered.
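A check that does what the triage note above asks for, as an added example that is not part of the scanner output or of Flask: it parses a test module with `ast`, treats `assert`, `pytest.raises`/`pytest.warns`, `self.assert*` calls and calls to any module-level helper that itself asserts as evidence of a real assertion, and reports only the tests with none. The sample module is constructed here and only parsed, never executed (`locate_app` and the fixtures are not defined); the helper name `common_object_test` mirrors the pattern, not Flask's test code.

```python
"""Triage helper for 'assertion-free test' findings (constructed example)."""
import ast
from typing import Dict, Set

# Constructed sample module: four tests, only one of which is truly assertion-free.
SAMPLE_TEST_MODULE = '''
import pytest

def common_object_test(app):
    assert app.secret_key == "config"

def test_config_from_object(app):
    app.config.from_object(__name__)
    common_object_test(app)          # assertion lives in the helper

def test_locate_app_raises(monkeypatch):
    with pytest.raises(RuntimeError): # the raises block is the assertion
        locate_app("nonexistent")

def test_index(client):
    assert client.get("/").status_code == 200

def test_phantom(client):
    client.get("/")                   # no assertion at all
'''

# pytest.<name> context managers / calls that fail the test on their own.
PYTEST_ASSERTING_CALLS = {"raises", "warns", "fail", "deprecated_call"}


def _direct_assertions(fn: ast.FunctionDef) -> bool:
    """True if the function body contains an assert-like statement or call."""
    for node in ast.walk(fn):
        if isinstance(node, ast.Assert):
            return True
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func
            is_pytest = isinstance(f.value, ast.Name) and f.value.id == "pytest"
            if (is_pytest and f.attr in PYTEST_ASSERTING_CALLS) or f.attr.startswith("assert"):
                return True
    return False


def _called_names(fn: ast.FunctionDef) -> Set[str]:
    """Plain-name calls such as common_object_test(app)."""
    return {
        n.func.id
        for n in ast.walk(fn)
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
    }


def classify_tests(source: str) -> Dict[str, bool]:
    """Map each test_* function to whether it (transitively) asserts something."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    asserting = {name for name, fn in funcs.items() if _direct_assertions(fn)}
    # Fixpoint: calling a helper that asserts counts as asserting.
    changed = True
    while changed:
        changed = False
        for name, fn in funcs.items():
            if name not in asserting and _called_names(fn) & asserting:
                asserting.add(name)
                changed = True
    return {name: name in asserting for name in funcs if name.startswith("test_")}


def phantom_tests(source: str) -> Set[str]:
    """Only the tests a reviewer still needs to look at."""
    return {name for name, ok in classify_tests(source).items() if not ok}


if __name__ == "__main__":
    for name, ok in classify_tests(SAMPLE_TEST_MODULE).items():
        print(f"{name:28s} {'asserts' if ok else 'PHANTOM'}")
```

Run it over `tests/` instead of the constructed module to see which of the 25 hits survive; anything that also fails this check is a genuine gap.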
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | examples/celery/src/task_app/__init__.py:33 | 1.00 | `self.run` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/config.py:124 | 1.00 | `self.from_pyfile` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:155 | 1.00 | `self._cookies` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:162 | 1.00 | `self._add_cookies_to_wsgi` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:179 | 1.00 | `self._update_cookies_from_response` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:196 | 1.00 | `self._copy_environ` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:216 | 1.00 | `self._copy_environ` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:220 | 1.00 | `self._copy_environ` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:225 | 1.00 | `self._copy_environ` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/testing.py:228 | 1.00 | `self._request_from_builder_args` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/wrappers.py:173 | 1.00 | `self.endpoint` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/wrappers.py:190 | 1.00 | `self.blueprint` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/wrappers.py:205 | 1.00 | `self.mimetype` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | src/flask/wrappers.py:206 | 1.00 | `self.files` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_cli.py:472 | 1.00 | `self.expect_order` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_cli.py:478 | 1.00 | `self.expect_order` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_cli.py:482 | 1.00 | `self.expect_order` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_cli.py:487 | 1.00 | `self.expect_order` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_helpers.py:261 | 1.00 | `self._gen` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_helpers.py:270 | 1.00 | `self._gen` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_json.py:242 | 1.00 | `self.object_hook` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_json_tag.py:56 | 1.00 | `self.serializer` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_user_error_handler.py:227 | 1.00 | `self.Custom` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_user_error_handler.py:262 | 1.00 | `self.report_error` used but never assigned in __init__ |
| MINED108 self.attribute used but never assigned in __init__ | CWE-476 | tests/test_user_error_handler.py:290 | 1.00 | `self.report_error` used but never assigned in __init__ |

Triage: in Python an attribute that is never assigned in `__init__` raises `AttributeError` on first use, not a null dereference, so CWE-476 is a loose mapping. Most names listed here are methods (`self.run`, `self.from_pyfile`, `self._copy_environ`, `self._add_cookies_to_wsgi`, `self._request_from_builder_args`, `self.report_error`), class-level attributes (`self.serializer`, `self.object_hook`, `self.expect_order`, `self.Custom`) or properties inherited from Flask's and Werkzeug's `Request` (`self.endpoint`, `self.blueprint`, `self.mimetype`, `self.files`); none of those are expected to be assigned in `__init__`. The only hits worth opening are the ones where the name is not defined on the class or any base class, which this rule does not check.
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | CWE-306, CWE-862 | examples/celery/src/task_app/views.py:22 | 0.80 | POST /add has no auth |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | CWE-306, CWE-862 | examples/celery/src/task_app/views.py:30 | 0.80 | POST /block has no auth |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | CWE-306, CWE-862 | examples/celery/src/task_app/views.py:36 | 0.80 | POST /process has no auth |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | CWE-306, CWE-862 | tests/test_basic.py:236 | 0.80 | POST / has no auth |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | CWE-306, CWE-862 | tests/test_basic.py:395 | 0.80 | POST / has no auth |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | CWE-306, CWE-862 | tests/test_request.py:13 | 0.80 | POST / has no auth |

Triage: pallets/flask contains no FastAPI code; the rule matched Flask route declarations in example and test code (`examples/celery/src/task_app/views.py` and `tests/`). Routes in examples and test fixtures are not expected to carry authentication, so none of these hits describes a shipped endpoint. The check that matters for a Flask application is whether its own mutating routes sit behind a `before_request` hook, a login-required decorator, or middleware.
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| SEC085 JS: child_process.exec with non-literal | n/a | src/flask/config.py:209 | 1.00 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). |
| SEC128 Async function without await — fire-and-forget Promise (AI mistake) | n/a | examples/tutorial/flaskr/__init__.py:21 | 1.00 | [SEC128] Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 Async function without await — fire-and-forget Promise (AI mistake) | n/a | src/flask/app.py:495 | 1.00 | [SEC128] Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 Async function without await — fire-and-forget Promise (AI mistake) | n/a | src/flask/config.py:316 | 1.00 | [SEC128] Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC135 Auth/permission check missing on AI-generated endpoint | n/a | examples/javascript/js_example/views.py:14 | 1.00 | [SEC135] Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we… |

Triage: SEC085 is a JavaScript rule that matched the Python `exec(` call at `src/flask/config.py:209`, the same line SEC045 reports below; treat it as a duplicate of that finding. SEC128 describes JavaScript Promises, but all three targets are Python files; the Python analogue is a coroutine object created and never awaited, which emits a `RuntimeWarning: coroutine ... was never awaited` at garbage collection, so confirm at each site that an `async def` result is actually being dropped. SEC135 fired on a route in the `examples/javascript` sample application; "AI-generated" is the rule's label and nothing on this page establishes how the file was written, and example code is not expected to carry auth.
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| AUC001 No Repobility access matrix policy found | n/a | (repository-wide) | 0.92 | The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation. |
| AUC002 Low visible authorization coverage in route inventory | n/a | (repository-wide) | 0.74 | Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence (the rule's summary line on this page reads 0.0%; the per-scan message reads 20.0%). |

Triage: the "routes" inventoried here are Flask's own examples and test fixtures, since the library ships no application routes of its own, so an authorization coverage figure for this repository says nothing about a deployment.
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| COMP001 High cognitive complexity | n/a | src/flask/cli.py:41 | 0.95 | Function `find_best_app` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand: nested branches, boolean chains, and recursion all weigh in. |
| COMP001 High cognitive complexity | n/a | src/flask/cli.py:120 | 0.95 | Function `find_app_by_string` has cognitive complexity 17 (SonarSource scale). |
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| MINED111 Bare except continues silently | n/a | src/flask/app.py:1017 | 1.00 | Bare except continues silently |
| MINED111 Bare except continues silently | n/a | src/flask/app.py:1598 | 1.00 | Bare except continues silently |
| MINED111 Bare except continues silently | n/a | src/flask/cli.py:650 | 1.00 | Bare except continues silently |
| MINED111 Bare except continues silently | n/a | src/flask/cli.py:956 | 1.00 | Bare except continues silently |

Triage: same pattern as MINED001 above. For each site, check whether the handler is a bare `except:` (which also swallows `KeyboardInterrupt` and `SystemExit`) or `except Exception:`, and whether the swallowed error is logged; a handler that hides an unexpected error inside request handling or app loading is what turns a bug into a silent misconfiguration.
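The behavioural difference that MINED001 and MINED111 above are about, shown in an added example that is not code from Flask or from the scanner: the same three tasks are run under a bare `except:`, under `except Exception:`, and under a narrow, logging handler, and the outcome that reaches the caller is recorded for each. The tasks and their error types are constructed for the demonstration.

```python
"""Bare except vs. except Exception vs. a narrow handler (constructed example)."""
import logging

log = logging.getLogger("triage")


def swallow_everything(task):
    """The pattern the scanner flags: bare except, silent continue."""
    try:
        return task()
    except:  # noqa: E722  also catches KeyboardInterrupt, SystemExit, GeneratorExit
        return "swallowed"


def swallow_exceptions(task):
    """Slightly better: BaseException subclasses such as KeyboardInterrupt propagate."""
    try:
        return task()
    except Exception:
        return "swallowed"


def narrow_and_log(task, expected=(OSError, ValueError)):
    """Hardened form: catch only what the call is documented to raise, log it,
    and let programming errors propagate so they are not mistaken for success."""
    try:
        return task()
    except expected as exc:
        log.warning("task failed: %s", exc)
        return None


def outcome(handler, task):
    """Run handler(task) and describe what reached the caller."""
    try:
        return handler(task)
    except BaseException as exc:  # noqa: B036  deliberately broad: this is the observer
        return f"raised {type(exc).__name__}"


# Constructed tasks: an operator interrupt, a real bug, and an expected failure.
def interrupt():
    raise KeyboardInterrupt


def bug():
    return {}["missing"]  # KeyError: a programming error, not an expected failure


def missing_file():
    raise FileNotFoundError("config.cfg")


def demo():
    return {
        "bare/interrupt": outcome(swallow_everything, interrupt),
        "bare/bug": outcome(swallow_everything, bug),
        "exception/interrupt": outcome(swallow_exceptions, interrupt),
        "exception/bug": outcome(swallow_exceptions, bug),
        "narrow/interrupt": outcome(narrow_and_log, interrupt),
        "narrow/bug": outcome(narrow_and_log, bug),
        "narrow/missing_file": outcome(narrow_and_log, missing_file),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for case, result in demo().items():
        print(f"{case:22s} -> {result!r}")
```

The bare handler reports `"swallowed"` for both Ctrl-C and the `KeyError`; `except Exception:` still hides the bug; only the narrow handler lets the bug surface while handling the documented failure and logging it.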
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| SEC015 Insecure Randomness for Security | n/a | src/flask/sessions.py:150 | 1.00 | [SEC015] Weak PRNG used in security-sensitive context. Output is predictable. |
| SEC045 eval()/exec() on stored or user-supplied data | n/a | src/flask/cli.py:1023 | 1.00 | [SEC045] eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … |
| SEC045 eval()/exec() on stored or user-supplied data | n/a | src/flask/config.py:209 | 1.00 | [SEC045] eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … |

Triage: `src/flask/config.py:209` is `Config.from_pyfile`, which executes a Python config module by design; the input is a file path chosen by the application developer, so the file is trusted code rather than stored data. `src/flask/cli.py:1023` runs the user's `PYTHONSTARTUP` file inside `flask shell`, mirroring the stock interpreter. Both are acceptable only while the file location stays under the operator's control; if configuration can be uploaded or edited through the application, load it with a data-only parser instead. For SEC015, Flask's default session is a client-side signed cookie and `sessions.py` generates no session identifiers, so confirm what the PRNG match actually is before rating it.
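What the SEC045 hit at `config.py:209` means in practice, shown in an added example that is not Flask's code: a loader that treats the config file as a Python module (the `from_pyfile` pattern) executes any statement in it, whereas a loader that parses the file as data cannot. Flask offers the data-only route as `app.config.from_file(path, load=json.load)` (or `tomllib.load` with `text=False`); the two functions below are stand-ins written for this example so it runs without Flask, and the hostile config text is constructed.

```python
"""Config-as-code vs config-as-data (constructed example)."""
import json
import os

# Constructed config text. The third line is what anyone who can write the
# config file gets for free when the loader is exec()-based.
HOSTILE_PYFILE = '''
SECRET_KEY = "dev"
DEBUG = False
import os; os.environ["CONFIG_LOADER_RAN_CODE"] = "1"   # arbitrary statement
'''

SAFE_JSON = '{"SECRET_KEY": "dev", "DEBUG": false, "lowercase_ignored": 1}'

ALLOWED_VALUE_TYPES = (str, int, float, bool, type(None))


def load_pyfile_style(text: str) -> dict:
    """Mirrors the from_pyfile pattern: the file is a Python module, so every
    statement in it runs with the loader's privileges. Uppercase names are kept."""
    namespace: dict = {}
    exec(compile(text, "<config>", "exec"), namespace)  # noqa: S102  the point of the demo
    return {k: v for k, v in namespace.items() if k.isupper()}


def load_data_style(text: str) -> dict:
    """Hardened form: parse as JSON, keep uppercase keys with scalar values only.
    Raises ValueError (json.JSONDecodeError is a subclass) on anything else."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("config root must be a JSON object")
    cfg = {}
    for key, value in data.items():
        if not key.isupper():
            continue  # Flask-style: only uppercase names are settings
        if not isinstance(value, ALLOWED_VALUE_TYPES):
            raise ValueError(f"unsupported value type for {key}")
        cfg[key] = value
    return cfg


def demo() -> dict:
    os.environ.pop("CONFIG_LOADER_RAN_CODE", None)
    exec_cfg = load_pyfile_style(HOSTILE_PYFILE)
    ran_code = os.environ.get("CONFIG_LOADER_RAN_CODE") == "1"
    try:
        load_data_style(HOSTILE_PYFILE)
        hostile_accepted = True
    except ValueError:
        hostile_accepted = False
    return {
        "exec_loader_keys": sorted(exec_cfg),
        "exec_loader_ran_code": ran_code,
        "data_loader_accepts_hostile": hostile_accepted,
        "data_loader_keys": sorted(load_data_style(SAFE_JSON)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v!r}")
```

Both loaders yield the same two settings from a well-formed file; only the exec-based one also ran the injected statement, which is why the origin of a `from_pyfile` path has to be as trusted as the application source itself.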
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| SEC123 Production stack trace / debug output exposed | n/a | src/flask/app.py:663 | 1.00 | [SEC123] Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page w… |
| SEC123 Production stack trace / debug output exposed | n/a | src/flask/config.py:65 | 1.00 | [SEC123] Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page w… |
| SEC127 AI agent stub — TODO: implement / pass placeholder body | n/a | src/flask/sansio/app.py:476 | 1.00 | [SEC127] Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass… |
| SEC127 AI agent stub — TODO: implement / pass placeholder body | n/a | src/flask/sansio/scaffold.py:220 | 1.00 | [SEC127] Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass… |

Triage: the SEC123 hits coincide with MINED069 below (`src/flask/app.py:663`, `src/flask/config.py:65`) and are in all likelihood the library's own `debug` property and the `DEBUG = True` example in the `Config` docstring, not a deployment that enables debug mode. The deployment check is that `FLASK_DEBUG` is unset, `app.debug` is false, and the Werkzeug debugger is never reachable from the network. For SEC127, `src/flask/sansio/` is the framework-agnostic base layer whose stub methods exist to be overridden by `flask.Flask` and `flask.Blueprint`; a `raise NotImplementedError` there is the abstract-method pattern, not an unfinished route, and "AI scaffolding" is the rule's label rather than anything this page shows.
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| WEB003 Public web service has no security.txt | n/a | .well-known/security.txt | 0.78 | Public web service has no security.txt |

Triage: pallets/flask is a library repository, not a hosted service; `.well-known/security.txt` is served by a deployed site, so the applicable check for this repository is the project's published security policy and disclosure contact, not a file under `.well-known/`.
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| COMP001 High cognitive complexity | n/a | examples/tutorial/flaskr/auth.py:47 | 0.95 | Function `register` has cognitive complexity 10 (SonarSource scale). |
| Rule | CWE | Location | Conf | Detail |
|---|---|---|---|---|
| MINED043 Http Not Https | CWE-319 | src/flask/config.py:331 | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED050 Stub Only Function | CWE-1188 | src/flask/cli.py:1037 | 1.00 | Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment. |
| MINED050 Stub Only Function | CWE-1188 | src/flask/config.py:165 | 1.00 | Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment. |
| MINED050 Stub Only Function | CWE-1188 | src/flask/ctx.py:186 | 1.00 | Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment. |
| MINED055 Npm Install No Lockfile | CWE-1357 | .devcontainer/on-create-command.sh:5 | 1.00 | Production image runs npm install (resolves new versions on every build) instead of npm ci. |
| MINED069 Debug True Prod | CWE-489 | src/flask/app.py:663 | 1.00 | Django/Flask DEBUG=True or app.debug=True in non-test files. |
| MINED069 Debug True Prod | CWE-489 | src/flask/config.py:65 | 1.00 | Django/Flask DEBUG=True or app.debug=True in non-test files. |
| MINED072 Python Pass Only Class | CWE-1188 | src/flask/sessions.py:112 | 1.00 | class Foo: pass — stub waiting to be filled in. |

Triage: `src/flask/config.py` makes no network requests, so check whether the MINED043 match at line 331 is a URL in a docstring example before treating it as a cleartext endpoint. The MINED050 hit at `src/flask/cli.py:1037` is the line after the MINED001 `except` at 1036 and is likely the same empty handler body counted twice. `.devcontainer/on-create-command.sh` provisions a development container, not a production image; pinning through a lockfile and `npm ci` is still the right habit, but the severity should reflect that. The MINED069 hits are the same two lines as SEC123 above and are in all likelihood the `debug` property and the docstring example that define the setting, not a deployment that turns it on.
Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/236d5297-cc82-4271-839f-d82abeafbe5c/.