https://github.com/jd-opensource/OxyGent · lang: python · LOC: · source: user_submitted
| Rule | Description | Severity | Count |
|---|---|---|---|
| MINED108 | self.attribute used but never assigned in __init__ | high | 25 |
| MINED111 | Bare except continues silently | medium | 25 |
| MINED106 | Phantom test coverage (assertion-free test) | high | 25 |
| MINED112 | FastAPI POST/PUT/DELETE/PATCH endpoint without auth | high | 25 |
| AIC003 | Duplicated implementation block across source files | low | 23 |
| JRN003 | Frontend API reference is not matched by discovered backend… | medium | 15 |
| AUC003 | Object-level route lacks visible authorization: A … | high | 10 |
| AUC004 | Admin route does not show super_admin separation: … | medium | 10 |
| MINED110 | Blocking call inside async function | high | 7 |
| AGT015 | Remote install command pipes network code directly to a she… | medium | 6 |
AUC003 · 10 findings · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
- applications/oxybank/app/api/endpoints/trigger/crud.py:87
- applications/oxybank/app/api/endpoints/trigger/crud.py:130
- applications/oxybank/app/api/endpoints/trigger/history.py:91
- oxygent/routes.py:883
- oxygent/routes.py:919
- oxygent/routes.py:951
- oxygent/routes.py:986
- oxygent/routes.py:1003
- oxygent/routes.py:1363
- oxygent/routes.py:1395
COMP001 · conf 0.95
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
- applications/bank_manager_by_api_router.py:41
[COMP001] High cognitive complexity: Function `get_banks_from_router` has cognitive complexity 28 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand…
MINED001 · Bare Except Pass · CWE-755 · 3 findings · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
- applications/oxybank/app/api/log/log_config.py:40
- applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py:205
- mcp_servers/kubernetes_mcp_server/config_tools.py:72
MINED004 · Weak Crypto · CWE-327 · 3 findings · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
- applications/oxybank/app/api/models.py:64
- applications/oxybank/utils/files_process.py:4
- applications/oxybank/utils/file_util.py:4
MINED034 · Python Subprocess Shell True · CWE-78 · 1 finding · conf 1.00
[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
- oxygent/preset_tools/shell_tools.py:26
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · 25 findings · conf 1.00
[MINED106] Phantom test coverage: the named test function runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verify…
- tests/unittest/test_base_agent.py:58 · `test_pre_save_data`
- tests/unittest/test_base_agent.py:69 · `test_post_save_data`
- tests/unittest/test_base_mcp_client.py:104 · `test_execute_without_session_raises`
- tests/unittest/test_db_factory.py:54 · `test_different_type_raises`
- tests/unittest/test_evaluation.py:38 · `test_conversation_rating_missing_required`
- tests/unittest/test_evaluation.py:89 · `test_rating_request_missing_required`
- tests/unittest/test_jimdb_redis.py:127 · `test_lpush_unsupported_type`
- tests/unittest/test_jimdb_redis.py:162 · `test_close`
- tests/unittest/test_mcp_tools.py:72 · `test_execute_without_client_raises`
- tests/unittest/test_oxy_factory.py:25 · `test_dangerous_classes_raise_security_error`
- tests/unittest/test_oxy_factory.py:33 · `test_unknown_class_raises_security_error`
- tests/unittest/test_remote_agent.py:58 · `test_server_url_validation`
- tests/unittest/test_remote_llm.py:31 · `test_base_url_none_raises`
- tests/unittest/test_remote_llm.py:36 · `test_base_url_empty_raises`
- tests/unittest/test_remote_llm.py:41 · `test_base_url_whitespace_raises`
- tests/unittest/test_remote_llm.py:54 · `test_model_name_none_raises`
- tests/unittest/test_remote_llm.py:59 · `test_model_name_empty_raises`
- tests/unittest/test_remote_llm.py:64 · `test_model_name_whitespace_raises`
- tests/unittest/test_remote_llm.py:86 · `test_headers_invalid_type_raises`
- tests/unittest/test_remote_llm.py:95 · `test_execute_not_implemented`
- tests/unittest/test_skill_agent.py:129 · `test_from_frontmatter_missing_name`
- tests/unittest/test_skill_agent.py:137 · `test_from_frontmatter_missing_description`
- tests/unittest/test_sse_agent.py:71 · `test_url_validation`
- tests/unittest/test_sse_retry.py:113 · `test_send_message_no_mas`
- tests/unittest/test_stdio_mcp_client.py:144 · `test_init_missing_file_raises`
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · 13 findings · conf 1.00
[MINED108] A method of class `EmbeddingCache` reads the named `self.` attribute, but no assignment to it exists in __init__ (and no class-level fallback). This ra…
- oxygent/embedding_cache.py:156 · `self.get_md5` read in method `is_in`
- oxygent/embedding_cache.py:159 · `self.get_md5` read in method `set`
- oxygent/embedding_cache.py:162 · `self.save` read in method `set`
- oxygent/embedding_cache.py:168 · `self._get_multiple` read in method `get`
- oxygent/embedding_cache.py:170 · `self._get_single` read in method `get`
- oxygent/embedding_cache.py:179 · `self._get_or_queue` read in method `_get_multiple`
- oxygent/embedding_cache.py:185 · `self._embed_and_cache` read in method `_get_multiple`
- oxygent/embedding_cache.py:191 · `self._embed_and_cache` read in method `_get_multiple`
- oxygent/embedding_cache.py:197 · `self.get_md5` read in method `_get_single`
- oxygent/embedding_cache.py:201 · `self.set` read in method `_get_single`
- oxygent/embedding_cache.py:205 · `self.get_md5` read in method `_get_or_queue`
- oxygent/embedding_cache.py:214 · `self.set` read in method `_embed_and_cache`
- oxygent/embedding_cache.py:223 · `self.save` read in method `__exit__`
AGT012 · 3 findings · conf 0.72
Agent control bridge may listen on a network interface without visible auth
- examples/a2a/agentscope_interop/demo_agentscope_a2a_server.py:31
- examples/a2a/google_sdk_interop/demo_google_sdk_a2a_server.py:32
- mcp_servers/_mcp_testing_utilities/mcp_server_show_headers.py:4
AGT015 · 6 findings · conf 0.70
Remote install command pipes network code directly to a shell
- docs/docs_en/introduction/getting-started/install.md:15
- docs/docs_en/introduction/tools/opensource-mcp-tools.md:21
- docs/docs_zh/introduction/getting-started/install.md:15
- docs/docs_zh/introduction/tools/opensource-mcp-tools.md:21
- README.md:91
- README_zh.md:89
AUC001 · conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC002 · conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC004 · 10 findings · conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
- oxygent/routes.py:476
- oxygent/routes.py:500
- oxygent/routes.py:541
- oxygent/routes.py:630
- oxygent/routes.py:681
- oxygent/routes.py:842
- oxygent/routes.py:986
- oxygent/routes.py:1031
- oxygent/routes.py:1054
- oxygent/routes.py:1395
AUC009 · 4 findings · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
- applications/oxybank/app/api/endpoints/trigger/crud.py:168
- applications/oxybank/app/api/endpoints/trigger/crud.py:211
- applications/oxybank/app/api/endpoints/trigger/crud.py:247
- oxygent/routes.py:654
AUC012 · conf 0.72
[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
ERR001 · 2 findings shown · conf 1.00
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
- applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py:205
- mcp_servers/kubernetes_mcp_server/config_tools.py:72
JRN002 · 5 findings · conf 0.82
Browser storage is used for session token material
- applications/oxybank/web/src/api/index.ts:60
- applications/oxybank/web/src/utils/auth.ts:13
- applications/oxybank/web/src/utils/auth.ts:20
- applications/oxybank/web/src/views/annotation/index.vue:387
- applications/oxybank/web/src/views/knowledge/recall/index.vue:253
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:19
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:20
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:23
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:27
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:31
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:35
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:39
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:43
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:47
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:51
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:55
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:59
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:63
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:67
· conf 0.74
JRN003
Frontend API reference is not matched by discovered backend routes
applications/oxybank/web/src/api/apiDefinitions.ts:69
· conf 0.74
MINED111
Bare except continues silently
function_hubs/train_ticket_tools.py:226
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:133
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:140
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:153
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:280
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:299
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:338
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:412
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:428
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:458
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:525
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:599
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:605
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:631
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:651
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:659
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:760
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:806
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:878
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:892
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:957
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:966
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:1042
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:1093
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
mcp_servers/tts_tools.py:1117
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC005
Command Injection Risk
oxygent/preset_tools/shell_tools.py:26
· conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
SEC007
Unsafe Deserialization
oxygent/embedding_cache.py:128
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
SEC031
Catastrophic Backtracking Regex (ReDoS)
applications/oxybank/web/src/router/routes.ts:95
· conf 1.00
[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit expon…
SEC034
Log Injection / Log Forging — unsanitized user input in log
examples/backend/demo_logger_setup.py:12
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
SEC034
Log Injection / Log Forging — unsanitized user input in log
oxygent/preset_tools/shell_tools.py:25
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
SEC045
eval()/exec() on stored or user-supplied data
oxygent/preset_tools/python_tools.py:26
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC136
AI-typical over-broad exception handler swallowing all errors
mcp_servers/kubernetes_mcp_server/config_tools.py:60
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
AIC003
Duplicated implementation block across source files
applications/oxybank/app/api/endpoints/knowledge_base.py:427
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/core/storer/doc_manager/annotation_manager.py:245
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/core/storer/doc_manager/es_kb_chunk_manager.py:131
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/core/storer/doc_manager/es_kb_file_manager.py:186
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/utils/files_process.py:7
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/web/src/views/error/500.vue:61
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/web/src/views/knowledge/detail/components/DocumentTable.vue:160
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/web/src/views/knowledge/detail/index.vue:19
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/web/src/views/knowledge/index.vue:26
· conf 0.86
AIC003
Duplicated implementation block across source files
applications/oxybank/web/src/views/knowledge/types.ts:89
· conf 0.86
AIC003
Duplicated implementation block across source files
function_hubs/chart/web/js/app.js:2
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/browser/search.py:208
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/kubernetes_mcp_server/core_tools/namespaces.py:7
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/kubernetes_mcp_server/core_tools/nodes.py:11
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/kubernetes_mcp_server/core_tools/pods.py:229
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/kubernetes_mcp_server/helm_tools.py:18
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/math_tools_sse.py:6
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/math_tools_streamable.py:1
· conf 0.86
AIC003
Duplicated implementation block across source files
mcp_servers/math_tools_streamable.py:6
· conf 0.86
AIC003
Duplicated implementation block across source files
oxygent/oxy/agents/react_agent.py:112
· conf 0.86
AIC003
Duplicated implementation block across source files
oxygent/oxy/agents/shell_use_agent.py:144
· conf 0.86
AIC003
Duplicated implementation block across source files
oxygent/oxy/llms/openai_llm.py:100
· conf 0.86
AIC003
Duplicated implementation block across source files
oxygent/preset_tools/__init__.py:20
· conf 0.86
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
applications/oxybank/app/api/dynamic/query_endpoint.py:30
· conf 0.95
[COMP001] High cognitive complexity: Function `create_kb_query_interface` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to unders…
COMP001
High cognitive complexity
applications/oxybank/app/api/endpoints/trigger/history.py:20
· conf 0.95
[COMP001] High cognitive complexity: Function `query_history_by_kb` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — …
SEC006
XSS Risk
function_hubs/chart/static_files_utils.py:123
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC006
XSS Risk
function_hubs/chart/web/js/app.js:28
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC006
XSS Risk
oxygent/web/js/cascader.js:155
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC124
TOCTOU file access (os.access then open)
oxygent/preset_tools/file_tools.py:55
· conf 1.00
[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated …
COMP001
High cognitive complexity
· conf 0.20
[COMP001] High cognitive complexity (and 78 more): Same pattern found in 78 additional files. Review if needed.
MINED001
Bare Except Pass
CWE-755
· conf 0.20
[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED004
Weak Crypto
CWE-327
· conf 0.20
[MINED004] Weak Crypto (and 4 more): Same pattern found in 4 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
applications/oxybank/core/model/trigger.py:106
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
applications/oxybank/utils/url_util.py:10
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
examples/a2a/langchain_interop/demo_langchain_a2a_server.py:83
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
applications/oxybank/web/src/composables/useFileUpload.ts:78
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
applications/oxybank/web/src/stores/modules/user.ts:50
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
applications/oxybank/web/src/views/knowledge/create/composables/useRetrival.ts:29
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
applications/oxybank/web/src/api/createApis.ts:46
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
applications/oxybank/web/src/api/index.ts:69
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 17 more): Same pattern found in 17 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py:206
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
mcp_servers/browser/core.py:327
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
mcp_servers/browser/tabs.py:64
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
applications/oxybank/web/src/api/createApis.ts:22
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
applications/oxybank/web/src/utils/auth.ts:41
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
applications/oxybank/web/src/utils/storage.ts:11
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
applications/oxybank/web/src/api/createApis.ts:90
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
applications/oxybank/web/src/composables/useFileUpload.ts:119
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
applications/oxybank/web/src/config/theme.ts:49
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED064
Python Input Call
oxygent/schemas/usage.py:20
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
MINED067
Python Requests No Timeout
CWE-400
applications/oxybank/core/model/embedding/glm_embedding.py:175
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED067
Python Requests No Timeout
CWE-400
examples/backend/demo_human_in_the_loop.py:16
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED067
Python Requests No Timeout
CWE-400
function_hubs/train_ticket_tools.py:101
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
SEC006
XSS Risk
· conf 0.20
[SEC006] XSS Risk (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC020
Secret Printed to Logs
applications/oxybank/core/parser/factory.py:98
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
oxygent/utils/token_utils.py:206
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 14 more): Same pattern found in 14 additional files. Review if needed.
SEC135
Auth/permission check missing on AI-generated endpoint
· conf 0.20
[SEC135] Auth/permission check missing on AI-generated endpoint (and 10 more): Same pattern found in 10 additional files. Review if needed.