https://github.com/ansible-collections/community.general ·
lang: python ·
LOC: ·
source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED111 Bare except continues silently | medium | 25 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | high | 25 |
| MINED124 requirements.txt entry has no version pin | medium | 19 |
| MINED107 Missing Python import (NameError at runtime) | critical | 13 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 10 |
| DKC007 Compose service contains a literal secret environment value | medium | 6 |
| DKC006 Compose service does not declare a runtime user | low | 4 |
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
plugins/action/iptables_state.py:87
· conf 0.95
[COMP001] High cognitive complexity: Function `run` has cognitive complexity 65 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches…
DKC013
Database service has no persistent data volume
tests/integration/targets/keycloak_clientsecret_info/docker-compose.yml:8
· conf 0.90
Database service has no persistent data volume
DKC013
Database service has no persistent data volume
tests/integration/targets/keycloak_clientsecret_regenerate/docker-compose.yml:8
· conf 0.90
Database service has no persistent data volume
MINED001
Bare Except Pass
CWE-755
plugins/action/iptables_state.py:170
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001
Bare Except Pass
CWE-755
plugins/action/shutdown.py:28
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001
Bare Except Pass
CWE-755
plugins/cache/redis.py:166
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED004
Weak Crypto
CWE-327
plugins/modules/bitbucket_pipeline_known_host.py:131
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
plugins/modules/iso_extract.py:199
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
plugins/modules/jboss.py:141
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED006
Overcatch Baseexception
CWE-705
plugins/callback/logentries.py:164
· conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED006
Overcatch Baseexception
CWE-705
plugins/modules/vertica_configuration.py:191
· conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED006
Overcatch Baseexception
CWE-705
plugins/modules/vertica_info.py:295
· conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED021
Path Traversal Os Join
CWE-22
plugins/inventory/opennebula.py:126
· conf 1.00
[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
MINED021
Path Traversal Os Join
CWE-22
plugins/inventory/scaleway.py:320
· conf 1.00
[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
MINED021
Path Traversal Os Join
CWE-22
plugins/module_utils/_ssh.py:18
· conf 1.00
[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
MINED040
Python Yaml Load Unsafe
CWE-502
docs/docsite/reformat-yaml.py:17
· conf 1.00
[MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes.
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_ini_file.py:23
· conf 1.00
[MINED106] Phantom test coverage: test_ignore_spaces_comment: Test function `test_ignore_spaces_comment` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_ini_file.py:29
· conf 1.00
[MINED106] Phantom test coverage: test_ignore_spaces_changed: Test function `test_ignore_spaces_changed` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_ini_file.py:35
· conf 1.00
[MINED106] Phantom test coverage: test_ignore_spaces_unchanged: Test function `test_ignore_spaces_unchanged` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_ini_file.py:41
· conf 1.00
[MINED106] Phantom test coverage: test_no_ignore_spaces_changed: Test function `test_no_ignore_spaces_changed` runs code but contains no assert / expect / should call — it passes regardless of behavi…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_ini_file.py:47
· conf 1.00
[MINED106] Phantom test coverage: test_no_ignore_spaces_unchanged: Test function `test_no_ignore_spaces_unchanged` runs code but contains no assert / expect / should call — it passes regardless of be…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_ethernet_network_info.py:53
· conf 1.00
[MINED106] Phantom test coverage: test_should_get_all_enets: Test function `test_should_get_all_enets` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_fcoe_network_info.py:27
· conf 1.00
[MINED106] Phantom test coverage: test_should_get_all_fcoe_network: Test function `test_should_get_all_fcoe_network` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_fcoe_network_info.py:35
· conf 1.00
[MINED106] Phantom test coverage: test_should_get_fcoe_network_by_name: Test function `test_should_get_fcoe_network_by_name` runs code but contains no assert / expect / should call — it passes regard…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_network_set_info.py:29
· conf 1.00
[MINED106] Phantom test coverage: test_should_get_all_network_sets: Test function `test_should_get_all_network_sets` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_network_set_info.py:47
· conf 1.00
[MINED106] Phantom test coverage: test_should_get_all_network_sets_without_ethernet: Test function `test_should_get_all_network_sets_without_ethernet` runs code but contains no assert / expect / shou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_network_set_info.py:59
· conf 1.00
[MINED106] Phantom test coverage: test_should_get_network_set_by_name: Test function `test_should_get_network_set_by_name` runs code but contains no assert / expect / should call — it passes regardle…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_network_set_info.py:71
· conf 1.00
[MINED106] Phantom test coverage: test_should_get_network_set_by_name_without_ethernet: Test function `test_should_get_network_set_by_name_without_ethernet` runs code but contains no assert / expect …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:53
· conf 1.00
[MINED106] Phantom test coverage: test_should_add_new_san_manager: Test function `test_should_add_new_san_manager` runs code but contains no assert / expect / should call — it passes regardless of be…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:66
· conf 1.00
[MINED106] Phantom test coverage: test_should_find_provider_uri_to_add: Test function `test_should_find_provider_uri_to_add` runs code but contains no assert / expect / should call — it passes regard…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:78
· conf 1.00
[MINED106] Phantom test coverage: test_should_not_update_when_data_is_equals: Test function `test_should_not_update_when_data_is_equals` runs code but contains no assert / expect / should call — it p…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:92
· conf 1.00
[MINED106] Phantom test coverage: test_update_when_data_has_modified_attributes: Test function `test_update_when_data_has_modified_attributes` runs code but contains no assert / expect / should call …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:108
· conf 1.00
[MINED106] Phantom test coverage: test_update_should_not_send_connection_info_when_not_informed_on_data: Test function `test_update_should_not_send_connection_info_when_not_informed_on_data` runs cod…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:124
· conf 1.00
[MINED106] Phantom test coverage: test_should_remove_san_manager: Test function `test_should_remove_san_manager` runs code but contains no assert / expect / should call — it passes regardless of beha…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:134
· conf 1.00
[MINED106] Phantom test coverage: test_should_do_nothing_when_san_manager_not_exist: Test function `test_should_do_nothing_when_san_manager_not_exist` runs code but contains no assert / expect / shou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/unit/plugins/modules/test_oneview_san_manager.py:145
· conf 1.00
[MINED106] Phantom test coverage: test_should_fail_when_name_not_found: Test function `test_should_fail_when_name_not_found` runs code but contains no assert / expect / should call — it passes regard…
AGT012
Agent control bridge may listen on a network interface without visible auth
plugins/modules/nmcli.py:152
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
AIC004
Suspicious implementation file appears unreferenced
plugins/modules/scaleway_database_backup.py:1
· conf 0.78
Suspicious implementation file appears unreferenced
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
plugins/callback/counter_enabled.py:143
· conf 0.95
[COMP001] High cognitive complexity: Function `v2_runner_on_ok` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nes…
DKC007
Compose service contains a literal secret environment value
tests/integration/targets/jenkins_credential/docker-compose.yml:7
· conf 0.56
Compose service contains a literal secret environment value
DKC007
Compose service contains a literal secret environment value
tests/integration/targets/keycloak_clientscope_type/docker-compose.yml:8
· conf 0.56
Compose service contains a literal secret environment value
DKC007
Compose service contains a literal secret environment value
tests/integration/targets/keycloak_clientsecret_info/docker-compose.yml:8
· conf 0.56
Compose service contains a literal secret environment value
DKC007
Compose service contains a literal secret environment value
tests/integration/targets/keycloak_clientsecret_info/docker-compose.yml:16
· conf 0.56
Compose service contains a literal secret environment value
DKC007
Compose service contains a literal secret environment value
tests/integration/targets/keycloak_clientsecret_regenerate/docker-compose.yml:8
· conf 0.56
Compose service contains a literal secret environment value
DKC007
Compose service contains a literal secret environment value
tests/integration/targets/keycloak_clientsecret_regenerate/docker-compose.yml:16
· conf 0.56
Compose service contains a literal secret environment value
DKC015
Database service has no healthcheck
tests/integration/targets/keycloak_clientsecret_info/docker-compose.yml:8
· conf 0.88
Database service has no healthcheck
DKC015
Database service has no healthcheck
tests/integration/targets/keycloak_clientsecret_regenerate/docker-compose.yml:8
· conf 0.88
Database service has no healthcheck
DKR002
Dockerfile base image has no explicit tag
tests/integration/targets/jenkins_credential/docker-compose.yml:7
· conf 0.90
Compose service `jenkins` image has no explicit tag
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
plugins/modules/bzr.py:91
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
plugins/modules/hwc_smn_topic.py:259
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
plugins/module_utils/_ldap.py:101
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
MINED111
Bare except continues silently
plugins/modules/btrfs_subvolume.py:273
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/capabilities.py:162
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/consul.py:625
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/datadog_monitor.py:249
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/datadog_monitor.py:384
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/datadog_monitor.py:417
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/datadog_monitor.py:462
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/datadog_monitor.py:485
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/datadog_monitor.py:498
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/gitlab_project_approvals.py:131
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/gitlab_project_approvals.py:146
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/ipa_hbacrule.py:432
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/mail.py:409
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/manageiq_group.py:315
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/manageiq_group.py:394
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/manageiq_group.py:484
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/runit.py:204
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/utm_network_interface_address.py:129
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
plugins/modules/utm_proxy_frontend_info.py:138
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/integration/targets/cmd_runner/library/cmd_echo.py:58
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/sanity/extra/botmeta.py:88
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/sanity/extra/botmeta.py:149
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/unit/plugins/modules/test_jenkins_build_info.py:41
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/unit/plugins/modules/test_jenkins_build.py:40
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/unit/plugins/module_utils/test__cmd_runner.py:145
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED124
requirements.txt entry has no version pin
CWE-1357
.devcontainer/requirements-dev.txt:5
· conf 0.90
[MINED124] requirements.txt: `nox` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, acc…
MINED124
requirements.txt entry has no version pin
CWE-1357
.devcontainer/requirements-dev.txt:6
· conf 0.90
[MINED124] requirements.txt: `ruff` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, ac…
MINED124
requirements.txt entry has no version pin
CWE-1357
.devcontainer/requirements-dev.txt:7
· conf 0.90
[MINED124] requirements.txt: `antsibull-nox` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typos…
MINED124
requirements.txt entry has no version pin
CWE-1357
.devcontainer/requirements-dev.txt:8
· conf 0.90
[MINED124] requirements.txt: `pre-commit` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosqua…
MINED124
requirements.txt entry has no version pin
CWE-1357
.devcontainer/requirements-dev.txt:9
· conf 0.90
[MINED124] requirements.txt: `ansible-core` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosq…
MINED124
requirements.txt entry has no version pin
CWE-1357
.devcontainer/requirements-dev.txt:10
· conf 0.90
[MINED124] requirements.txt: `andebox` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats,…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:10
· conf 0.90
[MINED124] requirements.txt: `redis` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, a…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:14
· conf 0.90
[MINED124] requirements.txt: `linode-python # APIv3` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious cod…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:15
· conf 0.90
[MINED124] requirements.txt: `linode_api4 # APIv4` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:18
· conf 0.90
[MINED124] requirements.txt: `python-gitlab` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typos…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:19
· conf 0.90
[MINED124] requirements.txt: `PyGithub` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:20
· conf 0.90
[MINED124] requirements.txt: `httmock` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats,…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:21
· conf 0.90
[MINED124] requirements.txt: `pynacl` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, …
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:24
· conf 0.90
[MINED124] requirements.txt: `lxml` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, ac…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:25
· conf 0.90
[MINED124] requirements.txt: `semantic_version` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (ty…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:34
· conf 0.90
[MINED124] requirements.txt: `dnspython` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquat…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:47
· conf 0.90
[MINED124] requirements.txt: `passlib[argon2]` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typ…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:53
· conf 0.90
[MINED124] requirements.txt: `python-jenkins < 1.8.0 ; python_version < '3.8'` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases c…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/unit/requirements.txt:57
· conf 0.90
[MINED124] requirements.txt: `jsonpatch` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquat…
SEC001
Hardcoded Password
plugins/lookup/onepassword_raw.py:43
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC002
Hardcoded API Key
plugins/lookup/revbitspss.py:54
· conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
SEC007
Unsafe Deserialization
docs/docsite/reformat-yaml.py:17
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
SEC007
Unsafe Deserialization
plugins/cache/pickle.py:60
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
SEC014
SSL Verification Disabled
plugins/modules/irc.py:252
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
SEC015
Insecure Randomness for Security
plugins/modules/bitbucket_access_key.py:167
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
plugins/modules/consul_session.py:170
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
plugins/modules/github_key.py:188
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC042
SQL identifier injection via f-string in cursor execute
plugins/modules/mssql_db.py:120
· conf 1.00
[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odo…
SEC042
SQL identifier injection via f-string in cursor execute
plugins/modules/vertica_configuration.py:128
· conf 1.00
[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odo…
SEC042
SQL identifier injection via f-string in cursor execute
plugins/modules/vertica_role.py:130
· conf 1.00
[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odo…
SEC045
eval()/exec() on stored or user-supplied data
plugins/modules/memset_dns_reload.py:159
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
plugins/modules/memset_zone_domain.py:229
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC107
Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2)
plugins/modules/mqtt.py:149
· conf 1.00
[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols…
SEC127
AI agent stub — TODO: implement / pass placeholder body
plugins/module_utils/_mh/base.py:58
· conf 1.00
[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
plugins/modules/gitlab_project_badge.py:86
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
SEC136
AI-typical over-broad exception handler swallowing all errors
plugins/lookup/etcd.py:131
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
SEC136
AI-typical over-broad exception handler swallowing all errors
plugins/module_utils/_gitlab.py:62
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
AIC002
Source file name looks like an AI patch artifact
plugins/modules/scaleway_database_backup.py:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC003
Duplicated implementation block across source files
plugins/become/run0.py:77
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/cache/redis.py:19
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/cache/yaml.py:19
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/connection/jail.py:91
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/connection/lxd.py:45
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/connection/zone.py:110
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/connection/zone.py:137
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/filter/remove_keys.py:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/lookup/onepassword_doc.py:48
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/lookup/onepassword_raw.py:46
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/lookup/onepassword_raw.py:53
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/lookup/onepassword_ssh_key.py:69
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/lookup/onepassword_ssh_key.py:72
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/bitbucket_pipeline_key_pair.py:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/bitbucket_pipeline_known_host.py:15
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/bitbucket_pipeline_variable.py:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/bitbucket_pipeline_variable.py:18
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/btrfs_subvolume.py:153
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/cobbler_system.py:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/consul_auth_method.py:11
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/consul_binding_rule.py:9
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/consul_binding_rule.py:11
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/consul_token.py:11
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/datadog_monitor.py:10
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/datadog_monitor.py:228
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/django_createcachetable.py:27
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/django_loaddata.py:36
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/django_loaddata.py:40
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/modules/django_loaddata.py:43
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/module_utils/_scaleway.py:135
· conf 0.86
Duplicated implementation block across source files
AIC005
Duplicate top-level symbol appears in a patch-style file
plugins/modules/scaleway_database_backup.py:1
· conf 0.64
Duplicate top-level symbol appears in a patch-style file
COMP001
High cognitive complexity
plugins/become/sudosu.py:88
· conf 0.95
[COMP001] High cognitive complexity: Function `build_become_command` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand …
DKC006
Compose service does not declare a runtime user
tests/integration/targets/jenkins_credential/docker-compose.yml:7
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
tests/integration/targets/keycloak_clientscope_type/docker-compose.yml:8
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
tests/integration/targets/keycloak_clientsecret_info/docker-compose.yml:16
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
tests/integration/targets/keycloak_clientsecret_regenerate/docker-compose.yml:16
· conf 0.56
Compose service does not declare a runtime user
DKC010
Compose service lacks no-new-privileges hardening
tests/integration/targets/jenkins_credential/docker-compose.yml:7
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
tests/integration/targets/keycloak_clientscope_type/docker-compose.yml:8
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
tests/integration/targets/keycloak_clientsecret_info/docker-compose.yml:16
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
tests/integration/targets/keycloak_clientsecret_regenerate/docker-compose.yml:16
· conf 0.62
Compose service lacks no-new-privileges hardening
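What the DKC006 and DKC010 findings ask for, as an added compose fragment (not one of the collection's test fixtures): the image name, the secret file and the uid 999 are assumptions, chosen because the official postgres image runs as that uid; adjust for the image actually used. The first document is the flagged shape, the second the hardened one.

```yaml
# Before: no runtime user (container entrypoint starts as root) and no
# no-new-privileges, so a setuid binary inside the image can regain root.
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
secrets:
  db_password:
    file: ./db_password.txt
---
# After: explicit non-root user, privilege escalation blocked, capabilities
# dropped.  Drop cap_drop only if the entrypoint genuinely needs a capability
# (it should not when it is already started as the service user).
services:
  db:
    image: postgres:16
    user: "999:999"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
secrets:
  db_password:
    file: ./db_password.txt
```

These fixtures only run in CI, so the exposure is the CI runner rather than a production host, but a test container that can escalate to root is still the easiest foothold for a supply-chain attacker who lands in a test dependency.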
SEC124
TOCTOU file access (os.access then open)
plugins/modules/gunicorn.py:120
· conf 1.00
[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated …
SEC124
TOCTOU file access (os.access then open)
plugins/modules/lvm_pv.py:101
· conf 1.00
[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated …
SEC124
TOCTOU file access (os.access then open)
plugins/module_utils/_stormssh.py:113
· conf 1.00
[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated …
COMP001
High cognitive complexity
· conf 0.20
[COMP001] High cognitive complexity (and 423 more): Same pattern found in 423 additional files. Review if needed.
ERR001
Silent Exception Swallowing
· conf 0.20
[ERR001] Silent Exception Swallowing (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED001
Bare Except Pass
CWE-755
· conf 0.20
[MINED001] Bare Except Pass (and 44 more): Same pattern found in 44 additional files. Review if needed.
MINED006
Overcatch Baseexception
CWE-705
· conf 0.20
[MINED006] Overcatch Baseexception (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED007
Sql String Concat
CWE-89
· conf 0.20
[MINED007] Sql String Concat (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 31 more): Same pattern found in 31 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
plugins/callback/splunk.py:78
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
plugins/filter/json_query.py:22
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
plugins/lookup/etcd3.py:47
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 60 more): Same pattern found in 60 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
plugins/action/iptables_state.py:171
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
plugins/action/shutdown.py:29
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
plugins/callback/cgroup_memory_recap.py:98
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
· conf 0.20
[MINED053] Placeholder Default Username (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
plugins/cache/redis.py:19
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
plugins/modules/etcd3.py:100
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
plugins/modules/keyring_info.py:61
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED055
Npm Install No Lockfile
CWE-1357
.azure-pipelines/scripts/report-coverage.sh:16
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED055
Npm Install No Lockfile
CWE-1357
.devcontainer/setup.sh:8
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED063
Toctou Os Path Exists
CWE-367
plugins/modules/cloud_init_data_facts.py:109
· conf 1.00
[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/deleted between check and use.
MINED063
Toctou Os Path Exists
CWE-367
plugins/modules/locale_gen.py:145
· conf 1.00
[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/deleted between check and use.
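The check-then-open race that SEC124 and MINED063 both report, as an added example (not code from gunicorn.py, lvm_pv.py, _stormssh.py, cloud_init_data_facts.py or locale_gen.py): the racy reader next to one that opens first, refuses a symlink at the kernel level with O_NOFOLLOW, and checks the object it actually opened via fstat(). The temporary directory, file content and planted symlink are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile


def read_if_present_racy(path):
    """The SEC124 / MINED063 shape: a check, then a separate open.

    Between os.access()/os.path.exists() and open() the path can be replaced
    with a symlink to something the caller should never read or write.
    """
    if os.access(path, os.R_OK) and os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    return None


def read_if_present(path, max_bytes=1 << 20):
    """Open first, then decide, using the open descriptor for every check.

    O_NOFOLLOW makes the kernel refuse a symlink as the final path component,
    fstat() on the descriptor inspects the object actually opened, and the
    'missing' case is an error from open() rather than a pre-check.
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except FileNotFoundError:
        return None
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # ELOOP on Linux/macOS, EMLINK on FreeBSD
            raise PermissionError("refusing to follow symlink: %s" % path) from exc
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file: %s" % path)
    except BaseException:
        os.close(fd)  # nothing owns fd yet, so close it before propagating
        raise
    with os.fdopen(fd, "r", encoding="utf-8") as fh:  # fh now owns fd
        return fh.read(max_bytes)


def demo():
    """Exercise both readers on a constructed directory; returns the outcomes."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        regular = os.path.join(tmp, "cloud-init.cfg")
        with open(regular, "w", encoding="utf-8") as fh:
            fh.write("datasource: constructed-sample\n")
        link = os.path.join(tmp, "planted-link")
        try:
            os.symlink(regular, link)  # what an attacker drops into a shared directory
        except (OSError, NotImplementedError):
            link = None  # platform without symlink support or privilege

        outcomes["regular"] = read_if_present(regular)
        outcomes["missing"] = read_if_present(os.path.join(tmp, "absent"))
        if link is None:
            outcomes["symlink_racy"] = outcomes["symlink_safe"] = "skipped"
        else:
            outcomes["symlink_racy"] = "followed" if read_if_present_racy(link) else "refused"
            try:
                read_if_present(link)
                outcomes["symlink_safe"] = "followed"
            except PermissionError:
                outcomes["symlink_safe"] = "refused"
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-13s %r" % (name, value))
```

O_NOFOLLOW only protects the final path component; when the directory itself is attacker-writable, open it once and pass its descriptor as `dir_fd` to os.open() so intermediate components cannot be swapped either.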
MINED067
Python Requests No Timeout
CWE-400
plugins/modules/circonus_annotation.py:180
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED067
Python Requests No Timeout
CWE-400
plugins/module_utils/_gitlab.py:118
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED072
Python Pass Only Class
CWE-1188
· conf 0.20
[MINED072] Python Pass Only Class (and 14 more): Same pattern found in 14 additional files. Review if needed.
MINED072
Python Pass Only Class
CWE-1188
plugins/action/shutdown.py:28
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
MINED072
Python Pass Only Class
CWE-1188
plugins/lookup/bitwarden.py:131
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
MINED072
Python Pass Only Class
CWE-1188
plugins/lookup/bitwarden_secrets_manager.py:81
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
MINED073
Redos Greedy Quantifier
CWE-1333, CWE-400
plugins/modules/pkg5.py:113
· conf 1.00
[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data — denial of service.
MINED073
Redos Greedy Quantifier
CWE-1333, CWE-400
plugins/modules/pkgin.py:179
· conf 1.00
[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data — denial of service.
MINED073
Redos Greedy Quantifier
CWE-1333, CWE-400
plugins/modules/swdepot.py:77
· conf 1.00
[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data — denial of service.
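A nested-quantifier pattern of the kind MINED073 describes next to an unambiguous rewrite of the same language, as an added example (not the regexes from pkg5.py, pkgin.py or swdepot.py, which are hypothetical here): the sample lines are constructed, and `hostile_line` builds the worst-case input a package manager's output would never contain but a crafted package name might.

```python
import re
import time

# Hypothetical patterns for a line of whitespace-separated package tokens.  The
# first has the (a+)+ shape MINED073 describes: \w+ and \s* can split the same
# characters in many ways, so a non-matching line is retried exponentially.
NESTED = re.compile(r"^(\w+\s*)+$")
# Same language, no ambiguity: every token boundary needs real whitespace, so
# each backtracking step fails immediately and rejection is linear.
LINEAR = re.compile(r"^\w+(?:\s+\w+)*\s*$")


def matches_nested(line):
    return NESTED.match(line) is not None


def matches_linear(line):
    return LINEAR.match(line) is not None


def agree(line):
    """True if both patterns give the same verdict (they accept the same language)."""
    return matches_nested(line) == matches_linear(line)


def hostile_line(n):
    """n word characters followed by one that can never match: the worst case."""
    return "a" * n + "!"


def seconds_to_reject(pattern, line):
    """Wall-clock time for one match attempt; grows exponentially for NESTED."""
    start = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - start


# Constructed sample lines, including the edge cases both patterns must agree on.
SAMPLE_LINES = ["pkgin", "pkgin 23", "vim   gcc make ", " leading", "", "a!b"]


if __name__ == "__main__":
    for n in (10, 14, 18, 20):  # keep n small: each +1 doubles NESTED's work
        line = hostile_line(n)
        print("n=%2d  nested=%.4fs  linear=%.6fs" % (
            n, seconds_to_reject(NESTED, line), seconds_to_reject(LINEAR, line)))
```

Python's `re` has no match timeout, so when the input comes from a network or from a package name an outside party controls, bound its length before matching or use the third-party `regex` module's `timeout=` argument in addition to removing the ambiguity.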
MINED074
Ai Tell Fake Citation
plugins/modules/ipify_facts.py:49
· conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
MINED076
Catch And Reraise Noop
plugins/callback/logentries.py:164
· conf 1.00
[MINED076] Catch And Reraise Noop: except X: raise X — adds no value, hides traceback if AI accidentally changes message.
MINED076
Catch And Reraise Noop
plugins/lookup/etcd.py:152
· conf 1.00
[MINED076] Catch And Reraise Noop: except X: raise X — adds no value, hides traceback if AI accidentally changes message.
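The two exception-handling shapes reported above, SEC136 (catch-all that returns success) and MINED076 (except X: raise X), as one added example against a constructed key-value store (not code from the etcd lookup, _gitlab.py or the logentries callback): the over-broad handler turns a corrupted value into "not found", and the re-raise-by-class loses the original message.

```python
class BackendError(Exception):
    """Raised when the key-value backend itself failed (network, auth, ...)."""


def get_value_overbroad(store, key):
    """The SEC136 pattern: every failure becomes a silent 'not found'."""
    try:
        return store[key].decode("utf-8")
    except Exception:
        return None


def get_value_narrow(store, key, default=None):
    """Catch only what the lookup is documented to raise; let bugs surface."""
    try:
        raw = store[key]
    except KeyError:
        return default  # the one expected, benign outcome
    except (ConnectionError, TimeoutError) as exc:  # what a remote backend raises
        raise BackendError("backend unavailable: %s" % exc) from exc
    return raw.decode("utf-8")  # a non-bytes value is a bug: let AttributeError out


def reraise_noop(store, key):
    """The MINED076 pattern: except X: raise X builds a new, empty exception."""
    try:
        return store[key]
    except KeyError:
        raise KeyError


def reraise_preserving(store, key):
    """A bare raise re-raises the original object, message and traceback intact."""
    try:
        return store[key]
    except KeyError:
        raise


def error_args(func, *args):
    """Run func and return the exception's args tuple, or None if it succeeded."""
    try:
        func(*args)
    except Exception as exc:
        return exc.args
    return None


# Constructed backend contents: one good value and one corrupted (non-bytes) entry.
SAMPLE_STORE = {"app/db_host": b"db.internal", "app/db_port": 5432}


if __name__ == "__main__":
    print("overbroad, good key:  ", get_value_overbroad(SAMPLE_STORE, "app/db_host"))
    print("overbroad, bad value: ", get_value_overbroad(SAMPLE_STORE, "app/db_port"))
    print("narrow, bad value:    ", error_args(get_value_narrow, SAMPLE_STORE, "app/db_port"))
    print("raise KeyError args:  ", error_args(reraise_noop, SAMPLE_STORE, "missing"))
    print("bare raise args:      ", error_args(reraise_preserving, SAMPLE_STORE, "missing"))
```

In an Ansible lookup the "silent None" is especially costly: a task that templates the result sees an empty string, not a failure, and carries on with a blank credential or hostname.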
MINED077
Python Open No Context
CWE-772
plugins/connection/lxc.py:175
· conf 1.00
[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
MINED077
Python Open No Context
CWE-772
plugins/module_utils/_univention_umc.py:91
· conf 1.00
[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
SEC001
Hardcoded Password
plugins/modules/hponcfg.py:54
· conf 0.15
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC004
SQL Injection Risk
· conf 0.20
[SEC004] SQL Injection Risk (and 4 more): Same pattern found in 4 additional files. Review if needed.
SEC015
Insecure Randomness for Security
· conf 0.20
[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 61 more): Same pattern found in 61 additional files. Review if needed.
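A policy check for an outbound URL that covers both MINED043 (plaintext http) and SEC029 (user-controlled destination reaching internal services), as an added example and not a function from the collection: the addresses in the test are literal or come from a caller-supplied resolver, so the code runs offline; the resolver hook and the return shape are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit


def check_outbound_url(url, resolver=None, allow_plain_http=False):
    """Return (ok, reason) for a URL a task or lookup wants to fetch.

    resolver, if given, is a callable host -> list of IP strings.  Use the
    same resolver the HTTP client will use and connect to the returned
    address rather than the name; otherwise a DNS answer that changes between
    this check and the request (rebinding) defeats it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r is not http(s)" % (parts.scheme,)
    if parts.scheme == "http" and not allow_plain_http:
        return False, "plaintext http would expose credentials and data (MINED043)"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback host name"

    try:
        literal = ipaddress.ip_address(host)  # handles both v4 and bracketed v6
    except ValueError:
        literal = None
    if literal is not None:
        candidates = [literal]
    elif resolver is not None:
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    else:
        candidates = []  # no resolver: only literal targets can be judged here

    for addr in candidates:
        if not addr.is_global:  # loopback, RFC 1918, link-local (incl. cloud metadata), etc.
            return False, "%s is not a public address (%s)" % (addr, _classify(addr))
    return True, "ok"


def _classify(addr):
    for name in ("is_loopback", "is_private", "is_link_local",
                 "is_multicast", "is_reserved", "is_unspecified"):
        if getattr(addr, name):
            return name[3:]
    return "non-global"


if __name__ == "__main__":
    fake_resolver = lambda host: ["10.0.0.5"]  # constructed answer for the demo
    for url, kw in (
        ("https://1.1.1.1/api", {}),
        ("http://1.1.1.1/api", {}),
        ("https://169.254.169.254/latest/meta-data/", {}),
        ("https://api.internal.example/", {"resolver": fake_resolver}),
        ("file:///etc/passwd", {}),
    ):
        print("%-45s %s" % (url, check_outbound_url(url, **kw)))
```

An allow-list of expected hosts is stricter than this deny-list and preferable when the module knows which API it talks to; the check above is the fallback for lookups and callbacks that must accept an operator-supplied endpoint.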
SEC042
SQL identifier injection via f-string in cursor execute
· conf 0.20
[SEC042] SQL identifier injection via f-string in cursor execute (and 1 more): Same pattern found in 1 additional files. Review if needed.
SEC103
LDAP injection — non-constant search filter
· conf 0.20
[SEC103] LDAP injection — non-constant search filter (and 7 more): Same pattern found in 7 additional files. Review if needed.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 84 more): Same pattern found in 84 additional files. Review if needed.