
thclaws/thclaws

https://github.com/thClaws/thClaws · lang: rust · LOC: · source: both

Quality
70.9
Grade B
Security
100.0
Findings
103
0 critical · 32 high
Status
completed
May 31, 2026 01:25
high: 32 · medium: 13 · low: 33 · info: 25
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 29
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · high · 21
AGT015 Remote install command pipes network code directly to a she… · medium · 5
MINED003 Rust Unwrap In Prod · high · 4
MINED066 Rust Panic Macro · info · 4
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 4
SEC128 Async function without await — fire-and-forget Promise (AI … · high · 4
MINED059 Rust Expect In Prod · info · 4
MINED043 Http Not Https · info · 4
DKR002 Dockerfile base image has no explicit tag · medium · 3
First 103 findings (severity-sorted)
high MINED003 Rust Unwrap In Prod CWE-755
crates/core/src/api_v1/info.rs:322 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
crates/core/src/auto_learn.rs:200 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
crates/core/src/commands.rs:183 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/cargo-audit.yml:19 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/cargo-audit.yml:22 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/cargo-audit.yml:25 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:30 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:31 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:41 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:42 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:45 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:56 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:68 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:69 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:72 · conf 0.90
[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:79 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:100 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:101 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:102 · conf 0.90
[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:110 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:140 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:141 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:142 · conf 0.90
[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:150 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
crates/core/assets/gui-shell-bridge.js:28 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
crates/core/src/external_url.rs:17 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
crates/core/src/messenger/client.rs:148 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
crates/core/assets/gui-shells/session-explorer/main.js:142 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC085 JS: child_process.exec with non-literal
frontend/src/components/TeamView.tsx:95 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
crates/core/assets/gui-shell-bridge.js:96 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
crates/core/src/api_v1/oauth_callback.rs:156 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
frontend/src/components/CodeEditor.tsx:168 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT007 localStorage write failures are swallowed silently
frontend/src/components/ModelPickerModal.tsx:33 · conf 0.80
localStorage write failures are swallowed silently
medium AGT013 Agent auto-approve or skip-permissions mode is easy to enable
user-manual/ch26-gui-shells.md:189 · conf 0.68
Agent auto-approve or skip-permissions mode is easy to enable
medium AGT013 Agent auto-approve or skip-permissions mode is easy to enable
user-manual-th/ch26-gui-shells.md:185 · conf 0.68
Agent auto-approve or skip-permissions mode is easy to enable
medium AGT015 Remote install command pipes network code directly to a shell
user-manual/ch05-permissions.md:106 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
user-manual/ch11-built-in-tools.md:35 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
user-manual-th/ch02-installation.md:270 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
user-manual-th/ch05-permissions.md:121 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
user-manual-th/ch11-built-in-tools.md:35 · conf 0.70
Remote install command pipes network code directly to a shell
medium CORE_LARGE_FILES Average file size is 1080 lines (recommend <300)
Average file size is 587 lines (recommend <300)
medium DKR003 Dockerfile base image uses the latest tag
docker-compose.yml:20 · conf 0.94
Compose service `thclaws` image uses the latest tag
medium ERR002 Empty Catch Block
frontend/src/components/ShellPicker.tsx:179 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium SEC045 eval()/exec() on stored or user-supplied data
crates/core/src/util.rs:165 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
frontend/src/components/TeamView.tsx:95 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
low AIC003 Duplicated implementation block across source files
crates/core/src/deploy_client.rs:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/gui_shell/serve.rs:118 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/messenger/approver.rs:9 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/messenger/bootstrap.rs:42 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/messenger/client.rs:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/messenger/config.rs:53 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/providers/ollama_cloud.rs:24 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/providers/openai_responses.rs:148 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/telegram/approver.rs:51 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/telegram/approver.rs:108 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/telegram/client.rs:259 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/telegram/config.rs:95 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/telegram/headless.rs:108 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/telegram/topic.rs:47 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/tools/memory.rs:133 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/tools/pptx_create.rs:216 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/tools/pptx_edit.rs:86 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
crates/core/src/workflow/headless.rs:34 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/KmsBrowserSidebar.tsx:91 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/MarkdownEditor.tsx:64 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/MessengerConnectModal.tsx:39 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/ModelPickerModal.tsx:179 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/PlanSidebar.tsx:83 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/PlanSidebar.tsx:107 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/ResearchSidebar.tsx:143 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/Sidebar.tsx:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/TelegramConnectModal.tsx:111 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/TodoSidebar.tsx:41 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
frontend/src/components/TodoSidebar.tsx:57 · conf 0.86
Duplicated implementation block across source files
low DKC006 Compose service does not declare a runtime user
docker-compose.yml:20 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:20 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low SEC006 XSS Risk
crates/core/assets/gui-shells/session-explorer/main.js:142 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
info DKR002 Dockerfile base image has no explicit tag
Dockerfile:24 · conf 0.48
Dockerfile base image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
Dockerfile:43 · conf 0.48
Dockerfile base image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
Dockerfile:69 · conf 0.48
Dockerfile base image is selected through a build variable
info MINED003 Rust Unwrap In Prod CWE-755
· conf 0.20
[MINED003] Rust Unwrap In Prod (and 27 more): Same pattern found in 27 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
crates/core/src/external_url.rs:70 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
crates/core/src/line/config.rs:195 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
crates/core/src/messenger/config.rs:191 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
crates/core/assets/gui-shell-bridge.js:107 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
frontend/src/hooks/useIPC.ts:36 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
frontend/src/components/SettingsMenu.tsx:68 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
frontend/src/hooks/useIPC.ts:46 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
frontend/src/components/ShellPicker.tsx:58 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
frontend/src/components/ShellView.tsx:64 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED058 React Dangerously Set Html CWE-79
frontend/src/components/TeamView.tsx:253 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED059 Rust Expect In Prod CWE-755
· conf 0.20
[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.
info MINED059 Rust Expect In Prod CWE-755
crates/core/src/api_v1/oauth_callback.rs:72 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED059 Rust Expect In Prod CWE-755
crates/core/src/commands.rs:243 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED059 Rust Expect In Prod CWE-755
crates/core/src/line/upload.rs:80 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED066 Rust Panic Macro CWE-755
· conf 0.20
[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed.
info MINED066 Rust Panic Macro CWE-755
crates/core/src/cancel.rs:162 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
crates/core/src/line/protocol.rs:127 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
crates/core/src/messenger/client.rs:300 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional file. Review if needed.
