https://github.com/tiangolo/fastapi.git · lang: python · LOC: (not reported) · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | high | 25 |
| AUC009 Sensitive function route lacks elevated authorizat… | medium | 10 |
| AUC003 Object-level route lacks visible authorization: A … | high | 8 |
| AUC004 Admin route does not show super_admin separation: … | medium | 5 |
| MINED111 Bare except continues silently | medium | 4 |
| SEC135 Auth/permission check missing on AI-generated endpoint | high | 3 |
| SEC139 AI-generated migration/route without companion test file | medium | 3 |
MINED107
Missing Python import (NameError at runtime)
CWE-1075
tests/test_local_docs.py:12
· conf 1.00
[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
MINED107
Missing Python import (NameError at runtime)
CWE-1075
tests/test_swagger_ui_escape.py:11
· conf 1.00
[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
docs_src/body_updates/tutorial002_py310.py:23
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
docs_src/body_updates/tutorial002_py310.py:28
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
fastapi/applications.py:2283
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
fastapi/applications.py:3034
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
fastapi/exceptions.py:37
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
fastapi/param_functions.py:317
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
fastapi/routing.py:2556
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
fastapi/routing.py:3315
· conf 0.70
MINED001
Bare Except Pass
CWE-755
docs_src/dependencies/tutorial008b_an_py310.py:14
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001
Bare Except Pass
CWE-755
docs_src/dependencies/tutorial008b_py310.py:12
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001
Bare Except Pass
CWE-755
docs_src/dependencies/tutorial008c_an_py310.py:8
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED009
Floats For Money
CWE-682
docs_src/body/tutorial001_py310.py:8
· conf 1.00
[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
MINED009
Floats For Money
CWE-682
docs_src/body/tutorial002_py310.py:8
· conf 1.00
[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
MINED009
Floats For Money
CWE-682
docs_src/body/tutorial003_py310.py:8
· conf 1.00
[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_datastructures.py:10
· conf 1.00
[MINED106] Phantom test coverage: test_upload_file_invalid_pydantic_v2: Test function `test_upload_file_invalid_pydantic_v2` runs code but contains no assert / expect / should call — it passes regard…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_dependency_after_yield_streaming.py:103
· conf 1.00
[MINED106] Phantom test coverage: test_broken_session_data: Test function `test_broken_session_data` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_dependency_after_yield_streaming.py:115
· conf 1.00
[MINED106] Phantom test coverage: test_broken_session_stream_raise: Test function `test_broken_session_stream_raise` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_dependency_yield_scope.py:182
· conf 1.00
[MINED106] Phantom test coverage: test_broken_scope: Test function `test_broken_scope` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_empty_router.py:33
· conf 1.00
[MINED106] Phantom test coverage: test_include_empty: Test function `test_include_empty` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_exception_handlers.py:70
· conf 1.00
[MINED106] Phantom test coverage: test_override_server_error_exception_raises: Test function `test_override_server_error_exception_raises` runs code but contains no assert / expect / should call — it…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_invalid_path_param.py:6
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_sequence: Test function `test_invalid_sequence` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_invalid_path_param.py:18
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_tuple: Test function `test_invalid_tuple` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_invalid_path_param.py:30
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_dict: Test function `test_invalid_dict` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_invalid_path_param.py:42
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_simple_list: Test function `test_invalid_simple_list` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_invalid_path_param.py:51
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_simple_tuple: Test function `test_invalid_simple_tuple` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_invalid_path_param.py:60
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_simple_set: Test function `test_invalid_simple_set` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_invalid_path_param.py:69
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_simple_dict: Test function `test_invalid_simple_dict` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_pydantic_v1_error.py:19
· conf 1.00
[MINED106] Phantom test coverage: test_raises_pydantic_v1_model_in_endpoint_param: Test function `test_raises_pydantic_v1_model_in_endpoint_param` runs code but contains no assert / expect / should c…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_pydantic_v1_error.py:32
· conf 1.00
[MINED106] Phantom test coverage: test_raises_pydantic_v1_model_in_return_type: Test function `test_raises_pydantic_v1_model_in_return_type` runs code but contains no assert / expect / should call — …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_pydantic_v1_error.py:45
· conf 1.00
[MINED106] Phantom test coverage: test_raises_pydantic_v1_model_in_response_model: Test function `test_raises_pydantic_v1_model_in_response_model` runs code but contains no assert / expect / should c…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_pydantic_v1_error.py:58
· conf 1.00
[MINED106] Phantom test coverage: test_raises_pydantic_v1_model_in_additional_responses_model: Test function `test_raises_pydantic_v1_model_in_additional_responses_model` runs code but contains no as…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_router_circular_import.py:5
· conf 1.00
[MINED106] Phantom test coverage: test_router_circular_import: Test function `test_router_circular_import` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_validate_response_dataclass.py:39
· conf 1.00
[MINED106] Phantom test coverage: test_invalid: Test function `test_invalid` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without ve…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_validate_response_dataclass.py:44
· conf 1.00
[MINED106] Phantom test coverage: test_double_invalid: Test function `test_double_invalid` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_validate_response_dataclass.py:49
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_list: Test function `test_invalid_list` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_validate_response.py:51
· conf 1.00
[MINED106] Phantom test coverage: test_invalid: Test function `test_invalid` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without ve…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_validate_response.py:56
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_none: Test function `test_invalid_none` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_validate_response.py:75
· conf 1.00
[MINED106] Phantom test coverage: test_double_invalid: Test function `test_double_invalid` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_validate_response.py:80
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_list: Test function `test_invalid_list` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:1092
· conf 1.00
[MINED108] `self.routes` used but never assigned in __init__: Method `openapi` of class `FastAPI` reads `self.routes`, but no assignment to it exists in __init__ (and no class-level fallback). This r…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:1106
· conf 1.00
[MINED108] `self.openapi` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.openapi`, but no assignment to it exists in __init__ (and no class-level fallback). This r…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:1116
· conf 1.00
[MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:1133
· conf 1.00
[MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:1140
· conf 1.00
[MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:1154
· conf 1.00
[MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:1348
· conf 1.00
[MINED108] `self.add_api_websocket_route` used but never assigned in __init__: Method `websocket` of class `FastAPI` reads `self.add_api_websocket_route`, but no assignment to it exists in __init__ (…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:4641
· conf 1.00
[MINED108] `self.add_middleware` used but never assigned in __init__: Method `middleware` of class `FastAPI` reads `self.add_middleware`, but no assignment to it exists in __init__ (and no class-leve…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/applications.py:4688
· conf 1.00
[MINED108] `self.add_exception_handler` used but never assigned in __init__: Method `exception_handler` of class `FastAPI` reads `self.add_exception_handler`, but no assignment to it exists in __init…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/exceptions.py:208
· conf 1.00
[MINED108] `self._format_endpoint_context` used but never assigned in __init__: Method `__str__` of class `ValidationException` reads `self._format_endpoint_context`, but no assignment to it exists i…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/params.py:134
· conf 1.00
[MINED108] `self.default` used but never assigned in __init__: Method `__repr__` of class `Param` reads `self.default`, but no assignment to it exists in __init__ (and no class-level fallback). This …
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/params.py:578
· conf 1.00
[MINED108] `self.default` used but never assigned in __init__: Method `__repr__` of class `Body` reads `self.default`, but no assignment to it exists in __init__ (and no class-level fallback). This r…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1325
· conf 1.00
[MINED108] `self.add_route` used but never assigned in __init__: Method `route` of class `APIRouter` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1417
· conf 1.00
[MINED108] `self.routes` used but never assigned in __init__: Method `add_api_route` of class `APIRouter` reads `self.routes`, but no assignment to it exists in __init__ (and no class-level fallback)…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1450
· conf 1.00
[MINED108] `self.add_api_route` used but never assigned in __init__: Method `api_route` of class `APIRouter` reads `self.add_api_route`, but no assignment to it exists in __init__ (and no class-level…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1500
· conf 1.00
[MINED108] `self.routes` used but never assigned in __init__: Method `add_api_websocket_route` of class `APIRouter` reads `self.routes`, but no assignment to it exists in __init__ (and no class-level…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1562
· conf 1.00
[MINED108] `self.add_api_websocket_route` used but never assigned in __init__: Method `websocket` of class `APIRouter` reads `self.add_api_websocket_route`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1573
· conf 1.00
[MINED108] `self.add_websocket_route` used but never assigned in __init__: Method `websocket_route` of class `APIRouter` reads `self.add_websocket_route`, but no assignment to it exists in __init__ (…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1762
· conf 1.00
[MINED108] `self.add_api_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_api_route`, but no assignment to it exists in __init__ (and no class-…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1799
· conf 1.00
[MINED108] `self.add_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1812
· conf 1.00
[MINED108] `self.add_api_websocket_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_api_websocket_route`, but no assignment to it exists in __i…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1819
· conf 1.00
[MINED108] `self.add_websocket_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_websocket_route`, but no assignment to it exists in __init__ (a…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1823
· conf 1.00
[MINED108] `self.add_event_handler` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_event_handler`, but no assignment to it exists in __init__ (and n…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:1825
· conf 1.00
[MINED108] `self.add_event_handler` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_event_handler`, but no assignment to it exists in __init__ (and n…
MINED108
self.attribute used but never assigned in __init__
CWE-476
fastapi/routing.py:2181
· conf 1.00
[MINED108] `self.api_route` used but never assigned in __init__: Method `get` of class `APIRouter` reads `self.api_route`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_additional_properties_bool.py:19
· conf 0.80
[MINED112] FastAPI POST / has no auth: Handler `post` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_additional_properties.py:14
· conf 0.80
[MINED112] FastAPI POST /foo has no auth: Handler `foo` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_compat.py:25
· conf 0.80
[MINED112] FastAPI POST / has no auth: Handler `foo` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_compat.py:58
· conf 0.80
[MINED112] FastAPI POST / has no auth: Handler `foo` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_datastructures.py:37
· conf 0.80
[MINED112] FastAPI POST /uploadfile/ has no auth: Handler `create_upload_file` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_forms_from_non_typing_sequences.py:8
· conf 0.80
[MINED112] FastAPI POST /form/python-list has no auth: Handler `post_form_param_list` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_forms_from_non_typing_sequences.py:13
· conf 0.80
[MINED112] FastAPI POST /form/python-set has no auth: Handler `post_form_param_set` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_forms_from_non_typing_sequences.py:18
· conf 0.80
[MINED112] FastAPI POST /form/python-tuple has no auth: Handler `post_form_param_tuple` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appear…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_forms_single_model.py:30
· conf 0.80
[MINED112] FastAPI POST /form-extra-allow/ has no auth: Handler `post_form_extra_allow` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appear…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_forms_single_param.py:11
· conf 0.80
[MINED112] FastAPI POST /form/ has no auth: Handler `post_form` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_put_no_body.py:9
· conf 0.80
[MINED112] FastAPI PUT /items/{item_id} has no auth: Handler `save_item_no_body` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_pydantic_v1_error.py:28
· conf 0.80
[MINED112] FastAPI POST /param has no auth: Handler `endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_pydantic_v1_error.py:82
· conf 0.80
[MINED112] FastAPI POST /union has no auth: Handler `endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_pydantic_v1_error.py:95
· conf 0.80
[MINED112] FastAPI POST /sequence has no auth: Handler `endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_regex_deprecated_body.py:17
· conf 0.80
[MINED112] FastAPI POST /items/ has no auth: Handler `read_items` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_request_body_parameters_media_type.py:23
· conf 0.80
[MINED112] FastAPI POST /products has no auth: Handler `create_product` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the functio…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_request_body_parameters_media_type.py:28
· conf 0.80
[MINED112] FastAPI POST /shops has no auth: Handler `create_shop` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_required_noneable.py:18
· conf 0.80
[MINED112] FastAPI POST /body-embed has no auth: Handler `send_body_embed` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the func…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_tuples.py:19
· conf 0.80
[MINED112] FastAPI POST /model-with-tuple/ has no auth: Handler `post_model_with_tuple` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appear…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_tuples.py:24
· conf 0.80
[MINED112] FastAPI POST /tuple-of-models/ has no auth: Handler `post_tuple_of_models` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_tuples.py:29
· conf 0.80
[MINED112] FastAPI POST /tuple-form/ has no auth: Handler `hello` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_union_body_discriminator_annotated.py:37
· conf 0.80
[MINED112] FastAPI POST /pet/assignment has no auth: Handler `create_pet_assignment` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears i…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_union_body_discriminator_annotated.py:41
· conf 0.80
[MINED112] FastAPI POST /pet/annotated has no auth: Handler `create_pet_annotated` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_union_body_discriminator.py:29
· conf 0.80
[MINED112] FastAPI POST /items/ has no auth: Handler `save_union_body_discriminator` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears i…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_union_inherited_body.py:18
· conf 0.80
[MINED112] FastAPI POST /items/ has no auth: Handler `save_union_different_body` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in th…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
docs/en/docs/js/custom.js:180
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
scripts/doc_parsing_utils.py:17
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC040
innerHTML XSS — template literal with server-supplied data
docs/en/docs/js/termynal.js:226
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC085
JS: child_process.exec with non-literal
docs_src/sql_databases/tutorial001_an_py310.py:54
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
docs_src/sql_databases/tutorial001_py310.py:50
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
docs_src/sql_databases/tutorial002_an_py310.py:71
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
docs/en/docs/js/custom.js:166
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
docs_src/body/tutorial002_py310.py:20
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
docs_src/body/tutorial004_py310.py:19
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
Note: the second and third hits are Python files, where this rule can only mean a call inside an `async def` that is not awaited. The calls at those lines are ordinary synchronous dict/model method calls, which must not be awaited. The real version of this bug is an un-awaited coroutine call, which CPython reports at runtime as `RuntimeWarning: coroutine '...' was never awaited`.
SEC135
Auth/permission check missing on AI-generated endpoint
docs_src/additional_status_codes/tutorial001_an_py310.py:11
· conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
SEC135
Auth/permission check missing on AI-generated endpoint
docs_src/additional_status_codes/tutorial001_py310.py:9
· conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
SEC135
Auth/permission check missing on AI-generated endpoint
docs_src/app_testing/app_b_an_py310/main.py:31
· conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
Note: nothing in this report establishes that these tutorial snippets were generated by an AI agent. The substantive content of SEC135 is the same as MINED112 (a POST/PUT/DELETE/PATCH route with no Depends/Security parameter); triage the two rules together.
AGT006
React interval is created without an explicit cleanup
docs/en/docs/js/custom.js:139
· conf 0.78
React interval is created without an explicit cleanup
Note: the documentation site is built with MkDocs, not React, and custom.js is a plain page script, so the effect-cleanup model the rule assumes does not apply. The question that remains is whether the interval created at that line is ever cleared when the element it updates leaves the page.
AUC001
No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC002
Low visible authorization coverage in route inventory
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: the two copies of this finding give different figures for the share of discovered routes with nearby authentication, authorization, middleware, or public-route evidence (0.0% in one, 14.5% in the other). The metric is unreliable as reported and should be recomputed before it is quoted.
AUC004
Admin route does not show super_admin separation
docs_src/bigger_applications/app_an_py310/internal/admin.py:6
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
Note: the Endpoint value is identical on every AUC003/AUC004 finding in this report and uses Django URL-converter syntax (`<slug:...>`), which FastAPI does not use, so it does not describe the route at the cited line; read the decorator at the cited file:line instead. The settings-tutorial hits appear to match on the word "admin" (those routes return a setting named admin_email). docs_src/ holds the single-topic snippets embedded in the documentation, not a deployable application.
AUC004
Admin route does not show super_admin separation
docs_src/settings/app01_py310/main.py:8
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
AUC004
Admin route does not show super_admin separation
docs_src/settings/app03_an_py310/main.py:16
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
AUC004
Admin route does not show super_admin separation
docs_src/settings/tutorial001_py310.py:15
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
AUC004
Admin route does not show super_admin separation
docs_src/websockets_/tutorial003_py310.py:66
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/header_params/tutorial003_an_py310.py:8
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
Note: the Endpoint value is the same on all ten AUC009 findings, including two in FastAPI's own source (fastapi/applications.py, fastapi/routing.py), which define the route decorators rather than register an application route, and the sql_databases tutorials, whose DELETE route at the cited lines is `/heroes/{hero_id}`. Read it as the rule's illustration, not the route at the cited line. The substantive point stands for any real application: a DELETE on an object id needs an authenticated caller plus an ownership or elevated-scope check, not just a route.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/header_params/tutorial003_py310.py:6
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/server_sent_events/tutorial005_py310.py:14
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/sql_databases/tutorial001_an_py310.py:66
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/sql_databases/tutorial001_py310.py:62
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/sql_databases/tutorial002_an_py310.py:96
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/sql_databases/tutorial002_py310.py:95
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
docs_src/websockets_/tutorial002_py310.py:59
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
fastapi/applications.py:3034
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC009
Sensitive function route lacks elevated authorization evidence
fastapi/routing.py:3315
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC012
FastAPI interactive docs may be exposed by framework defaults
· conf 0.72
[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
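The checks these findings ask for, assembled as one added example that is not FastAPI project code (the token table and the item store are constructed): a DELETE /items/{item_id} route that requires a bearer token and an `items:write` scope (elevated authorization, AUC009/MINED112/SEC135) and then ownership or an `items:admin` scope (object-level authorization, AUC003), with the interactive docs and the OpenAPI document switched off unless explicitly enabled (AUC012). The decision logic is kept apart from the FastAPI wiring so it can be unit-tested without a server or a FastAPI install.

```python
"""Added example: scope-based plus object-level authorization on a mutating FastAPI
route, and docs/OpenAPI disabled by default. Not FastAPI project code; the token
table and item store are constructed stand-ins for a real credential check and DB."""
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Principal:
    user_id: str
    scopes: frozenset


class Decision(str, Enum):
    ALLOW = "allow"
    NOT_FOUND = "not_found"   # also used when the caller may not see the item
    FORBIDDEN = "forbidden"   # authenticated, but a required scope is missing


def missing_scopes(principal, required):
    return sorted(set(required) - principal.scopes)


def decide_item_delete(principal, item_id, items):
    """Scope check first, then the object-level check. A non-owner gets NOT_FOUND
    rather than FORBIDDEN so that an authenticated attacker cannot use the status
    code to enumerate other users' item ids (the BOLA/IDOR case)."""
    if missing_scopes(principal, {"items:write"}):
        return Decision.FORBIDDEN
    item = items.get(item_id)
    if item is None:
        return Decision.NOT_FOUND
    if item["owner"] != principal.user_id and "items:admin" not in principal.scopes:
        return Decision.NOT_FOUND
    return Decision.ALLOW


def build_app(expose_docs=False):
    """Wire the decision into FastAPI. Docs and the OpenAPI document are off unless
    the caller opts in (e.g. from a settings flag that is false in production)."""
    from fastapi import Depends, FastAPI, HTTPException, Security
    from fastapi.security import OAuth2PasswordBearer, SecurityScopes

    items = {"item-1": {"owner": "alice"}, "item-2": {"owner": "bob"}}  # constructed
    tokens = {                                                          # constructed
        "alice-token": Principal("alice", frozenset({"items:write"})),
        "root-token": Principal("root", frozenset({"items:write", "items:admin"})),
    }
    app = FastAPI(
        docs_url="/docs" if expose_docs else None,
        redoc_url=None,
        openapi_url="/openapi.json" if expose_docs else None,
    )
    oauth2 = OAuth2PasswordBearer(
        tokenUrl="token",
        scopes={"items:write": "Modify own items", "items:admin": "Modify any item"},
    )

    def current_principal(security_scopes: SecurityScopes, token: str = Depends(oauth2)):
        principal = tokens.get(token)  # real code: verify a signed token or session here
        if principal is None:
            raise HTTPException(401, "Not authenticated", headers={"WWW-Authenticate": "Bearer"})
        missing = missing_scopes(principal, security_scopes.scopes)
        if missing:
            raise HTTPException(403, f"Missing scopes: {missing}")
        return principal

    @app.delete("/items/{item_id}", status_code=204)
    def delete_item(
        item_id: str,
        principal: Principal = Security(current_principal, scopes=["items:write"]),
    ):
        decision = decide_item_delete(principal, item_id, items)
        if decision is not Decision.ALLOW:
            raise HTTPException(404 if decision is Decision.NOT_FOUND else 403)
        del items[item_id]

    return app


if __name__ == "__main__":
    from fastapi.testclient import TestClient  # needs httpx installed

    client = TestClient(build_app())
    print(client.delete("/items/item-2").status_code)
    print(client.delete("/items/item-2", headers={"Authorization": "Bearer alice-token"}).status_code)
    print(client.delete("/items/item-2", headers={"Authorization": "Bearer root-token"}).status_code)
    print(client.get("/docs").status_code)
```

Run as a script (with fastapi and httpx installed) the four requests give 401 for no token, 404 for alice deleting bob's item, 204 for the admin token, and 404 for /docs because docs_url is None. To expose the docs in an environment where they are wanted, call `build_app(expose_docs=True)` from a settings flag rather than editing the constructor, so production cannot inherit the development default.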
MINED109
Mutable default argument
CWE-1023
docs_src/query_params_str_validations/tutorial012_an_py310.py:9
· conf 1.00
[MINED109] Mutable default argument in `read_items` (list): `def read_items(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. M…
MINED109
Mutable default argument
CWE-1023
docs_src/query_params_str_validations/tutorial013_an_py310.py:9
· conf 1.00
[MINED109] Mutable default argument in `read_items` (list): `def read_items(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. M…
Note: for the two `read_items` hits the default belongs to a query parameter declared with `Query()`. FastAPI never invokes the handler through Python's own default mechanism; when the parameter is absent it supplies a fresh copy of the declared default through its validation layer, so the list is not shared between requests and the classic CWE-1023 hazard does not arise. The `validate` hit in fastapi/_compat/v2.py is a plain function, so there the question is simply whether the dict is ever mutated; confirm by reading it.
MINED109
Mutable default argument
CWE-1023
fastapi/_compat/v2.py:173
· conf 1.00
[MINED109] Mutable default argument in `validate` (dict): `def validate(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutat…
MINED111
Bare except continues silently
fastapi/concurrency.py:30
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
fastapi/encoders.py:346
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
fastapi/routing.py:270
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/test_ws_router.py:245
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Note: at least two of these sites do not swallow the error. The handler in fastapi/concurrency.py passes the exception to the context manager's `__exit__` and re-raises unless `__exit__` suppressed it, which is the standard context-manager protocol; the handler in fastapi/encoders.py collects the error, tries `vars(obj)` as a fallback and raises `ValueError(errors)` if that fails too. Confirm the routing.py and test_ws_router.py sites before filing.
SEC015
Insecure Randomness for Security
docs_src/security/tutorial004_an_py310.py:82
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
docs_src/security/tutorial004_py310.py:81
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
docs_src/security/tutorial005_an_py310.py:97
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
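What "predictable" means for Python's `random` module (a Mersenne Twister), as an added example that is not part of the report or of FastAPI: 624 consecutive 32-bit outputs are enough to rebuild the generator's internal state and predict every later value, so anything a server derives from `random` (tokens, reset codes, session ids) is recoverable by a client that has seen enough of them. The victim and attacker generators below are constructed for the demonstration; the remedy is the `secrets` module, shown at the end.

```python
"""Added example: recover a `random.Random` from 624 consecutive 32-bit outputs and
predict its next values, then the correct source for secrets. Not FastAPI project code."""
import random
import secrets

MASK32 = 0xFFFFFFFF


def temper(y):
    """The output transform CPython applies to each state word (for reference/tests)."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xor(y, shift):
    """Invert `y ^= y >> shift`; high bits are untouched, so recover from the top down."""
    out = 0
    for i in range(31, -1, -1):
        bit = (y >> i) & 1
        if i + shift < 32:
            bit ^= (out >> (i + shift)) & 1
        out |= bit << i
    return out


def _undo_left_xor_mask(y, shift, mask):
    """Invert `y ^= (y << shift) & mask`; low bits are untouched, so recover bottom up."""
    out = 0
    for i in range(32):
        bit = (y >> i) & 1
        if i >= shift:
            bit ^= ((out >> (i - shift)) & 1) & ((mask >> i) & 1)
        out |= bit << i
    return out


def untemper(y):
    """Map one observed output back to the state word it was produced from."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y & MASK32


def clone_mt(outputs):
    """Rebuild an equivalent `random.Random` from 624 consecutive 32-bit outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # Index 624 tells the generator to twist before producing its next output,
    # exactly where the victim is after emitting the 624 values we observed.
    clone.setstate((3, state + (624,), None))
    return clone


def prediction_matches(seed=1234, trials=10):
    """Constructed scenario: a server hands out `random`-derived values and an
    observer collects 624 of them. Returns True if the clone predicts the rest."""
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(624)]
    attacker = clone_mt(leaked)
    return all(attacker.getrandbits(32) == victim.getrandbits(32) for _ in range(trials))


def new_secret_token(nbytes=32):
    """What to use instead: the OS CSPRNG via `secrets` (no recoverable state)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("clone predicts victim:", prediction_matches())
    print("secret token:", new_secret_token())
```

`random.getrandbits(32)` returns one raw generator word, which keeps the example short; values produced through `random.choice`, `randrange` or `random.random()` leak the same words in a transformed form and are recovered with a little more bookkeeping. `secrets.token_urlsafe`, `secrets.token_hex` and `secrets.compare_digest` cover token generation and constant-time comparison; `os.urandom` underlies all of them.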
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
scripts/docs.py:191
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC045
eval()/exec() on stored or user-supplied data
docs_src/sql_databases/tutorial001_an_py310.py:54
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
docs_src/sql_databases/tutorial001_py310.py:50
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
docs_src/sql_databases/tutorial002_an_py310.py:71
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
Note: the three cited lines are the same ones flagged as SEC085 above: `session.exec(select(...))`, SQLModel's query method, not the `exec()` builtin. No string is compiled or evaluated at those lines; both rules matched the method name.
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
docs_src/python_types/tutorial011_py310.py:8
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
docs_src/security/tutorial002_an_py310.py:21
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
docs_src/security/tutorial002_py310.py:19
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
Note: all three hits are under docs_src/, the sample snippets embedded in the documentation, where `example.com` addresses and placeholder names are the intended values (RFC 2606 reserves example.com for exactly this purpose). The rule's "non-test code" premise does not hold for that directory.
SEC139
AI-generated migration/route without companion test file
docs_src/extra_models/tutorial001_py310.py:38
· conf 1.00
[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion tes…
SEC139
AI-generated migration/route without companion test file
docs_src/extra_models/tutorial002_py310.py:36
· conf 1.00
[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion tes…
SEC139
AI-generated migration/route without companion test file
docs_src/generate_clients/tutorial002_py310.py:34
· conf 1.00
[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion tes…
Note: FastAPI keeps the tests for docs_src/ snippets under tests/test_tutorial/ (one test module per tutorial), not beside the snippet, so a companion-file heuristic misses them; check that directory before treating a snippet as untested. Nothing in the report supports the "AI-generated" label.
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
WEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security Policy
AIC003
Duplicated implementation block across source files
docs_src/app_testing/app_b_py310/main.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/background_tasks/tutorial002_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_multiple_params/tutorial003_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_multiple_params/tutorial004_an_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_multiple_params/tutorial004_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_multiple_params/tutorial004_py310.py:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_nested_models/tutorial005_py310.py:6
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_nested_models/tutorial006_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_nested_models/tutorial007_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_nested_models/tutorial007_py310.py:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/body_updates/tutorial002_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/custom_request_and_route/tutorial001_py310.py:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/custom_request_and_route/tutorial002_py310.py:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/dependencies/tutorial008b_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/dependencies/tutorial014_an_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/dependency_testing/tutorial001_py310.py:11
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/extra_data_types/tutorial001_py310.py:12
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/generate_clients/tutorial003_py310.py:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/metadata/tutorial001_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/path_operation_configuration/tutorial004_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/path_operation_configuration/tutorial005_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/request_files/tutorial002_py310.py:6
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/request_files/tutorial003_an_py310.py:16
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/request_files/tutorial003_py310.py:12
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/request_files/tutorial003_py310.py:13
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/response_model/tutorial003_py310.py:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/response_model/tutorial006_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/schema_extra_example/tutorial004_an_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/schema_extra_example/tutorial004_py310.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
docs_src/schema_extra_example/tutorial004_py310.py:13
· conf 0.86
Duplicated implementation block across source files
COMP001
High cognitive complexity
docs_src/security/tutorial005_an_py310.py:108
· conf 0.95
[COMP001] High cognitive complexity: Function `get_current_user` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nes…
COMP001
High cognitive complexity
docs_src/security/tutorial005_py310.py:107
· conf 0.95
[COMP001] High cognitive complexity: Function `get_current_user` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nes…
COMP001
High cognitive complexity
fastapi/_compat/shared.py:202
· conf 0.95
[COMP001] High cognitive complexity: Function `annotation_is_pydantic_v1` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to unders…
WEB001
Public web app has no robots.txt
robots.txt
· conf 0.74
Public web app has no robots.txt
WEB008
Public docs site has no llms.txt
llms.txt
· conf 0.64
Public docs site has no llms.txt
WEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txt
MINED043
Http Not Https
CWE-319
docs/en/docs/js/init_kapa_widget.js:13
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
docs_src/metadata/tutorial001_1_py310.py:26
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
docs_src/metadata/tutorial001_py310.py:26
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Note: the two metadata-tutorial hits are OpenAPI metadata strings (the `terms_of_service` and `contact` URLs, under `example.com`) that FastAPI publishes in the generated schema; nothing requests them, so no credentials or data travel over that URL and CWE-319 does not apply there. The init_kapa_widget.js hit is the one to check.
MINED044
Js Console Log Prod
CWE-532
docs/en/docs/js/custom.js:70
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
docs_src/generate_clients/tutorial004.js:29
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED050
Stub Only Function
CWE-1188
docs_src/dependencies/tutorial008b_an_py310.py:15
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
docs_src/dependencies/tutorial008b_py310.py:13
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
docs_src/dependencies/tutorial008c_an_py310.py:9
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED072
Python Pass Only Class
CWE-1188
docs_src/dependencies/tutorial008b_an_py310.py:14
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
MINED072
Python Pass Only Class
CWE-1188
docs_src/dependencies/tutorial008b_py310.py:12
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
MINED072
Python Pass Only Class
CWE-1188
docs_src/dependencies/tutorial008c_an_py310.py:8
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/3698120a-e08b-4304-8dd1-f2dcb9f557ea/.