https://github.com/pallets/flask · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | high | 6 |
| MINED111 Bare except continues silently | medium | 4 |
| COMP001 [COMP001] High cognitive complexity: Function `load_yfinanc… | low | 4 |
| MINED050 Stub Only Function | info | 3 |
| AUC002 [AUC002] Low visible authorization coverage in route invent… | medium | 1 |
| AUC001 [AUC001] No Repobility access matrix policy found: The repo… | medium | 1 |
| SEC135 Auth/permission check missing on AI-generated endpoint | high | 1 |
| WEB003 Public web service has no security.txt | medium | 1 |
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/conftest.py:72
· conf 1.00
[MINED106] Phantom test coverage: test_apps: Test function `test_apps` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifyin…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_basic.py:67
· conf 1.00
[MINED106] Phantom test coverage: test_method_route_no_methods: Test function `test_method_route_no_methods` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_basic.py:152
· conf 1.00
[MINED106] Phantom test coverage: test_disallow_string_for_allowed_methods: Test function `test_disallow_string_for_allowed_methods` runs code but contains no assert / expect / should call — it passe…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_basic.py:945
· conf 1.00
[MINED106] Phantom test coverage: test_baseexception_error_handling: Test function `test_baseexception_error_handling` runs code but contains no assert / expect / should call — it passes regardless o…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_basic.py:1086
· conf 1.00
[MINED106] Phantom test coverage: test_trapping_of_all_http_exceptions: Test function `test_trapping_of_all_http_exceptions` runs code but contains no assert / expect / should call — it passes regard…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_basic.py:1396
· conf 1.00
[MINED106] Phantom test coverage: test_build_error_handler_reraise: Test function `test_build_error_handler_reraise` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_basic.py:1628
· conf 1.00
[MINED106] Phantom test coverage: test_werkzeug_passthrough_errors: Test function `test_werkzeug_passthrough_errors` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_basic.py:1790
· conf 1.00
[MINED106] Phantom test coverage: test_index: Test function `test_index` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verify…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_cli.py:217
· conf 1.00
[MINED106] Phantom test coverage: test_locate_app_raises: Test function `test_locate_app_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_config.py:19
· conf 1.00
[MINED106] Phantom test coverage: test_config_from_pyfile: Test function `test_config_from_pyfile` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_config.py:25
· conf 1.00
[MINED106] Phantom test coverage: test_config_from_object: Test function `test_config_from_object` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_config.py:31
· conf 1.00
[MINED106] Phantom test coverage: test_config_from_file_json: Test function `test_config_from_file_json` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_config.py:38
· conf 1.00
[MINED106] Phantom test coverage: test_config_from_file_toml: Test function `test_config_from_file_toml` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_config.py:110
· conf 1.00
[MINED106] Phantom test coverage: test_config_from_mapping: Test function `test_config_from_mapping` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_config.py:132
· conf 1.00
[MINED106] Phantom test coverage: test_config_from_class: Test function `test_config_from_class` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_helpers.py:170
· conf 1.00
[MINED106] Phantom test coverage: test_redirect_with_app: Test function `test_redirect_with_app` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_helpers.py:180
· conf 1.00
[MINED106] Phantom test coverage: test_abort_no_app: Test function `test_abort_no_app` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_helpers.py:199
· conf 1.00
[MINED106] Phantom test coverage: test_abort_with_app: Test function `test_abort_with_app` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_helpers.py:220
· conf 1.00
[MINED106] Phantom test coverage: test_name_with_import_error: Test function `test_name_with_import_error` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_helpers.py:364
· conf 1.00
[MINED106] Phantom test coverage: test_open_resource_exceptions: Test function `test_open_resource_exceptions` runs code but contains no assert / expect / should call — it passes regardless of behavi…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_testing.py:192
· conf 1.00
[MINED106] Phantom test coverage: test_session_transaction_needs_cookies: Test function `test_session_transaction_needs_cookies` runs code but contains no assert / expect / should call — it passes re…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_views.py:18
· conf 1.00
[MINED106] Phantom test coverage: test_basic_view: Test function `test_basic_view` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage with…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_views.py:29
· conf 1.00
[MINED106] Phantom test coverage: test_method_based_view: Test function `test_method_based_view` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_views.py:42
· conf 1.00
[MINED106] Phantom test coverage: test_view_patching: Test function `test_view_patching` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_views.py:183
· conf 1.00
[MINED106] Phantom test coverage: test_endpoint_override: Test function `test_endpoint_override` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…
MINED108
self.attribute used but never assigned in __init__
CWE-476
examples/celery/src/task_app/__init__.py:33
· conf 1.00
[MINED108] `self.run` used but never assigned in __init__: Method `__call__` of class `FlaskTask` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This rais…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/config.py:124
· conf 1.00
[MINED108] `self.from_pyfile` used but never assigned in __init__: Method `from_envvar` of class `Config` reads `self.from_pyfile`, but no assignment to it exists in __init__ (and no class-level fall…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:155
· conf 1.00
[MINED108] `self._cookies` used but never assigned in __init__: Method `session_transaction` of class `FlaskClient` reads `self._cookies`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:162
· conf 1.00
[MINED108] `self._add_cookies_to_wsgi` used but never assigned in __init__: Method `session_transaction` of class `FlaskClient` reads `self._add_cookies_to_wsgi`, but no assignment to it exists in __…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:179
· conf 1.00
[MINED108] `self._update_cookies_from_response` used but never assigned in __init__: Method `session_transaction` of class `FlaskClient` reads `self._update_cookies_from_response`, but no assignment …
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:196
· conf 1.00
[MINED108] `self._copy_environ` used but never assigned in __init__: Method `_request_from_builder_args` of class `FlaskClient` reads `self._copy_environ`, but no assignment to it exists in __init__ …
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:216
· conf 1.00
[MINED108] `self._copy_environ` used but never assigned in __init__: Method `open` of class `FlaskClient` reads `self._copy_environ`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:220
· conf 1.00
[MINED108] `self._copy_environ` used but never assigned in __init__: Method `open` of class `FlaskClient` reads `self._copy_environ`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:225
· conf 1.00
[MINED108] `self._copy_environ` used but never assigned in __init__: Method `open` of class `FlaskClient` reads `self._copy_environ`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/testing.py:228
· conf 1.00
[MINED108] `self._request_from_builder_args` used but never assigned in __init__: Method `open` of class `FlaskClient` reads `self._request_from_builder_args`, but no assignment to it exists in __ini…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/wrappers.py:173
· conf 1.00
[MINED108] `self.endpoint` used but never assigned in __init__: Method `blueprint` of class `Request` reads `self.endpoint`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/wrappers.py:190
· conf 1.00
[MINED108] `self.blueprint` used but never assigned in __init__: Method `blueprints` of class `Request` reads `self.blueprint`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/wrappers.py:205
· conf 1.00
[MINED108] `self.mimetype` used but never assigned in __init__: Method `_load_form_data` of class `Request` reads `self.mimetype`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
src/flask/wrappers.py:206
· conf 1.00
[MINED108] `self.files` used but never assigned in __init__: Method `_load_form_data` of class `Request` reads `self.files`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_cli.py:472
· conf 1.00
[MINED108] `self.expect_order` used but never assigned in __init__: Method `test_simple` of class `TestRoutes` reads `self.expect_order`, but no assignment to it exists in __init__ (and no class-leve…
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_cli.py:478
· conf 1.00
[MINED108] `self.expect_order` used but never assigned in __init__: Method `test_sort` of class `TestRoutes` reads `self.expect_order`, but no assignment to it exists in __init__ (and no class-level …
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_cli.py:482
· conf 1.00
[MINED108] `self.expect_order` used but never assigned in __init__: Method `test_sort` of class `TestRoutes` reads `self.expect_order`, but no assignment to it exists in __init__ (and no class-level …
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_cli.py:487
· conf 1.00
[MINED108] `self.expect_order` used but never assigned in __init__: Method `test_sort` of class `TestRoutes` reads `self.expect_order`, but no assignment to it exists in __init__ (and no class-level …
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_helpers.py:261
· conf 1.00
[MINED108] `self._gen` used but never assigned in __init__: Method `test_streaming_with_context_and_custom_close` of class `TestStreaming` reads `self._gen`, but no assignment to it exists in __init_…
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_helpers.py:270
· conf 1.00
[MINED108] `self._gen` used but never assigned in __init__: Method `test_streaming_with_context_and_custom_close` of class `TestStreaming` reads `self._gen`, but no assignment to it exists in __init_…
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_json.py:242
· conf 1.00
[MINED108] `self.object_hook` used but never assigned in __init__: Method `loads` of class `CustomProvider` reads `self.object_hook`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_json_tag.py:56
· conf 1.00
[MINED108] `self.serializer` used but never assigned in __init__: Method `to_json` of class `TagFoo` reads `self.serializer`, but no assignment to it exists in __init__ (and no class-level fallback).…
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_user_error_handler.py:227
· conf 1.00
[MINED108] `self.Custom` used but never assigned in __init__: Method `app` of class `TestGenericHandlers` reads `self.Custom`, but no assignment to it exists in __init__ (and no class-level fallback)…
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_user_error_handler.py:262
· conf 1.00
[MINED108] `self.report_error` used but never assigned in __init__: Method `test_handle_class_or_code` of class `TestGenericHandlers` reads `self.report_error`, but no assignment to it exists in __in…
MINED108
self.attribute used but never assigned in __init__
CWE-476
tests/test_user_error_handler.py:290
· conf 1.00
[MINED108] `self.report_error` used but never assigned in __init__: Method `test_handle_generic` of class `TestGenericHandlers` reads `self.report_error`, but no assignment to it exists in __init__ (…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
examples/celery/src/task_app/views.py:22
· conf 0.80
[MINED112] FastAPI POST /add has no auth: Handler `add` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
examples/celery/src/task_app/views.py:30
· conf 0.80
[MINED112] FastAPI POST /block has no auth: Handler `block` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
examples/celery/src/task_app/views.py:36
· conf 0.80
[MINED112] FastAPI POST /process has no auth: Handler `process` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_basic.py:236
· conf 0.80
[MINED112] FastAPI POST / has no auth: Handler `do_set` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_basic.py:395
· conf 0.80
[MINED112] FastAPI POST / has no auth: Handler `set_session` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
tests/test_request.py:13
· conf 0.80
[MINED112] FastAPI POST / has no auth: Handler `index` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
examples/tutorial/flaskr/__init__.py:21
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC135
Auth/permission check missing on AI-generated endpoint
examples/javascript/js_example/views.py:14
· conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
src/flask/debughelpers.py:107
· conf 0.95
[COMP001] High cognitive complexity: Function `_dump_loader_info` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — n…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
src/flask/debughelpers.py:124
· conf 0.95
[COMP001] High cognitive complexity: Function `explain_template_loading_attempts` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human t…
MINED111
Bare except continues silently
src/flask/app.py:1017
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
src/flask/app.py:1598
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
src/flask/cli.py:650
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
src/flask/cli.py:956
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
examples/tutorial/flaskr/auth.py:47
· conf 0.95
[COMP001] High cognitive complexity: Function `register` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested bra…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 4 more): Same pattern found in 4 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
src/flask/json/provider.py:47
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
src/flask/json/tag.py:75
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
src/flask/views.py:83
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED055
Npm Install No Lockfile
CWE-1357
.devcontainer/on-create-command.sh:5
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.