https://github.com/phpbb/phpbb · lang: php · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| AIC002 Source file name looks like an AI patch artifact | low | 20 |
| MINED004 Weak Crypto | high | 4 |
| SEC039 Plaintext-equivalent password hash — unsalted single-pass d… | critical | 4 |
| MINED019 Ssti Jinja From String | critical | 4 |
| MINED048 Php Error Suppress | info | 4 |
| SEC084 JS: require() with non-literal | critical | 4 |
| MINED043 Http Not Https | info | 4 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 4 |
MINED019
Ssti Jinja From String
CWE-94
phpBB/includes/ucp/ucp_activate.php:143
· conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
MINED019
Ssti Jinja From String
CWE-94
phpBB/includes/ucp/ucp_resend.php:147
· conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
MINED019
Ssti Jinja From String
CWE-94
phpBB/phpbb/console/command/user/activate.php:204
· conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
SEC039
Plaintext-equivalent password hash — unsalted single-pass digest
phpBB/phpbb/auth/provider/db.php:201
· conf 1.00
[SEC039] Plaintext-equivalent password hash — unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwo…
SEC039
Plaintext-equivalent password hash — unsalted single-pass digest
phpBB/phpbb/passwords/driver/base_native.php:55
· conf 1.00
[SEC039] Plaintext-equivalent password hash — unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwo…
SEC039
Plaintext-equivalent password hash — unsalted single-pass digest
phpBB/phpbb/passwords/driver/bcrypt.php:61
· conf 1.00
[SEC039] Plaintext-equivalent password hash — unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwo…
SEC084
JS: require() with non-literal
phpBB/adm/index.php:22
· conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
SEC084
JS: require() with non-literal
phpBB/common.php:23
· conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
SEC084
JS: require() with non-literal
phpBB/develop/add_permissions.php:32
· conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
JRN009
Secret-like setting is echoed into a password input value
phpBB/adm/style/auth_provider_oauth.html:14
· conf 0.83
Secret-like setting is echoed into a password input value
JRN009
Secret-like setting is echoed into a password input value
phpBB/styles/prosilver/template/ucp_register.html:45
· conf 0.83
Secret-like setting is echoed into a password input value
MINED004
Weak Crypto
CWE-327
phpBB/develop/benchmark.php:70
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
phpBB/phpbb/cache/driver/base.php:100
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
phpBB/phpbb/cache/driver/memory.php:31
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED104
Chmod 777
CWE-732, CWE-276
.github/setup-sphinx.sh:143
· conf 1.00
[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks.
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/check_merge_to_master.yml:15
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/check_merge_to_master.yml:46
· conf 0.90
[MINED115] Action `peter-evans/find-comment` pinned to mutable ref `@v3`: `uses: peter-evans/find-comment@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/check_merge_to_master.yml:55
· conf 0.90
[MINED115] Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v4`: `uses: peter-evans/create-or-update-comment@v4` resolves at workflow-run time. Tags and branches can be re-pushed…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/merge_3.3.x_to_master.yml:13
· conf 0.90
[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v1`: `uses: actions/create-github-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/merge_3.3.x_to_master.yml:20
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:36
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:41
· conf 0.90
[MINED115] Action `shivammathur/setup-php` pinned to mutable ref `@v2`: `uses: shivammathur/setup-php@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:55
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:177
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:187
· conf 0.90
[MINED115] Action `shivammathur/setup-php` pinned to mutable ref `@v2`: `uses: shivammathur/setup-php@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:203
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:229
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:320
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:330
· conf 0.90
[MINED115] Action `shivammathur/setup-php` pinned to mutable ref `@v2`: `uses: shivammathur/setup-php@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:346
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:367
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:428
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:443
· conf 0.90
[MINED115] Action `shivammathur/setup-php` pinned to mutable ref `@v2`: `uses: shivammathur/setup-php@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:459
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:480
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:508
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:511
· conf 0.90
[MINED115] Action `shivammathur/setup-php` pinned to mutable ref `@v2`: `uses: shivammathur/setup-php@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:526
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:625
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:632
· conf 0.90
[MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
.devcontainer/Dockerfile:3
· conf 0.90
[MINED118] Dockerfile FROM `mcr.microsoft.com/vscode/devcontainers/base:0-` not pinned by digest: `FROM mcr.microsoft.com/vscode/devcontainers/base:0-` resolves the tag at build time. The registry CA…
SEC013
Path Traversal — User Input in File Path
phpBB/phpbb/plupload/plupload.php:360
· conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
phpBB/assets/javascript/hermite.js:7
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
phpBB/assets/javascript/phpbb-avatars.js:133
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
phpBB/language/en/acp/forums.php:95
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
phpBB/assets/javascript/phpbb-avatars.js:96
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
DKR001
Docker final stage has no non-root USER
.devcontainer/Dockerfile:3
· conf 0.82
Docker final stage has no non-root USER
DKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
Docker build context has no .dockerignore
SEC001
Hardcoded Password
phpBB/phpbb/db/driver/postgres.php:39
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
phpBB/install/startup.php:188
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
phpBB/phpbb/feed/helper.php:157
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC045
eval()/exec() on stored or user-supplied data
phpBB/phpbb/db/driver/sqlite3.php:93
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC046
Client-side open redirect — window.location = server-supplied URL
phpBB/assets/javascript/phpbb-avatars.js:245
· conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
AIC002
Source file name looks like an AI patch artifact
phpBB/includes/acp/acp_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/includes/acp/info/acp_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v310/bot_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v310/jquery_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v310/mod_rewrite.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v310/notifications_schema_fix.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v31x/style_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v320/font_awesome_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v320/icons_alt.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v32x/jquery_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v330/jquery_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v33x/bot_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v33x/font_awesome_5_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v33x/jquery_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v33x/profilefields_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v33x/profilefield_youtube_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v33x/topic_views_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v400/search_backend_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/db/migration/data/v400/storage_backup.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
phpBB/phpbb/install/module/requirements/task/check_update.php:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC003
Duplicated implementation block across source files
phpBB/develop/adjust_sizes.php:27
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/adjust_smilies.php:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/adjust_uids.php:53
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/adjust_uids.php:71
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/adjust_usernames.php:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/export_events_for_rst.php:17
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/export_events_for_wiki.php:16
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/export_events_for_wiki.php:17
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/generate_utf_confusables.php:142
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/develop/generate_utf_tables.php:105
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/includes/acp/acp_main.php:467
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/includes/mcp/mcp_logs.php:116
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/includes/ucp/ucp_pm.php:187
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/includes/ucp/ucp_profile.php:489
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/auth/provider/db.php:27
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/auth/provider/ldap.php:76
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/console/command/config/set_atomic.php:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/console/command/config/set_atomic.php:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/console/command/config/set.php:25
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/console/command/extension/remove.php:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/console/command/extension/update.php:31
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/console/command/searchindex/delete.php:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/console/command/user/add.php:63
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/cron/task/core/tidy_warnings.php:4
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/db/driver/mssqlnative.php:68
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/db/driver/oracle.php:170
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/db/driver/postgres.php:114
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/db/driver/sqlite3.php:62
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/db/extractor/oracle_extractor.php:184
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
phpBB/phpbb/db/migration/data/v33x/bot_update.php:45
· conf 0.86
Duplicated implementation block across source files
AIC007
Generated build artifact directory is present at repository root
build:1
· conf 0.70
Generated build artifact directory is present at repository root
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
phpBB/develop/remove-php-end-tags.py:53
· conf 0.95
[COMP001] High cognitive complexity: Function `process_dir` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested b…
SEC132
String concat where the language has interpolation (AI style drift)
phpBB/adm/style/permissions.js:119
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
WEB005
robots.txt does not advertise a sitemap
git-tools/merge.php
· conf 0.74
robots.txt does not advertise a sitemap
DKR002
Dockerfile base image has no explicit tag
.devcontainer/Dockerfile:3
· conf 0.48
Dockerfile base image is selected through a build variable
MINED004
Weak Crypto
CWE-327
· conf 0.20
[MINED004] Weak Crypto (and 19 more): Same pattern found in 19 additional files. Review if needed.
MINED019
Ssti Jinja From String
CWE-94
· conf 0.20
[MINED019] Ssti Jinja From String (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 12 more): Same pattern found in 12 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
phpBB/adm/style/tooltip.js:6
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
phpBB/common.php:60
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
phpBB/develop/benchmark.php:30
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
phpBB/assets/javascript/phpbb-avatars.js:202
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
phpBB/assets/javascript/webpush.js:67
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED047
Emoji In Source
phpBB/includes/utf/data/case_fold_c.php:1
· conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
MINED048
Php Error Suppress
CWE-755
· conf 0.20
[MINED048] Php Error Suppress (and 39 more): Same pattern found in 39 additional files. Review if needed.
MINED048
Php Error Suppress
CWE-755
phpBB/adm/index.php:51
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED048
Php Error Suppress
CWE-755
phpBB/common.php:34
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED048
Php Error Suppress
CWE-755
phpBB/develop/adjust_avatars.php:147
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED077
Python Open No Context
CWE-772
phpBB/develop/remove-php-end-tags.py:40
· conf 1.00
[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed.
SEC039
Plaintext-equivalent password hash — unsalted single-pass digest
· conf 0.20
[SEC039] Plaintext-equivalent password hash — unsalted single-pass digest (and 12 more): Same pattern found in 12 additional files. Review if needed.
SEC084
JS: require() with non-literal
· conf 0.20
[SEC084] JS: require() with non-literal (and 18 more): Same pattern found in 18 additional files. Review if needed.